
Use labkit for fips check

Vishal Tak requested to merge fips-labkit into master

What does this MR do?

labkit v1.14.0 added support for performing fips checks. This MR removes the existing code from pages and uses labkit for it.

The fips build tag is used instead of boringcrypto in labkit to align with business names and to avoid inheriting the build tag dependency.

Testing

# building pages on a FIPS machine
gitlab-pages git:(fips-labkit) ✗ FIPS_MODE=1 make gitlab-pages
mkdir -p .GOPATH
GOBIN=/home/ec2-user/gitlab-pages/bin go install -v -ldflags="-X "main.VERSION=1.57.0" -X "main.REVISION=833b02a"" -tags "continuous_profiler_stackdriver,fips" -buildmode exe gitlab.com/gitlab-org/gitlab-pages
GO_BUILD_ID=$( go tool buildid /home/ec2-user/gitlab-pages/bin/gitlab-pages ) && \
GNU_BUILD_ID=$( echo $GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
 GOBIN=/home/ec2-user/gitlab-pages/bin go install -v -ldflags="-X "main.VERSION=1.57.0" -X "main.REVISION=833b02a" -B 0x$GNU_BUILD_ID" -tags "continuous_profiler_stackdriver,fips" -buildmode exe gitlab.com/gitlab-org/gitlab-pages
go tool nm /home/ec2-user/gitlab-pages/bin/gitlab-pages | grep boringcrypto >/dev/null &&  echo "binary is correctly built in FIPS mode" || (echo "binary is not correctly built in FIPS mode" && exit 1)
binary is correctly built in FIPS mode
cp -f /home/ec2-user/gitlab-pages/bin/gitlab-pages .
# checking if boring function are properly compiled
gitlab-pages git:(fips-labkit) ✗ go tool nm gitlab-pages | grep _Cfunc__goboringcrypto_
  401870 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
  4018f0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bn2bin
  401960 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
  401c30 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_new
  4019a0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_num_bytes
  401a00 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_DLOPEN_OPENSSL
...
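The symbol check in the testing log above (`go tool nm ... | grep boringcrypto` and the `_Cfunc__goboringcrypto_` listing) is the observable evidence that a binary was really linked against BoringCrypto. The following Go program is an added example, not code from this MR, from gitlab-pages or from labkit: it turns that manual grep into a small post-build verifier that parses `go tool nm` output and decides whether the binary carries the BoringCrypto bindings. The sample nm listings embedded in it are constructed from the lines shown in the log; the `boringMarker` constant and a minimum-symbol threshold are the example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// boringMarker is the stable part of the cgo symbol name that the Go
// BoringCrypto bindings emit for every wrapped BoringSSL function. The
// 12-hex-digit cgo package hash that precedes it (e.g. _cgo_71ae3cd1ca33_)
// changes between builds, so only the suffix is matched. (Assumption of
// this example; it mirrors the grep pattern used in the MR's testing log.)
const boringMarker = "_Cfunc__goboringcrypto_"

// sampleFIPSNm is a constructed excerpt of `go tool nm` output for a
// binary built with the fips tag: six BoringCrypto bindings plus two
// ordinary Go symbols.
const sampleFIPSNm = `  401870 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bin2bn
  4018f0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_bn2bin
  401960 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_free
  401c30 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_new
  4019a0 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_BN_num_bytes
  401a00 T _cgo_71ae3cd1ca33_Cfunc__goboringcrypto_DLOPEN_OPENSSL
  4c0000 T main.main
  6a0000 D runtime.buildVersion
`

// samplePlainNm is a constructed excerpt for a binary built without the
// fips tag: the same Go symbols, no BoringCrypto bindings at all.
const samplePlainNm = `  4c0000 T main.main
  4c1000 T crypto/sha256.(*digest).Write
  6a0000 D runtime.buildVersion
`

// BoringSymbols parses `go tool nm` text output (one "address type name"
// triple per line) and returns the name of every symbol that belongs to
// the BoringCrypto bindings. Blank or short lines are skipped rather than
// reported as errors, since nm output for a large binary is long and uneven.
func BoringSymbols(nmOutput string) []string {
	var found []string
	sc := bufio.NewScanner(strings.NewReader(nmOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 {
			continue
		}
		if strings.Contains(fields[2], boringMarker) {
			found = append(found, fields[2])
		}
	}
	return found
}

// BuiltInFIPSMode reports whether the listing contains at least minSymbols
// BoringCrypto bindings. Requiring more than a single hit guards against a
// lone string or stub symbol satisfying the check by accident.
func BuiltInFIPSMode(nmOutput string, minSymbols int) bool {
	return len(BoringSymbols(nmOutput)) >= minSymbols
}

// main runs the check against a real binary when a path is given on the
// command line, and against the constructed samples otherwise.
func main() {
	if len(os.Args) > 1 {
		out, err := exec.Command("go", "tool", "nm", os.Args[1]).Output()
		if err != nil {
			fmt.Fprintln(os.Stderr, "go tool nm failed:", err)
			os.Exit(2)
		}
		if !BuiltInFIPSMode(string(out), 3) {
			fmt.Println("binary is not correctly built in FIPS mode")
			os.Exit(1)
		}
		fmt.Println("binary is correctly built in FIPS mode")
		return
	}
	fmt.Println("fips sample:", BuiltInFIPSMode(sampleFIPSNm, 3))   // true
	fmt.Println("plain sample:", BuiltInFIPSMode(samplePlainNm, 3)) // false
	for _, s := range BoringSymbols(sampleFIPSNm) {
		fmt.Println(" ", s)
	}
}
```

Run it as `go run verify_fips.go ./gitlab-pages` (the file name is arbitrary) after a `FIPS_MODE=1 make gitlab-pages` build; the exit status matches the shape of the one-liner in the Makefile output above, so it can sit in a CI job as a second, independent gate that does not depend on how the build tag was spelled.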

TODO

Edited by Vishal Tak
