
POC of replacing boringcrypto with Go's native FIPS-140-3 module

Open mjlshen opened this issue 1 month ago • 4 comments

[!WARNING]
Disclaimer: How boilerplate sets up FIPS compliance should definitely follow Red Hat guidelines. I don't know what they are. I am just making this MR to raise awareness of this configuration and its brief history.

  • GOEXPERIMENT=boringcrypto + the "crypto/tls/fipsonly" library, which required CGO_ENABLED=1, was initially used. The cgo requirement necessitated a swap from ubi*-micro --> ubi*-minimal images.
  • Then there was GOEXPERIMENT=strictfipsruntime, added in https://github.com/openshift/boilerplate/pull/298 when Red Hat was supporting an internal fork of Go; this was deprecated and removed in https://github.com/openshift/boilerplate/pull/516
  • Nowadays, Go natively supports FIPS starting in Go 1.24 (without requiring cgo!), with boringcrypto slated to be removed in a future release. Boilerplate was already updated for Go 1.24 in https://github.com/openshift/boilerplate/pull/582

I think this makes FIPS compliance easier than ever - especially the removal of the cgo requirement should allow usage of ubi*-micro images again if there's a desire for that (fewer CVEs to manage!).

mjlshen avatar Oct 30 '25 05:10 mjlshen
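Because the three configurations above leave different traces in a binary's recorded build settings (the data `go version -m` prints), a reviewer can check which FIPS mechanism a build actually used. The following is an added example, not code from the boilerplate project or the PR author; it assumes the go tool records GOEXPERIMENT, CGO_ENABLED, GOFIPS140 and DefaultGODEBUG as build settings when they are set at build time, and it flags the silent-fallback case where boringcrypto was requested without cgo.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// FIPSMode classifies how (or whether) a Go binary was built for FIPS.
type FIPSMode string

const (
	FIPSNone         FIPSMode = "none"
	FIPSBoringCrypto FIPSMode = "boringcrypto (cgo-based)"
	FIPSNative       FIPSMode = "native fips140 module (Go >= 1.24)"
)

// ClassifyFIPS inspects build settings and reports the FIPS mechanism plus
// any warnings. Assumption: GOEXPERIMENT, CGO_ENABLED, GOFIPS140 and
// DefaultGODEBUG are present in the settings when set at build time.
func ClassifyFIPS(settings []debug.BuildSetting) (FIPSMode, []string) {
	var warnings []string
	kv := map[string]string{}
	for _, s := range settings {
		kv[s.Key] = s.Value
	}
	native := (kv["GOFIPS140"] != "" && kv["GOFIPS140"] != "off") ||
		strings.Contains(kv["DefaultGODEBUG"], "fips140=on")
	boring := strings.Contains(kv["GOEXPERIMENT"], "boringcrypto")
	switch {
	case boring:
		// Without cgo the boringcrypto experiment cannot link BoringSSL and
		// the binary silently uses Go's own crypto, so this is worth flagging.
		if kv["CGO_ENABLED"] != "1" {
			warnings = append(warnings, "boringcrypto requested but CGO_ENABLED!=1: BoringSSL is not linked")
		}
		return FIPSBoringCrypto, warnings
	case native:
		return FIPSNative, warnings
	default:
		return FIPSNone, warnings
	}
}

// CurrentFIPS applies the classification to the running binary itself.
func CurrentFIPS() (FIPSMode, []string) {
	bi, ok := debug.ReadBuildInfo()
	if !ok {
		return FIPSNone, []string{"no build info embedded in this binary"}
	}
	return ClassifyFIPS(bi.Settings)
}

func main() {
	mode, warns := CurrentFIPS()
	fmt.Println("fips mode:", mode, "warnings:", warns)
}
```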

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mjlshen Once this PR has been reviewed and has the lgtm label, please assign joshbranham for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

openshift-ci[bot] avatar Oct 30 '25 05:10 openshift-ci[bot]

/hold

This shouldn't be merged. It should be worked on internally if important.

mjlshen avatar Oct 30 '25 05:10 mjlshen

This is blocked internally for HCM security to confirm that FIPS-140-3 is good to go. I will follow up with them.

joshbranham avatar Nov 03 '25 18:11 joshbranham

I asked about this a long time ago when the blog first dropped, so it may not be valid information anymore. As I understand it, the FIPS in native Go is still "In process" and is not fully "approved" so there may be some legal/compliance-y back and forth on what that means. +1 to definitely discussing with internal compliance/security teams + the FIPS folks before any major changes. Lately I've been using go-toolset (installed via package manager) for FIPS builds which is essentially Red Hat's fork of Go with all the OpenSSL bits to ensure FIPS compliance.

tonytheleg avatar Nov 24 '25 21:11 tonytheleg