envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Envoy FIPS v1.30 build failing with errors in new cryptomb contrib extension #33585

Closed agrawroh closed 5 months ago

agrawroh commented 6 months ago

Description

The Envoy v1.30.0 FIPS build seems to be failing for the newly added cryptomb extension on AMD64.

Bazel Logs

_____ BEGIN BUILD LOGS _____

Bazel external C/C++ Rules. Building library ipp-crypto

Environment:______________
BUILD_SCRIPT=bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/build_script.sh
EXT_BUILD_ROOT=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy
BUILD_LOG=bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/CMake.log
PWD=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy
LLVM_CONFIG=/opt/llvm/bin/llvm-config
CXX=clang++
CXXFLAGS=-stdlib=libc++
LDFLAGS=-stdlib=libc++
BUILD_WRAPPER_SCRIPT=bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/wrapper_build_script.sh
BAZEL_LINKOPTS=-lm:-pthread
TMPDIR=/tmp
EXT_BUILD_DEPS=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps
BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a
BUILD_TMPDIR=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.build_tmpdir
SHLVL=2
BAZEL_CXXOPTS=-stdlib=libc++
INSTALLDIR=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto
PATH=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy:/opt/llvm/bin:/opt/llvm/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
BAZEL_COMPILER=clang
CC=clang
_=/usr/bin/env
__________________________
+ /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/cmake-3.23.2-linux-x86_64/bin/cmake -DCMAKE_AR=/usr/bin/ar '-DCMAKE_SHARED_LINKER_FLAGS=-shared -Wl,--gdb-index -fuse-ld=/opt/llvm/bin/ld.lld -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/opt/llvm/bin -lm -pthread -Wl,--gc-sections -l:libc++.a -l:libc++abi.a -fuse-ld=lld -L/opt/llvm/lib -Wl,-rpath,/opt/llvm/lib' '-DCMAKE_EXE_LINKER_FLAGS=-Wl,--gdb-index -fuse-ld=/opt/llvm/bin/ld.lld -Wl,-no-as-needed -Wl,-z,relro,-z,now -B/opt/llvm/bin -lm -pthread -Wl,--gc-sections -l:libc++.a -l:libc++abi.a -fuse-ld=lld -L/opt/llvm/lib -Wl,-rpath,/opt/llvm/lib' -DBORINGSSL=on -DDYNAMIC_LIB=off -DMB_STANDALONE=off -DCMAKE_BUILD_TYPE=Bazel -DCMAKE_INSTALL_PREFIX=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto '-DCMAKE_PREFIX_PATH=/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps;external/boringssl_fips/boringssl/include;bazel-out/k8-opt/bin/external/boringssl_fips/boringssl/include' -DCMAKE_RANLIB= -GNinja -G Ninja /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb
-- The C compiler identification is Clang 14.0.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /opt/llvm/bin/clang-14 - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- CMAKE_BUILD_TYPE is not set to Debug explicitly, defaulting to Release
CMake Warning (dev) at CMakeLists.txt:67 (set):
  Cannot set "MBX_INTERFACE_VERSION": current scope has no parent.
This warning is for project developers.  Use -Wno-dev to suppress it.

CMake Warning (dev) at CMakeLists.txt:68 (set):
  Cannot set "MB_PUBLIC_HEADERS": current scope has no parent.
This warning is for project developers.  Use -Wno-dev to suppress it.

CMake Warning (dev) at CMakeLists.txt:69 (set):
  Cannot set "MB_DYN_LIB_TARGET": current scope has no parent.
This warning is for project developers.  Use -Wno-dev to suppress it.

CMake Warning (dev) at CMakeLists.txt:70 (set):
  Cannot set "MB_STATIC_LIB_TARGET": current scope has no parent.
This warning is for project developers.  Use -Wno-dev to suppress it.

-- Looking for pthread.h
-- Looking for pthread.h - found
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Success
-- Found Threads: TRUE
-- Found OpenSSL: /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/lib/libcrypto.a (found version "")
-- Configuring done
-- Generating done
-- Build files have been written to: /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.build_tmpdir
+ /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/cmake-3.23.2-linux-x86_64/bin/cmake --build . --config Release
[37/140] Building C object src/CMakeFiles/crypto_mb_s.dir/common/ifma_cvt52.c.o
FAILED: src/CMakeFiles/crypto_mb_s.dir/common/ifma_cvt52.c.o
/opt/llvm/bin/clang-14 -DSIMD_LEN=512 -DUSE_AMS_5x -I/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb/include -I/usr/include/X11 -isystem /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/include -falign-functions=32 -std=c99 -Wno-pointer-to-int-cast  -O3 -DNDEBUG -fvisibility=hidden  -march=icelake-server -mavx512dq -mavx512ifma -mavx512f -mavx512vbmi2 -mavx512cd -mavx512bw -mbmi2   -Wformat -Wformat-security -Werror=format-security -fcf-protection=full -D_FORTIFY_SOURCE=2 -fstack-protector -fpic -fPIC -Wall -Werror -MD -MT src/CMakeFiles/crypto_mb_s.dir/common/ifma_cvt52.c.o -MF src/CMakeFiles/crypto_mb_s.dir/common/ifma_cvt52.c.o.d -o src/CMakeFiles/crypto_mb_s.dir/common/ifma_cvt52.c.o -c /build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c:196:10: error: implicit declaration of function 'BN_bn2lebinpad' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
         BN_bn2lebinpad(bn[i], d[i], byteLen);
         ^
/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c:196:10: note: did you mean 'BN_bn2binpad'?
/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto.ext_build_deps/include/openssl/bn.h:946:20: note: 'BN_bn2binpad' declared here
OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len);
                   ^
/build/bazel_root/base/sandbox/processwrapper-sandbox/4330/execroot/envoy/external/com_github_intel_ipp_crypto_crypto_mb/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c:483:10: error: implicit declaration of function 'BN_bn2lebinpad' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
         BN_bn2lebinpad(bn[i], (unsigned char *)inp[i], byteLen);
         ^
2 errors generated.
ninja: build stopped: subcommand failed.
_____ END BUILD LOGS _____
rules_foreign_cc: Build wrapper script location: bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/wrapper_build_script.sh
rules_foreign_cc: Build script location: bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/build_script.sh
rules_foreign_cc: Build log location: bazel-out/k8-opt/bin/contrib/cryptomb/private_key_providers/source/ipp-crypto_foreign_cc/CMake.log

phlax commented 6 months ago

@agrawroh I think this extension should probably be disabled for FIPS - it is for arm, just not for x86

Currently the way of doing that is a bit messy - and has had some recent PRs to resolve related issues - but I think if it should always be disabled we want to mark the BUILD target with the nofips label

adisuissa commented 5 months ago

cc @giantcroc @soulxu for cryptomb owners input.

soulxu commented 5 months ago

Recently we upgraded ipp-crypto, and the temporary fix for BN_bn2lebinpad was removed, since ipp-crypto fixed that as well. https://github.com/envoyproxy/envoy/pull/32838/files#diff-9d29f5207ccdac885d0d1ebd78a329857698e120557d73f6e1a011235c5051b3

cc @zhxie

Let us do some testing.

soulxu commented 5 months ago

I can fix this build error with the patch below:

diff --git a/bazel/ipp-crypto-fips.patch b/bazel/ipp-crypto-fips.patch
new file mode 100644
index 0000000000..e9ab2620c8
--- /dev/null
+++ b/bazel/ipp-crypto-fips.patch
@@ -0,0 +1,16 @@
+diff --git a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
+index e6db178c..222531ab 100644
+--- a/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
++++ b/sources/ippcp/crypto_mb/src/common/ifma_cvt52.c
+@@ -19,6 +19,11 @@
+ 
+ #include <assert.h>
+ 
++#include <openssl/bn.h>
++static int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) {
++    return BN_bn2le_padded(to, tolen, a);
++}
++
+ #if defined(_MSC_VER) && (_MSC_VER < 1920)
+   // Disable optimization for VS2017 due to AVX512 masking bug
+   #define DISABLE_OPTIMIZATION __pragma(optimize( "", off ))
\ No newline at end of file
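
Review bot: The BN_bn2lebinpad shim inserted after `#include <assert.h>` is defined unconditionally, with no preprocessor guard and no comment saying which libcrypto it is meant for. The build log above shows that the BoringSSL FIPS bn.h lacks the symbol, but if ifma_cvt52.c is ever compiled against headers that do declare BN_bn2lebinpad, a static definition with the same name will conflict with that declaration. Please wrap the shim in a guard that is only set for the FIPS build and add a one-line comment explaining why it exists. The wrapper also returns the result of BN_bn2le_padded unchanged (1 on success, 0 on failure), which is not the BN_bn2lebinpad convention of returning the length or -1; the two call sites shown in the log ignore the return value, so this is harmless today, but it deserves a comment or a translation of the result. Lastly, the new file ends with "\ No newline at end of file"; add the trailing newline.
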
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 9719778081..f578ce0b07 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -546,6 +546,8 @@ def _com_github_unicode_org_icu():
 def _com_github_intel_ipp_crypto_crypto_mb():
     external_http_archive(
         name = "com_github_intel_ipp_crypto_crypto_mb",
+        patches = ["@envoy//bazel:ipp-crypto-fips.patch"],
+        patch_args = ["-p1"],
         build_file_content = BUILD_ALL_CONTENT,
     )
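
Review bot: The `patches = ["@envoy//bazel:ipp-crypto-fips.patch"]` entry is added to external_http_archive without any condition, so the patch is applied to every build of com_github_intel_ipp_crypto_crypto_mb, not only the FIPS build its file name refers to. Either apply it only when the FIPS BoringSSL is selected, or make the shim inside the patch guard itself so that it is a no-op for other builds, and note which approach was taken in a comment next to the patches line.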

This really confused me: we previously removed the BN_bn2lebinpad declaration to make the FIPS build work https://github.com/envoyproxy/envoy/pull/30001/files

But why do we need that BN_bn2lebinpad declaration again? We didn't even upgrade the version of BoringSSL FIPS after the fix https://github.com/envoyproxy/envoy/pull/30001

I need to figure that out.

soulxu commented 5 months ago

This really confused me: we previously removed the BN_bn2lebinpad declaration to make the FIPS build work https://github.com/envoyproxy/envoy/pull/30001/files

But why do we need that BN_bn2lebinpad declaration again? We didn't even upgrade the version of BoringSSL FIPS after the fix #30001

I figured out the reason and described it here https://github.com/envoyproxy/envoy/pull/33756#issuecomment-2074058990

soulxu commented 5 months ago

And our CI doesn't test the FIPS build with contrib extensions today. As a test, if we force the compile-time-option build with contrib, then we can reproduce this build issue in the CI https://github.com/envoyproxy/envoy/pull/33757, but yeah, we need to discuss how to test that in the CI officially.