Add FIPS support for RHEL targets
This commit is contained in:
parent
4716400a7f
commit
069f0dcbce
2
.gitignore
vendored
2
.gitignore
vendored
@ -133,3 +133,5 @@
|
||||
/go1.20.3.src.tar.gz
|
||||
/go1.20.4.src.tar.gz
|
||||
/go1.20.5.src.tar.gz
|
||||
/go1.20.5-1-openssl-fips.tar.gz
|
||||
/go1.20.4-3-openssl-fips.tar.gz
|
||||
|
3
golang-prelink.conf
Normal file
3
golang-prelink.conf
Normal file
@ -0,0 +1,3 @@
|
||||
# there are ELF files in src which are testdata and shouldn't be modified
|
||||
-b /usr/lib/golang/src
|
||||
-b /usr/lib64/golang/src
|
196
golang.spec
196
golang.spec
@ -38,6 +38,13 @@
|
||||
|
||||
# Golang build options.
|
||||
|
||||
# Disable FIPS by default
|
||||
%global fips 0
|
||||
# Enable FIPS by default in RHEL
|
||||
%if 0%{?rhel}
|
||||
%global fips 1
|
||||
%endif
|
||||
|
||||
# Build golang using external/internal(close to cgo disabled) linking.
|
||||
%ifarch %{ix86} x86_64 ppc64le %{arm} aarch64 s390x
|
||||
%global external_linker 1
|
||||
@ -73,10 +80,6 @@
|
||||
%global shared 0
|
||||
%endif
|
||||
|
||||
# Pre build std lib with -race enabled
|
||||
# Disabled due to 1.20 new cache usage, see 1.20 upstream release notes
|
||||
%global race 0
|
||||
|
||||
# Fedora GOROOT
|
||||
%global goroot /usr/lib/%{name}
|
||||
|
||||
@ -102,15 +105,16 @@
|
||||
%global gohostarch s390x
|
||||
%endif
|
||||
|
||||
# Comment out go_prerelease and go_patch as needed
|
||||
%global go_api 1.20
|
||||
# Use only for prerelease versions
|
||||
#global go_prerelease rc3
|
||||
%global go_patch 5
|
||||
|
||||
%global go_patch 4
|
||||
%global go_version %{go_api}%{?go_patch:.%{go_patch}}%{?go_prerelease:~%{go_prerelease}}
|
||||
%global go_source %{go_api}%{?go_patch:.%{go_patch}}%{?go_prerelease}
|
||||
# Go FIPS package release
|
||||
%global pkg_release 3
|
||||
|
||||
# For rpmdev-bumpspec and releng automation
|
||||
# For rpmdev-bumpspec and releng automation.
|
||||
%global baserelease 1
|
||||
|
||||
Name: golang
|
||||
@ -121,8 +125,16 @@ Summary: The Go Programming Language
|
||||
License: BSD and Public Domain
|
||||
URL: https://go.dev
|
||||
Source0: https://go.dev/dl/go%{go_source}.src.tar.gz
|
||||
# Go's FIPS mode bindings are now provided as a standalone
|
||||
# module instead of in tree. This makes it easier to see
|
||||
# the actual changes vs upstream Go. The module source is
|
||||
# located at https://github.com/golang-fips/openssl-fips,
|
||||
# And pre-genetated patches to set up the module for a given
|
||||
# Go release are located at https://github.com/golang-fips/go.
|
||||
# making a source conditional creates odd behaviors so for now, include FIPS always
|
||||
Source1: https://github.com/golang-fips/go/archive/refs/tags/go%{go_source}-%{pkg_release}-openssl-fips.tar.gz
