Closed clyang82 closed 2 years ago
cc @davidben
@clyang82 per the Security Policy for BoringCrypto module, BoringSSL FIPS is supported on ppc64le only on POWER9 (cc @agl to confirm), but currently there is no support for it in Envoy.
That's correct: we currently maintain validation on x86-64 and POWER9. (An older version was validated on POWER8 too.)
Thanks @PiotrSikora and @agl. How hard would it be to support it in Envoy?
Just change it to "@bazel_tools//platforms:ppc",?
https://github.com/envoyproxy/envoy/blob/f7aa9710cd1e2d11dec3ec75b8f6d6b41dc53919/bazel/BUILD#L156
Can you share some experience on how to test to ensure Envoy supports FIPS? I think just verifying the version is not enough. Thanks again.
@clyang82 you'd need to extend boringssl_fips.genrule_cmd to support building on ppc64le, ideally restricted to POWER9.
While this shouldn't be hard, there are no official prebuilt binaries for LLVM 6.0.1 and Ninja for ppc64le, which means that they would need to be built as part of the build process.
Alternatively, we could distribute precompiled BoringSSL libraries for various architectures, but that's probably more of a request to the BoringSSL team. @agl any thoughts on that?
Thanks for your guidance. Can you also share how to verify or test it? Do you have automation cases for it?
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.
could we mark this as staleproof?
Closing this as won't fix. We don't have a ppc build, let alone FIPS for it.
I saw the document about FIPS 140-2
@PiotrSikora Is BoringSSL with FIPS enabled supported on ppc64le?