Compile FIPS rust binaries #173
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Forced push includes:
|
bcressey
reviewed
Oct 9, 2024
|
(Forced push includes a rebase) |
|
(Forced push includes a rebase onto develop and #197 ) |
|
Forced push includes:
I'll keep it as a draft until I remove my |
|
(forced update removes hack commit to bump twoliter's version) |
bcressey
reviewed
Oct 17, 2024
|
Forced push includes:
|
ginglis13
reviewed
Oct 21, 2024
ginglis13
approved these changes
Oct 21, 2024
bcressey
reviewed
Oct 21, 2024
|
Forced push includes:
|
|
(Forced push updates commit messages to drop extra |
|
(Forced push updates commit message for |
|
(Forced push fixes nits in commit messages) |
|
Forced push includes:
|
bcressey
reviewed
Oct 23, 2024
There was a problem hiding this comment.
CI is failing and has a suggested fix for Cargo.toml:
error: unexpected `cfg` condition name: `crypto_unstable`
--> aws-smithy-experimental/src/hyper_1_0.rs:687:11
|
687 | #[cfg(crypto_unstable)]
| ^^^^^^^^^^^^^^^
|
= help: expected names are: `clippy`, `debug_assertions`, `doc`, `docsrs`, `doctest`, `feature`, `miri`, `overflow_checks`, `panic`, `proc_macro`, `relocation_model`, `rustfmt`, `sanitize`, `sanitizer_cfi_generalize_pointers`, `sanitizer_cfi_normalize_integers`, `target_abi`, `target_arch`, `target_endian`, `target_env`, `target_family`, `target_feature`, `target_has_atomic`, `target_has_atomic_equal_alignment`, `target_has_atomic_load_store`, `target_os`, `target_pointer_width`, `target_thread_local`, `target_vendor`, `test`, `ub_checks`, `unix`, and `windows`
= help: consider using a Cargo feature instead
= help: or consider adding in `Cargo.toml` the `check-cfg` lint config for the lint:
[lints.rust]
unexpected_cfgs = { level = "warn", check-cfg = ['cfg(crypto_unstable)'] }
Comment on lines
1
to
4
| allowed_external_types = [ | ||
| "aws_smithy_runtime_api::*", | ||
| "aws_smithy_async::*" | ||
| ] |
COPYRIGHT
Outdated
|
|
||
| =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= | ||
|
|
||
| Contains modified aws-smithy-experimental files [README.md, Cargo.toml] from |
There was a problem hiding this comment.
I would drop this specific list and update this in a PR that actually adds source code changes:
Contains aws-smithy-experimental files from
COPYRIGHT
Outdated
| =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= | ||
|
|
||
| Contains modified aws-smithy-experimental files [README.md, Cargo.toml] from | ||
| https://github.com/smithy-lang/smithy-rs/tree/HEAD/rust-runtime/aws-smithy-experimental 2024-10-22. |
There was a problem hiding this comment.
This should point to a stable commit or release tag of some kind.
|
Forced push includes:
|
ginglis13
reviewed
Oct 23, 2024
| @@ -286,6 +286,8 @@ where | |||
|
|
|||
| /// Uses the reqwest library to send a GET request to `URL` and returns the response. | |||
| fn send_get_request(url: &str) -> Result<Response> { | |||
| let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); | |||
There was a problem hiding this comment.
do we want to install_default() in respective main / run functions for our sources ?
applications should call CryptoProvider::install_default() early in their fn main(). If applications uses a custom provider based on the one built-in, they can activate the custom-provider feature to ensure its usage.
I see that's done for other cases of install_default() in this PR
There was a problem hiding this comment.
I didn't want to install the default provider unless really necessary. For logdog, that's only when the request type is http or https.
bcressey
approved these changes
Oct 23, 2024
| description = "Experiments for the smithy-rs ecosystem" | ||
| edition = "2021" | ||
| license = "Apache-2.0" | ||
| repository = "https://github.com/smithy-lang/smithy-rs" |
There was a problem hiding this comment.
nit: we should set publish = false here, and remove the repo URL, since we don't want to ever publish this fork of the crate
Vend `aws-smithy-experimental` so that we can use the APIs required to support Proxies in AWS SDK clients Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Add `tls` feature flag to allow consumers of the crate opt-in to TLS connections when required. Additionally, add `fips` feature flag to constrain any TLS connection to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]> Signed-off-by: Ben Cressey <[email protected]>
Force the `aws-lc-rs` crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]> Signed-off-by: Ben Cressey <[email protected]>
Force the `aws-lc-rs` rustls' crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Force the `aws-lc-rs` rustls crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Force the `aws-lc-rs` rustls crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Force the `aws-lc-rs` rustls' crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Force the `aws-lc-rs` rustls' crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Also migrate to HyperClientBuilder exposed by `aws-smithy-experiment` Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Force the `aws-lc-rs` crypto provider and expose the `fips` feature flag to constrain the binary to FIPS ciphers. Initial migration to HyperClientBuilder provided by `aws-smithy-experimental` Signed-off-by: Arnaldo Garcia Rincon <[email protected]> Signed-off-by: Ben Cressey <[email protected]>
Refactor how the Rust binaries that require FIPS treatment are provided and installed. Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
Now all Rust builds should pass the check-fips check Signed-off-by: Arnaldo Garcia Rincon <[email protected]>
|
Forced push includes:
|
ginglis13
approved these changes
Oct 23, 2024
jpculp
reviewed
Oct 23, 2024
bcressey
approved these changes
Oct 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue number:
Related: bottlerocket-os/bottlerocket#1667
Description of changes:
The first commit in the series adds
rustlsandaws-smithy-experimentalto the workspace dependencies, so that crates that depend on these libraries can enforce the FIPS flags each expose.The subsequent commits add a
fipsflag to the binaries flagged by thecheck-fipsscript in the Bottlerocket SDK. In #191, thecheck-fipswas disabled in Rust programs that required the FIPS treatment but in this series the checks are re-enabled.The spec files for
oswas updated to provide thefips-binpackage for any binary that needs it. This resembles what's already done forGopackages so that the correct binaries are installed in the image when thefipsimage flag is used while building a variant.plutowas modified to split the HTTP Proxy support, given thataws-smithy-experimentaldoesn't expose the same APIs as the "stable"aws-smithy.Testing done:
fipsimage flag inaws-k8s-1.30, and confirmed thefips-binpackages were installed:[root@admin]# cat /.bottlerocket/rootfs/x86_64-bottlerocket-linux-gnu/sys-root/usr/share/bottlerocket/application-inventory.json | jq '.Content[].Name' -r | grep fips-bin apiclient-fips-bin aws-iam-authenticator-fips-bin aws-signing-helper-fips-bin cfsignal-fips-bin cni-plugins-fips-bin containerd-fips-bin early-boot-config-aws-fips-bin ecr-credential-provider-1.30-fips-bin host-ctr-fips-bin hostname-imds-fips-bin kubelet-1.30-fips-bin logdog-fips-bin metricdog-fips-bin migration-fips-bin pluto-fips-bin runc-fips-bin shibaken-fips-bin updog-fips-bin/usr/bin/and/usr/libexecare actually the FIPS binaries and not their non-FIPS counterpart.Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.