FIPS: Add pom profile to build fips compliant boringSSL netty-tcnative #821
I think we could pull this in to make things easier for people. I am not sure yet about including this in our release process. But that's a different discussion.
Thanks @normanmaurer,
boringssl-static/pom.xml
</execution> | ||
</executions> | ||
<configuration> | ||
<url>https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz</url> |
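Review bot: the `<url>` line pins the FIPS tarball only by the commit hash embedded in its file name, and the lines shown here carry no checksum for the downloaded archive. Since the point of this profile is to compile exactly the validated source, consider recording the expected SHA-256 of `boringssl-853ca1ea1168dff08011e5d42d94609cc0ca2e27.tar.xz` next to the URL and failing the build on a mismatch. Building the URL from a single property that also drives the checked-out commit would keep the tarball and the commit from drifting apart.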
How would we keep track of the right tar ball to download?
Updated in commit: d1e16ba
Tar ball uses the same boringssl commit set in the environment: https://github.com/netty/netty-tcnative/pull/821/files#diff-9f1aa030fe8568dc7f081010d6f14b6d2c26ea2170502365e8f1ebe3f3e58607R86
@k-raina can you please sign our icla: https://netty.io/s/icla and let me know once done?
@normanmaurer I have signed icla. Can I go ahead and merge?
@k-raina thanks a lot!
Motivation:
As discussed in issue, considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.
Setup Configurations:
Tools: cmake 3.20, ninja build 1.10.0, clang-12, golang, java 11, maven 3.6.3, libapr1, automake, autoconf, libtool, libunwind-dev, pkg-config
FIPS validated BoringSSL commit used is 853ca1ea1168dff08011e5d42d94609cc0ca2e27
Build Steps:
Modifications:
fips-boringssl-static
for fips compliant
Tested on:
Tested on linux AMD and ARM machines, which are supported as per FIPS security document attached in reference.
Output: https://drive.google.com/file/d/1eAFUIrHLbB7xiTpxHPs__N3Ha_Ltli76/view?usp=sharing
Reference:
Guidance on how to build FIPS validated modules: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf