Auto-generated bindings for aws-lc-fips-sys v0.12.6 #372

Merged
merged 15 commits into from
Mar 22, 2024


justsmth
Contributor

@justsmth justsmth commented Mar 19, 2024

Description of changes:

  • Update aws-lc-fips-sys to 0.12.6 to align with AWS-LC-FIPS 2.0.9
  • Auto-generation of bindings for aws-lc-fips-sys.
  • Provide pregenerated bindings for 4 more platforms: "x86_64-apple-darwin", "aarch64-apple-darwin", "aarch64-unknown-linux-musl" and "x86_64-unknown-linux-musl"
  • Added a CI job to build/test FIPS build with LTO enabled.

Testing:

Bindings generated by this workflow run: https://github.com/aws/aws-lc-rs/actions/runs/8346539433

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@justsmth justsmth requested a review from a team as a code owner March 19, 2024 14:44
@justsmth justsmth changed the title Generate/aws lc fips sys v0.12.6 Auto-generated bindings for aws-lc-fips-sys v0.12.6 Mar 19, 2024
@justsmth justsmth force-pushed the generate/aws-lc-fips-sys-v0.12.6 branch 2 times, most recently from b9b5090 to fd1befa Compare March 19, 2024 15:20
@codecov-commenter

codecov-commenter commented Mar 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 95.82%. Comparing base (2298ca8) to head (3e70628).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #372   +/-   ##
=======================================
  Coverage   95.82%   95.82%           
=======================================
  Files          60       60           
  Lines        7865     7865           
=======================================
  Hits         7537     7537           
  Misses        328      328           


camshaft
camshaft previously approved these changes Mar 19, 2024
@justsmth justsmth marked this pull request as draft March 19, 2024 16:04
@justsmth justsmth force-pushed the generate/aws-lc-fips-sys-v0.12.6 branch from fd1befa to 90f2b48 Compare March 19, 2024 16:49
@justsmth justsmth marked this pull request as ready for review March 19, 2024 16:50
@justsmth justsmth force-pushed the generate/aws-lc-fips-sys-v0.12.6 branch from 90f2b48 to de3112b Compare March 19, 2024 17:38
@nebeid nebeid requested a review from skmcgrail March 19, 2024 20:08
@justsmth justsmth requested a review from camshaft March 20, 2024 11:23
@Mark-Simulacrum

> Defaults to dynamic build for FIPS (except for "musl" or when AWS_LC_FIPS_SYS_STATIC is set in environment).

Is there a reason for this documented somewhere? In general static builds are fairly idiomatic for Rust so this sounds surprising to me.

Instead of conditioning on musl I'd probably recommend the `crt-static` target feature (see https://rust-lang.github.io/rfcs/1721-crt-static.html for some docs), that is probably more in line with matching libc linkage across lots of platforms. (Note that there's a long-standing ask from musl upstream that Rust stops statically linking by default, since that's not what you want on musl distros like Alpine).

@justsmth
Contributor Author

justsmth commented Mar 20, 2024

> Is there a reason for this documented somewhere? In general static builds are fairly idiomatic for Rust so this sounds surprising to me.

There are a few reasons for this that are fairly specific to "FIPS":

  • The FIPS standard requires a "self-test" at runtime to verify a hash of the contents of the FIPS module. The concern with a static build is that this hash might get broken by link-time optimizations (LTO).
  • Our static build of the FIPS module is only supported on Linux for x86-64 and aarch64. The reason for this is complicated, but it relates to our need to eliminate relocations (due to having position-independent code) in order for the FIPS module contents hash to not get changed. We call the process of eliminating relocations "delocation", and it requires parsing and restructuring of assembly code. This "delocation" logic is currently implemented in Go, which is one reason why our "FIPS" build requires Go.

Thus, we can perform the shared build of the FIPS modules across many more platforms than we can with static, and the shared build is less likely to be affected by LTO.
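
A simplified model of the integrity self-test described in the comment above, added here as an illustration (it is not part of the comment and is not code from AWS-LC or aws-lc-rs): it shows why a load-time relocation inside the hashed region breaks the build-time hash, while a relocation-free ("delocated") module keeps it. The use of SHA-256, the 32-byte module, the slot layout and all function names are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Sequence, Tuple

# Constructed 32-byte stand-in for module code. Bytes 8..16 are a slot that
# holds an absolute address, so the loader must patch it (a relocation).
RELOC_OFFSET = 8
WITH_RELOC = bytes(range(8)) + struct.pack("<Q", 0x40) + bytes(range(16, 32))
# Same code after a delocation-style rewrite (assumed encoding): the slot holds
# a fixed PC-relative displacement, so nothing depends on the load address.
DELOCATED = (bytes(range(8)) + struct.pack("<q", 0x40 - RELOC_OFFSET)
             + bytes(range(16, 32)))


def build_time_hash(module: bytes) -> bytes:
    """Digest recorded at build time over the module bytes."""
    return hashlib.sha256(module).digest()


def load(module: bytes, base: int, reloc_offsets: Sequence[int]) -> bytes:
    """Model the loader: add the load address to every relocation slot."""
    image = bytearray(module)
    for off in reloc_offsets:
        (addend,) = struct.unpack_from("<Q", image, off)
        struct.pack_into("<Q", image, off, (base + addend) & 0xFFFFFFFFFFFFFFFF)
    return bytes(image)


def self_test(image: bytes, expected: bytes) -> bool:
    """Runtime self-test: rehash the loaded module and compare."""
    return hmac.compare_digest(hashlib.sha256(image).digest(), expected)


def demo(base: int) -> Tuple[bool, bool]:
    """Return (relocated module passes, delocated module passes)."""
    relocated = load(WITH_RELOC, base, [RELOC_OFFSET])
    delocated = load(DELOCATED, base, [])
    return (self_test(relocated, build_time_hash(WITH_RELOC)),
            self_test(delocated, build_time_hash(DELOCATED)))


if __name__ == "__main__":
    for base in (0x555555554000, 0x7F0000001000):
        print(hex(base), demo(base))
```
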

@justsmth justsmth force-pushed the generate/aws-lc-fips-sys-v0.12.6 branch from de3112b to 3e70628 Compare March 21, 2024 13:35
@justsmth
Contributor Author

To avoid potentially breaking downstream builds/deployment, the default build of aws-lc-fips-sys on Linux (x86-64 and aarch64) remains static in this PR.

@justsmth justsmth merged commit a6b0170 into aws:main Mar 22, 2024
152 of 157 checks passed
@justsmth justsmth deleted the generate/aws-lc-fips-sys-v0.12.6 branch March 22, 2024 21:47