Merged
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -100,7 +100,7 @@ ifeq "${FIPS}" "true"
BUILDER_IMAGE=fleet-server-fips-builder:${GO_VERSION}
DOCKER_IMAGE:=docker.elastic.co/fleet-server/fleet-server-fips
STANDALONE_DOCKERFILE=Dockerfile.fips
gobuildtags += requirefips
gobuildtags += requirefips ms_tls13kdf
GOFIPSEXPERIMENT=GOEXPERIMENT=systemcrypto CGO_ENABLED=1
FIPSSUFFIX=-fips
endif
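Review bot: The `gobuildtags += requirefips ms_tls13kdf` line adds a second tag with no comment saying what it enables or why FIPS builds need it. Add a one-line comment above it describing what the tag switches on in the toolchain, so that a later bump of `${GO_VERSION}` does not leave a tag in place that nobody can explain or safely remove.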
6 changes: 3 additions & 3 deletions docs/fips.md
Expand Up @@ -13,7 +13,7 @@ This toolchain must be present for local compilation.

As we are using Microsfot/go as a base we follow their conventions.

The buildtag `requirefips` is passed when FIPS is enabled/required.
The buildtags `requirefips`, and `ms_tls13kdf` are passed when FIPS is enabled/required.
Additionally when compiling `GOEXPERIMENT=systemcrypto` is specified.

The `FIPS=true` env var is used by our Makefile as the indicator that controls FIPS.
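Review bot: The updated sentence "The buildtags `requirefips`, and `ms_tls13kdf` are passed when FIPS is enabled/required." names the new tag but does not say what it does, which is what a reader needs in order to decide whether their own build invocations outside the Makefile must pass it too. Add a short clause describing its effect, drop the comma before "and", and fix "Microsfot/go" two lines above while this paragraph is being touched.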
Expand All @@ -23,8 +23,8 @@ The following make commands have different behaviour when FIPS is enabled:
- `make multipass` - Provision a multipass VM with the Microsoft/go toolchain. See [Multipass VM Usage](#multipass-vm-usage) for additional details.
- `make local` - Compile a fleet-server targetting the machine's GOOS/GOARCH with FIPS enabled
- `make cover-*` - Compile a coverage and fips enabled fleet-server for e2e tests
- `make test-unit` - Run unit tests passing the `requirefips` build tag.
- `make benchmark` - Run benchmarks passing the `requirefips` build tag.
- `make test-unit` - Run unit tests passing the `requirefips`, and `ms_tls13kdf` build tags.
- `make benchmark` - Run benchmarks passing the `requirefips`, and `ms_tls13kdf` build tags.
- `make release-*` - Compile a release binary with FIPS enabled. Will have the name fleet-server-$VERSION-$OS-$ARCH-fips
- `make package-target` - Will package a FIPS enabled release and produce the sha512 checksum for it.
- `make build-releaser` - Will create the fleet-server builder image based on Microsoft's FIPS enabled golang image.
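Review bot: The tag pair is now spelled out in both the `make test-unit` and `make benchmark` bullets as well as in the earlier "buildtags" sentence, so the next tag change has to be made in three places in docs/fips.md and is easy to miss in one of them. Consider listing the tags once and having these bullets refer to "the FIPS build tags"; if the explicit list stays, drop the comma before "and" in both bullets.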
1 change: 1 addition & 0 deletions testing/e2e/fips_test.go
Expand Up @@ -61,6 +61,7 @@ func (suite *FIPSStandAlone) TestVerifyArtifact() {
case "-tags":
foundTags = true
suite.Require().Contains(setting.Value, "requirefips")
suite.Require().Contains(setting.Value, "ms_tls13kdf")
continue
case "GOEXPERIMENT":
foundExperiment = true
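Review bot: The new `suite.Require().Contains(setting.Value, "ms_tls13kdf")` in the `-tags` case is a substring match on the whole settings string, so it would also pass for a differently named tag that merely contains that text. Splitting `setting.Value` into individual tags and asserting on the element would make the check exact; the same applies to the existing `requirefips` assertion above it. A failure message on each `Contains` call stating which tag is missing from the artifact would also make an e2e failure easier to read.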