bazel/ssl: Cleanup flags and config

.bazelrc

@@ -204,9 +204,7 @@ build:compile-time-options --define=admin_html=disabled
 build:compile-time-options --define=signal_trace=disabled
 build:compile-time-options --define=hot_restart=disabled
 build:compile-time-options --define=google_grpc=disabled
-build:compile-time-options --define=boringssl=fips
-build:compile-time-options --test_tag_filters=-nofips
-build:compile-time-options --build_tag_filters=-nofips
+build:compile-time-options --config=boringssl-fips
 build:compile-time-options --define=log_debug_assert_in_release=enabled
 build:compile-time-options --define=path_normalization_by_default=true
 build:compile-time-options --define=deprecated_features=disabled
@@ -219,6 +217,27 @@ build:compile-time-options --@envoy//bazel:http3=False
 build:compile-time-options --@envoy//source/extensions/filters/http/kill_request:enabled
 
 
+#############################################################################
+# SSL
+#############################################################################
+
+build:fips-common --test_tag_filters=-nofips
+build:fips-common --build_tag_filters=-nofips
+
+# BoringSSL FIPS
+common:boringssl-fips --config=fips-common
+common:boringssl-fips --//bazel:ssl=@boringssl_fips//:ssl
+common:boringssl-fips --//bazel:crypto=@boringssl_fips//:crypto
+common:boringssl-fips --//bazel:fips=True
+
+# AWS-LC FIPS
+common:aws-lc-fips --config=fips-common
+common:aws-lc-fips --//bazel:ssl=@aws_lc//:ssl
+common:aws-lc-fips --//bazel:crypto=@aws_lc//:crypto
+common:aws-lc-fips --//bazel:fips=True
+common:aws-lc-fips --//bazel:http3=False
+
+
 #############################################################################
 # sanitizers
 #############################################################################

bazel/BUILD

@@ -489,40 +489,48 @@ config_setting(
     values = {"define": "force_libcpp=enabled"},
 )
 
+# SSL library selection using label_flag and bool_flag
+label_flag(
+    name = "ssl",
+    build_setting_default = "@boringssl//:ssl",
+)
+
+label_flag(
+    name = "crypto",
+    build_setting_default = "@boringssl//:crypto",
+)
+
+bool_flag(
+    name = "fips",
+    build_setting_default = False,
+)
+
 config_setting(
-    name = "boringssl_fips",
-    constraint_values = [
-        "@platforms//os:linux",
-    ],
-    values = {"define": "boringssl=fips"},
+    name = "fips_build",
+    flag_values = {":fips": "True"},
 )
 
 config_setting(
-    name = "boringssl_disabled",
-    values = {"define": "boringssl=disabled"},
+    name = "using_boringssl",
+    flag_values = {":ssl": "@boringssl//:ssl"},
 )
 
-selects.config_setting_group(
-    name = "boringssl_fips_x86",
-    match_all = [
-        ":boringssl_fips",
-        "@platforms//cpu:x86_64",
-    ],
+config_setting(
+    name = "using_boringssl_fips",
+    flag_values = {":ssl": "@boringssl_fips//:ssl"},
 )
 
-selects.config_setting_group(
-    name = "boringssl_fips_ppc",
-    match_all = [
-        ":boringssl_fips",
-        ":linux_ppc64le",
-    ],
+config_setting(
+    name = "using_aws_lc",
+    flag_values = {":ssl": "@aws_lc//:ssl"},
 )
 
+# Convenience grouping for any FIPS SSL library
 selects.config_setting_group(
-    name = "boringssl_fips_not_ppc",
-    match_all = [
-        ":boringssl_fips",
-        ":not_ppc",
+    name = "using_fips_ssl",
+    match_any = [
+        ":using_boringssl_fips",
+        ":using_aws_lc",
     ],
 )
 
@@ -561,28 +569,6 @@ config_setting(
     values = {"define": "uhv=enabled"},
 )
 
-# Alias pointing to the selected version of BoringSSL:
-# - BoringSSL FIPS from @boringssl_fips//:ssl,
-# - non-FIPS BoringSSL from @boringssl//:ssl.
-# - aws-lc from @aws_lc//:ssl
-alias(
-    name = "boringssl",
-    actual = select({
-        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
-        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:ssl",
-        "//conditions:default": "@boringssl//:ssl",
-    }),
-)
-
-alias(
-    name = "boringcrypto",
-    actual = select({
-        "//bazel:boringssl_fips_ppc": "@aws_lc//:crypto",
-        "//bazel:boringssl_fips_not_ppc": "@boringssl_fips//:crypto",
-        "//conditions:default": "@boringssl//:crypto",
-    }),
-)
-
 config_setting(
     name = "linux_x86_64",
     constraint_values = [

bazel/README.md

@@ -697,13 +697,14 @@ The following optional features can be enabled on the Bazel build command-line:
   is required and target platform is Linux, then `bazel/exported_symbols.txt` can be used to land it.
 * Perf annotation with `--define perf_annotation=enabled` (see
   source/common/common/perf_annotation.h for details).
-* BoringSSL can be built in a FIPS-compliant mode with `--define boringssl=fips`
+* BoringSSL can be built in a FIPS-compliant mode with `--config=boringssl-fips`
   (see [FIPS 140-2](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2) for details).
+* AWS-LC FIPS can be used with `--config=aws-lc-fips`.
 * ASSERT() can be configured to log failures and increment a stat counter in a release build with
   `--define log_fast_debug_assert_in_release=enabled`. SLOW_ASSERT()s can be included with `--define log_debug_assert_in_release=enabled`. The default behavior is to compile all debug assertions out of
   release builds so that the condition is not evaluated. This option has no effect in debug builds.
 * memory-debugging (scribbling over memory after allocation and before freeing) with
-  `--define tcmalloc=debug`. Note this option cannot be used with FIPS-compliant mode BoringSSL and
+  `--define tcmalloc=debug`. Note this option cannot be used with FIPS mode and
   tcmalloc is built from the sources of Gperftools.
 * Default [path normalization](https://github.com/envoyproxy/envoy/issues/6435) with
   `--define path_normalization_by_default=true`. Note this still could be disable by explicit xDS config.

bazel/SSL.md

@@ -0,0 +1,67 @@
+# SSL library configuration
+
+Envoy uses [BoringSSL](https://github.com/google/boringssl) as its default SSL library.
+
+For FIPS-compliant builds, Envoy supports both BoringSSL-FIPS and [AWS-LC](https://github.com/aws/aws-lc) FIPS,
+which provides FIPS support for the aarch64 and ppc64le architectures.
+
+## Default (non-FIPS)
+
+No configuration needed. Envoy builds with standard BoringSSL by default:
+
+```bash
+bazel build //source/exe:envoy-static
+```
+
+## FIPS builds
+
+### BoringSSL-FIPS
+
+```bash
+bazel build --config=boringssl-fips //source/exe:envoy-static
+```
+
+- **Supported architectures:** Linux x86_64 only
+- **Version string:** `BoringSSL-FIPS` (visible in `envoy --version`)
+
+### AWS-LC FIPS
+
+```bash
+bazel build --config=aws-lc-fips //source/exe:envoy-static
+```
+
+- **Supported architectures:** Linux x86_64, aarch64, ppc64le
+- **Version string:** `AWS-LC-FIPS` (visible in `envoy --version`)
+- **Note:** HTTP/3 (QUIC) is disabled for AWS-LC builds
+
+## Migration from `--define boringssl=fips`
+
+The legacy `--define boringssl=fips` flag is deprecated. Migrate as follows:
+
+| Legacy | New |
+|--------|-----|
+| `--define boringssl=fips` | `--config=boringssl-fips` |
+| `--define boringssl=fips` (on ppc64le) | `--config=aws-lc-fips` |
+
+The legacy flag automatically selected AWS-LC on ppc64le. With the new approach, you must explicitly choose the library.
+
+## SSL flag integrity
+
+The SSL configuration uses three interdependent Bazel flags: `//bazel:ssl`, `//bazel:crypto`, and `//bazel:fips`.
+
+**Do not set these flags directly.** Use the `--config` options above, which ensure the flags are set consistently.
+
+Inconsistent flag combinations (e.g., a FIPS library with `--//bazel:fips=False`, or mismatched `ssl`/`crypto` libraries) will produce broken builds or incorrect version strings.
+
+## Verifying FIPS build
+
+Check the SSL library in use:
+
+```bash
+envoy --version
+```
+
+Look for:
+- `BoringSSL-FIPS` — BoringSSL FIPS build
+- `AWS-LC-FIPS` — AWS-LC FIPS build
+- `BoringSSL` — Standard (non-FIPS) build

