Open qmuntal opened 2 years ago
cc @simo5 @ueno
- The Microsoft Go team shouldn't be responsible of maintaining this library, it should build the source code from a trusted repository (e.g. CBL-Mariner) using a compliant build recipe.
Do we (microsoft/go) need to build this from source to satisfy some UX? I think we should be open to acquiring the actual binaries from CBL-Mariner, so they keep control over the entire build process. We already build our Linux platform Go on a Mariner container, so we already have these binaries on the build machine.
This also is what Mariner would need to do when they build Microsoft Go from source, so if we can both use the same binary ingestion process, I think that will work well for everyone.
This isn't the focus of the proposal and you mentioned keeping this part vague, I think it's probably just not quite vague enough. 😄
Do we (microsoft/go) need to build this from source to satisfy some UX? I think we should be open to acquiring the actual binaries from CBL-Mariner, so they keep control over the entire build process. We already build our Linux platform Go on a Mariner container, so we already have these binaries on the build machine.
This is a possibility and could be a good initial plan. What worries me is that Mariner only provides amd64 binaries, thus it wouldn't work for arm64. I'm not aware of any requirement to support arm64, but something to keep in mind.
What worries me is that Mariner only provides amd64 binaries
They have arm64 too, just not armv6l. From emulated Docker:
root [ / ]# rpm -q --whatprovides /usr/lib/libcrypto.so.1.1.1k
openssl-libs-1.1.1k-12.cm1.aarch64
root [ / ]# file /usr/lib/libcrypto.so.1.1.1k
/usr/lib/libcrypto.so.1.1.1k: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=dfa8ebe52a3de49330d9867765450d98db00d73d, with debug_info, not stripped, too many notes (256)
What worries me is that Mariner only provides amd64 binaries
They have arm64 too, just not armv6l. From emulated Docker:
root [ / ]# rpm -q --whatprovides /usr/lib/libcrypto.so.1.1.1k openssl-libs-1.1.1k-12.cm1.aarch64 root [ / ]# file /usr/lib/libcrypto.so.1.1.1k /usr/lib/libcrypto.so.1.1.1k: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=dfa8ebe52a3de49330d9867765450d98db00d73d, with debug_info, not stripped, too many notes (256)
You got me there. I'll update the proposal to include this option 😄
Goal
Add OpenSSL static linking support to Microsoft Go OpenSSL crypto backend.
Background
We currently support OpenSSL dynamic loading by calling
dlopen(libcrypto.so.X)
, beingX
a configurable version string (see docs). The supported OpenSSL versions are 1.0.2, 1.1.0, 1.1.1 and 3.We also support portable OpenSSL, which means users can build an application using an OpenSSL version different that the one used at runtime.
One can tune the FIPS behavior by using the
GOFIPS
environment variable in the following ways:GOFIPS=0
: disable OpenSSL FIPS mode.GOFIPS=1
: force OpenSSL FIPS mode, panic is not enabled and can't be enabled.GOFIPS
unset: try to enable FIPS mode if not enabled. If can't be enabled, go on with the OpenSSL backend in non-FIPS mode.OpenSSL static linking is not supported, although we could add this capability to go-crypto-openssl with a reasonable effort. This proposal is not about how to update
go-crypto-openssl
nor how is integrated withmicrosoft/go
, but about the user experience around the different OpenSSL linking/loading modesWhy static linking
libcrypto.so
, so embedding it into the binary facilitate running it without installing external packages.Proposal
GOEXPERIMENT=opensslcrypto
uses dynamic loading (akadlopen
) by default, which is the current behavior. Using the platform crypto is the Microsoft Crypto Board recommendation, so we should stick to it.GOEXPERIMENT=opensslcrypto
uses static linking when used together with-tags=opensslstatic
. e.g.,GOEXPERIMENT=opensslcrypto go build . -tags=opensslstatic
.GOFIPS
to default to `GOFIPS=1, which means it will panic if OpenSSL cannot be used in FIPS mode. If someone is not sure whether FIPS mode will be supported at runtime they should use OpenSSL static linking, which will be warranted to support FIPS.The most difficult part of this proposal is to agree on who provides the FIPS-capable OpenSSL sources and built recipe. This proposal is consciously vague at this point so we focus the discussion on the UX. If at the end we can't provide a FIPS-capable OpenSSL static library I would argue that we should not provide OpenSSL static linking at all.
@dagood @jaredpar @chsienki FYI @derekparker