CBL-Mariner: the `fips` compiler does not support `CGO_ENABLED=0`

[mfrw]

What did we do ?

• Used the fips compliant go compiler on CBL-Mariner as a drop in replacement for the upstream compiler.
• Used the defaults that Mariner has been using CGO_ENABLED=0

How did we build the fips compiler ?

• Bootstrapped using upstream go1.4
• Once the bootstrap was built we did a normal build as : [e.g. for go1.18.0]

echo 'go1.18.0-1-fips' > VERSION
pushd src
./make.bash --no-clean
popd

What Happened ?

• The compiler threw an error [e.g. the first few lines for building moby-buildx]

export CGO_ENABLED=0"                                                                                                                                                                                                                                                          
CGO_ENABLED=0"                                                                                                                                                                                                                                                                 
go build -mod=vendor -ldflags '-X version.Version=0.7.1 -X version.Revision=05846896d149da05f3d6fd1e7770da187b52a247 -X version.Package=github.com/docker/buildx' -o buildx ./cmd/buildx"                                                                                      
package github.com/docker/buildx/cmd/buildx"                                                                                                                                                                                                                                   
imports github.com/docker/buildx/commands"                                                                                                                                                                                                                                     
imports github.com/docker/buildx/bake"                                                                                                                                                                                                                                         
imports github.com/compose-spec/compose-go/loader"                                                                                                                                                                                                                             
imports github.com/compose-spec/compose-go/schema"                                                                                                                                                                                                                             
imports github.com/xeipuuv/gojsonschema"                                                                                                                                                                                                                                       
imports net/http"                                                                                                                                                                                                                                                              
imports crypto/rand"                                                                                                                                                                                                                                                           
imports crypto/aes"                                                                                                                                                                                                                                                            
imports crypto/internal/backend"                                                                                                                                                                                                                                               
imports github.com/microsoft/go-crypto-openssl/openssl: build constraints exclude all Go files in /usr/lib/golang/src/vendor/github.com/microsoft/go-crypto-openssl/openssl"

What did we expect ?

• The compiler works as a drop in replacement for the upstream compiler.
• Are we missing anything ?

Related Issues/PRs:

• [RFC] golang: switch to microsoft/go & bump version to 1.18.0 azurelinux#2545
• [RFC] golang: switch to microsoft/go & bump version to 1.16.15 azurelinux#2507

[qmuntal]

This is a a design limitation. OpenSSL functions are loaded at runtime using dlopen and dlsym, and to do so we need cgo heavy lifting.

There is a proposal to make those functions work without cgo, but the chances of it getting implemented in the near future are next to zero due to technical limitations.

[dagood]

The compile error is now fixed in this new set of releases:

• https://github.com/microsoft/go/releases/tag/v1.16.15-2-fips
• https://github.com/microsoft/go/releases/tag/v1.17.8-2-fips
• https://github.com/microsoft/go/releases/tag/v1.18.0-2-fips

However, this doesn't make it so Go will produce FIPS-compatible code when the Go toolset was built without cgo enabled. As noted, that is not possible with the current design: cgo must be enabled to produce build FIPS-compatible apps. The fix just allows the Go standard library crypto fallback to work in this case.

We are tracking another change that will make sure Go will panic if someone tries to enable FIPS mode in this situation, rather than potentially let someone think they're running FIPS-compatible code when they really aren't:

• Panic if cgo disabled and FIPS requested CGO_ENABLED=0 and GOFIPS=1 #494

---

Is this issue asking to fix the compile error, or to make FIPS compatibility not require cgo? (The title and description of the issue don't seem to me like they quite match up. The title seems to be asking for the latter.)

If it's requesting that FIPS compatibility shouldn't require cgo, can you explain why enabling cgo isn't reasonable for CBL-Mariner's build of Go?

[mfrw]

However, this doesn't make it so Go will produce FIPS-compatible code when the Go toolset was built without cgo enabled. As noted, that is not possible with the current design: cgo must be enabled to produce build FIPS-compatible apps. The fix just allows the Go standard library crypto fallback to work in this case.

I think I should apologise for my wording of the issue. I should have written compiler panics instead of support

Is this issue asking to fix the compile error, or to make FIPS compatibility not require cgo? (The title and description of the issue don't seem to me like they quite match up. The title seems to be asking for the latter.)

Yes!, It is asking to fix the compiler error. I only wanted to point out that, using CGO_ENABLED=0 should not panic, instead fall back to gocrypt :)
I completely understand, having FIPS would mean CGO_ENABLED=1 as it has to do a lot of cgo heavy lifting.

If it's requesting that FIPS compatibility shouldn't require cgo, can you explain why enabling cgo isn't reasonable for CBL-Mariner's build of Go?

No!, Absolutely not. It is not asking for FIPS compatibility should not require CGO :)

Thanks for the prompt response. I think we can close the issue.