Consider FIPS support on macOS / darwin #1013

Closed
dagood opened this issue Aug 8, 2023 · 9 comments · Fixed by #1453
Labels
fips new-platform Support a platform new to the microsoft/go infrastructure

Comments

@dagood
Member

dagood commented Aug 8, 2023

As of writing, we've been asked about macOS FIPS support, but we haven't been asked to provide it. I'm opening this issue to keep track of any interest.

My reading of the internal Microsoft crypto policy is that using OpenSSL on macOS would be considered noncompliant. Instead, the platform-provided CommonCrypto, Security Transforms, and Secure Transport APIs must be used. If I'm wrong, or for anyone looking into this from outside Microsoft, maybe this isn't an issue. In that case, golang-fips/openssl#98 is an effort to make the OpenSSL backend work on macOS (and Windows), although we haven't determined for certain that it will work in microsoft/go releases.

I haven't looked into any of those macOS-provided libraries to see what kind of effort it would take to make a backend for it.

@dagood dagood added fips new-platform Support a platform new to the microsoft/go infrastructure labels Aug 8, 2023
@danegsta

Our team would love support for building FIPS compliant darwin binaries; we're building Go binaries that are part of a toolchain that is otherwise using FIPS compliant .NET binaries for Windows, Linux, and macOS, so ideally we'd be able to produce FIPS compliant Go binaries for the same set of OS targets.

@qmuntal
Member

qmuntal commented Mar 15, 2024

@danegsta supporting macOS is currently not in our backlog. Please send an email to @gdams, our manager, explaining your business case so we can prioritize this effort and see how it can be funded.

@dagood
Member Author

dagood commented Mar 27, 2024

My reading of the internal Microsoft crypto policy is that using OpenSSL on macOS would be considered noncompliant. Instead, the platform-provided CommonCrypto, Security Transforms, and Secure Transport APIs must be used.

We got this clarified by someone responsible for the policy--they don't see it this way, which is great news. It's ok to use OpenSSL on macOS, and there isn't any need to rule out the possibility of using macOS native crypto: OpenSSL is always ok, as long as the OpenSSL-specific requirements are met.

Getting this enabled in Microsoft Go will take some work (in addition to tweaking the patch, we would probably want to set up macOS builders to continuously test it), but the path is clear.

@toanant

toanant commented Aug 26, 2024

@dagood Thanks for the update! I’m interested in learning more about any progress related to the recent discussions on supporting Microsoft Go on macOS. We have a similar use case where we need to create a FIPS-compliant Go binary for macOS.
Any updates or insights you can provide would be greatly appreciated!

@dagood
Member Author

dagood commented Aug 26, 2024

We have a draft PR for a macOS builder at #1279 that we plan to keep working on, but no progress yet on a FIPS backend. I suspect though that the work to be done on that will be:

  1. Modify patches/0004-Add-OpenSSL-crypto-backend.patch to allow darwin along with linux in the relevant build tags.
  2. Regenerate patches/0007-Add-backend-code-gen.patch to update the error messages so go build will let you target darwin without stopping your build.
  3. Modify patches/0001-Add-systemcrypto-GOEXPERIMENT.patch so that systemcrypto uses opensslcrypto on darwin.
    • I don't think this step is truly necessary to build your own binary if you're comfortable building your own copy of Go and assign GOEXPERIMENT=opensslcrypto directly rather than use the systemcrypto alias. We'll want to have systemcrypto working in official/signed Microsoft Go builds, though.

(We haven't looked at CommonCrypto/etc., and using OpenSSL on macOS is still the plan for this issue.)
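One way to see what steps 1 and 3 change, as an added example that is not code from microsoft/go or from anyone in this thread: it uses the standard go/build/constraint package to evaluate the before/after //go:build lines for GOOS=darwin the way cmd/go would, with a hypothetical resolveExperiment that models the systemcrypto alias (darwin mapping to opensslcrypto is the proposed step 3, not current behaviour; the windows mapping to cngcrypto is included as an assumption for contrast). The evaluator is simplified: real cmd/go also satisfies tags such as unix, cgo and the go1.N version tags.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"strings"
)

// resolveExperiment models step 3 of the comment above: the systemcrypto
// alias maps to a concrete backend per GOOS. darwin -> opensslcrypto is the
// proposed change and windows -> cngcrypto is an assumption (hypothetical).
func resolveExperiment(goos, goexperiment string) string {
	if goexperiment != "systemcrypto" {
		return goexperiment
	}
	switch goos {
	case "linux", "darwin":
		return "opensslcrypto"
	case "windows":
		return "cngcrypto"
	}
	return ""
}

// fileSelected parses a //go:build line and evaluates it with the tag set
// cmd/go would use for this GOOS and GOEXPERIMENT: the GOOS name and the
// goexperiment.<name> tag are satisfied, every other tag is false.
func fileSelected(buildLine, goos, goexperiment string) (bool, error) {
	expr, err := constraint.Parse(buildLine)
	if err != nil {
		return false, err
	}
	exp := resolveExperiment(goos, goexperiment)
	return expr.Eval(func(tag string) bool {
		if tag == goos {
			return true
		}
		if strings.HasPrefix(tag, "goexperiment.") {
			return exp != "" && tag == "goexperiment."+exp
		}
		return false
	}), nil
}

func main() {
	before := "//go:build linux && goexperiment.opensslcrypto"
	after := "//go:build (darwin || linux) && goexperiment.opensslcrypto"
	for _, line := range []string{before, after} {
		ok, _ := fileSelected(line, "darwin", "systemcrypto")
		fmt.Printf("%-60s darwin/systemcrypto -> %v\n", line, ok)
	}
}
```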

@lmaliniak

@dagood we're attempting to follow the provided instructions to generate a FIPS build on macOS, but we're encountering errors when applying the patches. Could you please provide more detailed instructions? Alternatively, if you already have a version that supports Darwin, we'd be happy to test it.
Thanks

@lmaliniak

@dagood, continuing from my previous message: I didn't regenerate patches/0007-Add-backend-code-gen.patch on its own, but ran the build after updating patches/0004-Add-OpenSSL-crypto-backend.patch with (darwin || linux) wherever linux appeared in the code.
Here is the build output:
sudo pwsh eng/run.ps1 build -refresh
Building MacOS darwin arm64...
In ' /Users/devuser/dev/fips/go/eng/_util', building './cmd/build' -> /Users/devuser/dev/fips/go/eng/artifacts/toolbin/build
Built 'build'. Running from repo root...
---- Running command: /usr/bin/git [git submodule update --init -f]
Submodule path 'go': checked out '6b2ffc72b67713de4f08915937a64392aa4dbff0'
---- Running command: /usr/bin/git [git rev-parse --show-toplevel]
---- Running command: /usr/bin/git [git rev-parse --show-toplevel]
---- Running command: /usr/bin/git [git am --abort]
---- Running command: /usr/bin/git [git rebase --abort]
---- Running command: /usr/bin/git [git merge --abort]
---- Running command: /usr/bin/git [git reset --hard]
HEAD is now at 6b2ffc72b6 cmd: extract cmd/go's cfg.LookPath into separate pathcache package
---- Running command: /usr/bin/git [git clean -df]
Removing src/cmd/go/internal/modindex/build_test.go
Removing src/crypto/ed25519/boring.go
Removing src/crypto/ed25519/notboring.go
Removing src/crypto/internal/backend/
Removing src/go/build/buildbackend_test.go
Removing src/go/build/testdata/backendtags_openssl/
Removing src/go/build/testdata/backendtags_system/
Removing src/internal/goexperiment/exp_systemcrypto_off.go
Removing src/internal/goexperiment/exp_systemcrypto_on.go
---- Running command: /usr/bin/git [git apply --index --whitespace=nowarn /Users/devuser/dev/fips/go/patches/0001-Add-systemcrypto-GOEXPERIMENT.patch /Users/devuser/dev/fips/go/patches/0002-Add-crypto-backend-foundation.patch /Users/devuser/dev/fips/go/patches/0003-Add-BoringSSL-crypto-backend.patch /Users/devuser/dev/fips/go/patches/0004-Add-OpenSSL-crypto-backend.patch /Users/devuser/dev/fips/go/patches/0005-Add-CNG-crypto-backend.patch /Users/devuser/dev/fips/go/patches/0006-Vendor-crypto-backends.patch /Users/devuser/dev/fips/go/patches/0007-Add-backend-code-gen.patch /Users/devuser/dev/fips/go/patches/0008-Update-default-go.env.patch /Users/devuser/dev/fips/go/patches/0009-Skip-failing-tests-on-Windows.patch /Users/devuser/dev/fips/go/patches/0010-Support-TLS-1.3-in-fipstls-mode.patch /Users/devuser/dev/fips/go/patches/0011-unset-GOFIPS-when-running-the-Go-toolchain.patch /Users/devuser/dev/fips/go/patches/0012-add-support-for-logging-used-Windows-APIs.patch /Users/devuser/dev/fips/go/patches/0013-remove-long-path-support-hack.patch /Users/devuser/dev/fips/go/patches/0014-Omit-internal-go.mod-files-used-for-codegen.patch]
error: patch failed: src/cmd/dist/test.go:1225
error: src/cmd/dist/test.go: patch does not apply
panic: exit status 1

goroutine 1 [running]:
main.main()
/Users/devuser/dev/fips/go/eng/_util/cmd/build/build.go:75 +0x344
Failed to run tool.

@dagood
Member Author

dagood commented Oct 23, 2024

Sorry for the quiet here. I've opened #1368 for supporting producing (signed) macOS prebuilt Microsoft Go toolsets, which will make it easier to then work on the FIPS side of things. I'm going to take a stab at getting #1279 through. I don't have direct access to a machine running macOS, but I'm hoping I can get it through CI to the point where others can keep this work going.

Apologies also for the trouble with the patch files... seeing #1362, it looks like you might be editing the .patch files directly rather than using git commands to apply/format/extract them. We have a tool git-go-patch that we use to maintain them. I noticed that we don't link to it anywhere from the microsoft/go repo--I'll fix that.

@gdams
Member

gdams commented Dec 17, 2024

An important update:

We (the Go team) have been experimenting with several different crypto backends for macOS and intend to go with CommonCrypto (falling back to CryptoKit where required).

This is still very early days and we don't anticipate having a GA binary for a while, but we would be interested in having 1P customers test out some EA binaries for us (if this is of interest, please drop me an email).

The macOS crypto bindings have been open sourced here: https://github.com/microsoft/go-crypto-darwin and we actively encourage contributions. As with our other backends, it may not be possible to support every single algorithm so we'll fall back to the Go native crypto where necessary.
