Consider FIPS support on macOS / darwin #1013
Our team would love support for building FIPS compliant darwin binaries; we're building Go binaries that are part of a toolchain that is otherwise using FIPS compliant .NET binaries for Windows, Linux, and MacOS, so ideally we'd be able to produce FIPS compliant Go binaries for the same set of OS targets.
We got this clarified by someone responsible for the policy--they don't see it this way, which is great news. It's ok to use OpenSSL on macOS, and there isn't any need to rule out the possibility of using macOS native crypto: OpenSSL is always ok, as long as the OpenSSL-specific requirements are met. Getting this enabled in Microsoft Go will take some work (in addition to tweaking the patch, we would probably want to set up macOS builders to continuously test it), but the path is clear.
@dagood Thanks for the update! I'm interested in learning more about any progress related to the recent discussions on supporting Microsoft Go on macOS. We have a similar use case where we need to create a FIPS-compliant Go binary for macOS.
We have a draft PR for a macOS builder at #1279 that we plan to keep working on, but no progress yet on a FIPS backend. I suspect though that the work to be done on that will be:
(We haven't looked at CommonCrypto/etc., and using OpenSSL on macOS is still the plan for this issue.)
@dagood we're attempting to follow the provided instructions to generate a FIPS build on macOS, but we're encountering errors when applying the patches. Could you please provide more detailed instructions? Alternatively, if you already have a version that supports Darwin, we'd be happy to test it.
@dagood, continuing from my previous message, I didn't generate patches/0007-Add-backend-code-gen.patch alone, but ran the build after updating patches/0004-Add-OpenSSL-crypto-backend.patch with (darwin || linux) where linux appeared in the code. goroutine 1 [running]:
Sorry for the quiet here. I've opened #1368 for supporting producing (signed) macOS prebuilt Microsoft Go toolsets, which will make it easier to then work on the FIPS side of things. I'm going to take a stab at getting #1279 through. I don't have direct access to a machine running macOS, but I'm hoping I can get it through CI to the point where others can keep this work going. Apologies also for the trouble with the patch files... seeing #1362, it looks like you might be editing the
An important update: We (the Go team) have been experimenting with several different crypto backends for macOS and intend to go with CommonCrypto (falling back to CryptoKit where required). This is still very early days and we don't anticipate having a GA binary for a while, but we would be interested in having 1P customers test out some EA binaries for us (if this is of interest then please drop me an email). The macOS crypto bindings have been open sourced here: https://github.com/microsoft/go-crypto-darwin and we actively encourage contributions. As with our other backends, it may not be possible to support every single algorithm, so we'll fall back to the Go native crypto where necessary.
As of writing, we've been asked about macOS FIPS support, but we haven't been asked to provide it. I'm opening this issue to keep track of any interest.
My reading of the internal Microsoft crypto policy is that using OpenSSL on macOS would be considered noncompliant. Instead, the platform-provided CommonCrypto, Security Transforms, and Secure Transport APIs must be used. If I'm wrong, or for anyone looking into this from outside Microsoft, maybe this isn't an issue. In that case, golang-fips/openssl#98 is an effort to make the OpenSSL backend work on macOS (and Windows), although we haven't determined for certain that it will work in microsoft/go releases.
I haven't looked into any of those macOS-provided libraries to see what kind of effort it would take to make a backend for it.