FIPS - dynamic linking on mac causes linking failures when running cargo installed executable.

rmullin-apptio commented 1 month ago

Problem:

It seems that static linking for aws-lc when compiled in fips mode is only available on Linux. When compiled on Mac M1, the library is dynamically linked. The program can be run through cargo run, but if it's installed using cargo install, the libraries aren't installed with it, so it crashes on startup:

» ./rust-fips-test                                                                                                                                                                  
dyld[53187]: Library not loaded: @rpath/libaws_lc_fips_0_12_11_crypto.dylib
  Referenced from: <A3DAE490-6F88-3CA7-9D27-464C9314D5D8> /Users/ryan/src/rust-fips-test/target/debug/rust-fips-test
  Reason: no LC_RPATH's found
[1]    53187 abort      ./rust-fips-test

Solution:

Right now the only way I've found to get this to work is to manually copy the dylib files into the same directory as the output executable and use install_name_tool to add @loader_path to the output executable's rpath:

cp build/aws-lc-fips-sys-2da5c751fdbe11cd/out/build/artifacts/libaws_lc_fips_0_12_11_crypto.dylib .
cp build/aws-lc-fips-sys-2da5c751fdbe11cd/out/build/artifacts/libaws_lc_fips_0_12_11_rust_wrapper.dylib .
install_name_tool -add_rpath @loader_path ./the-executable

After that it works. I'm unsure why this restriction exists outside of linux so am unsure if it's possible to statically link the fips library. At the very least if this is necessary it may be worthwhile to add documentation addressing this, and what the best approach is for installing fips versions of rust programs built with this library.

Does this change any public APIs? No
Which algorithm(s) will this impact? None

Requirements / Acceptance Criteria:

Provide documentation on the optimal way to install fips enabled rust programs on non-linux platforms.

RFC links: N/A
Related Issues: It appears this behavior was added in this PR
Will the Usage Guide or other documentation need to be updated? Yes
Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly interesting/important unit tests. N/A.

justsmth commented 4 weeks ago

Hello!

Yeah, unfortunately this is a limitation of the AWS-LC FIPS build, which currently can only provide a static library on the Linux platform.

The reason for this limitation is complicated; it relates to the FIPS requirement for an integrity check on the cryptographic module. We provide more information about the nature of our FIPS build and this integrity check here: https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md#integrity-test

The solution you found is the only way I know of to manage this. You're right about us needing to improve our documentation around the shared FIPS build.

I'll leave this issue open as a reminder for us to update our documentation. Thanks for contacting us about this!

justsmth commented 6 days ago

You mentioned the scenario where someone uses cargo install to install a crate that has a dependency on aws-lc-rs with the "fips" feature. With this next release the User Guide will mention that the "fips" build for MacOS & Windows produce shared libraries, but this doesn't fully address the specific issue you had. I'll try to look into this some more next week.

justsmth commented 6 days ago

The discussion here seems related: https://github.com/rust-lang/cargo/issues/5077

aws / aws-lc-rs