From 24bf1a9b5d8411ff95c590bdb3eb5c2d0b4a665a Mon Sep 17 00:00:00 2001
From: Simran Singh
Date: Wed, 15 May 2024 05:18:34 +0000
Subject: [PATCH] project docs, helper scripts, sample Dockerfile
---
docs/build.md | 49 +++++++++++++++++++++++++++++++++++++++
docs/deps.md | 1 +
docs/openssl.md | 1 +
docs/overview.md | 1 +
docs/test-conf.md | 1 +
scripts/Dockerfile.sample | 43 ++++++++++++++++++++++++++++++++++
scripts/build1.sh | 11 +++++++++
scripts/build2.sh | 49 +++++++++++++++++++++++++++++++++++++++
8 files changed, 156 insertions(+)
create mode 100644 docs/build.md
create mode 100644 docs/deps.md
create mode 100644 docs/openssl.md
create mode 100644 docs/overview.md
create mode 100644 docs/test-conf.md
create mode 100644 scripts/Dockerfile.sample
create mode 100755 scripts/build1.sh
create mode 100755 scripts/build2.sh
diff --git a/docs/build.md b/docs/build.md
new file mode 100644
index 0000000000..2129414495
--- /dev/null
+++ b/docs/build.md
@@ -0,0 +1,49 @@
+# Building a go binary that includes golang-fips patches
+
+## Env variables
+
+`GOEXPERIMENT=strictfipsruntime` helps ensure a fips compliant binary is built. Note that this is functionally equivalent of
+
+```
+GO_BUILDTAGS+="goexperiment.strictfipsruntime"
+```
+
+## Native build - Method 1
+
+The easiest way to do is to simply clone this repo, apply patches and from the internal go/src directory run ./make.bash. See a more comprehensive script at `scripts/build1.sh`
+
+```
+git clone https://github.com/golang-fips/go.git golang-fips
+cd golang-fips
+./scripts/full-initialize-repo.sh go$GOLANG_VER
+cd go/src
+./make.bash --no-clean
+```
+
+## Native build - Method 2
+
+Another way is to directly apply fips patches on downloaded go and golang-fips binaries. See full script at `scripts/build2.sh`
+
+```
+wget https://github.com/golang/go/archive/refs/tags/go1.22.2.tar.gz
+wget https://github.com/golang-fips/go/archive/refs/tags/go1.22.2-1-openssl-fips.tar.gz
+tar -xf go1.22.2.tar.gz
+tar -xf go1.22.2-1-openssl-fips.tar.gz
+cd go-go1.22.2
+for patch in ../go-go1.22.2-1-openssl-fips/patches/*.patch; do
+ patch -p1 < "${patch}"
+done
+cd src
+./make.bash --no-clean
+```
+
+## Container Build
+
+So far the two methods above described steps to build golang natively. To build golang inside a container, copy the sample Dockerfile located at scripts/Dockerfile.sample to a new directory, modify it to add distro specific variables and run docker/podman on it.
+
+```
+mkdir build-context
+cp scripts/Dockerfile.sample scripts/Dockerfile
+# modify it to make it distro specific
+podman/docker build .
+```
diff --git a/docs/deps.md b/docs/deps.md
new file mode 100644
index 0000000000..3c3f15c798
--- /dev/null
+++ b/docs/deps.md
@@ -0,0 +1 @@
+# Dependencies
diff --git a/docs/openssl.md b/docs/openssl.md
new file mode 100644
index 0000000000..fef371ed96
--- /dev/null
+++ b/docs/openssl.md
@@ -0,0 +1 @@
+# OpenSSL considerations
diff --git a/docs/overview.md b/docs/overview.md
new file mode 100644
index 0000000000..9a0f7f9b73
--- /dev/null
+++ b/docs/overview.md
@@ -0,0 +1 @@
+# Overview here
diff --git a/docs/test-conf.md b/docs/test-conf.md
new file mode 100644
index 0000000000..7b82c2bc1f
--- /dev/null
+++ b/docs/test-conf.md
@@ -0,0 +1 @@
+# Test configuration
diff --git a/scripts/Dockerfile.sample b/scripts/Dockerfile.sample
new file mode 100644
index 0000000000..c6f2201ca9
--- /dev/null
+++ b/scripts/Dockerfile.sample
@@ -0,0 +1,43 @@
+FROM
+
+ARG GOLANG_VER=1.21.9
+# turn on FIPS and CGO_ENABLED by default
+ARG FIPS=1
+ARG GODEBUG=0
+ARG CGO_ENABLED=1
+
+# certain env need proxy to download from github
+ENV http_proxy=""
+ENV https_proxy=""
+ENV no_proxy=""
+
+ENV GOLANG_FIPS=$FIPS
+ENV GODEBUG=$GODEBUG
+ENV CGO_ENABLED=1
+
+# distro specific package manager
+# need bootstrap golang to build go, will be removed later
+RUN dnf/apt install -y git wget golang && \
+ dnf/apt groupinstall -y "Development Tools"
+
+RUN go version
+RUN echo "GOROOT_BOOTSTRAP = / by default so will use installed go as compiler"
+RUN git config --global user.email ""
+RUN git config --global user.name ""
+
+RUN git clone https://github.com/golang-fips/go.git golang-fips && cd golang-fips && \
+ GOLANG_VER_SHORT=${GOLANG_VER%.*} && \
+ git fetch origin go${GOLANG_VER_SHORT}-fips-release && git checkout go${GOLANG_VER_SHORT}-fips-release && \
+ ./scripts/full-initialize-repo.sh go$GOLANG_VER
+
+RUN cd golang-fips/go && \
+ cd src && ./make.bash --no-clean
+
+# rm bootstrap golang
+RUN dnf -y erase golang
+
+ENV PATH=/golang-fips/go/bin:$PATH:/usr/local/go/bin
+ENV GOPATH=$HOME/go
+ENV PATH=$PATH:$GOPATH/bin
+
+RUN go version
diff --git a/scripts/build1.sh b/scripts/build1.sh
new file mode 100755
index 0000000000..d434552080
--- /dev/null
+++ b/scripts/build1.sh
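Review bot: The clone step in scripts/Dockerfile.sample checks out the moving branch `go${GOLANG_VER_SHORT}-fips-release` with no pinned tag or commit, so two builds with the same `GOLANG_VER` can pick up different patch sets; the `full-initialize-repo.sh go$GOLANG_VER` argument names a specific Go version, but the patch side stays unpinned. Checking out a release tag in the form the docs already use (`go<GOLANG_VER>-<rel>-openssl-fips`), or accepting a commit through a build `ARG`, would make the toolchain image reproducible and should be explained in the comment above that `RUN`. Two smaller inconsistencies: `ARG CGO_ENABLED=1` is declared but never consumed because the later line hardcodes `ENV CGO_ENABLED=1` instead of `ENV CGO_ENABLED=$CGO_ENABLED`, and the cleanup `RUN dnf -y erase golang` has no `apt` counterpart although the install line is written as `dnf/apt`. The `ENV http_proxy=""` / `https_proxy` / `no_proxy` trio also persists into the runtime image; build-time `ARG`s (or `--build-arg`) would keep proxy settings out of the final environment.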
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+# this script builds a go binary after applying openssl fips patches.
+
+set -x
+export GOLANG_VER=1.22.2
+[[ -d go ]] || ./scripts/full-initialize-repo.sh go$GOLANG_VER
+cd go/src
+export GO_BUILDTAGS+="goexperiment.strictfipsruntime"
+export CGO_ENABLED=1
+./make.bash --no-clean
+{ set +x ; } 2>/dev/null
diff --git a/scripts/build2.sh b/scripts/build2.sh
new file mode 100755
index 0000000000..0df3a28501
--- /dev/null
+++ b/scripts/build2.sh
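Review bot: scripts/build1.sh runs `cd go/src` and then `./make.bash` without `set -e`, so if `full-initialize-repo.sh` fails or the `cd` fails the build continues in whatever directory the script was started from and the exit status reflects only the last command; changing the existing line to `set -ex` (or `set -euo pipefail`) would stop at the first failure. The script also assumes it is invoked from the repository root, since `./scripts/full-initialize-repo.sh` and `go/src` are relative paths; a header comment such as `# run from the repo root: ./scripts/build1.sh` would make that explicit. Note that build2.sh sets `GO_BUILDTAGS+="goexperiment.strictfipsruntime,!no_openssl"` while this script omits `!no_openssl`; if the two scripts are meant to produce equivalent binaries the tag lists should agree, and if the difference is intentional a comment should say why.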
@@ -0,0 +1,49 @@
+#! /usr/bin/env bash
+# this script builds a go binary after applying openssl fips patches one by one.
+#
+export GOLANG_VER=1.22.2
+export GOLANG_REL=1
+
+# variables to store tar file names
+GO_TAR_NAME=go$GOLANG_VER
+PATCH_TAR_NAME=go$GOLANG_VER-$GOLANG_REL-openssl-fips
+GO_SRC_TAR=$GO_TAR_NAME.tar.gz
+PATCH_TAR=$PATCH_TAR_NAME.tar.gz
+
+# after untar, the dir names are stored in PATCH_DIR and SRC_DIR
+SRC_DIR=go-$GO_TAR_NAME
+PATCH_DIR=go-$PATCH_TAR_NAME
+TOP_DIR=/tmp/golang-fips/build2
+# If the go src dir ends up in a weird state where in patches are failing to apply, you might want to remove the $TOP_DIR (rm -rf /tmp/golang-fips/build2) to start with a clean slate.
+PATCH_PATH=$TOP_DIR/$PATCH_DIR/patches
+
+# this file stores state of last applied patch, that way patches are not reapplied
+PATCH_STATE=$TOP_DIR/state
+set -x
+[[ -d $TOP_DIR ]] || mkdir -p $TOP_DIR
+cd $TOP_DIR
+
+[[ -f $GO_SRC_TAR ]] || wget -q --show-progress https://github.com/golang/go/archive/refs/tags/$GO_SRC_TAR
+[[ -f $PATCH_TAR ]] || wget -q --show-progress https://github.com/golang-fips/go/archive/refs/tags/$PATCH_TAR
+[[ -d $SRC_DIR ]] || tar -xf $GO_SRC_TAR
+[[ -d $PATCH_DIR ]] || tar -xf $PATCH_TAR
+
+cd $SRC_DIR
+{ set +x; } 2>/dev/null
+if [[ -f $PATCH_STATE && "$(cat $PATCH_STATE)" == "complete" ]]; then
+ echo "patches already applied. skipping"
+else
+ for patch in $PATCH_PATH/*.patch; do
+ patch -p1 < "${patch}"
+ [[ $? -eq 0 ]] || { echo "incomplete" > $PATCH_STATE; break; exit 1; }
+ done
+fi
+
+echo "complete" > $PATCH_STATE
+# patches have been supplied successfully, simply build like above.
+set -x
+cd src
+export GO_BUILDTAGS+="goexperiment.strictfipsruntime,!no_openssl"
+export CGO_ENABLED=1
+./make.bash --no-clean
+{ set +x; } 2>/dev/null
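Review bot: In scripts/build2.sh a failing patch does not stop the build: the handler `{ echo "incomplete" > $PATCH_STATE; break; exit 1; }` never reaches `exit 1` because `break` leaves the loop first, and the unconditional `echo "complete" > $PATCH_STATE` after the `fi` then overwrites the state file, so the build proceeds on a half-patched tree and the next run skips patching entirely. Replacing the two loop lines with `patch -p1 < "${patch}" || { echo "incomplete" > "$PATCH_STATE"; exit 1; }` and moving the `echo "complete"` into the `else` branch after the loop fixes both. The two archives are fetched with `wget` and extracted with no integrity check; recording the expected SHA-256 of each tarball alongside `GOLANG_VER`/`GOLANG_REL` and running `sha256sum -c` before `tar -xf` would make the patched toolchain reproducible and detect a tampered or truncated download. `TOP_DIR=/tmp/golang-fips/build2` is a fixed, predictable path under a shared directory that the script reuses when it already exists, so on a multi-user host a location under `$HOME` (or one created with `mktemp -d`) would avoid building from contents another user could have placed there.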