|
||||
# make possible to override default traceback level at build time by setting build tag rpm_crashtraceback
|
||||
Source1: fedora.go
|
||||
Source2: fedora.go
|
||||
|
||||
# The compiler is written in Go. Needs go(1.4+) compiler for build.
|
||||
%if !%{golang_bootstrap}
|
||||
@ -130,16 +142,34 @@ BuildRequires: gcc-go >= 5
|
||||
%else
|
||||
BuildRequires: golang > 1.4
|
||||
%endif
|
||||
|
||||
# Install hostname(1) or net-tools(1) depending on the OS version
|
||||
%if 0%{?rhel} > 6 || 0%{?fedora} > 0
|
||||
BuildRequires: hostname
|
||||
%else
|
||||
BuildRequires: net-tools
|
||||
%endif
|
||||
# for tests
|
||||
BuildRequires: pcre-devel, glibc-static, perl-interpreter, procps-ng
|
||||
|
||||
# If FIPS is enabled, we need openssl-devel
|
||||
%if %{fips}
|
||||
BuildRequires: openssl-devel
|
||||
%endif
|
||||
|
||||
BuildRequires: pcre-devel, glibc-static
|
||||
|
||||
# For running the tests on Fedora
|
||||
%if 0%{?fedora}
|
||||
BuildRequires: perl-interpreter, procps-ng
|
||||
%endif
|
||||
|
||||
# For running the tests on RHEL
|
||||
%if 0%{?rhel}
|
||||
BuildRequires: perl
|
||||
%endif
|
||||
|
||||
Provides: go = %{version}-%{release}
|
||||
|
||||
%if 0%{?fedora}
|
||||
# Bundled/Vendored provides generated by bundled-deps.sh based on the in tree module data
|
||||
# - in version filed substituted with . per versioning guidelines
|
||||
Provides: bundled(golang(github.com/google/pprof)) = 0.0.0.20221118152302.e6195bd50e26
|
||||
@ -153,6 +183,7 @@ Provides: bundled(golang(golang.org/x/sys)) = 0.3.0
|
||||
Provides: bundled(golang(golang.org/x/term)) = 0.2.0
|
||||
Provides: bundled(golang(golang.org/x/text)) = 0.5.0
|
||||
Provides: bundled(golang(golang.org/x/tools)) = 0.3.1.0.20230118190848.070db2996ebe
|
||||
%endif
|
||||
|
||||
Requires: %{name}-bin = %{version}-%{release}
|
||||
Requires: %{name}-src = %{version}-%{release}
|
||||
@ -171,14 +202,11 @@ Obsoletes: %{name}-data < 1.1.1-4
|
||||
Obsoletes: %{name}-vim < 1.4
|
||||
Obsoletes: emacs-%{name} < 1.4
|
||||
|
||||
# We stopped building the golang-race subpackage, so we need to to maintain the
|
||||
# update path.
|
||||
Obsoletes: golang-race < 1.20~rc3-2
|
||||
|
||||
# These are the only RHEL/Fedora architectures that we compile this package for
|
||||
ExclusiveArch: %{golang_arches}
|
||||
|
||||
Source100: golang-gdbinit
|
||||
Source101: golang-prelink.conf
|
||||
|
||||
%description
|
||||
%{summary}.
|
||||
@ -280,22 +308,35 @@ Summary: Golang shared object libraries
|
||||
%{summary}.
|
||||
%endif
|
||||
|
||||
%if %{race}
|
||||
%package race
|
||||
Summary: Golang std library with -race enabled
|
||||
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description race
|
||||
%{summary}
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n go
|
||||
# Copy fedora.go to ./src/runtime/
|
||||
cp %{SOURCE2} ./src/runtime/
|
||||
|
||||
cp %{SOURCE1} ./src/runtime/
|
||||
# If FIPS is enabled, install the FIPS source
|
||||
%if %{fips}
|
||||
echo "Preparing FIPS patches"
|
||||
pushd ..
