fips: Make build bazel hermetic

.bazelrc

@@ -219,6 +219,7 @@ build:libc++ --action_env=BAZEL_CXXOPTS=-stdlib=libc++
 build:libc++ --action_env=BAZEL_LINKLIBS=-l%:libc++.a:-l%:libc++abi.a
 build:libc++ --action_env=BAZEL_LINKOPTS=-lm:-pthread
 build:libc++ --define force_libcpp=enabled
+build:libc++ --//bazel:libc++=true
 build:clang-libc++ --config=libc++
 build:clang-libc++ --action_env=ARFLAGS=r
 build:arm64-clang-libc++ --config=clang-libc++

bazel/BUILD

@@ -785,6 +785,14 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "engflow_rbe_aarch64",
+    match_all = [
+        ":engflow_rbe",
+        ":linux_aarch64",
+    ],
+)
+
 selects.config_setting_group(
     name = "apple",
     match_any = [
@@ -1073,3 +1081,15 @@ config_setting(
         ":enable_liburing": "True",
     },
 )
+
+bool_flag(
+    name = "libc++",
+    build_setting_default = False,
+)
+
+config_setting(
+    name = "libc++_enabled",
+    flag_values = {
+        ":libc++": "True",
+    },
+)

bazel/external/boringssl_fips.BUILD

@@ -1,5 +1,33 @@
+load("@envoy//bazel/external:fips_build.bzl", "boringssl_fips_build_command", "ninja_build_command")
+load("@rules_cc//cc:cc_library.bzl", "cc_library")
+
 licenses(["notice"])  # Apache 2
 
+# BoringSSL build as described in the Security Policy for BoringCrypto module "update stream":
+# https://boringssl.googlesource.com/boringssl/+/refs/heads/main/crypto/fipsmodule/FIPS.md#update-stream
+
+FIPS_GO_VERSION = "go1.24.2"
+
+FIPS_NINJA_VERSION = "1.10.2"
+
+FIPS_CMAKE_VERSION = "cmake version 3.22.1"
+
+SUPPORTED_ARCHES = {
+    "x86_64": "amd64",
+    "aarch64": "arm64",
+}
+
+STDLIBS = [
+    "libc++",
+    "libstdc++",
+]
+
+# marker for dir
+filegroup(
+    name = "crypto_marker",
+    srcs = ["crypto/crypto.cc"],
+)
+
 cc_library(
     name = "crypto",
     srcs = [
@@ -21,13 +49,65 @@ cc_library(
     deps = [":crypto"],
 )
 
+genrule(
+    name = "ninja_bin",
+    srcs = [
+        "@fips_ninja//:all",
+        "@fips_ninja//:configure.py",
+    ],
+    outs = ["ninja"],
+    cmd = select(ninja_build_command()),
+    toolchains = [
+        "@rules_python//python:current_py_toolchain",
+        "@bazel_tools//tools/cpp:current_cc_toolchain",
+    ],
+    tools = [
+        "@bazel_tools//tools/cpp:current_cc_toolchain",
+        "@rules_python//python:current_py_toolchain",
+    ],
+)
+
 genrule(
     name = "build",
-    srcs = glob(["**"]),
+    srcs = glob(["**"]) + ["crypto_marker"],
     outs = [
         "crypto/libcrypto.a",
         "ssl/libssl.a",
     ],
-    cmd = "$(location {}) $(location crypto/libcrypto.a) $(location ssl/libssl.a)".format("@envoy//bazel/external:boringssl_fips.genrule_cmd"),
-    tools = ["@envoy//bazel/external:boringssl_fips.genrule_cmd"],
+    cmd = select(boringssl_fips_build_command(
+        SUPPORTED_ARCHES,
+        STDLIBS,
+        FIPS_GO_VERSION,
+        FIPS_NINJA_VERSION,
+        FIPS_CMAKE_VERSION,
+    )),
+    exec_properties = select({
+        "@envoy//bazel:engflow_rbe_x86_64": {
+            "Pool": "linux_x64_large",
+        },
+        "@envoy//bazel:engflow_rbe_aarch64": {
+            "Pool": "linux_arm64_small",
+        },
+        "//conditions:default": {},
+    }),
+    toolchains = ["@bazel_tools//tools/cpp:current_cc_toolchain"],
+    tools = [
+        ":ninja_bin",
+        "@bazel_tools//tools/cpp:current_cc_toolchain",
+        "@envoy//bazel/external:boringssl_fips.genrule_cmd",
+    ] + select({
+        "@platforms//cpu:x86_64": [
+            "@fips_cmake_linux_x86_64//:all",
+            "@fips_cmake_linux_x86_64//:bin/cmake",
+            "@fips_go_linux_amd64//:all",
+            "@fips_go_linux_amd64//:bin/go",
+        ],
+        "@platforms//cpu:aarch64": [
+            "@fips_cmake_linux_aarch64//:all",
+            "@fips_cmake_linux_aarch64//:bin/cmake",
+            "@fips_go_linux_arm64//:all",
+            "@fips_go_linux_arm64//:bin/go",
+        ],
+        "//conditions:default": [],
+    }),
 )

