Open rmullin-apptio opened 1 month ago
Hello!
Yeah, unfortunately this is a limitation of the AWS-LC FIPS build, which currently can only provide a static library on the Linux platform.
The reason for this limitation is complicated; it relates to the FIPS requirement for an integrity check on the cryptographic module. We provide more information about the nature of our FIPS build and this integrity check here: https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md#integrity-test
The solution you found is the only way I know of to manage this. You're right about us needing to improve our documentation around the shared FIPS build.
I'll leave this issue open as a reminder for us to update our documentation. Thanks for contacting us about this!
You mentioned the scenario where someone uses cargo install to install a crate that has a dependency on aws-lc-rs with the "fips" feature. With this next release the User Guide will mention that the "fips" build for macOS & Windows produces shared libraries, but this doesn't fully address the specific issue you had. I'll try to look into this some more next week.
The discussion here seems related: https://github.com/rust-lang/cargo/issues/5077
Problem:
It seems that static linking for aws-lc when compiled in fips mode is only available on Linux. When compiled on Mac M1, the library is dynamically linked. The program can be run through cargo run, but if it's installed using cargo install, the libraries aren't installed with it, so it crashes on startup:
Solution:
Right now the only way I've found to get this to work is to manually copy the dylib files into the same directory as the output executable and use install_name_tool to add @loader_path to the output executable's rpath:
After that it works. I'm unsure why this restriction exists outside of Linux, so I'm unsure if it's possible to statically link the fips library. At the very least, if this is necessary, it may be worthwhile to add documentation addressing this and what the best approach is for installing fips versions of Rust programs built with this library.
Requirements / Acceptance Criteria:
Provide documentation on the optimal way to install fips-enabled Rust programs on non-Linux platforms.
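
The workaround described in the issue above (copy the dylibs beside the executable, then add @loader_path to its rpath), sketched as an added example that is not the reporter's or the AWS-LC project's own commands. The function names and the DRY_RUN switch are hypothetical, and the caller supplies the directory holding the built dylibs because the issue does not name the files.

```shell
#!/bin/sh
# Added example: bundle shared FIPS libraries next to a cargo-installed binary on macOS.
# Assumption: DYLIB_DIR is chosen by the caller; DRY_RUN=1 only prints the commands.

# run CMD...: print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# has_loader_rpath BINARY: succeed if an LC_RPATH entry of @loader_path already exists.
has_loader_rpath() {
    otool -l "$1" 2>/dev/null | grep -A2 'cmd LC_RPATH' | grep -q 'path @loader_path '
}

# bundle_fips_dylibs BINARY DYLIB_DIR
# Returns 2 if the binary is missing, 3 if DYLIB_DIR holds no .dylib files.
bundle_fips_dylibs() {
    bin=$1
    src=$2
    [ -f "$bin" ] || { echo "no such binary: $bin" >&2; return 2; }
    dest=$(dirname "$bin")
    found=0
    for lib in "$src"/*.dylib; do
        [ -f "$lib" ] || continue      # unmatched glob stays literal; skip it
        found=1
        run cp "$lib" "$dest/" || return 1
    done
    [ "$found" -eq 1 ] || { echo "no .dylib files in $src" >&2; return 3; }
    # Adding the same rpath twice makes install_name_tool fail, so check first.
    if has_loader_rpath "$bin"; then
        echo "rpath @loader_path already present"
    else
        run install_name_tool -add_rpath @loader_path "$bin" || return 1
    fi
}
```

With @loader_path in the rpath the loader searches the executable's own directory, so that directory should be writable only by the user who installs the binary.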