microsoft / go

The Microsoft build of the Go toolset
BSD 3-Clause "New" or "Revised" License
283 stars 27 forks source link

OpenSSL static linking proposal #744

Open qmuntal opened 2 years ago

qmuntal commented 2 years ago

Goal

Add OpenSSL static linking support to Microsoft Go OpenSSL crypto backend.

Background

We currently support OpenSSL dynamic loading by calling dlopen(libcrypto.so.X), being X a configurable version string (see docs). The supported OpenSSL versions are 1.0.2, 1.1.0, 1.1.1 and 3.

We also support portable OpenSSL, which means users can build an application using an OpenSSL version different that the one used at runtime.

One can tune the FIPS behavior by using the GOFIPS environment variable in the following ways:

OpenSSL static linking is not supported, although we could add this capability to go-crypto-openssl with a reasonable effort. This proposal is not about how to update go-crypto-openssl nor how is integrated with microsoft/go, but about the user experience around the different OpenSSL linking/loading modes

Why static linking

Proposal

The most difficult part of this proposal is to agree on who provides the FIPS-capable OpenSSL sources and built recipe. This proposal is consciously vague at this point so we focus the discussion on the UX. If at the end we can't provide a FIPS-capable OpenSSL static library I would argue that we should not provide OpenSSL static linking at all.

@dagood @jaredpar @chsienki FYI @derekparker

derekparker commented 2 years ago

cc @simo5 @ueno

dagood commented 2 years ago
  • The Microsoft Go team shouldn't be responsible of maintaining this library, it should build the source code from a trusted repository (e.g. CBL-Mariner) using a compliant build recipe.

Do we (microsoft/go) need to build this from source to satisfy some UX? I think we should be open to acquiring the actual binaries from CBL-Mariner, so they keep control over the entire build process. We already build our Linux platform Go on a Mariner container, so we already have these binaries on the build machine.

This also is what Mariner would need to do when they build Microsoft Go from source, so if we can both use the same binary ingestion process, I think that will work well for everyone.

This isn't the focus of the proposal and you mentioned keeping this part vague, I think it's probably just not quite vague enough. 😄

qmuntal commented 2 years ago

Do we (microsoft/go) need to build this from source to satisfy some UX? I think we should be open to acquiring the actual binaries from CBL-Mariner, so they keep control over the entire build process. We already build our Linux platform Go on a Mariner container, so we already have these binaries on the build machine.

This is a possibility and could be a good initial plan. What worries me is that Mariner only provides amd64 binaries, thus it wouldn't work for arm64. I'm not aware of any requirement to support arm64, but something to keep in mind.

dagood commented 2 years ago

What worries me is that Mariner only provides amd64 binaries

They have arm64 too, just not armv6l. From emulated Docker:

root [ / ]# rpm -q --whatprovides /usr/lib/libcrypto.so.1.1.1k
openssl-libs-1.1.1k-12.cm1.aarch64
root [ / ]# file /usr/lib/libcrypto.so.1.1.1k
/usr/lib/libcrypto.so.1.1.1k: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=dfa8ebe52a3de49330d9867765450d98db00d73d, with debug_info, not stripped, too many notes (256)
qmuntal commented 2 years ago

What worries me is that Mariner only provides amd64 binaries

They have arm64 too, just not armv6l. From emulated Docker:

root [ / ]# rpm -q --whatprovides /usr/lib/libcrypto.so.1.1.1k
openssl-libs-1.1.1k-12.cm1.aarch64
root [ / ]# file /usr/lib/libcrypto.so.1.1.1k
/usr/lib/libcrypto.so.1.1.1k: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=dfa8ebe52a3de49330d9867765450d98db00d73d, with debug_info, not stripped, too many notes (256)

You got me there. I'll update the proposal to include this option 😄