bazel/external/boringssl_fips.genrule_cmd

@@ -2,123 +2,115 @@
 
 set -eo pipefail
 
-export CXXFLAGS=''
-export LDFLAGS=''
-
 # BoringSSL build as described in the Security Policy for BoringCrypto module "update stream":
 # https://boringssl.googlesource.com/boringssl/+/refs/heads/main/crypto/fipsmodule/FIPS.md#update-stream
 
-OS=`uname`
-ARCH=`uname -m`
+OS=$(uname)
+ARCH=$(uname -m)
 # This works only on Linux-x86_64 and Linux-aarch64.
 if [[ "$OS" != "Linux" || ("$ARCH" != "x86_64" && "$ARCH" != "aarch64") ]]; then
-  echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64."
-  exit 1
-fi
-
-
-# Bazel magic.
-# ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/..
-ROOT=./external/boringssl_fips
-pushd "$ROOT"
-export HOME="$PWD"
-
-# The security policy recommends using the recent compiler versions:
-# "The latest stable versions of Clang, Go, Ninja, and CMake should be used".
-# This build makes use of the same LLVM toolchain as the rest of Envoy.
-
-# Override $PATH for build tools, to avoid picking up anything else.
-export PATH="/usr/bin:/bin:/opt/llvm/bin"
-
-printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
-
-# Go: requires minimum 1.22.
-VERSION=1.24.2
-if [[ "$ARCH" == "x86_64" ]]; then
-  PLATFORM="linux-amd64"
-  SHA256=68097bd680839cbc9d464a0edce4f7c333975e27a90246890e9f1078c7e702ad
-else
-  PLATFORM="linux-arm64"
-  SHA256=756274ea4b68fa5535eb9fe2559889287d725a8da63c6aae4d5f23778c229f4b
+    echo "ERROR: BoringSSL FIPS is currently supported only on Linux-x86_64 and Linux-aarch64." >&2
+    echo "  found: $OS-$ARCH" >&2
+    exit 1
 fi
 
-curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
-  && echo "$SHA256" go"$VERSION"."$PLATFORM".tar.gz | sha256sum --check
-tar xf go"$VERSION"."$PLATFORM".tar.gz --no-same-owner
-
-export GOPATH="$PWD/gopath"
-export GOROOT="$PWD/go"
-export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
-
-if [[ `go version | awk '{print $3}'` != "go$VERSION" ]]; then
-  echo "ERROR: Go version doesn't match."
-  exit 1
+if [[ -z "$CRYPTO_OUT" ]]; then
+    echo "ERROR: CRYPTO_OUT not set for crypto lib path." >&2
+    exit
 fi
 
-# Go tests use go:embed directives which fail to compile in a Bazel sandbox because Go refuses to embed symlinks.
-# (see issue https://github.com/golang/go/issues/59924). As a workaround, replace symlinks with the file copies.
-for pem in $(ls ssl/test/runner/*.pem);
-  do cp --dereference ${pem} tmp.pem; cp --remove-destination tmp.pem ${pem}; rm tmp.pem;
-done
-for testdata in $(ls ssl/test/runner/hpke/testdata/*.json);
-  do cp --dereference ${testdata} tmp.json; cp --remove-destination tmp.json ${testdata}; rm tmp.json;
-done
-
-# Ninja
-VERSION=1.10.2
-SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
-curl -sLO https://github.com/ninja-build/ninja/archive/refs/tags/v"$VERSION".tar.gz \
-  && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check
-tar -xvf v"$VERSION".tar.gz --no-same-owner
-cd ninja-"$VERSION"
-python3 ./configure.py --bootstrap
-
-export PATH="$PWD:$PATH"
-
-if [[ `ninja --version` != "$VERSION" ]]; then
-  echo "ERROR: Ninja version doesn't match."
-  exit 1
-fi
-cd ..
-
-# CMake
-VERSION=3.22.1
-if [[ "$ARCH" == "x86_64" ]]; then
-  PLATFORM="linux-x86_64"
-  SHA256=73565c72355c6652e9db149249af36bcab44d9d478c5546fd926e69ad6b43640
-else
-  PLATFORM="linux-aarch64"
-  SHA256=601443375aa1a48a1a076bda7e3cca73af88400463e166fffc3e1da3ce03540b
-fi
-
-curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
-  && echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check
-tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz --no-same-owner
-
-export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"
-
-if [[ `cmake --version | head -n1` != "cmake version $VERSION" ]]; then
-  echo "ERROR: CMake version doesn't match."
-  exit 1
-fi
-
-# Clean after previous build.
-rm -rf build
-
-# Build BoringSSL.
-# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
-# because the FIPS module itself is already built with -fPIC.
-mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
-ninja
-ninja run_tests
-
-# Verify correctness of the FIPS build.
-if [[ `./bssl isfips` != "1" ]]; then
-  echo "ERROR: BoringSSL tool didn't report FIPS build."
-  exit 1
+if [[ -z "$SSL_OUT" ]]; then
+    echo "ERROR: SSL_OUT not set for ssl lib path." >&2
+    exit
 fi
 