|
||||
tar -xf %{SOURCE1}
|
||||
popd
|
||||
# TODO Check here, this is failing due to the external linker flag? maybe, but it's clearly related to that according tho this commit:
|
||||
# https://github.com/golang-fips/go/blob/main/patches/000-initial-setup.patch#L48
|
||||
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/000-initial-setup.patch
|
||||
patch -p1 < ../go-go%{version}-%{pkg_release}-openssl-fips/patches/001-initial-openssl-for-fips.patch
|
||||
|
||||
# Configure crypto tests
|
||||
echo "Configure crypto tests"
|
||||
pushd ../go-go%{version}-%{pkg_release}-openssl-fips
|
||||
ln -s ../go go
|
||||
./scripts/configure-crypto-tests.sh
|
||||
popd
|
||||
%endif
|
||||
|
||||
%build
|
||||
# -x: print commands as they are executed
|
||||
# -e: exit immediately if a command exits with a non-zero status
|
||||
set -xe
|
||||
|
||||
# print out system information
|
||||
uname -a
|
||||
cat /proc/cpuinfo
|
||||
@ -322,12 +363,21 @@ export CC="gcc"
|
||||
export CC_FOR_TARGET="gcc"
|
||||
export GOOS=linux
|
||||
export GOARCH=%{gohostarch}
|
||||
|
||||
DEFAULT_GO_LD_FLAGS=""
|
||||
%if !%{external_linker}
|
||||
export GO_LDFLAGS="-linkmode internal"
|
||||
export GO_LDFLAGS="-linkmode internal $DEFAULT_GO_LD_FLAGS"
|
||||
%else
|
||||
# Only pass a select subset of the external hardening flags. We do not pass along
|
||||
# the default $RPM_LD_FLAGS as on certain arches Go does not fully, correctly support
|
||||
# building in PIE mode.
|
||||
export GO_LDFLAGS="\"-extldflags=-Wl,-z,now,-z,relro\" $DEFAULT_GO_LD_FLAGS"
|
||||
%endif
|
||||
|
||||
%if !%{cgo_enabled}
|
||||
export CGO_ENABLED=0
|
||||
%endif
|
||||
|
||||
./make.bash --no-clean -v
|
||||
popd
|
||||
|
||||
@ -336,12 +386,7 @@ popd
|
||||
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -buildmode=shared -v -x std
|
||||
%endif
|
||||
|
||||
%if %{race}
|
||||
GOROOT=$(pwd) PATH=$(pwd)/bin:$PATH go install -race -v -x std
|
||||
%endif
|
||||
|
||||
%install
|
||||
echo "== 1 =="
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
# remove GC build cache
|
||||
rm -rf pkg/obj/go-build/*
|
||||
@ -354,7 +399,7 @@ mkdir -p $RPM_BUILD_ROOT%{goroot}
|
||||
# https://code.google.com/p/go/issues/detail?id=5830
|
||||
cp -apv api bin doc lib pkg src misc test VERSION \
|
||||
$RPM_BUILD_ROOT%{goroot}
|
||||
echo "== 2 =="
|
||||
|
||||
# bz1099206
|
||||
find $RPM_BUILD_ROOT%{goroot}/src -exec touch -r $RPM_BUILD_ROOT%{goroot}/VERSION "{}" \;
|
||||
# and level out all the built archives
|
||||
@ -371,8 +416,11 @@ docs_list=$cwd/go-docs.list
|
||||
tests_list=$cwd/go-tests.list
|
||||
rm -f $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
|
||||
touch $src_list $pkg_list $docs_list $misc_list $tests_list $shared_list $race_list
|
||||
|
||||
##################
|
||||
# Register files #
|
||||
##################
|
||||
pushd $RPM_BUILD_ROOT%{goroot}
|
||||
echo "== 3 =="
|
||||
find src/ -type d -a \( ! -name testdata -a ! -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $src_list
|
||||
find src/ ! -type d -a \( ! -ipath '*/testdata/*' -a ! -name '*_test.go' \) -printf '%{goroot}/%p\n' >> $src_list
|
||||
|
||||
@ -386,7 +434,6 @@ pushd $RPM_BUILD_ROOT%{goroot}
|
||||
find misc/ ! -type d -printf '%{goroot}/%p\n' >> $misc_list
|
||||
|
||||
%if %{shared}
|
||||
echo "== 4 =="
|
||||
mkdir -p %{buildroot}/%{_libdir}/
