shieldworks / aegis

Aegis: Keep Your Secrets… Secret
https://vsecm.com
MIT License

create, use, and test fips-compliant go images #357

Closed v0lkan closed 1 year ago

v0lkan commented 1 year ago

Right now Aegis is based on standard go, which is not FIPS compliant.

One option to attain compliance is to base the code on the boring crypto fork instead:

```dockerfile
# builder image
FROM my-golang-boringcrypto:latest as builder

RUN mkdir /build
COPY app /build/app
COPY core /build/core
COPY vendor /build/vendor
COPY go.mod /build/go.mod
WORKDIR /build
RUN CGO_ENABLED=0 GOOS=linux go build -mod vendor -a -o aegis-safe ./app/safe/cmd/main.go

# generate clean, final image for end users
FROM gcr.io/distroless/static-debian11

LABEL "maintainers"="Volkan Özçelik <volkan@aegis.ist>"
LABEL "version"="0.17.2"
LABEL "website"="https://aegis.ist/"
LABEL "repo"="https://github.com/shieldworks/aegis-safe"
LABEL "documentation"="https://aegis.ist/docs/"
LABEL "contact"="https://aegis.ist/contact/"
LABEL "community"="https://aegis.ist/contact/#community"
LABEL "changelog"="https://aegis.ist/changelog"

COPY --from=builder /build/aegis-safe .

# executable
ENTRYPOINT [ "./aegis-safe" ]
CMD [ "" ]
```

In this Dockerfile, my-golang-boringcrypto:latest should be replaced with your actual BoringCrypto Go image. If you don't have this image, you will need to create one. Here's an example of how you can do it:

1. Clone the BoringCrypto Go repository: `git clone https://go.googlesource.com/go && cd go`
2. Check out the dev.boringcrypto branch: `git checkout dev.boringcrypto`
3. Build Go: `cd src && ./all.bash`

Once Go is built, you can use it to create a Docker image.

```dockerfile
# Use the official Golang image as a base.
FROM golang:1.20.1-alpine3.17

# Install Git.
RUN apk update && apk upgrade && \
    apk add --no-cache bash git openssh

# Clone and build BoringCrypto Go.
RUN git clone https://go.googlesource.com/go /go-boringcrypto && \
    cd /go-boringcrypto && \
    git checkout dev.boringcrypto && \
    cd src && ./all.bash

# Add the BoringCrypto Go binary to PATH.
ENV PATH="/go-boringcrypto/bin:${PATH}"

# Set the current working directory inside the container.
WORKDIR /go/src
```

This Dockerfile will create a Docker image with the BoringCrypto build of Go, which you can use as the builder image in your application's Dockerfile. Remember to replace my-golang-boringcrypto:latest in the application Dockerfile with the name and tag of the BoringCrypto Go Docker image you created.

Please note that this information is based on the state of Go, Docker, and BoringCrypto as of my last update in September 2021, and things might have changed

v0lkan commented 1 year ago

Looks like boringcrypto is in the mainline now:

```dockerfile
RUN GOEXPERIMENT=boringcrypto go build . && \
    go tool nm fips-echo-server > tags.txt && \
    grep '_Cfunc__goboringcrypto_' tags.txt 1> /dev/null
```

ref:

v0lkan commented 1 year ago

Also update the documentation that FIPS mode incurs performance overhead; if you can use Age encryption, better stick with it.

some ref: https://www.druva.com/blog/overhead-boringssl-fips-mode-go

v0lkan commented 1 year ago

Done.