FIPS 140-2 compliant GitLab Runner for amd64, RHEL
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Release notes
For some GitLab customers, US government regulatory requirements require the use of FIPS (Federal Information Processing Standards) compliant software. The Federal Information Processing Standard PUB 140-2 (FIPS 140-2) and FIPS 140-3 define the security requirements for cryptographic modules used in computer and telecommunication systems and within cyber systems protecting sensitive information. To be considered FIPS 140-2 compliant means that the product must only use FIPS validated cryptography libraries. For GitLab Runner, this means that we have to distribute a version of GitLab Runner that uses a separate Go toolchain and replaces the standard cryptographic modules with FIPS validated modules. Today we are pleased to announce the release of a FIPS 140-2 compliant GitLab Runner for amd64 compute architectures and Red Hat Enterprise Linux (RHEL) distributions.
Supported Distros and Compute Architectures
- Note: For this release, only Red Hat Enterprise Linux (RHEL) distros and amd64 compute architectures are supported.
Documentation
Overview
- As part of a larger initiative, we evaluated the work required to make GitLab Runner FIPS 140-2 compliant. This feature delivers on iteration 1 from that analysis.
Proposal Iteration 1 (FIPS 140-2 Compliance)
- Build a separate GitLab Runner binary for FIPS.
- Compile-out any libraries that don’t use supported algorithms.
- Switch from MD5 to SHA-1 in the Runner codebase.
- Check if there are any other unsupported algorithms that are being used in the Runner
- Establish automated checks which disallow unsupported algorithms in the codebase
- Establish a rudimentary set of integration tests which verify that basic functionality works: e.g. registration since that uses TLS, which in turn uses the FIPS libraries
- Depending on whether we want to be FIPS Compliant or FIPS Validated we should be Compliant at this point. Note: If all we want is to be compliant we can choose to not compile-out libraries that use unsupported algorithms as long as the operation isn't part of any cryptographic operation but merely used as a hash. But that's less black and white.