|
||||
mkdir -p %{buildroot}/%{golibdir}/
|
||||
for file in $(find . -iname "*.so" ); do
|
||||
@ -402,16 +449,6 @@ echo "== 4 =="
|
||||
find pkg/*_dynlink/ -type d -printf '%%%dir %{goroot}/%p\n' >> $shared_list
|
||||
find pkg/*_dynlink/ ! -type d -printf '%{goroot}/%p\n' >> $shared_list
|
||||
%endif
|
||||
|
||||
echo "== 5 =="
|
||||
|
||||
%if %{race}
|
||||
|
||||
find pkg/*_race/ -type d -printf '%%%dir %{goroot}/%p\n' >> $race_list
|
||||
find pkg/*_race/ ! -type d -printf '%{goroot}/%p\n' >> $race_list
|
||||
|
||||
%endif
|
||||
|
||||
find test/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
|
||||
find test/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
|
||||
find src/ -type d -a \( -name testdata -o -ipath '*/testdata/*' \) -printf '%%%dir %{goroot}/%p\n' >> $tests_list
|
||||
@ -420,7 +457,6 @@ echo "== 5 =="
|
||||
find lib/ -type d -printf '%%%dir %{goroot}/%p\n' >> $tests_list
|
||||
find lib/ ! -type d -printf '%{goroot}/%p\n' >> $tests_list
|
||||
popd
|
||||
echo "== 6 =="
|
||||
# remove the doc Makefile
|
||||
rm -rfv $RPM_BUILD_ROOT%{goroot}/doc/Makefile
|
||||
|
||||
@ -435,7 +471,7 @@ mkdir -p $RPM_BUILD_ROOT%{gopath}/src/github.com
|
||||
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/bitbucket.org
|
||||
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/code.google.com/p
|
||||
mkdir -p $RPM_BUILD_ROOT%{gopath}/src/golang.org/x
|
||||
echo "== 7 =="
|
||||
|
||||
# make sure these files exist and point to alternatives
|
||||
rm -f $RPM_BUILD_ROOT%{_bindir}/go
|
||||
ln -sf /etc/alternatives/go $RPM_BUILD_ROOT%{_bindir}/go
|
||||
@ -446,40 +482,74 @@ ln -sf /etc/alternatives/gofmt $RPM_BUILD_ROOT%{_bindir}/gofmt
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d
|
||||
cp -av %{SOURCE100} $RPM_BUILD_ROOT%{_sysconfdir}/gdbinit.d/golang.gdb
|
||||
|
||||
echo "== END OF INSTALL =="
|
||||
# prelink blacklist
|
||||
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d
|
||||
cp -av %{SOURCE101} $RPM_BUILD_ROOT%{_sysconfdir}/prelink.conf.d/golang.conf
|
||||
|
||||
%if %{fips}
|
||||
# Quick fix for the rhbz#2014704
|
||||
sed -i 's/const defaultGO_LDSO = `.*`/const defaultGO_LDSO = ``/' $RPM_BUILD_ROOT%{goroot}/src/internal/buildcfg/zbootstrap.go
|
||||
%endif
|
||||
|
||||
%check
|
||||
echo ">>> check <<<"
|
||||
export GOROOT=$(pwd -P)
|
||||
export PATH="$GOROOT"/bin:"$PATH"
|
||||
cd src
|
||||
|
||||
# Add some sanity checks.
|
||||
echo "GO VERSION:"
|
||||
go version
|
||||
|
||||
echo "GO ENVIRONMENT:"
|
||||
go env
|
||||
|
||||
export CC="gcc"
|
||||
export CFLAGS="$RPM_OPT_FLAGS"
|
||||
export LDFLAGS="$RPM_LD_FLAGS"
|
||||
%if !%{external_linker}
|
||||
export GO_LDFLAGS="-linkmode internal"
|
||||
%else
|
||||
export GO_LDFLAGS="-extldflags '$RPM_LD_FLAGS'"
|
||||
%endif
|
||||
%if !%{cgo_enabled} || !%{external_linker}
|
||||
export CGO_ENABLED=0
|
||||
%endif
|
||||
# workaround for https://github.com/golang/go/issues/39466 until it gests fixed
|
||||
# Commented until the patch is ready, this workaround suggested in the link above
|
||||
# doesn't work properly
|
||||
#ifarch aarch64
|
||||
#export CGO_CFLAGS="-mno-outline-atomics"
|
||||
#endif
|
||||
|
||||
# make sure to not timeout
|
||||
export GO_TEST_TIMEOUT_SCALE=2
|
||||
|
||||
export GO_TEST_RUN=""
|
||||
%ifarch aarch64
|
||||
export GO_TEST_RUN="-run=!testshared"
