Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(fips): enforce requirements for fips mode #16031

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat(fips): enforce requirements for fips mode #16031

wants to merge 3 commits into from
+88 −0

Conversation

kruskall
Copy link
Member

@kruskall kruskall commented Mar 5, 2025

Motivation/summary

enforce fips140=only in fips mode
enforce -tags=requirefips in fips mode

Checklist

For functional changes, consider:

  • Is it observable through the addition of either logging or metrics?
  • Is its use being published in telemetry to enable product improvement?
  • Have system tests been added to avoid regression?

How to test these changes

Related issues

@kruskall
feat(fips): enforce requirements for fips mode
0da2a2c 
enforce fips140=only in fips mode
enforce -tags=requirefips in fips mode
@kruskall kruskall requested a review from a team as a code owner March 5, 2025 19:22
@mergify Mergify
Copy link
Contributor

mergify bot commented Mar 5, 2025

This pull request does not have a backport label. Could you fix it @kruskall? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-7.17 is the label to automatically backport to the 7.17 branch.
  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • backport-9./d is the label to automatically backport to the 9./d branch. /d is the digit.
  • backport-8.x is the label to automatically backport to the 8.x branch.
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@kruskall kruskall added backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch labels Mar 5, 2025
@kruskall
fix: move godebug to main package
b71acbe 
//go:debug lines can only be in main packages
@kruskall
Copy link
Member Author

kruskall commented Mar 5, 2025

mmh, the godebug issue should be fixed in go 1.24.1

1pkg
1pkg reviewed Mar 6, 2025
View reviewed changes
internal/fips140/fips.go
package fips140

func CheckFips() {
// all good
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we actually panic if !cryptofips.Enabled() here?

1pkg
1pkg reviewed Mar 6, 2025
View reviewed changes
internal/fips140/nofips.go
import cryptofips "crypto/fips140"

func CheckFips() {
if cryptofips.Enabled() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to panic if fips is not required but was enabled anyway?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@1pkg 1pkg 1pkg left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch backport-9.0 Automated backport to the 9.0 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kruskall @1pkg