FIPS Build #42402

44 changes: 43 additions & 1 deletion dev-tools/mage/build.go
@@ -24,6 +24,7 @@
"log"
"os"
"path/filepath"
"regexp"
"strings"

"github.com/josephspurrier/goversioninfo"
@@ -46,6 +47,39 @@
WinMetadata bool // Add resource metadata to Windows binaries (like add the version number to the .exe properties).
}

// buildTagRE is a regexp to match strings like "-tags=abcd"
// but does not match "-tags= "
var buildTagRE = regexp.MustCompile(`-tags=([\S]+)`)

// ParseExtraFlags returns the ExtraFlags param where all flags that are go build tags are joined by a comma.
//
// For example if given -someflag=val1 -tags=buildtag1 -tags=buildtag2
// It will return -someflag=val1 -tags=buildtag1,buildtag2
func (b BuildArgs) ParseExtraFlags() []string {
Comment on lines +54 to +58
Contributor Author

When building agentbeat without this parsing, it results in two -tags= values being sent to the go build command. One tag gets ignored; this resulted in the behaviour in my previous comment, where I then had to adjust a runtime env var to get the binary in compliance.

Parsing the extra flags to join all -tags= flags is required in order to send -tags=agentbeat,requirefips which produced a binary that works as expected.

Contributor


How does this interact with the build tags for testing? I'm thinking of "integration" as an example. I'm assuming we will need tests that require both a testing build tag and the fips build tag.

testArgs = append(testArgs, "-tags", params)

Contributor Author


Thanks, I've altered gotest.go to join the tags with a comma to be consistent.

flags := make([]string, 0)
if len(b.ExtraFlags) == 0 {
return flags
}

buildTags := make([]string, 0)
for _, flag := range b.ExtraFlags {
if buildTagRE.MatchString(flag) {
arr := buildTagRE.FindStringSubmatch(flag)
if len(arr) != 2 {
log.Printf("Parsing buildargs.ExtraFlags found strange flag %q ignoring value", flag)
continue
}
buildTags = append(buildTags, arr[1])
} else {
flags = append(flags, flag)
}
}
if len(buildTags) > 0 {
flags = append(flags, "-tags="+strings.Join(buildTags, ","))
}
return flags
}

// DefaultBuildArgs returns the default BuildArgs for use in builds.
func DefaultBuildArgs() BuildArgs {
args := BuildArgs{
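Review bot: buildTagRE (`-tags=([\S]+)`) is unanchored, so MatchString also fires on any argument that merely contains `-tags=`; a hypothetical `-ldflags=-X pkg.v=-tags=x` would be removed from flags and its tail `x` turned into a build tag. Anchor it as `^-tags=(\S+)$`. The MatchString call followed by FindStringSubmatch evaluates the regexp twice, and the `len(arr) != 2` branch cannot be reached once MatchString has succeeded on a pattern with exactly one capture group; a single FindStringSubmatch with a nil check does the job. Two smaller points: the two-argument form `-tags integration` that go build also accepts is not recognised and would still reach the compiler as a second -tags flag, which is precisely the dropped-tag case the thread above describes; and the merge only happens in Build(), so every other consumer of ExtraFlags (gotest.go is mentioned in the thread) needs the same treatment or it will keep losing a tag.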
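The comment thread above explains why two `-tags=` arguments cannot both reach `go build`: the compiler keeps only the last -tags value it sees, so the other tag is silently dropped. As an added example that is not part of this PR or of the elastic/beats code base, the Go program below does the same merging as ParseExtraFlags but with an anchored match, support for the two-argument `-tags value` form, de-duplication, and an error for an empty or dangling value, plus a HasBuildTag check that a build script can run before calling the compiler to make sure `requirefips` survived the merge. The function names and the flag list in main are mine, constructed for the example.

```go
// Added example, not code from the elastic/beats PR: a stricter normaliser
// for the go build "-tags" flag, plus the check a build script should run
// before calling the compiler. go build keeps only the last -tags value it
// sees, so a second "-tags=" argument silently drops the first one.
package main

import (
	"fmt"
	"strings"
)

// MergeBuildTags collapses every spelling of the -tags flag (-tags=a,
// --tags=a, -tags a, -tags=a,b) into one trailing "-tags=a,b,..." argument.
// Tags are de-duplicated in first-seen order. An empty value ("-tags=") or a
// dangling "-tags" is an error rather than a flag that is quietly ignored.
func MergeBuildTags(flags []string) ([]string, error) {
	out := make([]string, 0, len(flags))
	var tags []string
	seen := map[string]bool{}

	addTags := func(raw string) error {
		// go build accepts comma-separated tags; space-separated lists are
		// the older form, so split on both.
		fields := strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' })
		if len(fields) == 0 {
			return fmt.Errorf("empty -tags value %q", raw)
		}
		for _, t := range fields {
			if !seen[t] {
				seen[t] = true
				tags = append(tags, t)
			}
		}
		return nil
	}

	for i := 0; i < len(flags); i++ {
		f := flags[i]
		// Only a whole argument can be the flag: "-ldflags=-X v=-tags=x" or
		// "-notags=x" must pass through untouched (an unanchored regexp
		// would match inside them).
		name := strings.TrimLeft(f, "-")
		dashes := len(f) - len(name)
		if dashes < 1 || dashes > 2 {
			out = append(out, f)
			continue
		}
		switch {
		case name == "tags": // two-argument form: -tags VALUE
			if i+1 >= len(flags) {
				return nil, fmt.Errorf("-tags flag without a value")
			}
			i++
			if err := addTags(flags[i]); err != nil {
				return nil, err
			}
		case strings.HasPrefix(name, "tags="):
			if err := addTags(strings.TrimPrefix(name, "tags=")); err != nil {
				return nil, err
			}
		default:
			out = append(out, f)
		}
	}
	if len(tags) > 0 {
		out = append(out, "-tags="+strings.Join(tags, ","))
	}
	return out, nil
}

// HasBuildTag reports whether a merged flag list will compile the given tag
// in, i.e. whether it appears in a "-tags=" argument. A FIPS build whose
// flags lack "requirefips" should fail here, before go build runs.
func HasBuildTag(flags []string, tag string) bool {
	for _, f := range flags {
		if !strings.HasPrefix(f, "-tags=") {
			continue
		}
		for _, t := range strings.Split(strings.TrimPrefix(f, "-tags="), ",") {
			if t == tag {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed input: the FIPS default from DefaultBuildArgs, the tag an
	// agentbeat build adds, and the tags an integration-test run might pass.
	in := []string{"-trimpath", "-tags=requirefips", "-tags=agentbeat", "-ldflags=-w", "-tags", "integration,agentbeat"}
	merged, err := MergeBuildTags(in)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(merged, " "))
	// -trimpath -ldflags=-w -tags=requirefips,agentbeat,integration
	if !HasBuildTag(merged, "requirefips") {
		panic("FIPS build is missing the requirefips tag")
	}
}
```

The same check can be repeated on the finished artifact: `go version -m <binary>` prints the build settings embedded by the toolchain, including the `-tags` value, so a release step can refuse to ship a FIPS artifact whose recorded tags do not contain `requirefips`.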
@@ -74,6 +108,10 @@
// Remove all file system paths from the compiled executable, to improve build reproducibility
args.ExtraFlags = append(args.ExtraFlags, "-trimpath")
}
if FIPSBuild {
args.ExtraFlags = append(args.ExtraFlags, "-tags=requirefips")
args.CGO = true
}

return args
}
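Review bot: `args.CGO = true` here and the unconditional `cgoEnabled = "1"` under `if FIPSBuild` in the hunk at `@@ -175,6 +213,10 @@` do the same job; keep one of them (this one, since it is the value callers can see in BuildArgs) so nobody has to work out which is authoritative. Appending `-tags=requirefips` to ExtraFlags is also only safe because Build() now routes ExtraFlags through ParseExtraFlags; a caller that reads args.ExtraFlags directly will hand two -tags flags to go build and lose one, so a short comment here saying the tag is merged later is worth adding.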
@@ -175,6 +213,10 @@
if params.CGO {
cgoEnabled = "1"
}
if FIPSBuild {
cgoEnabled = "1"
env["GOEXPERIMENT"] = "systemcrypto"
}
env["CGO_ENABLED"] = cgoEnabled

// Spec
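Review bot: `env["GOEXPERIMENT"] = "systemcrypto"` overwrites any GOEXPERIMENT already set in the caller's environment rather than adding to it, and `systemcrypto` is only understood by the Microsoft Go fork: upstream go rejects unknown GOEXPERIMENT values, so a developer running `mage build` with FIPS=true outside the crossbuild container gets a toolchain error that never mentions FIPS. Either check that the toolchain on PATH is the fork and fail with a clear message, or document that FIPS=true is supported only through crossbuild, where the Microsoft image is selected. Separately, `cgoEnabled = "1"` here silently overrides a caller that asked for params.CGO=false; returning an error or at least logging the override is better than changing the build behind the caller's back.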
@@ -186,7 +228,7 @@
if params.BuildMode != "" {
args = append(args, "-buildmode", params.BuildMode)
}
args = append(args, params.ExtraFlags...)
args = append(args, params.ParseExtraFlags()...)

// ldflags
ldflags := params.LDFlags
@@ -248,7 +290,7 @@
},
StringFileInfo: goversioninfo.StringFileInfo{
CompanyName: BeatVendor,
ProductName: strings.Title(BeatName),

Check failure on line 293 in dev-tools/mage/build.go (GitHub Actions / lint (windows)):
SA1019: strings.Title has been deprecated since Go 1.18 and an alternative has been available since Go 1.0: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck)
ProductVersion: version,
FileVersion: version,
FileDescription: BeatDescription,
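Review bot: the staticcheck SA1019 failure on `ProductName: strings.Title(BeatName)` sits on an unchanged context line, so it is not introduced by this PR; the lint job reports it because it checks the whole file. Either fix it in a separate commit with `cases.Title(language.Und).String(BeatName)` from golang.org/x/text/cases (the replacement the message points to) or leave it alone here so this PR stays a pure FIPS change; mixing the two makes the FIPS diff harder to audit.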
4 changes: 4 additions & 0 deletions dev-tools/mage/crossbuild.go
@@ -248,6 +248,9 @@ func CrossBuildImage(platform string) (string, error) {
if err != nil {
return "", err
}
if FIPSBuild {
return FIPSBuildImage + ":" + goVersion + "-1-fips-bookworm", nil
}

return BeatsCrossBuildImage + ":" + goVersion + "-" + tagSuffix, nil
}
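Review bot: the FIPS branch returns before `tagSuffix` is used, so the platform argument is ignored and every target is built in the same `<goVersion>-1-fips-bookworm` image. The golang-crossbuild image exists precisely because each platform needs its own cross toolchain, and with CGO_ENABLED=1 forced on, a cross-compile in an image that lacks that toolchain will fail (or, if a host toolchain happens to be present, link against the wrong target). Restrict FIPS builds to the platforms the image actually supports and return an error for the rest. The hard-coded `-1` revision also pins to the first rebuild of each Go version and will break the day Microsoft publishes a `-2`; since this image is the root of trust for the FIPS claim, pin it by digest (or at minimum make the full tag a setting) so the build is reproducible and the provenance can be audited.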
@@ -331,6 +334,7 @@ func (b GolangCrossBuilder) Build() error {
"--env", "MAGEFILE_VERBOSE="+verbose,
"--env", "MAGEFILE_TIMEOUT="+EnvOr("MAGEFILE_TIMEOUT", ""),
"--env", fmt.Sprintf("SNAPSHOT=%v", Snapshot),
"--env", fmt.Sprintf("FIPS=%v", FIPSBuild),
"-v", repoInfo.RootDir+":"+mountPoint,
"-w", workDir,
)
13 changes: 11 additions & 2 deletions dev-tools/mage/settings.go
@@ -44,6 +44,8 @@ const (
beatsFPMImage = "docker.elastic.co/beats-dev/fpm"
// BeatsCrossBuildImage is the image used for crossbuilding Beats.
BeatsCrossBuildImage = "docker.elastic.co/beats-dev/golang-crossbuild"
//FIPSBuildImage is the image used for building FIPS compliant artifacts
FIPSBuildImage = "mcr.microsoft.com/oss/go/microsoft/golang"

elasticBeatsImportPath = "github.com/elastic/beats"

@@ -79,8 +81,9 @@ var (

BeatProjectType ProjectType

Snapshot bool
DevBuild bool
Snapshot bool
DevBuild bool
FIPSBuild bool

versionQualified bool
versionQualifier string
@@ -128,6 +131,11 @@ func init() {
panic(fmt.Errorf("failed to parse DEV env value: %w", err))
}

FIPSBuild, err = strconv.ParseBool(EnvOr("FIPS", "false"))
if err != nil {
panic(fmt.Errorf("failed to parse FIPS env value: %w", err))
}

versionQualifier, versionQualified = os.LookupEnv("VERSION_QUALIFIER")
}

@@ -179,6 +187,7 @@ func varMap(args ...map[string]interface{}) map[string]interface{} {
"BeatUser": BeatUser,
"Snapshot": Snapshot,
"DEV": DevBuild,
"FIPS": FIPSBuild,
"Qualifier": versionQualifier,
"CI": CI,
}