-# Move compiled libraries to the expected destinations.
-popd
-mv $ROOT/build/libcrypto.a $1
-mv $ROOT/build/libssl.a $2
+validate_go() {
+    GO_VERSION=$(go version | awk '{print $3}')
+    if [[ "$GO_VERSION" != "$EXPECTED_GO_VERSION" ]]; then
+        echo "ERROR: Go version doesn't match." >&2
+        echo "  expected: $EXPECTED_GO_VERSION" >&2
+        echo "  found: $GO_VERSION" >&2
+        return 1
+    fi
+}
+
+validate_ninja() {
+    NINJA_VERSION=$(ninja --version)
+    if [[ "$NINJA_VERSION" != "$EXPECTED_NINJA_VERSION" ]]; then
+        echo "ERROR: Ninja version doesn't match." >&2
+        echo "  expected: $EXPECTED_NINJA_VERSION" >&2
+        echo "  found: $NINJA_VERSION" >&2
+        return 1
+    fi
+}
+
+validate_cmake() {
+    CMAKE_VERSION=$(cmake --version | head -n1)
+    if [[ "$CMAKE_VERSION" != "$EXPECTED_CMAKE_VERSION" ]]; then
+        echo "ERROR: CMake version doesn't match." >&2
+        echo "  expected: $EXPECTED_CMAKE_VERSION" >&2
+        echo "  found: $CMAKE_VERSION" >&2
+        return 1
+    fi
+}
+
+build_boringssl_fips() {
+    cd "$BSSL_SRC" || exit 1
+    export HOME="${BSSL_SRC}"
+
+    # The security policy recommends using the recent compiler versions:
+    # "The latest stable versions of Clang, Go, Ninja, and CMake should be used".
+    # This build makes use of the same LLVM toolchain as the rest of Envoy.
+    printf "set(CMAKE_C_COMPILER \"${CC}\")\nset(CMAKE_CXX_COMPILER \"${CC}\")\n" > "${BSSL_SRC}/toolchain"
+
+    # Go tests use go:embed directives which fail to compile in a Bazel sandbox because Go refuses to embed symlinks.
+    # (see issue https://github.com/golang/go/issues/59924). As a workaround, replace symlinks with the file copies.
+    for pem in $(ls ssl/test/runner/*.pem); do
+        cp --dereference "${pem}" tmp.pem; mv tmp.pem "${pem}";
+    done
+    for testdata in $(ls ssl/test/runner/hpke/testdata/*.json); do
+        cp --dereference "${testdata}" tmp.json; mv tmp.json "${testdata}";
+    done
+
+    # Build BoringSSL.
+    # Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
+    # because the FIPS module itself is already built with -fPIC.
+    mkdir build
+    cd build
+    cmake -GNinja \
+          -DCMAKE_TOOLCHAIN_FILE="${BSSL_SRC}/toolchain" \
+          -DFIPS=1 \
+          -DCMAKE_BUILD_TYPE=Release \
+          -DCMAKE_C_FLAGS="-fPIC" \
+          -DCMAKE_CXX_FLAGS="${CXXFLAGS} -fPIC" \
+          -DCMAKE_EXE_LINKER_FLAGS="$LDFLAGS" \
+          -DCMAKE_SHARED_LINKER_FLAGS="$${LDFLAGS}" \
+          ..
+    ninja -j "${NINJA_CORES:-1}"
+}
+
+validate_fips() {
+    cd "$BSSL_SRC/build" || exit 1
+    ninja run_tests
+    # Verify correctness of the FIPS build.
+    IS_FIPS="$(./bssl isfips)"
+    if [[ "${IS_FIPS}" != "1" ]]; then
+        echo "ERROR: BoringSSL tool didn't report FIPS build." >&2
+        echo "  expected: 1" >&2
+        echo "  found: ${IS_FIPS}" >&2
+        return 1
+    fi
+}
+
+output_libs() {
+    # Move compiled libraries to the expected destinations.
+    mv "${BSSL_SRC}/build/libcrypto.a" "$CRYPTO_OUT"
+    mv "${BSSL_SRC}/build/libssl.a" "$SSL_OUT"
+}
+
+validate_go
+validate_ninja
+validate_cmake
+build_boringssl_fips
+validate_fips
+output_libs