Add FIPS support for RHEL targets

This commit is contained in:
Alejandro Sáez 2023-06-13 14:34:13 +02:00
parent 4716400a7f
commit 069f0dcbce
4 changed files with 140 additions and 66 deletions

2
.gitignore vendored
View File

@ -133,3 +133,5 @@
/go1.20.3.src.tar.gz
/go1.20.4.src.tar.gz
/go1.20.5.src.tar.gz
/go1.20.5-1-openssl-fips.tar.gz
/go1.20.4-3-openssl-fips.tar.gz

3
golang-prelink.conf Normal file
View File

@ -0,0 +1,3 @@
# there are ELF files in src which are testdata and shouldn't be modified
-b /usr/lib/golang/src
-b /usr/lib64/golang/src

View File

@ -38,6 +38,13 @@
# Golang build options.
# Disable FIPS by default
%global fips 0
# Enable FIPS by default in RHEL
%if 0%{?rhel}
%global fips 1
%endif
# Build golang using external/internal(close to cgo disabled) linking.
%ifarch %{ix86} x86_64 ppc64le %{arm} aarch64 s390x
%global external_linker 1
@ -73,10 +80,6 @@
%global shared 0
%endif
# Pre build std lib with -race enabled
# Disabled due to 1.20 new cache usage, see 1.20 upstream release notes
%global race 0
# Fedora GOROOT
%global goroot /usr/lib/%{name}
@ -102,15 +105,16 @@
%global gohostarch s390x
%endif
# Comment out go_prerelease and go_patch as needed
%global go_api 1.20
# Use only for prerelease versions
#global go_prerelease rc3
%global go_patch 5
%global go_patch 4
%global go_version %{go_api}%{?go_patch:.%{go_patch}}%{?go_prerelease:~%{go_prerelease}}
%global go_source %{go_api}%{?go_patch:.%{go_patch}}%{?go_prerelease}
# Go FIPS package release
%global pkg_release 3
# For rpmdev-bumpspec and releng automation
# For rpmdev-bumpspec and releng automation.
%global baserelease 1
Name: golang
@ -121,8 +125,16 @@ Summary: The Go Programming Language
License: BSD and Public Domain
URL: https://go.dev
Source0: https://go.dev/dl/go%{go_source}.src.tar.gz
# Go's FIPS mode bindings are now provided as a standalone
# module instead of in tree. This makes it easier to see
# the actual changes vs upstream Go. The module source is
# located at https://github.com/golang-fips/openssl-fips,
# And pre-genetated patches to set up the module for a given
# Go release are located at https://github.com/golang-fips/go.
# making a source conditional creates odd behaviors so for now, include FIPS always
Source1: https://github.com/golang-fips/go/archive/refs/tags/go%{go_source}-%{pkg_release}-openssl-fips.tar.gz
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
Source1: fedora.go
Source2: fedora.go
# The compiler is written in Go. Needs go(1.4+) compiler for build.
%if !%{golang_bootstrap}
@ -130,16 +142,34 @@ BuildRequires: gcc-go >= 5
%else
BuildRequires: golang > 1.4
%endif
# Install hostname(1) or net-tools(1) depending on the OS version
%if 0%{?rhel} > 6 || 0%{?fedora} > 0
BuildRequires: hostname
%else
BuildRequires: net-tools
%endif
# for tests
BuildRequires: pcre-devel, glibc-static, perl-interpreter, procps-ng
# If FIPS is enabled, we need openssl-devel
%if %{fips}
BuildRequires: openssl-devel
%endif
BuildRequires: pcre-devel, glibc-static
# For running the tests on Fedora
%if 0%{?fedora}
BuildRequires: perl-interpreter, procps-ng
%endif
# For running the tests on RHEL
%if 0%{?rhel}
BuildRequires: perl
%endif
Provides: go = %{version}-%{release}
%if 0%{?fedora}
# Bundled/Vendored provides generated by bundled-deps.sh based on the in tree module data
# - in version filed substituted with . per versioning guidelines
Provides: bundled(golang(github.com/google/pprof)) = 0.0.0.20221118152302.e6195bd50e26
@ -153,6 +183,7 @@ Provides: bundled(golang(golang.org/x/sys)) = 0.3.0
Provides: bundled(golang(golang.org/x/term)) = 0.2.0
Provides: bundled(golang(golang.org/x/text)) = 0.5.0
Provides: bundled(golang(golang.org/x/tools)) = 0.3.1.0.20230118190848.070db2996ebe
%endif
Requires: %{name}-bin = %{version}-%{release}
Requires: %{name}-src = %{version}-%{release}
