Update Readme on FIPS version changes (#636)

justsmth · web-flow · commit c4b8050ba1cd · 2024-12-17T19:06:12.000Z
diff --git a/aws-lc-fips-sys/README.md b/aws-lc-fips-sys/README.md
@@ -3,57 +3,71 @@
 [![crates.io](https://img.shields.io/crates/v/aws-lc-fips-sys.svg)](https://crates.io/crates/aws-lc-fips-sys)
 [![GitHub](https://img.shields.io/badge/GitHub-awslabs%2Faws--lc--rs-blue)](https://github.com/awslabs/aws-lc-rs)
 
-**Autogenerated** low-level AWS-LC FIPS bindings for the Rust programming language. We do not recommend directly relying on these bindings.
+**Autogenerated** low-level AWS-LC FIPS bindings for the Rust programming language. We do not recommend directly relying
+on these bindings.
 
 [Documentation](https://github.com/aws/aws-lc).
 
 ## FIPS
 
-This crate provides bindings to [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
-FIPS validation testing by an accredited lab and has been submitted to NIST for certification. The static build of AWS-LC-FIPS
-is used.
+The aws-lc-fips-sys crate provides bindings to the latest version of the AWS-LC-FIPS module that
+has completed FIPS validation testing by an accredited lab and has been submitted to NIST for
+certification. This will continue to be the case as we periodically submit new versions of
+the AWS-LC-FIPS module to NIST for certification. Currently, aws-lc-fips-sys binds to
+[AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27).
 
-| Supported Targets |
-| --- |
-| x86_64-unknown-linux-gnu |
-| aarch64-unknown-linux-gnu |
+Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers
+needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid
+automatically being upgraded to a newer module version.
+(See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html)
+on how to specify dependency versions.)
 
-Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
-for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be
-made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes
-and documentation to reflect any changes in FIPS certification status.
+| AWS-LC-FIPS module | aws-lc-rs |
+|--------------------|-----------|
+| 2.0.x              | \<1.12.0  |
+| 3.0.x              | *latest*  |
 
-## Release Support
+Refer to the
+[NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
+for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the
+[FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md)
+for relevant security policies and information on supported operating environments.
+We will also update our release notes and documentation to reflect any changes in FIPS certification status.
 
-This crate pulls in the source code of the latest AWS-LC FIPS branch to build with it. Bindings for platforms we officially support are pre-generated.
-The platforms which `aws-lc-fips-sys` builds on is limited to the platforms where the AWS-LC FIPS static build is supported.
+## Building and Bindings
+
+This crate contains source code from a FIPS branch of AWS-LC for building and for bindings generation. A
+specialized FIPS build is performed. Bindings for some platforms are pre-generated.
 
 ### Pregenerated Bindings Availability
 
-Targets
----------------------
-aarch64_apple_darwin
-aarch64_unknown_linux_gnu
-aarch64_unknown_linux_musl
-x86_64_apple_darwin
-x86_64_unknown_linux_gnu
-x86_64_unknown_linux_musl
+| Targets                    |
+|----------------------------|
+| aarch64_apple_darwin       |
+| aarch64_unknown_linux_gnu  |
+| aarch64_unknown_linux_musl |
+| x86_64_apple_darwin        |
+| x86_64_unknown_linux_gnu   |
+| x86_64_unknown_linux_musl  |
 
 ### Prebuilt NASM objects
 
 Prebuilt NASM objects are *not* available for this crate.
 
 ### Tested AWS-LC FIPS Build Environments
 
-`aws-lc-fips-sys` currently relies on the AWS-LC FIPS static build, please see our CI documentation at [AWS-LC](https://github.com/aws/aws-lc/tree/main/tests/ci#unit-tests).
+`aws-lc-fips-sys` currently relies on the AWS-LC FIPS static build, please see our CI documentation
+at [AWS-LC](https://github.com/aws/aws-lc/tree/main/tests/ci#unit-tests).
 
