diff --git a/.bazelrc b/.bazelrc index 29fbb3b6d064a..86ab794745ea7 100644 --- a/.bazelrc +++ b/.bazelrc @@ -204,9 +204,7 @@ build:compile-time-options --define=admin_html=disabled build:compile-time-options --define=signal_trace=disabled build:compile-time-options --define=hot_restart=disabled build:compile-time-options --define=google_grpc=disabled -build:compile-time-options --define=boringssl=fips -build:compile-time-options --test_tag_filters=-nofips -build:compile-time-options --build_tag_filters=-nofips +build:compile-time-options --config=boringssl-fips build:compile-time-options --define=log_debug_assert_in_release=enabled build:compile-time-options --define=path_normalization_by_default=true build:compile-time-options --define=deprecated_features=disabled @@ -219,6 +217,27 @@ build:compile-time-options --@envoy//bazel:http3=False build:compile-time-options --@envoy//source/extensions/filters/http/kill_request:enabled +############################################################################# +# SSL +############################################################################# + +build:fips-common --test_tag_filters=-nofips +build:fips-common --build_tag_filters=-nofips + +# BoringSSL FIPS +common:boringssl-fips --config=fips-common +common:boringssl-fips --//bazel:ssl=@boringssl_fips//:ssl +common:boringssl-fips --//bazel:crypto=@boringssl_fips//:crypto +common:boringssl-fips --//bazel:fips=True + +# AWS-LC FIPS +common:aws-lc-fips --config=fips-common +common:aws-lc-fips --//bazel:ssl=@aws_lc//:ssl +common:aws-lc-fips --//bazel:crypto=@aws_lc//:crypto +common:aws-lc-fips --//bazel:fips=True +common:aws-lc-fips --//bazel:http3=False + + ############################################################################# # sanitizers ############################################################################# diff --git a/bazel/BUILD b/bazel/BUILD index 40c6a72f7230e..f23ebaf771742 100644 --- a/bazel/BUILD +++ b/bazel/BUILD 
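Review bot: `fips-common` is declared only under `build:` but is expanded from the `common:boringssl-fips` and `common:aws-lc-fips` configs, so for a command that `build:` does not cover (for example `bazel query --config=aws-lc-fips`) the nested `--config=fips-common` expands to nothing and, depending on the Bazel version, is reported as an undefined config; declaring it as `common:fips-common` would match the prefix of the configs that reference it (current Bazel ignores `common:` options a command does not accept). A second point is spelling: the new lines use `--//bazel:ssl=…`, `--//bazel:crypto=…`, `--//bazel:fips=True` and `--//bazel:http3=False`, while the existing compile-time-options line in the same file uses `--@envoy//bazel:http3=False`. Both forms resolve to the same target when this file is the main repository's rc, but if it is ever imported from a workspace where Envoy is `@envoy` (the mobile BUILD files in this change refer to `@envoy//bazel:ssl`) the `//bazel:` form names a flag that does not exist there, so `common:boringssl-fips --@envoy//bazel:ssl=@boringssl_fips//:ssl` is the safer spelling. I cannot see from here whether such an import exists, so treat that as a consistency point rather than a confirmed breakage.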
@@ -489,40 +489,48 @@ config_setting( values = {"define": "force_libcpp=enabled"}, ) +# SSL library selection using label_flag and bool_flag +label_flag( + name = "ssl", + build_setting_default = "@boringssl//:ssl", +) + +label_flag( + name = "crypto", + build_setting_default = "@boringssl//:crypto", +) + +bool_flag( + name = "fips", + build_setting_default = False, +) + config_setting( - name = "boringssl_fips", - constraint_values = [ - "@platforms//os:linux", - ], - values = {"define": "boringssl=fips"}, + name = "fips_build", + flag_values = {":fips": "True"}, ) config_setting( - name = "boringssl_disabled", - values = {"define": "boringssl=disabled"}, + name = "using_boringssl", + flag_values = {":ssl": "@boringssl//:ssl"}, ) -selects.config_setting_group( - name = "boringssl_fips_x86", - match_all = [ - ":boringssl_fips", - "@platforms//cpu:x86_64", - ], +config_setting( + name = "using_boringssl_fips", + flag_values = {":ssl": "@boringssl_fips//:ssl"}, ) -selects.config_setting_group( - name = "boringssl_fips_ppc", - match_all = [ - ":boringssl_fips", - ":linux_ppc64le", - ], +config_setting( + name = "using_aws_lc", + flag_values = {":ssl": "@aws_lc//:ssl"}, ) +# Convenience grouping for any FIPS SSL library selects.config_setting_group( - name = "boringssl_fips_not_ppc", - match_all = [ - ":boringssl_fips", - ":not_ppc", + name = "using_fips_ssl", + match_any = [ + ":using_boringssl_fips", + ":using_aws_lc", ], ) 
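Review bot: The new `fips_build`, `using_boringssl_fips` and `using_aws_lc` settings are pure flag checks, whereas the `boringssl_fips` setting they replace also required `@platforms//os:linux`, so nothing in the build now rejects `--config=boringssl-fips` on a platform where the accompanying docs say it is unsupported (SSL.md and ssl.rst in this change even disagree on which platforms AWS-LC FIPS covers); whether `@boringssl_fips` itself fails to build elsewhere is not visible here. If the platform gate was intentional, a `config_setting` that carries both `constraint_values = ["@platforms//os:linux"]` and `flag_values = {":fips": "True"}` would restore it, and a `@platforms//cpu:x86_64` constraint on the BoringSSL-FIPS setting would enforce the documented x86_64-only restriction. A related style point: `fips_build` (keyed on `:fips`) and `using_fips_ssl` (keyed on `:ssl`) are two independent notions of "FIPS" that only agree when the `--config` options set both flags together, and the hunk gives no guidance on which one a new `select()` should use; a comment such as `# :fips_build gates compile/link options; :using_fips_ssl gates library-layout choices (e.g. libcrypto.a vs libcrypto_internal.a)` would help, or `fips_build` could itself be a `match_all` group of the flag and the FIPS library settings so the two cannot drift. The `load()` of `label_flag`/`bool_flag` from `@bazel_skylib//rules:common_settings.bzl` is outside this hunk, so I assume it is added at the top of the file.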
@@ -561,28 +569,6 @@ config_setting( values = {"define": "uhv=enabled"}, ) -# Alias pointing to the selected version of BoringSSL: -# - BoringSSL FIPS from @boringssl_fips//:ssl, -# - non-FIPS BoringSSL from @boringssl//:ssl. -# - aws-lc from @aws_lc//:ssl -alias( - name = "boringssl", - actual = select({ - "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl", - "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:ssl", - "//conditions:default": "@boringssl//:ssl", - }), -) - -alias( - name = "boringcrypto", - actual = select({ - "//bazel:boringssl_fips_ppc": "@aws_lc//:crypto", - "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:crypto", - "//conditions:default": "@boringssl//:crypto", - }), -) - config_setting( name = "linux_x86_64", constraint_values = [ diff --git a/bazel/README.md b/bazel/README.md index 070c0305cd317..e79518f5de9e5 100644 --- a/bazel/README.md +++ b/bazel/README.md 
@@ -697,13 +697,14 @@ The following optional features can be enabled on the Bazel build command-line: is required and target platform is Linux, then `bazel/exported_symbols.txt` can be used to land it. * Perf annotation with `--define perf_annotation=enabled` (see source/common/common/perf_annotation.h for details). -* BoringSSL can be built in a FIPS-compliant mode with `--define boringssl=fips` +* BoringSSL can be built in a FIPS-compliant mode with `--config=boringssl-fips` (see [FIPS 140-2](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2) for details). +* AWS-LC FIPS can be used with `--config=aws-lc-fips`. * ASSERT() can be configured to log failures and increment a stat counter in a release build with `--define log_fast_debug_assert_in_release=enabled`. SLOW_ASSERT()s can be included with `--define log_debug_assert_in_release=enabled`. The default behavior is to compile all debug assertions out of release builds so that the condition is not evaluated. This option has no effect in debug builds. * memory-debugging (scribbling over memory after allocation and before freeing) with - `--define tcmalloc=debug`. Note this option cannot be used with FIPS-compliant mode BoringSSL and + `--define tcmalloc=debug`. Note this option cannot be used with FIPS mode and tcmalloc is built from the sources of Gperftools. * Default [path normalization](https://github.com/envoyproxy/envoy/issues/6435) with `--define path_normalization_by_default=true`. Note this still could be disable by explicit xDS config. diff --git a/bazel/SSL.md b/bazel/SSL.md new file mode 100644 index 0000000000000..515c9ebeefc3c --- /dev/null +++ b/bazel/SSL.md 
@@ -0,0 +1,67 @@ +# SSL library configuration + +Envoy uses [BoringSSL](https://github.com/google/boringssl) as its default SSL library. + +For FIPS-compliant builds, Envoy supports both BoringSSL-FIPS and [AWS-LC](https://github.com/aws/aws-lc) FIPS, +which provides FIPS support for the aarch64 and ppc64le architectures. + +## Default (non-FIPS) + +No configuration needed. Envoy builds with standard BoringSSL by default: + +```bash +bazel build //source/exe:envoy-static +``` + +## FIPS builds + +### BoringSSL-FIPS + +```bash +bazel build --config=boringssl-fips //source/exe:envoy-static +``` + +- **Supported architectures:** Linux x86_64 only +- **Version string:** `BoringSSL-FIPS` (visible in `envoy --version`) + +### AWS-LC FIPS + +```bash +bazel build --config=aws-lc-fips //source/exe:envoy-static +``` + +- **Supported architectures:** Linux x86_64, aarch64, ppc64le +- **Version string:** `AWS-LC-FIPS` (visible in `envoy --version`) +- **Note:** HTTP/3 (QUIC) is disabled for AWS-LC builds + +## Migration from `--define boringssl=fips` + +The legacy `--define boringssl=fips` flag is deprecated. Migrate as follows: + +| Legacy | New | +|--------|-----| +| `--define boringssl=fips` | `--config=boringssl-fips` | +| `--define boringssl=fips` (on ppc64le) | `--config=aws-lc-fips` | + +The legacy flag automatically selected AWS-LC on ppc64le. With the new approach, you must explicitly choose the library. + +## SSL flag integrity + +The SSL configuration uses three interdependent Bazel flags: `//bazel:ssl`, `//bazel:crypto`, and `//bazel:fips`. + +**Do not set these flags directly.** Use the `--config` options above, which ensure the flags are set consistently. + +Inconsistent flag combinations (e.g., a FIPS library with `--//bazel:fips=False`, or mismatched `ssl`/`crypto` libraries) will produce broken builds or incorrect version strings. 
+ +## Verifying FIPS build + +Check the SSL library in use: + +```bash +envoy --version +``` + +Look for: +- `BoringSSL-FIPS` — BoringSSL FIPS build +- `AWS-LC-FIPS` — AWS-LC FIPS build +- `BoringSSL` — Standard (non-FIPS) build diff --git a/bazel/envoy_binary.bzl b/bazel/envoy_binary.bzl index d4a73b9daf0da..fed61187023a8 100644 --- a/bazel/envoy_binary.bzl +++ b/bazel/envoy_binary.bzl @@ -92,7 +92,7 @@ def _envoy_linkopts(): ], }) + select({ "@envoy//bazel:apple": [], - "@envoy//bazel:boringssl_fips": [], + "@envoy//bazel:fips_build": [], "@envoy//bazel:windows_x86_64": [], "//conditions:default": ["-pie"], }) + envoy_select_exported_symbols(["-Wl,-E"]) diff --git a/bazel/envoy_build_system.bzl b/bazel/envoy_build_system.bzl index 5714d6a89a9ed..ecfee096b1c3f 100644 --- a/bazel/envoy_build_system.bzl +++ b/bazel/envoy_build_system.bzl @@ -32,7 +32,6 @@ load( _envoy_select_admin_functionality = "envoy_select_admin_functionality", _envoy_select_admin_html = "envoy_select_admin_html", _envoy_select_admin_no_html = "envoy_select_admin_no_html", - _envoy_select_boringssl = "envoy_select_boringssl", _envoy_select_disable_exceptions = "envoy_select_disable_exceptions", _envoy_select_disable_logging = "envoy_select_disable_logging", _envoy_select_enable_exceptions = "envoy_select_enable_exceptions", @@ -244,7 +243,6 @@ envoy_select_admin_functionality = _envoy_select_admin_functionality envoy_select_static_extension_registration = _envoy_select_static_extension_registration envoy_select_envoy_mobile_listener = _envoy_select_envoy_mobile_listener envoy_select_envoy_mobile_xds = _envoy_select_envoy_mobile_xds -envoy_select_boringssl = _envoy_select_boringssl envoy_select_disable_logging = _envoy_select_disable_logging envoy_select_google_grpc = _envoy_select_google_grpc envoy_select_enable_http3 = _envoy_select_enable_http3 diff --git a/bazel/envoy_internal.bzl b/bazel/envoy_internal.bzl index f6d6eac6e1591..43e26ec6d9e6b 100644 --- a/bazel/envoy_internal.bzl 
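Review bot: `fips_build` keeps the existing behaviour of dropping `-pie` for FIPS builds, but the reason is still not recorded, and the branch is now keyed on the generic FIPS flag, so it also applies to AWS-LC FIPS builds on every architecture the new SSL.md lists for it rather than only to BoringSSL-FIPS on x86_64. A non-PIE executable loses ASLR for its own image, which is a hardening regression that should be a deliberate per-library decision rather than something inherited from the old define. A comment on the branch, e.g. `"@envoy//bazel:fips_build": [],  # no -pie: <reason — TODO confirm still required for AWS-LC>`, would let a reader judge that. `_envoy_linkopts` starts before this hunk.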
+++ b/bazel/envoy_internal.bzl @@ -149,8 +149,8 @@ EXTERNAL_DEPS_MAP = { "grpc": "@com_github_grpc_grpc//:grpc++", "grpc_health_proto": "@com_github_grpc_grpc//src/proto/grpc/health/v1:health_cc_proto", # SSL/Crypto (aliases defined in @envoy//bazel) - "ssl": "@envoy//bazel:boringssl", - "crypto": "@envoy//bazel:boringcrypto", + "ssl": "@envoy//bazel:ssl", + "crypto": "@envoy//bazel:crypto", # Bazel tools "bazel_runfiles": "@bazel_tools//tools/cpp/runfiles", } diff --git a/bazel/envoy_select.bzl b/bazel/envoy_select.bzl index 11da16641e456..b25730db8656c 100644 --- a/bazel/envoy_select.bzl +++ b/bazel/envoy_select.bzl @@ -11,13 +11,6 @@ def envoy_cc_platform_dep(name): "//conditions:default": [name + "_posix"], }) -def envoy_select_boringssl(if_fips, default = None, if_disabled = None): - return select({ - "@envoy//bazel:boringssl_fips": if_fips, - "@envoy//bazel:boringssl_disabled": if_disabled or [], - "//conditions:default": default or [], - }) - # Selects the given values if Google gRPC is enabled in the current build. def envoy_select_google_grpc(xs, repository = ""): return select({ diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD index d8fdb8980a52d..8ad760590023e 100644 --- a/bazel/foreign_cc/BUILD +++ b/bazel/foreign_cc/BUILD @@ -255,7 +255,7 @@ envoy_cmake( out_static_libs = ["libsxg.a"], tags = ["skip_on_windows"], # Use boringssl alias to select fips vs non-fips version. - deps = ["//bazel:boringssl"], + deps = ["//bazel:ssl"], ) envoy_cmake( diff --git a/bazel/grpc.patch b/bazel/grpc.patch index 49c2e52b0653b..d821742b2eab2 100644 --- a/bazel/grpc.patch +++ b/bazel/grpc.patch @@ -237,7 +237,7 @@ index 13a4714d4b..8664e99ffc 100644 - ":grpc_use_openssl_setting": "@openssl//:ssl", - "//conditions:default": "@boringssl//:ssl", - }), -+ actual = "@envoy//bazel:boringssl", ++ actual = "@envoy//bazel:ssl", tags = ["manual"], ) 
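Review bot: The comment above the two changed entries, `# SSL/Crypto (aliases defined in @envoy//bazel)`, is now stale: in this change `@envoy//bazel:ssl` and `@envoy//bazel:crypto` are `label_flag` build settings, not `alias()` targets. Suggest `# SSL/Crypto (label_flag build settings defined in @envoy//bazel, set via --config=boringssl-fips / --config=aws-lc-fips)`. The `EXTERNAL_DEPS_MAP` dict starts before this hunk.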
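Review bot: In bazel/foreign_cc/BUILD the comment `# Use boringssl alias to select fips vs non-fips version.` above the changed `deps` line is left in place although `//bazel:boringssl` no longer exists, while the same comment is updated in the cryptomb, qat, qatzip and sxg hunks of this change. Update it here too, e.g. `# Use ssl label_flag to select the SSL library.`. The `envoy_cmake` call for libsxg starts before this hunk.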
@@ -247,7 +247,7 @@ index 13a4714d4b..8664e99ffc 100644 - ":grpc_use_openssl_setting": "@openssl//:crypto", - "//conditions:default": "@boringssl//:crypto", - }), -+ actual = "@envoy//bazel:boringcrypto", ++ actual = "@envoy//bazel:crypto", tags = ["manual"], ) diff --git a/bazel/proxy_wasm_cpp_host.patch b/bazel/proxy_wasm_cpp_host.patch index a2ebf2e5224d6..ab07c33596af4 100644 --- a/bazel/proxy_wasm_cpp_host.patch +++ b/bazel/proxy_wasm_cpp_host.patch @@ -7,7 +7,7 @@ index 91792a8..872131c 100644 ] + select({ "//bazel:crypto_system": [], - "//conditions:default": ["@boringssl//:crypto"], -+ "//conditions:default": ["@envoy//bazel:boringcrypto"], ++ "//conditions:default": ["@envoy//bazel:crypto"], }), alwayslink = 1, ) diff --git a/contrib/all_contrib_extensions.bzl b/contrib/all_contrib_extensions.bzl index 437453c66826a..d9d1c00ca9eb8 100644 --- a/contrib/all_contrib_extensions.bzl +++ b/contrib/all_contrib_extensions.bzl @@ -34,10 +34,20 @@ PPC_SKIP_CONTRIB_TARGETS = [ "envoy.compression.qatzstd.compressor", ] -FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS = [ +# BoringSSL-FIPS historically only skipped qatzip and kae on x86_64 +BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS = [ "envoy.compression.qatzip.compressor", "envoy.tls.key_providers.kae", ] +# AWS-LC needs to skip additional Intel-specific crypto providers +AWS_LC_SKIP_CONTRIB_TARGETS = [ + "envoy.tls.key_providers.cryptomb", + "envoy.tls.key_providers.qat", + "envoy.tls.key_providers.kae", + "envoy.compression.qatzip.compressor", + "envoy.compression.qatzstd.compressor", +] + def envoy_all_contrib_extensions(denylist = []): return [v + "_envoy_extension" for k, v in CONTRIB_EXTENSIONS.items() if not k in denylist] diff --git a/contrib/cryptomb/private_key_providers/source/BUILD b/contrib/cryptomb/private_key_providers/source/BUILD index 5562f190f8c64..6ed70b7646c4b 100644 --- a/contrib/cryptomb/private_key_providers/source/BUILD +++ b/contrib/cryptomb/private_key_providers/source/BUILD 
@@ -27,7 +27,7 @@ envoy_cmake( "Python_EXECUTABLE": "$$EXT_BUILD_ROOT/$(PYTHON3)", } | select({ # FIPS builds use libcrypto.a/libssl.a - "//bazel:boringssl_fips": { + "//bazel:using_fips_ssl": { "OPENSSL_CRYPTO_LIBRARY": "$$EXT_BUILD_DEPS/lib/libcrypto.a", }, # Non-FIPS builds use libcrypto_internal.a/libssl_internal.a @@ -55,8 +55,8 @@ envoy_cmake( toolchains = ["@rules_python//python:current_py_toolchain"], visibility = ["//visibility:private"], working_directory = "sources/ippcp/crypto_mb", - # Use boringssl alias to select fips vs non-fips version. - deps = ["//bazel:boringssl"], + # Use ssl label_flag to select the SSL library. + deps = ["//bazel:ssl"], ) envoy_cc_library( diff --git a/contrib/exe/BUILD b/contrib/exe/BUILD index 37294654c6153..4f7dd9e7c61df 100644 --- a/contrib/exe/BUILD +++ b/contrib/exe/BUILD @@ -7,7 +7,8 @@ load( load( "//contrib:all_contrib_extensions.bzl", "ARM64_SKIP_CONTRIB_TARGETS", - "FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS", + "AWS_LC_SKIP_CONTRIB_TARGETS", + "BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS", "PPC_SKIP_CONTRIB_TARGETS", "X86_SKIP_CONTRIB_TARGETS", "envoy_all_contrib_extensions", @@ -25,7 +26,8 @@ alias( SELECTED_CONTRIB_EXTENSIONS = select({ "//bazel:linux_aarch64": envoy_all_contrib_extensions(ARM64_SKIP_CONTRIB_TARGETS), "//bazel:linux_ppc": envoy_all_contrib_extensions(PPC_SKIP_CONTRIB_TARGETS), - "//bazel:boringssl_fips_x86": envoy_all_contrib_extensions(FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS), + "//bazel:using_aws_lc": envoy_all_contrib_extensions(AWS_LC_SKIP_CONTRIB_TARGETS), + "//bazel:using_boringssl_fips": envoy_all_contrib_extensions(BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS), "//conditions:default": envoy_all_contrib_extensions(X86_SKIP_CONTRIB_TARGETS), }) diff --git a/contrib/qat/BUILD b/contrib/qat/BUILD index bfe960e2be921..03c4145d82d25 100644 --- a/contrib/qat/BUILD +++ b/contrib/qat/BUILD 
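Review bot: The new `SELECTED_CONTRIB_EXTENSIONS` select can match two keys at once: `//bazel:using_aws_lc` is a pure flag check on `//bazel:ssl`, while `//bazel:linux_aarch64` and `//bazel:linux_ppc` are platform conditions (their definitions are outside this change; `linux_x86_64` in bazel/BUILD is constraint-based, so presumably they are too), so an AWS-LC FIPS build on aarch64 or ppc64le — the platforms SSL.md advertises for it — matches both the platform key and `using_aws_lc`, and because neither condition is a specialization of the other and the values differ, Bazel rejects the select as an ambiguous match. The replaced `boringssl_fips_x86` key could not collide because it required x86_64. The fix is one `config_setting` per affected platform that carries both the platform `constraint_values` and `flag_values = {"//bazel:ssl": "@aws_lc//:ssl"}` (a setting with both conditions is a strict specialization of each single-condition key), mapped to the combined skip lists; the contrib/exe side is sketched below with proposed names, and the new settings belong in bazel/BUILD.
```starlark
SELECTED_CONTRIB_EXTENSIONS = select({
    # Proposed settings (to add in bazel/BUILD): each combines the platform
    # constraint with flag_values = {"//bazel:ssl": "@aws_lc//:ssl"}, so it
    # specializes both the platform key and //bazel:using_aws_lc below.
    "//bazel:linux_aarch64_aws_lc": envoy_all_contrib_extensions(ARM64_SKIP_CONTRIB_TARGETS + AWS_LC_SKIP_CONTRIB_TARGETS),
    "//bazel:linux_ppc_aws_lc": envoy_all_contrib_extensions(PPC_SKIP_CONTRIB_TARGETS + AWS_LC_SKIP_CONTRIB_TARGETS),
    "//bazel:linux_aarch64": envoy_all_contrib_extensions(ARM64_SKIP_CONTRIB_TARGETS),
    "//bazel:linux_ppc": envoy_all_contrib_extensions(PPC_SKIP_CONTRIB_TARGETS),
    "//bazel:using_aws_lc": envoy_all_contrib_extensions(AWS_LC_SKIP_CONTRIB_TARGETS),
    # … unchanged: using_boringssl_fips and default keys …
})
```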
@@ -41,9 +41,9 @@ configure_make( ], target_compatible_with = envoy_contrib_linux_x86_64_constraints(), visibility = ["//visibility:public"], - # Use boringssl alias to select fips vs non-fips version. + # Use crypto label_flag to select the SSL library. deps = [ - "//bazel:boringcrypto", + "//bazel:crypto", "@numactl//:numa", ], alwayslink = True, diff --git a/contrib/qat/compression/qatzip/compressor/source/BUILD b/contrib/qat/compression/qatzip/compressor/source/BUILD index 8610cd60a8a4c..e80dd911c49e6 100644 --- a/contrib/qat/compression/qatzip/compressor/source/BUILD +++ b/contrib/qat/compression/qatzip/compressor/source/BUILD @@ -53,8 +53,8 @@ configure_make( "//bazel/foreign_cc:lz4", "//bazel:zlib", "//contrib/qat:qatlib", - # Use boringssl alias to select fips vs non-fips version. - "//bazel:boringcrypto", + # Use crypto label_flag to select the SSL library. + "//bazel:crypto", "@numactl//:numa", ], alwayslink = False, diff --git a/contrib/sxg/filters/http/source/BUILD b/contrib/sxg/filters/http/source/BUILD index 83a1f04817cf6..fd8f836333f92 100644 --- a/contrib/sxg/filters/http/source/BUILD +++ b/contrib/sxg/filters/http/source/BUILD @@ -31,8 +31,8 @@ envoy_cc_library( "//source/extensions/filters/http/common:pass_through_filter_lib", "@envoy_api//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg_cc_proto", "//bazel/foreign_cc:libsxg", - # use boringssl alias to select fips vs non-fips version. - "//bazel:boringssl", + # use ssl label_flag to select the SSL library. + "//bazel:ssl", ], ) diff --git a/docs/root/intro/arch_overview/security/ssl.rst b/docs/root/intro/arch_overview/security/ssl.rst index d13aa6b2747dc..5900916b29c4d 100644 --- a/docs/root/intro/arch_overview/security/ssl.rst +++ b/docs/root/intro/arch_overview/security/ssl.rst 
@@ -44,9 +44,10 @@ BoringSSL can be built in a `FIPS-compliant mode `_, following the build instructions from the `Security Policy for BoringCrypto module `_, -using ``--define boringssl=fips`` Bazel option. Currently, this option is only available on Linux-x86_64. +using ``--config=boringssl-fips`` Bazel option. AWS-LC FIPS can also be used with ``--config=aws-lc-fips``. +Currently, these options are only available on Linux-x86_64. -The correctness of the FIPS build can be verified by checking the presence of ``BoringSSL-FIPS`` +The correctness of the FIPS build can be verified by checking the presence of ``BoringSSL-FIPS`` or ``AWS-LC-FIPS`` in the :option:`--version` output. It's important to note that while using FIPS-compliant module is necessary for FIPS compliance, diff --git a/mobile/library/common/network/BUILD b/mobile/library/common/network/BUILD index 1359b1397517f..9b00813a6617f 100644 --- a/mobile/library/common/network/BUILD +++ b/mobile/library/common/network/BUILD @@ -109,7 +109,7 @@ envoy_cc_library( deps = select({ "@envoy//bazel:apple": [ "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", - "@envoy//bazel:boringssl", + "@envoy//bazel:ssl", ], "//conditions:default": [], }), diff --git a/mobile/library/jni/BUILD b/mobile/library/jni/BUILD index a480b81640975..656147c3c2295 100644 --- a/mobile/library/jni/BUILD +++ b/mobile/library/jni/BUILD @@ -107,7 +107,7 @@ envoy_cc_library( "//library/common/extensions/cert_validator/platform_bridge:c_types_lib", "//library/common/network:network_types_lib", "//library/common/types:c_types_lib", - "@envoy//bazel:boringssl", + "@envoy//bazel:ssl", ], ) diff --git a/source/common/jwt/BUILD b/source/common/jwt/BUILD index 8d209ecf3c1f0..85689b85ddef1 100644 --- a/source/common/jwt/BUILD +++ b/source/common/jwt/BUILD 
@@ -27,7 +27,7 @@ envoy_cc_library( "verify.h", ], deps = [ - "//bazel:boringssl", + "//bazel:ssl", "//source/common/protobuf", "@com_google_absl//absl/container:flat_hash_set", "@com_google_absl//absl/strings", diff --git a/source/common/version/BUILD b/source/common/version/BUILD index da39bf367b3e0..2de10bdb55b07 100644 --- a/source/common/version/BUILD +++ b/source/common/version/BUILD @@ -3,7 +3,6 @@ load( "envoy_basic_cc_library", "envoy_cc_library", "envoy_package", - "envoy_select_boringssl", ) licenses(["notice"]) # Apache 2 @@ -63,10 +62,11 @@ envoy_cc_library( envoy_cc_library( name = "version_lib", srcs = ["version.cc"], - copts = envoy_select_boringssl( - ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], - ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], - ), + copts = select({ + "//bazel:using_boringssl_fips": ["-DENVOY_SSL_VERSION=\\\"BoringSSL-FIPS\\\""], + "//bazel:using_aws_lc": ["-DENVOY_SSL_VERSION=\\\"AWS-LC-FIPS\\\""], + "//conditions:default": ["-DENVOY_SSL_VERSION=\\\"BoringSSL\\\""], + }), external_deps = ["ssl"], tags = ["notidy"], deps = [ diff --git a/test/exe/BUILD b/test/exe/BUILD index cdaec4604f00e..490244185f888 100644 --- a/test/exe/BUILD +++ b/test/exe/BUILD @@ -4,7 +4,6 @@ load( "envoy_cc_test_library", "envoy_package", "envoy_select_admin_functionality", - "envoy_select_boringssl", "envoy_sh_test", ) @@ -155,7 +154,10 @@ envoy_cc_test( name = "all_extensions_build_test", size = "large", srcs = ["all_extensions_build_test.cc"], - copts = envoy_select_boringssl(["-DENVOY_SSL_FIPS"]), + copts = select({ + "//bazel:fips_build": ["-DENVOY_SSL_FIPS"], + "//conditions:default": [], + }), data = [ "fips_check.sh", "//source/extensions:extensions_metadata.yaml",
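Review bot: The `-DENVOY_SSL_VERSION` string, which SSL.md and ssl.rst in this change present as the way to verify a FIPS build, is now chosen purely from the value of the `//bazel:ssl` label: `using_aws_lc` yields `AWS-LC-FIPS` for any build whose `:ssl` points at `@aws_lc//:ssl` regardless of `//bazel:fips`, so a build with inconsistent flags (which SSL.md says must be avoided but nothing enforces) still advertises FIPS in `--version`. Consider keying the two FIPS strings on a `match_all` group of the library setting and `//bazel:fips_build`, so that a mismatch falls through to `BoringSSL` instead of claiming FIPS, and say on the select what the string is and is not: `# Reported by --version; chosen from the //bazel:ssl label at build time, not by a runtime FIPS check.`. The `envoy_cc_library` call continues after this hunk.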