
@stanpalatnik
Forked from jeesmon/istio-fips-build.sh
Created October 4, 2023 15:33
Istio FIPS Build
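#!/usr/bin/env bash
# Build Istio pilot and proxyv2 images with FIPS-validated crypto:
#   - istio/proxy (Envoy) linked against BoringSSL's FIPS module (bazel --define boringssl=fips)
#   - istio/istio Go binaries built with GOEXPERIMENT=boringcrypto
#
# Usage: ISTIO_VERSION=1.16.1 [PROXY_REPO_SHA=<sha>] ./istio-fips-build.sh
# Requires: git, make, docker (BUILD_WITH_CONTAINER=1 runs the proxy build in
# Istio's build container), objdump. Optionally go, for the boringcrypto check.
set -euo pipefail

# Print a message on stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Istio release tag to build. A tag is a mutable ref; pin a commit instead if
# the build must be reproducible.
ISTIO_VERSION=${ISTIO_VERSION:-1.16.1}
readonly ISTIO_VERSION

# Where istio's build looks for pre-built proxy artifacts, and where the local
# proxy build leaves them.
readonly ARTIFACT_DIR=out/linux_amd64/release
readonly PROXY_OUT=../proxy/out/linux_amd64

#######################################
# Install one locally built proxy artifact under the SHA-suffixed name that
# istio's bin/init.sh checks for, then under the plain name it is consumed as.
# Globals:   ARTIFACT_DIR (read)
# Arguments: $1 - source file
#            $2 - SHA-suffixed destination name
#            $3 - plain destination name
# Returns:   non-zero if either copy fails
#######################################
install_artifact() {
  local src=$1 sha_name=$2 plain_name=$3
  cp -f -- "${src}" "${ARTIFACT_DIR}/${sha_name}"
  cp -f -- "${ARTIFACT_DIR}/${sha_name}" "${ARTIFACT_DIR}/${plain_name}"
}

# ---- istio/proxy (Envoy) ----
git clone https://github.com/istio/proxy.git --depth 1
pushd proxy >/dev/null
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Compile envoy with FIPS: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2
echo "build --define boringssl=fips" >> .bazelrc
BUILD_WITH_CONTAINER=1 make build_wasm build build_envoy exportcache
# Confirm the BoringSSL FIPS module was really linked in: a non-FIPS envoy
# builds just as successfully. grep -c (not -q) reads the whole stream, so
# objdump is not killed by SIGPIPE and misreported as a failure under pipefail.
objdump -t out/linux_amd64/envoy | grep -c BORINGSSL_bcm_text_start >/dev/null \
  || die "envoy was not built against the BoringSSL FIPS module (BORINGSSL_bcm_text_start missing)"
popd >/dev/null

# ---- istio/istio (pilot, proxyv2) ----
git clone https://github.com/istio/istio.git --depth 1
pushd istio >/dev/null
git fetch --tags
git checkout "${ISTIO_VERSION}"
# Pre-built binaries need to be copied with the SHA in the name, otherwise the
# build process downloads them from the GCS bucket instead:
# https://github.com/istio/istio/blob/1.16.1/bin/init.sh#L105
# Populate the git version for istio/proxy (i.e. Envoy) from istio.deps unless
# the caller pinned PROXY_REPO_SHA explicitly.
if [[ -z "${PROXY_REPO_SHA:-}" ]]; then
  PROXY_REPO_SHA=$(grep -A 4 PROXY_REPO_SHA istio.deps | grep lastStableSHA | cut -f 4 -d '"') \
    || die "could not read lastStableSHA for PROXY_REPO_SHA from istio.deps"
fi
# An empty SHA would silently stage files as "envoy-" and the build would fall
# back to downloading upstream (non-FIPS) binaries.
: "${PROXY_REPO_SHA:?PROXY_REPO_SHA is empty}"
readonly PROXY_REPO_SHA
# Copy locally built binaries
mkdir -p "${ARTIFACT_DIR}"
install_artifact "${PROXY_OUT}/envoy" \
  "envoy-${PROXY_REPO_SHA}" envoy
install_artifact "${PROXY_OUT}/stats.wasm" \
  "stats-${PROXY_REPO_SHA}.wasm" stats-filter.wasm
install_artifact "${PROXY_OUT}/stats.compiled.wasm" \
  "stats-${PROXY_REPO_SHA}.compiled.wasm" stats-filter.compiled.wasm
install_artifact "${PROXY_OUT}/metadata_exchange.wasm" \
  "metadata_exchange-${PROXY_REPO_SHA}.wasm" metadata-exchange-filter.wasm
install_artifact "${PROXY_OUT}/metadata_exchange.compiled.wasm" \
  "metadata_exchange-${PROXY_REPO_SHA}.compiled.wasm" metadata-exchange-filter.compiled.wasm
# Patch Makefile to use BoringCrypto: https://github.com/tetratelabs/istio/blob/tetrate-workflow/tetrateci/docs/fips.md
sed -i'' -e 's/GOOS=linux/CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux/' Makefile.core.mk
# sed exits 0 even when nothing matched; make sure the patch actually landed.
grep -q 'GOEXPERIMENT=boringcrypto' Makefile.core.mk \
  || die "failed to patch Makefile.core.mk for boringcrypto"
# Envoy built with BoringSSL requires libc++ installed in the docker image.
# Patch pilot/docker/Dockerfile.proxyv2 to install libc++ right after its
# "FROM ${BASE_DISTRIBUTION" line.
patch_file=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "${patch_file}"' EXIT
cat > "${patch_file}" <<'EOF'
RUN apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y libc++1 \
&& apt-get autoremove -y \
&& apt-get clean \
&& rm -rf /tmp/* /var/tmp/* \
&& rm -rf /var/lib/apt/lists/*
EOF
# The "$" is escaped so sed matches the literal ${BASE_DISTRIBUTION text in the Dockerfile.
sed -i'' "/FROM \${BASE_DISTRIBUTION/r ${patch_file}" pilot/docker/Dockerfile.proxyv2
grep -q 'libc++1' pilot/docker/Dockerfile.proxyv2 \
  || die "failed to patch pilot/docker/Dockerfile.proxyv2 to install libc++"
# Build pilot and proxy
make docker.pilot docker.proxyv2
# Best-effort check that the Go binaries carry the boringcrypto FIPS symbols;
# only runs when a go toolchain and the built pilot-agent are available here.
if command -v go >/dev/null && [[ -f out/linux_amd64/pilot-agent ]]; then
  go tool nm out/linux_amd64/pilot-agent | grep -c _goboringcrypto_FIPS_mode >/dev/null \
    || die "pilot-agent was not built with GOEXPERIMENT=boringcrypto"
fi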
@stanpalatnik

objdump -t envoy | grep -q BORINGSSL_bcm_text_start

@stanpalatnik

stanpalatnik commented Oct 12, 2023

Check out istio/tools:

ISTIO_VERSION=1.18.3
git clone https://github.com/istio/tools.git --depth 1
pushd tools
git fetch --tags
git checkout "${ISTIO_VERSION}"

Apply the following patch:

diff --git a/docker/build-tools/Dockerfile b/docker/build-tools/Dockerfile
index 815fa2d2..5a2e115e 100644
--- a/docker/build-tools/Dockerfile
+++ b/docker/build-tools/Dockerfile
@@ -652,7 +652,7 @@ ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
 # Clang+LLVM
 ##############

-FROM ubuntu:xenial AS clang_context_amd64
+FROM ubuntu:jammy AS clang_context_amd64
 FROM ubuntu:bionic AS clang_context_arm64
 # hadolint ignore=DL3006
 FROM clang_context_${TARGETARCH} AS clang_context
@@ -744,8 +744,8 @@ RUN mv ${BAZELISK_BIN} /usr/local/bin/bazel
 # Final image for proxy
 ########################

-FROM ubuntu:xenial AS build_env_proxy_amd64
-ENV UBUNTU_RELEASE_CODE_NAME=xenial
+FROM ubuntu:jammy AS build_env_proxy_amd64
+ENV UBUNTU_RELEASE_CODE_NAME=jammy
 FROM ubuntu:bionic AS build_env_proxy_arm64
 ENV UBUNTU_RELEASE_CODE_NAME=bionic
 # hadolint ignore=DL3006
@@ -761,8 +761,8 @@ LABEL "io.istio.repo"="https://github.com/istio/tools"
 LABEL "io.istio.version"="${VERSION}"

 # Docker
-ENV DOCKER_VERSION=5:20.10.7~3-0~ubuntu-${UBUNTU_RELEASE_CODE_NAME}
-ENV CONTAINERD_VERSION=1.4.6-1
+ENV DOCKER_VERSION=5:20.10.14~3-0~ubuntu-${UBUNTU_RELEASE_CODE_NAME}
+ENV CONTAINERD_VERSION=1.6.12-1

 # General
 ENV HOME=/home
@@ -865,7 +865,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     cmake \
     libtool \
     ninja-build \
-    python \
+#    python \
     unzip \
     virtualenv
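Review bot: Commenting out `python` in this package list leaves the now jammy-based image without an unversioned `python` executable; on Ubuntu 22.04 the `python` package no longer exists and the interpreter comes from `python3`, with `python-is-python3` providing the bare name. If anything run inside this image invokes `python` unqualified (I cannot tell from the hunk), the line should become `    python-is-python3 \` rather than being dropped. The `RUN apt-get install` instruction this list belongs to starts outside the hunk.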

Build tools:

cd docker/build-tools/
DRY_RUN=true ./build-and-push.sh
cd ../../..

Build proxy:

cd proxy
IMG=gcr.io/istio-testing/build-tools-proxy:release-1.18-latest-amd64 BUILD_WITH_CONTAINER=1 TARGET_OS=linux make build_wasm build build_envoy exportcache

@stanpalatnik

stdout (/home/.cache/bazel/_bazel_root/1e0bb3bee2d09d2e4ad3523530d3b40c/execroot/io_istio_proxy/bazel-out/_tmp/actions/stdout-6186) 1849441 exceeds maximum size of --experimental_ui_max_stdouterr_bytes=1048576 bytes; skipping
Target //:envoy up-to-date:
bazel-bin/envoy
INFO: Elapsed time: 1738.780s, Critical Path: 354.78s
INFO: 7530 processes: 3070 internal, 4460 processwrapper-sandbox.
INFO: Build completed successfully, 7530 total actions
cp: cannot stat '/envoy': No such file or directory
make[1]: *** [Makefile.core.mk:179: exportcache] Error 1
make: *** [Makefile:44: exportcache] Error 2

@stanpalatnik

/socure/tools/docker/proxy% out/linux_amd64/envoy --version

out/linux_amd64/envoy version: b9b6f76dfa98ee923571601e80e8a5a922b3e1a0/1.26.5-dev/Modified/DEBUG/BoringSSL-FIPS

@stanpalatnik

./out/linux_amd64/envoy --version

./out/linux_amd64/envoy version: b9b6f76dfa98ee923571601e80e8a5a922b3e1a0/1.26.5-dev/Modified/DEBUG/BoringSSL-FIPS

objdump -t ./out/linux_amd64/envoy | grep BORINGSSL_bcm_text_start

000000000b877000 l .text 0000000000000000 BORINGSSL_bcm_text_start

@stanpalatnik

docker run --rm -it -v $(pwd)/out/linux_amd64:/out/linux_amd64 gcr.io/istio-testing/build-tools:release-1.18-4287eda8177f959e4cb6a4726bbc65bb5303165b bash

Inside the build-tools container:

cd /out/linux_amd64/

go tool nm pilot-agent | grep FIPS

462b80 t BORINGSSL_FIPS_abort
45ea80 t FIPS_mode_set
45ea90 t FIPS_read_counter
4022a0 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
45ea70 t _goboringcrypto_FIPS_mode
c43220 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
3967090 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
3969660 D crypto/tls.defaultCipherSuitesFIPS
39696e0 D crypto/tls.defaultFIPSCurvePreferences

go tool nm pilot-discovery | grep FIPS

4865b80 t BORINGSSL_FIPS_abort
4861a80 t FIPS_mode_set
4861a90 t FIPS_read_counter
4804be0 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
4861a70 T _goboringcrypto_FIPS_mode
7c1b40 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
7b692f8 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
7b6c400 D crypto/tls.defaultCipherSuitesFIPS
7b6c480 D crypto/tls.defaultFIPSCurvePreferences
9630a0 T crypto/tls.needFIPS
7c1b40 t local.crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
9630a0 t local.crypto/tls.needFIPS
d98400 T crypto/tls.needFIPS

Install fips-detect

go install github.com/acardace/fips-detect@latest

fips-detect pilot-agent

FIPS System Report
Host running in FIPS mode ...No
FIPS-capable crypto library ...No
no crypto libraries have been found The OpenSSL library is not installed
FIPS-capable Go binary ...Yes!

fips-detect pilot-discovery

FIPS System Report
Host running in FIPS mode ...No
FIPS-capable crypto library ...No
no crypto libraries have been found The OpenSSL library is not installed
FIPS-capable Go binary ...Yes!

@stanpalatnik

go tool nm envoy | grep FIPS
b8d5b80 t BORINGSSL_FIPS_abort
b8d1a70 t FIPS_mode
b8d1a80 t FIPS_mode_set
b8d1a90 t FIPS_read_counter

@stanpalatnik

build-tools:/out/linux_amd64# go tool nm pilot-agent | grep FIPS
462b80 t BORINGSSL_FIPS_abort
45ea80 t FIPS_mode_set
45ea90 t FIPS_read_counter
402380 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
45ea70 t _goboringcrypto_FIPS_mode
c317a0 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
3aaa4d0 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
3aad630 D crypto/tls.defaultCipherSuitesFIPS
3aad610 D crypto/tls.defaultFIPSCurvePreferences
d91ca0 T crypto/tls.needFIPS
build-tools:/out/linux_amd64# go tool nm pilot-discovery | grep FIPS
462b80 t BORINGSSL_FIPS_abort
45ea80 t FIPS_mode_set
45ea90 t FIPS_read_counter
4017d0 T _cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
45ea70 t _goboringcrypto_FIPS_mode
90c280 T crypto/internal/boring._Cfunc__goboringcrypto_FIPS_mode.abi0
6772208 D crypto/internal/boring._cgo_d8b1bdd8e714_Cfunc__goboringcrypto_FIPS_mode
6774200 D crypto/tls.defaultCipherSuitesFIPS
67741e0 D crypto/tls.defaultFIPSCurvePreferences
aada00 T crypto/tls.needFIPS

@stanpalatnik

export PATH=/usr/lib/llvm/bin:/usr/local/go/bin:/gobin:/usr/local/google-cloud-sdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin CC=clang CXX=clang++ && bazel build --config=libc++ --config=release //extensions:metadata_exchange.wasm

@stanpalatnik

IMG=gcr.io/istio-testing/build-tools-proxy:release-1.18-latest-amd64 BUILD_WITH_CONTAINER=1 BAZEL_BUILD_ARGS=--config=release TARGET_OS=linux make build

@stanpalatnik

IMG=gcr.io/istio-testing/build-tools-proxy:release-1.18-latest-amd64 BUILD_WITH_CONTAINER=1 BAZEL_BUILD_ARGS=--config=release TARGET_OS=linux make build_wasm build build_envoy exportcache

@stanpalatnik

./out/linux_amd64/envoy --version

./out/linux_amd64/envoy version: b9b6f76dfa98ee923571601e80e8a5a922b3e1a0/1.26.5-dev/Modified/RELEASE/BoringSSL-FIPS

@stanpalatnik

diff --git a/pilot/docker/Dockerfile.proxyv2 b/pilot/docker/Dockerfile.proxyv2
index c8cd04c182..5af894fc54 100644
--- a/pilot/docker/Dockerfile.proxyv2
+++ b/pilot/docker/Dockerfile.proxyv2
@@ -43,3 +43,10 @@ COPY ${TARGETARCH:-amd64}/pilot-agent /usr/local/bin/pilot-agent

The pilot-agent will bootstrap Envoy.

ENTRYPOINT ["/usr/local/bin/pilot-agent"]
+
+COPY --from=debug /lib/x86_64-linux-gnu/libm.so.6 /lib/x86_64-linux-gnu/libm.so.6
+COPY --from=debug /lib/x86_64-linux-gnu/librt.so.1 /lib/x86_64-linux-gnu/librt.so.1
+COPY --from=debug /lib64/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
+COPY --from=debug /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so.2
+COPY --from=debug /lib/x86_64-linux-gnu/libpthread.so.0 /lib/x86_64-linux-gnu/libpthread.so.0
+COPY --from=debug /lib/x86_64-linux-gnu/libc.so.6 /lib/x86_64-linux-gnu/libc.so.6
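Review bot: The added COPY lines hard-code `/lib/x86_64-linux-gnu/...` and `/lib64/ld-linux-x86-64.so.2` while the same Dockerfile selects binaries with `${TARGETARCH:-amd64}` (visible in the hunk header), so an arm64 build of this stage would copy paths that do not exist there. Copying individual glibc files out of the `debug` stage also leaves them untracked by the final image's package database, so image scanners and base-image updates will not cover them, and they must match the glibc the FIPS envoy was linked against. That deserves a comment above the block, e.g. `# glibc copied from the debug stage for the FIPS-built envoy; not dpkg-tracked, so rebuild whenever the debug base gets a libc update`. The `debug` stage and the rest of this Dockerfile are outside the hunk.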

@stanpalatnik

@stanpalatnik

1.18.3:
find . -name envoy
./agent/workspace/istio-build-fips-images/proxy/out/linux_amd64/envoy
./agent/workspace/istio-build-fips-images/istio/istioctl/pkg/writer/envoy
./agent/workspace/istio-build-fips-images/istio/pkg/envoy
./agent/workspace/istio-build-fips-images/istio/pkg/test/envoy
1.19.3:
find . -name envoy
./agent/workspace/istio-build-fips-images/istio/istioctl/pkg/writer/envoy
./agent/workspace/istio-build-fips-images/istio/pkg/envoy
./agent/workspace/istio-build-fips-images/istio/pkg/test/envoy