|
||||
%endif
|
||||
|
||||
%if %{fail_on_tests}
|
||||
./run.bash --no-rebuild -v -v -v -k
|
||||
./run.bash --no-rebuild -v -v -v -k $go_test_run
|
||||
|
||||
%if %{fips}
|
||||
# tested25519vectors needs network connectivity but it should be cover by
|
||||
# this test https://pkgs.devel.redhat.com/cgit/tests/golang/tree/regression/internal-testsuite/runtest.sh#n127
|
||||
|
||||
# run tests with fips enabled.
|
||||
export GOLANG_FIPS=1
|
||||
export OPENSSL_FORCE_FIPS_MODE=1
|
||||
pushd crypto
|
||||
# run all crypto tests but skip tls, we will run fips specific tls tests later
|
||||
go test $(go list ./... | grep -v tls) -v
|
||||
# check that signature functions have parity between boring and notboring
|
||||
cgo_enabled=0 go test $(go list ./... | grep -v tls) -v
|
||||
popd
|
||||
# run all fips specific tls tests
|
||||
pushd crypto/tls
|
||||
go test -v -run "Boring"
|
||||
popd
|
||||
%endif
|
||||
%else
|
||||
./run.bash --no-rebuild -v -v -v -k || :
|
||||
./run.bash --no-rebuild -v -v -v -k || :
|
||||
%endif
|
||||
cd ..
|
||||
|
||||
|
||||
%post bin
|
||||
%{_sbindir}/update-alternatives --install %{_bindir}/go \
|
||||
go %{goroot}/bin/go 90 \
|
||||
@ -512,10 +582,12 @@ fi
|
||||
%dir %{gopath}/src/golang.org
|
||||
%dir %{gopath}/src/golang.org/x
|
||||
|
||||
|
||||
# gdbinit (for gdb debugging)
|
||||
%{_sysconfdir}/gdbinit.d
|
||||
|
||||
# prelink blacklist
|
||||
%{_sysconfdir}/prelink.conf.d
|
||||
|
||||
%files src -f go-src.list
|
||||
|
||||
%files docs -f go-docs.list
|
||||
@ -534,13 +606,9 @@ fi
|
||||
%files shared -f go-shared.list
|
||||
%endif
|
||||
|
||||
%if %{race}
|
||||
%files race -f go-race.list
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jun 06 2023 Alejandro Sáez <asm@redhat.com> - 1.20.5-1
|
||||
- Update to go 1.20.5
|
||||
* Tue Jun 13 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-3
|
||||
- Add FIPS support for RHEL targets
|
||||
|
||||
* Tue May 02 2023 Alejandro Sáez <asm@redhat.com> - 1.20.4-1
|
||||
- Update to go1.20.4
|
||||
|
3
sources
3
sources
@ -1 +1,2 @@
|
||||
SHA512 (go1.20.5.src.tar.gz) = 94cecb366cd9d9722b53e52ea3b0a5715a9e9dc21da0273dd3db9354557f71b9501b018125ef073dacc2e59125335f436cea1151cd8df0d60e2ad513f841905c
|
||||
SHA512 (go1.20.4.src.tar.gz) = 43898325bab48c24e533f360a2c7de356a8a56946602e727b5bcd4a62ff4f64fd750e2650032f7e0525b0699e40e506d79446e16838f097e6bdc2a16f10d81be
|
||||
SHA512 (go1.20.4-3-openssl-fips.tar.gz) = b3c3a61e44e61c0e4feb1c499d194630d0c9466cfd06daf86e523c0b54933f5a63d350dc0eef3f0f38dc30598fb1a636f14812a0d3d56f9673da1b9f373d5513
|
||||
|
Loading…
Reference in New Issue
Block a user