FIPS: Add pom profile to build fips compliant boringSSL netty-tcnative #821

Merged (5 commits) on Oct 5, 2023

@k-raina (Contributor) commented Sep 6, 2023

Motivation:

As discussed in issue, considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.

Setup Configurations:

Tools: cmake 3.20, ninja build 1.10.0, clang-12, golang, java 11, maven 3.6.3, libapr1, automake, autoconf, libtool, libunwind-dev, pkg-config

The FIPS-validated BoringSSL commit used is 853ca1ea1168dff08011e5d42d94609cc0ca2e27

Build Steps:

  • Run Maven:
      mvn clean install -f boringssl-static/pom.xml -Pfips-boringssl-static
  • While the build is running you should see in the logs:
      ...
      Boringssl is fips compliant
      ...
  • After the build steps are completed you should see jars, e.g.:
      .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final.jar
      .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar

Modifications:

  • Added pom profile fips-boringssl-static for FIPS compliance

Tested on:

Tested on Linux AMD and ARM machines, which are supported as per the FIPS security document attached in the reference.
Output: https://drive.google.com/file/d/1eAFUIrHLbB7xiTpxHPs__N3Ha_Ltli76/view?usp=sharing

Reference:

Guidance on how to build FIPS validated modules: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf

@normanmaurer (Member)

I think we could pull this in to make things easier for people. I am not sure yet about including this in our release process. But that's a different discussion.

@k-raina k-raina changed the title FIPS: Add pom profile to build fips compliant netty-tcnative FIPS: Add pom profile to build fips compliant BoringSSL netty-tcnative Sep 20, 2023
@k-raina k-raina changed the title FIPS: Add pom profile to build fips compliant BoringSSL netty-tcnative FIPS: Add pom profile to build fips compliant boringSSL netty-tcnative Sep 20, 2023
@k-raina (Contributor Author) commented Sep 25, 2023

Thanks @normanmaurer,
I have added sample output and build details in the description.
Please let me know if anything else is needed to merge this branch to master? Thanks in advance.

@k-raina k-raina marked this pull request as ready for review September 25, 2023 20:26
</execution>
</executions>
<configuration>
<url>https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz</url>
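Review bot: The `<url>` in this `<configuration>` identifies the BoringSSL tarball only by the commit hash embedded in its file name, and no checksum is visible next to it in these lines, so the build would accept whatever is served under that name. For a FIPS build, where the exact validated source matters, consider pinning the archive's digest beside the URL (if the download plugin in use has a checksum parameter) and failing the build on a mismatch. Moving the commit hash into a single property would also keep the URL and any other reference to it from drifting apart when the validated version changes.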
Member

How would we keep track of the right tarball to download?

@k-raina (Contributor Author) Sep 26, 2023

@normanmaurer (Member)

@k-raina can you please sign our icla: https://netty.io/s/icla and let me know once done?

@k-raina (Contributor Author) commented Sep 29, 2023

@normanmaurer I have signed icla. Can I go ahead and merge?

@normanmaurer normanmaurer merged commit 62b0a1a into netty:main Oct 5, 2023
7 checks passed
@normanmaurer normanmaurer added this to the 2.0.62.Final milestone Oct 5, 2023
@normanmaurer (Member)

@k-raina thanks a lot!
