WIP FIPS Build

elastic · Jan 22, 2025 · d6d4430 · d6d4430
1 parent 27adc68
commit d6d4430
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/dev-tools/mage/build.go b/dev-tools/mage/build.go
@@ -74,6 +74,9 @@ func DefaultBuildArgs() BuildArgs {
 		// Remove all file system paths from the compiled executable, to improve build reproducibility
 		args.ExtraFlags = append(args.ExtraFlags, "-trimpath")
 	}
+	if FIPSBuild {
+		args.ExtraFlags = append(args.ExtraFlags, "-tags=requirefips")
+	}
 
 	return args
 }
@@ -175,6 +178,10 @@ func Build(params BuildArgs) error {
 	if params.CGO {
 		cgoEnabled = "1"
 	}
+	if FIPSBuild {
+		cgoEnabled = "1"
+		env["GOEXPERIMENT"] = "systemcrypto"
+	}
 	env["CGO_ENABLED"] = cgoEnabled
 
 	// Spec

diff --git a/dev-tools/mage/crossbuild.go b/dev-tools/mage/crossbuild.go
@@ -248,6 +248,9 @@ func CrossBuildImage(platform string) (string, error) {
 	if err != nil {
 		return "", err
 	}
+	if FIPSBuild {
+		return FIPSBuildImage + ":" + goVersion + "-1-fips-bookworm", nil
+	}
 
 	return BeatsCrossBuildImage + ":" + goVersion + "-" + tagSuffix, nil
 }
@@ -331,6 +334,7 @@ func (b GolangCrossBuilder) Build() error {
 		"--env", "MAGEFILE_VERBOSE="+verbose,
 		"--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""),
 		"--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot),
+		"--env", fmt.Sprintf("FIPS=%v", FIPSBuild),
 		"-v", repoInfo.RootDir+":"+mountPoint,
 		"-w", workDir,
 	)

diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
@@ -44,6 +44,8 @@ const (
 	beatsFPMImage = "docker.elastic.co/beats-dev/fpm"
 	// BeatsCrossBuildImage is the image used for crossbuilding Beats.
 	BeatsCrossBuildImage = "docker.elastic.co/beats-dev/golang-crossbuild"
+	//FIPSBuildImage is the image used for building FIPS compliant artifacts
+	FIPSBuildImage = "mcr.microsoft.com/oss/go/microsoft/golang"
 
 	elasticBeatsImportPath = "github.com/elastic/beats"
 
@@ -79,8 +81,9 @@ var (
 
 	BeatProjectType ProjectType
 
-	Snapshot bool
-	DevBuild bool
+	Snapshot  bool
+	DevBuild  bool
+	FIPSBuild bool
 
 	versionQualified bool
 	versionQualifier string
@@ -128,6 +131,11 @@ func init() {
 		panic(fmt.Errorf("failed to parse DEV env value: %w", err))
 	}
 
+	FIPSBuild, err = strconv.ParseBool(EnvOr("FIPS", "false"))
+	if err != nil {
+		panic(fmt.Errorf("failed to parse FIPS env value: %w", err))
+	}
+
 	versionQualifier, versionQualified = os.LookupEnv("VERSION_QUALIFIER")
 }
 
@@ -179,6 +187,7 @@ func varMap(args ...map[string]interface{}) map[string]interface{} {
 		"BeatUser":        BeatUser,
 		"Snapshot":        Snapshot,
 		"DEV":             DevBuild,
+		"FIPS":            FIPSBuild,
 		"Qualifier":       versionQualifier,
 		"CI":              CI,
 	}