Build the Go toolchain using allowcryptofallback
#1505
+64
−84
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
qmuntal
force-pushed
the
dev/qmuntal/allowfips
branch
from
da6b804 to
654eb65
Compare
qmuntal
requested review from
a team and
microsoft-golang-review-bot
as code owners
dagood
approved these changes
Jan 17, 2025
| + // or "GOFIPS=1 go run .". | ||
| + // Shadow goexperiment so that the global variable is not modified. | ||
| + goexperiment := goexperiment | ||
| + if !strings.Contains(goexperiment, "allowcryptofallback") { |
There was a problem hiding this comment.
Hmm, wonder if this patch would also let us remove this, to simplify:
go/eng/_util/buildutil/buildutil.go
Lines 89 to 97 in 88aa286
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
allowcryptofallbackcan be used to allow executing the Go toolchain withGOFIPS=1, e.g.GOFIPS=1 go test ., even when the Go toolchain itself is not built withGOEXPERIMENT=systemcrypto.Reusing
allowcryptofallbackallows us to drop patch 7, which was tackling the same issue with a more intrusive and less robust approach: unsettingGOFIPSwhen the runtime was initializing and setting it again every time a child process was spawned.This will help migrating from
GOFIPStoGODEBUG=fips140.These changes uncovered a latent bug in the Go toolchain:
GOFIPSwas not being honored, for a reason that I still not understand, the Go toolchain didn't pass theGOFIPSenv var to child processes. Note that this bug doesn't affect settingGOFIPSin production environments, only when running commands likego test,go run, orgo tool dist test.Now that
GOFIPSactually does something when runninggo tool dist test(which we execute in CI to run all the toolchain tests), Mariner 1 and Mariner 2 builders started to fail (see logs) due to FIPS mode not being enabled (remember that we removed theopenssl.SetFIPS(true)call in #1496, so we no longer enable FIPS mode on demand). To fix this, I've updated the builder scripts so that it enables FIPS mode before running the tests by setting the Mariner/AZL3 specificOPENSSL_FORCE_FIPS_MODEenv var. Note that we already do something similar on Windows, where FIPS mode is enabled by modifying the system registry.For #1445.