@ -171,14 +202,11 @@ Obsoletes: %{name}-data < 1.1.1-4
Obsoletes: %{name}-vim < 1.4
Obsoletes: emacs-%{name} < 1.4
# We stopped building the golang-race subpackage, so we need to to maintain the
# update path.
Obsoletes: golang-race < 1.20~rc3-2
# These are the only RHEL/Fedora architectures that we compile this package for
ExclusiveArch: %{golang_arches}
Source100: golang-gdbinit
Source101: golang-prelink.conf
%description
%{summary}.
@ -280,22 +308,35 @@ Summary: Golang shared object libraries
%{summary}.
%endif
%if %{race}
%package race
Summary: Golang std library with -race enabled
Requires: %{name} = %{version}-%{release}
%description race
%{summary}
%endif
%prep
%autosetup -p1 -n go
# Copy fedora.go to ./src/runtime/
cp %{SOURCE2} ./src/runtime/
cp %{SOURCE1} ./src/runtime/
# If FIPS is enabled, install the FIPS source
%if %{fips}
echo "Preparing FIPS patches"
pushd ..
tar -xf %{SOURCE1}
popd
# TODO Check here, this is failing due to the external linker flag? maybe, but it's clearly related to that according tho this commit:
# https://github.com/golang-fips/go/blob/main/patches/000-initial-setup.patch#L48
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
# Configure crypto tests
echo "Configure crypto tests"
pushd ../go-go%{version}-%{pkg_release}-openssl-fips
ln -s ../go go
./scripts/configure-crypto-tests.sh
popd
%endif
%build
# -x: print commands as they are executed
# -e: exit immediately if a command exits with a non-zero status
set -xe
# print out system information
uname -a
cat /proc/cpuinfo
@ -322,12 +363,21 @@ export CC="gcc"
export CC_FOR_TARGET="gcc"
export GOOS=linux
export GOARCH=%{gohostarch}
DEFAULT_GO_LD_FLAGS=""
%if !%{external_linker}
export GO_LDFLAGS="-linkmode internal"
export GO_LDFLAGS="-linkmode internal $DEFAULT_GO_LD_FLAGS"
%else
# Only pass a select subset of the external hardening flags. We do not pass along
# the default $RPM_LD_FLAGS as on certain arches Go does not fully, correctly support
# building in PIE mode.
export GO_LDFLAGS="\"-extldflags=-Wl,-z,now,-z,relro\" $DEFAULT_GO_LD_FLAGS"
%endif
%if !%{cgo_enabled}
export CGO_ENABLED=0
%endif
./make.bash --no-clean -v
popd
@ -336,12 +386,7 @@ popd
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -buildmode=shared -v -x std
%endif
%if %{race}
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -race -v -x std
%endif
%install
echo "== 1 =="
rm -rf $RPM_BUILD_ROOT
# remove GC build cache
rm -rf pkg/obj/go-build/*
@ -354,7 +399,7 @@ mkdir -p $RPM_BUILD_ROOT%{goroot}
# https://code.google.com/p/go/issues/detail?id=5830
cp -apv api bin doc lib pkg src misc test VERSION \
$RPM_BUILD_ROOT%{goroot}
echo "== 2 =="
# bz1099206
find $RPM_BUILD_ROOT%{goroot}/src -exec touch -r $RPM_BUILD_ROOT%{goroot}/VERSION "{}" \;
# and level out all the built archives
@ -371,8 +416,11 @@ docs_list=$cwd/go-docs.list
tests_list=$cwd/go-tests.list
rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
##################
# Register files #
##################
pushd $RPM_BUILD_ROOT%{goroot}
echo "== 3 =="
find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test.go' \) -printf '%{goroot}/%p\n' >> $src_list
@ -386,7 +434,6 @@ pushd $RPM_BUILD_ROOT%{goroot}
find misc/ ! -type d -printf '%{goroot}/%p\n' >> $misc_list
%if %{shared}
echo "== 4 =="
mkdir -p %{buildroot}/%{_libdir}/
mkdir -p %{buildroot}/%{golibdir}/
for file in $(find . -iname "*.so" ); do
@ -402,16 +449,6 @@ echo "== 4 =="
find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
%endif
echo "== 5 =="
%if %{race}
find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
%endif
find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
@ -420,7 +457,6 @@ echo "== 5 =="
find lib/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
find lib/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
popd
echo "== 6 =="
# remove the doc Makefile
rm -rfv $RPM_BUILD_ROOT%{goroot}/doc/Makefile
