dart-lang / sdk

The Dart SDK, including the VM, JS and Wasm compilers, analysis, core libraries, and more.
https://dart.dev
BSD 3-Clause "New" or "Revised" License

Enabling BoringSSL FIPS-140 support in the Dart SDK build process. #43637

Open slightfoot opened 4 years ago

slightfoot commented 4 years ago

Summary

Provide a means to build Dart for various platforms with BoringSSL in FIPS mode. This is required in order to get FIPS certification for a Dart build for iOS and Android, so that Flutter apps can be used in environments that require FIPS certification.

FIPS is the Federal Information Processing Standards.

Detail

BoringSSL, which includes BoringCrypto, can be compiled in a FIPS mode, which makes its cryptography and functioning compliant with FIPS certification criteria, and enables tests to be run against it to show its compliance. With this mode enabled, there are limitations on what particular crypto algorithms are included, and an integrity check that is run when the library is initialized.

While it is straightforward to build BoringSSL in this mode, doing this as part of building the Dart SDK is more involved. The particular piece that is difficult is supporting the integrity check. This involves saving a textual assembly file rather than a binary object and having the build process execute this script to modify the assembly listing in various ways. This allows the contents of memory to be securely hashed, and confirmed at runtime to be unmodified. Details of this process are explained in the BoringSSL FIPS documentation.

Issue needing resolution

It is unclear what modifications are required to the Dart SDK GN build process to include the steps required to build BoringSSL in this very unique way. Even though we have Dart building using Depot Tools etc., it is difficult to understand how the process of including and building third-party libraries works.

We would appreciate any advice or support in making the required build process changes.

/cc @SteveAlexander @csells @kevmoo
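
A simplified model of the build-time hash injection and start-up integrity check described in the comment above, as an added example that is not part of the issue thread and not BoringSSL's own code. The boundary markers, placeholder, key, image layout and the use of HMAC-SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac

# All values are constructed for illustration; none are BoringSSL's real ones.
START, END = b"<module_start>", b"<module_end>"   # assumed boundary markers
PLACEHOLDER = bytes(range(32))                    # assumed filler for the hash slot
KEY = b"\x00" * 64                                # fixed, public key: integrity, not secrecy


def module_region(image: bytes) -> bytes:
    """Return the bytes between the boundary markers (the covered region)."""
    begin = image.index(START) + len(START)
    return image[begin:image.index(END, begin)]


def stored_digest(image: bytes) -> bytes:
    """Return the 32-byte slot that directly follows the end marker."""
    slot = image.index(END) + len(END)
    return image[slot:slot + 32]


def inject_hash(image: bytes) -> bytes:
    """Build step: overwrite the placeholder slot with the region's HMAC."""
    if image.count(PLACEHOLDER) != 1 or stored_digest(image) != PLACEHOLDER:
        raise ValueError("expected exactly one placeholder, right after the end marker")
    digest = hmac.new(KEY, module_region(image), hashlib.sha256).digest()
    return image.replace(PLACEHOLDER, digest)


def self_test(image: bytes) -> bool:
    """Start-up check: recompute the HMAC and compare it with the stored one."""
    expected = hmac.new(KEY, module_region(image), hashlib.sha256).digest()
    return hmac.compare_digest(expected, stored_digest(image))


def sample_image() -> bytes:
    """Constructed stand-in for a linked library with an unfilled hash slot."""
    return b"hdr" + START + b"\x55\x48\x89\xe5\xc3" + END + PLACEHOLDER + b"tail"


if __name__ == "__main__":
    built = inject_hash(sample_image())
    tampered = bytearray(built)
    tampered[built.index(START) + len(START)] ^= 0xFF   # flip one covered byte
    print(self_test(built), self_test(bytes(tampered)), self_test(sample_image()))
```

A build that skips the injection step leaves the placeholder in the slot, so the start-up check fails in the same way as it does for a modified region.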

mit-mit commented 4 years ago

cc @whesse @athomas

slightfoot commented 4 years ago

More information after investigation:

zanderso commented 4 years ago

I can see a couple of options:

  1. Translate the logic in the reference CMake build to GN.
  2. In the GN build, delegate building the BoringSSL static libraries to the reference CMake build.

Both (1) and (2) require the Dart build to take a new build-time dependency on go, and (2) also requires a new build-time dependency on cmake.

My suggestion would be (1) since it has fewer new dependencies. Also (2) requires correctly configuring both the GN build and the CMake build, which seems error-prone. However, (1) is probably a bit more work to wire up. I don't have the cycles to work on this myself, but I'm happy to advise and/or review patches.