Unverified Commit eef109e7 authored by rorosen's avatar rorosen Committed by GitHub

rke2: build with goboring library (#393009)

Use the FIPS Compatible boringcrypto Go compiler. This version of Go
replaces the standard Go crypto libraries with the FIPS validated
BoringCrypto module. Using a validated compiler is a requirement for
FIPS 140-2 Enablement of the RKE2 package.
parent 163a6be7
+11 −0
@@ -74,6 +74,9 @@ let
      lvm2 # dmsetup
    ];

    # Passing boringcrypto to GOEXPERIMENT variable to build with goboring library
    GOEXPERIMENT = "boringcrypto";

    # See: https://github.com/rancher/rke2/blob/e7f87c6dd56fdd76a7dab58900aeea8946b2c008/scripts/build-binary#L27-L38
    ldflags = [
      "-w"
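Review bot: The comment above `GOEXPERIMENT = "boringcrypto";` restates the assignment and leaves out the condition that makes the setting effective. As far as I know, the Go toolchain links BoringCrypto only in cgo-enabled linux/amd64 and linux/arm64 builds and otherwise compiles its standard crypto packages without any error, so a cgo or platform change elsewhere in this derivation would silently yield a binary without BoringCrypto. I would word the comment as `# Build against BoringCrypto (needs cgo; linux amd64/arm64 only, otherwise Go silently falls back to its standard crypto)` and point to the install check that guards it. The enclosing attribute set starts and ends outside the hunk, so whether cgo is enabled for this build is not visible here.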
@@ -120,6 +123,14 @@ let

    doCheck = false;

    doInstallCheck = true;
    installCheckPhase = ''
      runHook preInstallCheck
      # Verify that the binary uses BoringCrypto
      go tool nm $out/bin/.rke2-wrapped | grep '_Cfunc__goboringcrypto_' > /dev/null
      runHook postInstallCheck
    '';

    passthru = {
      inherit updateScript;
      tests =
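Review bot: When the symbol is missing, the `grep` in `installCheckPhase` fails the build with a bare non-zero exit and no explanation, and `$out` is left unquoted. I would change the line to `go tool nm "$out/bin/.rke2-wrapped" | grep '_Cfunc__goboringcrypto_' > /dev/null || { echo "rke2 binary is not linked against BoringCrypto" >&2; exit 1; }`. The check also shows only that this one binary links BoringCrypto symbols, not that the package is FIPS validated or that any other shipped binary uses the module, so the comment could read `# Link-time check: BoringCrypto symbols present in the rke2 binary (not a FIPS validation)`. It presumably depends on the symbol table surviving the `ldflags`, whose full list lies outside the hunk.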