@ -435,7 +471,7 @@ mkdir -p $RPM_BUILD_ROOT%{gopath}/src/github.com
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/bitbucket.org
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/code.google.com/p
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/golang.org/x
echo "== 7 =="
# make sure these files exist and point to alternatives
rm -f $RPM_BUILD_ROOT%{_bindir}/go
ln -sf /etc/alternatives/go $RPM_BUILD_ROOT%{_bindir}/go
@ -446,40 +482,74 @@ ln -sf /etc/alternatives/gofmt $RPM_BUILD_ROOT%{_bindir}/gofmt
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d
cp -av %{SOURCE100} $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d/golang.gdb
echo "== END OF INSTALL =="
# prelink blacklist
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d
cp -av %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d/golang.conf
%if %{fips}
# Quick fix for the rhbz#2014704
sed -i 's/const defaultGO_LDSO = `.*`/const defaultGO_LDSO = ``/' $RPM_BUILD_ROOT%{goroot}/src/internal/buildcfg/zbootstrap.go
%endif
%check
echo ">>> check <<<"
export GOROOT=$(pwd -P)
export PATH="$GOROOT"/bin:"$PATH"
cd src
# Add some sanity checks.
echo "GO VERSION:"
go version
echo "GO ENVIRONMENT:"
go env
export CC="gcc"
export CFLAGS="$RPM_OPT_FLAGS"
export LDFLAGS="$RPM_LD_FLAGS"
%if !%{external_linker}
export GO_LDFLAGS="-linkmode internal"
%else
export GO_LDFLAGS="-extldflags '$RPM_LD_FLAGS'"
%endif
%if !%{cgo_enabled} || !%{external_linker}
export CGO_ENABLED=0
%endif
# workaround for https://github.com/golang/go/issues/39466 until it gests fixed
# Commented until the patch is ready, this workaround suggested in the link above
# doesn't work properly
#ifarch aarch64
#export CGO_CFLAGS="-mno-outline-atomics"
#endif
# make sure to not timeout
export GO_TEST_TIMEOUT_SCALE=2
export GO_TEST_RUN=""
%ifarch aarch64
export GO_TEST_RUN="-run=!testshared"
%endif
%if %{fail_on_tests}
./run.bash --no-rebuild -v -v -v -k
./run.bash --no-rebuild -v -v -v -k $go_test_run
%if %{fips}
# tested25519vectors needs network connectivity but it should be cover by
# this test https://pkgs.devel.redhat.com/cgit/tests/golang/tree/regression/internal-testsuite/runtest.sh#n127
# run tests with fips enabled.
export GOLANG_FIPS=1
export OPENSSL_FORCE_FIPS_MODE=1
pushd crypto
# run all crypto tests but skip tls, we will run fips specific tls tests later
go test $(go list ./... | grep -v tls) -v
# check that signature functions have parity between boring and notboring
cgo_enabled=0 go test $(go list ./... | grep -v tls) -v
popd
# run all fips specific tls tests
pushd crypto/tls
go test -v -run "Boring"
popd
%endif
%else
./run.bash --no-rebuild -v -v -v -k || :
%endif
cd ..
%post bin
%{_sbindir}/update-alternatives --install %{_bindir}/go \
go %{goroot}/bin/go 90 \
@ -512,10 +582,12 @@ fi
%dir %{gopath}/src/golang.org
%dir %{gopath}/src/golang.org/x
# gdbinit (for gdb debugging)
%{_sysconfdir}/gdbinit.d
# prelink blacklist
%{_sysconfdir}/prelink.conf.d
%files src -f go-src.list
%files docs -f go-docs.list
@ -534,13 +606,9 @@ fi
%files shared -f go-shared.list
%endif
%if %{race}
%files race -f go-race.list
%endif
%changelog
* Tue Jun 06 2023 Alejandro Sáez <asm@redhat.com> - 1.20.5-1
- Update to go 1.20.5
* Tue Jun 13 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-3
- Add FIPS support for RHEL targets
* Tue May 02 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-1
- Update to go1.20.4

View File

@ -1 +1,2 @@
SHA512 (go1.20.5.src.tar.gz) = 94cecb366cd9d9722b53e52ea3b0a5715a9e9dc21da0273dd3db9354557f71b9501b018125ef073dacc2e59125335f436cea1151cd8df0d60e2ad513f841905c
SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
SHA512 (go1.20.4-3-openssl-fips.tar.gz) = b3c3a61e44e61c0e4feb1c499d194630d0c9466cfd06daf86e523c0b54933f5a63d350dc0eef3f0f38dc30598fb1a636f14812a0d3d56f9673da1b9f373d5513