envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

FIPS 140-2 for ppc64le #7221

Closed clyang82 closed 2 years ago

clyang82 commented 5 years ago

I saw the document about FIPS 140-2

> BoringSSL can be built in a FIPS-compliant mode, following the build instructions from the Security Policy for BoringCrypto module, using --define boringssl=fips Bazel option. Currently, this option is only available on Linux-x86_64.

@PiotrSikora Is BoringSSL with FIPS enabled supported on ppc64le?

mattklein123 commented 5 years ago

cc @davidben

PiotrSikora commented 5 years ago

@clyang82 per the Security Policy for BoringCrypto module, BoringSSL FIPS is supported on ppc64le only on POWER9 (cc @agl to confirm), but currently there is no support for it in Envoy.

agl commented 5 years ago

That's correct: we currently maintain validation on x86-64 and POWER9. (An older version was validated on POWER8 too.)

clyang82 commented 5 years ago

Thanks @PiotrSikora and @agl. How hard would it be to support it in Envoy? Just change it to "@bazel_tools//platforms:ppc",? https://github.com/envoyproxy/envoy/blob/f7aa9710cd1e2d11dec3ec75b8f6d6b41dc53919/bazel/BUILD#L156

Can you share some experience on how to test to ensure Envoy supports FIPS? I think just verifying the version is not enough. Thanks again.

PiotrSikora commented 5 years ago

@clyang82 you'd need to extend boringssl_fips.genrule_cmd to support building on ppc64le, ideally restricted to POWER9.

While this shouldn't be hard, there are no official prebuilt binaries for LLVM 6.0.1 and Ninja for ppc64le, which means that they would need to be built as part of the build process.

Alternatively, we could distribute precompiled BoringSSL libraries for various architectures, but that's probably more of a request to the BoringSSL team. @agl any thoughts on that?

clyang82 commented 5 years ago

> @clyang82 you'd need to extend boringssl_fips.genrule_cmd to support building on ppc64le, ideally restricted to POWER9.
>
> While this shouldn't be hard, there are no official prebuilt binaries for LLVM 6.0.1 and Ninja for ppc64le, which means that they would need to be built as part of the build process.
>
> Alternatively, we could distribute precompiled BoringSSL libraries for various architectures, but that's probably more of a request to the BoringSSL team. @agl any thoughts on that?

Thanks for your guidance. Can you also share how to verify or test it? Do you have automation cases for it?

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] commented 5 years ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

clnperez commented 4 years ago

Could we mark this as staleproof?

mattklein123 commented 2 years ago

Closing this as won't fix. We don't have a ppc build, let alone FIPS for it.