 ## Build Prerequisites
 
-Since this crate builds AWS-LC as a native library, all build tools needed to build AWS-LC are applicable to `aws-lc-fips-sys` as well. This includes Go and Perl, which are hard dependencies for the AWS-LC FIPS build.
+Since this crate builds AWS-LC as a native library, all build tools needed to build AWS-LC are applicable to
+`aws-lc-fips-sys` as well. This includes Go and Perl, which are hard dependencies for the AWS-LC FIPS build.
 
 [Building AWS-LC](https://github.com/aws/aws-lc/blob/main/BUILDING.md)
 
-If you use a different build combination for FIPS and would like us to support it, please open an issue to us at [AWS-LC](https://github.com/aws/aws-lc/issues/new?assignees=&labels=&template=build-issue.md&title=).
+If you use a different build combination for FIPS and would like us to support it, please open an issue to us
+at [AWS-LC](https://github.com/aws/aws-lc/issues/new?assignees=&labels=&template=build-issue.md&title=).
 
 ## Security Notification Process
 
diff --git a/aws-lc-rs/README.md b/aws-lc-rs/README.md
@@ -45,17 +45,30 @@ function. This adds a requirement on `untrusted = "0.7.1"`.
 ##### fips
 
 Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys)
-crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to
-[AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
-FIPS validation testing by an accredited lab and has been submitted to NIST for certification.
-The static build of AWS-LC-FIPS is used.
+crate for the cryptographic implementations. The aws-lc-fips-sys crate provides bindings to the
+latest version of the AWS-LC-FIPS module that has completed FIPS validation testing by an
+accredited lab and has been submitted to NIST for certification. This will continue to be the
+case as we periodically submit new versions of the AWS-LC-FIPS module to NIST for certification.
+Currently, aws-lc-fips-sys binds to
+[AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27).
+
+Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers
+needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid
+automatically being upgraded to a newer module version.
+(See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html)
+on how to specify dependency versions.)
+
+| AWS-LC-FIPS module | aws-lc-rs |
+|--------------------|-----------|
+| 2.0.x              | \<1.12.0  |
+| 3.0.x              | *latest*  |
 
 Refer to the
 [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
-for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating
-environments will be made available in the vendor security policy once the validation certificate has been issued. We
-will also update our release notes
-and documentation to reflect any changes in FIPS certification status.
+for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the
+[FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md)
+for relevant security policies and information on supported operating environments.
+We will also update our release notes and documentation to reflect any changes in FIPS certification status.
 
 ##### asan
 
diff --git a/aws-lc-rs/src/lib.rs b/aws-lc-rs/src/lib.rs
@@ -47,17 +47,30 @@
 //! #### fips
 //!
 //! Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys)
-//! crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to
-//! [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
-//! FIPS validation testing by an accredited lab and has been submitted to NIST for certification.
-//! The static build of AWS-LC-FIPS is used.
+//! crate for the cryptographic implementations. The aws-lc-fips-sys crate provides bindings to the
+//! latest version of the AWS-LC-FIPS module that has completed FIPS validation testing by an
+//! accredited lab and has been submitted to NIST for certification. This will continue to be the
+//! case as we periodically submit new versions of the AWS-LC-FIPS module to NIST for certification.
+//! Currently, aws-lc-fips-sys binds to
+//! [AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27).
+//!
+//! Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers
+//! needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid
+//! automatically being upgraded to a newer module version.
+//! (See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html)
+//! on how to specify dependency versions.)
+//!
+//! | AWS-LC-FIPS module | aws-lc-rs |
+//! |--------------------|-----------|
+//! | 2.0.x              | \<1.12.0  |
+//! | 3.0.x              | *latest*  |
 //!
 //! Refer to the
 //! [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
-//! for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating
-//! environments will be made available in the vendor security policy once the validation certificate has been issued. We
-//! will also update our release notes
-//! and documentation to reflect any changes in FIPS certification status.
+//! for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the
+//! [FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md)
+//! for relevant security policies and information on supported operating environments.
+//! We will also update our release notes and documentation to reflect any changes in FIPS certification status.
 //!
 //! #### asan
 //!
