8000 Add 2024 FIPS and fix build issues on older arm FIPS by torben-hansen · Pull Request #1920 · aws/aws-lc · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Add 2024 FIPS and fix build issues on older arm FIPS #1920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 16, 2024
Merged

Add 2024 FIPS and fix build issues on older arm FIPS #1920

merged 3 commits into from
Oct 16, 2024

Conversation

torben-hansen
Copy link
Contributor
@torben-hansen torben-hansen commented Oct 16, 2024
edited
Loading

Issues:

P162016551

Description of changes:

Firstly, when building multiple versions of bssl using the main branch as the base, builds on Arm will fail when using older versions of AWS-LC e.g. FIPS 2021 from the 2021 FIPS branch. The reason is that an internal header file [...]/cpucap/nternal.h is included into the compilation unit by #include "...". The gcc search path will then, irrespective of any user-specified search paths via -I, pick up the main branch header files. This include identifiers such as ARMV8_NEOVERSE_V2. But the definition of this identifier is in arm_arch.h, which is transitively included into the compilation unit via #include <..> directives. The search path for these DO follow the user-specified search path from -I (at least on GCC) and use e.g. the FIPS 2021 include file version of arm_arch.h that does not have the identifier defined. The result of this are build errors. For example, from one of the performance canary hosts:

/home/ec2-user/canary/src-AWS-LC/tool/../crypto/fipsmodule/cpucap/internal.h:245:32: error: use of undeclared identifier 'ARMV8_NEOVERSE_V2'
           (OPENSSL_armcap_P & ARMV8_NEOVERSE_V2) != 0 ||
                               ^

[...]

/home/ec2-user/canary/src-AWS-LC/tool/../crypto/fipsmodule/cpucap/internal.h:257:18: error: use of undeclared identifier 'ARMV8_DIT_ALLOWED'
    (ARMV8_DIT | ARMV8_DIT_ALLOWED);
                 ^
8 errors generated.

The pattern of adding internal header files to a consuming application that is going to be build with multiple old version of the library is not ideal, because one can hit these hidden incompatibilities that. But now it's a bit rusted-in and it's not apparent to me if there is a much easier way to organise it currently. Leaving that as an open question and simply fix by guarding the inclusion for now.

Secondly, the reason this even escaped as a bug, is that the CI doesn't test the special multiple-build of bssl with other library sources on Arm. We only test on x86_64. The above is purely an Arm-specific bug because for som reason there is a special Arm header file(?). I added an Arm stanza to the Arm omnibus config file that will execute the relevant test script. However, this needs to be deployed before taking effect. (EDIT: no, actually not...)

Thirdly, the LD_LIBRARY_PATH option was incorrect for aws-lc-fips-2022, when testing the executable. But, in fact, this doesn't actually matter for bssl, because DT_RPATH is set in the resulting executables, e.g.:

$ readelf -d aws-lc-fips-2022 | grep RPATH                       
 0x000000000000000f (RPATH)              Library rpath: [/home/benchmark-scratch/libcrypto_install_dir/aws-lc-fips-2022-11-02/lib64]

When resolving the dynamic dependency at load-time, DT_RPATH takes precedence over LD_LIBRARY_PATH. As an example, trying to resolve to another library version still resolve to DT_RPATH from the executable:

$ LD_LIBRARY_PATH=/home/benchmark-scratch/libcrypto_install_dir/aws-lc-fips-2024-09-27/lib64 ldd aws-lc-fips-2022 
        libcrypto.so => /home/benchmark-scratch/libcrypto_install_dir/aws-lc-fips-2022-11-02/lib64/libcrypto.so (0x0000ffffb050d000)
[...]

Finally, added the new FIPS 2024 prospective branch to the test cases.

Testing:

I tested the changes to the speed tool locally to ensure that build errors are resolved.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@torben-hansen torben-hansen requested a review from a team as a code owner October 16, 2024 16:36
@codecov-commenter
Copy link
codecov-commenter commented Oct 16, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.54%. Comparing base (7ff9840) to head (4dca78f).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1920      +/-   ##
==========================================
+ Coverage   78.53%   78.54%   +0.01%     
==========================================
  Files         585      585              
  Lines       99783    99803      +20     
  Branches    14283    14286       +3     
==========================================
+ Hits        78362    78395      +33     
+ Misses      20785    20774      -11     
+ Partials      636      634       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@torben-hansen torben-hansen enabled auto-merge (squash) October 16, 2024 18:08
@torben-hansen torben-hansen merged commit 5afcb95 into aws:main Oct 16, 2024
112 of 115 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuel40791765 samuel40791765 samuel40791765 approved these changes

@andrewhop andrewhop andrewhop approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@torben-hansen @codecov-commenter @samuel40791765 @andrewhop
0