Closed hilagross closed 4 years ago
Is it possible to create a separate FIPS-compliant image of golang and keep pretty much everything else the same?
For example, it appears from the boringcrypto docs that you can use the goboring Docker image in place of the standard golang Docker image with (likely) no other modifications.
Can we add a Dockerfile.fips
to this project that uses the goboring
base image but is otherwise identical to the Dockerfile
, and is only built when a special command is passed to ./bin/build
? That would preserve the development experience in almost all cases, and the pipeline could build this custom image in addition to the other images and push it to DockerHub and/or our internal registry.
@hilagross - I think a PR would be easier for comments
regarding the doc - is this a requirement? "Compiling the authenticator on RHEL" why do we must use RHEL?
@shaharglazner @hilagross how do we decide that a solution is FIPS compliant. For example, in the description of the GoBoring solution you say disadvantage of this approach is that Google does not guarantee any “support” or responsibility on this version being FIPS compliant.
. Does this mean that we can't use this solution?
@izgeri when you say
Can we add a Dockerfile.fips to this project that uses the goboring base image but is otherwise identical to the Dockerfile, and is only built when a special command is passed to ./bin/build?
why would we have another image instead of building our main image from the goboring base image? Are there any risks here?
@orenbm goboring
is a fork of Go (see here).
What is the benefit to all of our customers from requiring that the binary is built using FIPS-compliant libraries for everyone? It does not add much complexity for us to build the binary using the official Golang project and distribute Docker images that include that, and separately create a binary using the goboring and distribute a Docker image which includes that for end-users interested in a FIPS-compliant version of this project.
thanks @izgeri , that sounds like a good reason. It's really not hard to have 2 images, just wondered why we need the original one.
@orenbm there is more work in this epic still, correct? I understood there would be additional test changes to happen - is there a separate issue for tracking that work?
@izgeri you are correct. It moved to Closed by accident when I merged #97.
I added now all the relevant issues that needs to be done as part of this effort.
Thanks!
FIPS compliance for authn-client-k8s
Overview
The National Institute of Standards and Technology (NIST) issued the FIPS 140-2 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components.
The requirements are to support FIPS in all cryptography 3rd parties, preferably as one source code if possible, otherwise by configuration.
As making Conjur product FIPS compliant, our costumer will gain a cryptographic standard to protect their unclassified, but sensitive data.
As part of the effort of making Conjur FIPS compliant, we tackled an issue regarding Golang. The issue is that Golang, by nature, is not FIPS compliant and they claim that they are not going to be (https://github.com/golang/go/issues/11658#issuecomment-120441723).
There are three alternatives:
Use cgo to call out to an existing certified library
Use BoringSSL based crypto
Use RHEL go toolchain.
Requirement
Compare all options (cgo, google toolset, RHEL) and decide on the best approach. should include also in seed-fetcher container. Consider all 3 alternatives:
our goal:
Consider: a. Dev vs Test vs Prod i. UX wise ii. Pipeline iii. RHEL subscription (PR needed?)
b. If deciding on the 3rd option (RHEL), we should compare between RHEL and UBI i. PoC ii. Understand concerns iii. share with security expert
Performance Same SLA of performance should be kept.
DoD
Team
SDLC Timeline