FIPS support with boringcrypto

Question

FIPS support with boringcrypto

seanorama opened this issue 7 months ago · comments

Which component:
controller and kubeseal, though more important for kubeseal since that is where the cryptographic functions happen.

Is your feature request related to a problem? Please describe.
Many high compliance environments, require crypto modules to be FIPS-compliant and validated by NIST. Thankfully, for Go, Google freely provides BoringCrypt (aka boringssl).

Describe the solution you'd like
Provide container images containing controller and kubeseal which have been compiled with FIPS-validation, likely via boringcrypto.

To test that the applications can be built with boringcrypto, I followed this guide, to build it on ubi8-minimal and used the go-toolset to validate that FIPS mode is enabled.

$ docker run -it redhat/ubi8-minimal
# microdnf install -y git go-toolset make findutils
# git clone https://github.com/bitnami-labs/sealed-secrets
# make
# ./kubeseal --version
kubeseal version: f88b8ce629576082d52d63a0257217f457d47c7d

# go tool nm ./kubeseal | grep FIPS_mode
 1275820 T _cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
 22622d8 d _g_FIPS_mode
  653cd0 t vendor/github.com/golang-fips/openssl-fips/openssl._Cfunc__goboringcrypto_FIPS_mode.abi0
 21a1208 d vendor/github.com/golang-fips/openssl-fips/openssl._cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode

# go tool nm ./controller | grep FIPS_mode
 14fe760 T _cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode
 288c278 d _g_FIPS_mode
  58d090 t vendor/github.com/golang-fips/openssl-fips/openssl._Cfunc__goboringcrypto_FIPS_mode.abi0
 27c1250 d vendor/github.com/golang-fips/openssl-fips/openssl._cgo_0edd79296193_Cfunc__goboringcrypto_FIPS_mode

Describe alternatives you've considered
No alternatives. FIPS-validation is not negotiable for high compliance environments, such as those required by the Federal government and others who comply with NIST controls.

Alfredo Garcia · Answer 1 · Thu Nov 23 2023 21:18:06 GMT+0800 (China Standard Time)

Hi @seanorama thanks for the report. FIPS compliance is indeed an important feature for many corporate or regulated environments. While we do not provide a default compilation for the Sealed Secrets components supporting FIPS, customers with those requirements should consider the Tanzu Application Catalog alternative instead.

The Sealed Secrets container distributed with TAC includes the Kubseal binary and FIPS compliance is verified using the PhotonOS images.

Let me know if you need further assistance on obtaining a TAC subscription and accessing the FIPS-compliant version of Sealed Secrets.

Regards

github-actions · Answer 2 · Sat Dec 09 2023 09:24:51 GMT+0800 (China Standard Time)

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions · Answer 3 · Sat Dec 30 2023 09:23:32 GMT+0800 (China Standard Time)

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions · Answer 4 · Sat Jan 06 2024 09:25:07 GMT+0800 (China Standard Time)

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.