bazel/envoy_binary.bzl

@@ -92,7 +92,7 @@ def _envoy_linkopts():
         ],
     }) + select({
         "@envoy//bazel:apple": [],
-        "@envoy//bazel:boringssl_fips": [],
+        "@envoy//bazel:fips_build": [],
         "@envoy//bazel:windows_x86_64": [],
         "//conditions:default": ["-pie"],
     }) + envoy_select_exported_symbols(["-Wl,-E"])

bazel/envoy_build_system.bzl

@@ -32,7 +32,6 @@ load(
     _envoy_select_admin_functionality = "envoy_select_admin_functionality",
     _envoy_select_admin_html = "envoy_select_admin_html",
     _envoy_select_admin_no_html = "envoy_select_admin_no_html",
-    _envoy_select_boringssl = "envoy_select_boringssl",
     _envoy_select_disable_exceptions = "envoy_select_disable_exceptions",
     _envoy_select_disable_logging = "envoy_select_disable_logging",
     _envoy_select_enable_exceptions = "envoy_select_enable_exceptions",
@@ -244,7 +243,6 @@ envoy_select_admin_functionality = _envoy_select_admin_functionality
 envoy_select_static_extension_registration = _envoy_select_static_extension_registration
 envoy_select_envoy_mobile_listener = _envoy_select_envoy_mobile_listener
 envoy_select_envoy_mobile_xds = _envoy_select_envoy_mobile_xds
-envoy_select_boringssl = _envoy_select_boringssl
 envoy_select_disable_logging = _envoy_select_disable_logging
 envoy_select_google_grpc = _envoy_select_google_grpc
 envoy_select_enable_http3 = _envoy_select_enable_http3

bazel/envoy_internal.bzl

@@ -149,8 +149,8 @@ EXTERNAL_DEPS_MAP = {
     "grpc": "@com_github_grpc_grpc//:grpc++",
     "grpc_health_proto": "@com_github_grpc_grpc//src/proto/grpc/health/v1:health_cc_proto",
     # SSL/Crypto (aliases defined in @envoy//bazel)
-    "ssl": "@envoy//bazel:boringssl",
-    "crypto": "@envoy//bazel:boringcrypto",
+    "ssl": "@envoy//bazel:ssl",
+    "crypto": "@envoy//bazel:crypto",
     # Bazel tools
     "bazel_runfiles": "@bazel_tools//tools/cpp/runfiles",
 }

bazel/envoy_select.bzl

@@ -11,13 +11,6 @@ def envoy_cc_platform_dep(name):
         "//conditions:default": [name + "_posix"],
     })
 
-def envoy_select_boringssl(if_fips, default = None, if_disabled = None):
-    return select({
-        "@envoy//bazel:boringssl_fips": if_fips,
-        "@envoy//bazel:boringssl_disabled": if_disabled or [],
-        "//conditions:default": default or [],
-    })
-
 # Selects the given values if Google gRPC is enabled in the current build.
 def envoy_select_google_grpc(xs, repository = ""):
     return select({

bazel/foreign_cc/BUILD

@@ -255,7 +255,7 @@ envoy_cmake(
     out_static_libs = ["libsxg.a"],
     tags = ["skip_on_windows"],
     # Use boringssl alias to select fips vs non-fips version.
-    deps = ["//bazel:boringssl"],
+    deps = ["//bazel:ssl"],
 )
 
 envoy_cmake(

bazel/grpc.patch

@@ -237,7 +237,7 @@ index 13a4714d4b..8664e99ffc 100644
 -        ":grpc_use_openssl_setting": "@openssl//:ssl",
 -        "//conditions:default": "@boringssl//:ssl",
 -    }),
-+    actual = "@envoy//bazel:boringssl",
++    actual = "@envoy//bazel:ssl",
      tags = ["manual"],
  )
 
@@ -247,7 +247,7 @@ index 13a4714d4b..8664e99ffc 100644
 -        ":grpc_use_openssl_setting": "@openssl//:crypto",
 -        "//conditions:default": "@boringssl//:crypto",
 -    }),
-+    actual = "@envoy//bazel:boringcrypto",
++    actual = "@envoy//bazel:crypto",
      tags = ["manual"],
  )
 

bazel/proxy_wasm_cpp_host.patch

@@ -7,7 +7,7 @@ index 91792a8..872131c 100644
      ] + select({
          "//bazel:crypto_system": [],
 -        "//conditions:default": ["@boringssl//:crypto"],
-+        "//conditions:default": ["@envoy//bazel:boringcrypto"],
++        "//conditions:default": ["@envoy//bazel:crypto"],
      }),
      alwayslink = 1,
  )

contrib/all_contrib_extensions.bzl

@@ -34,10 +34,20 @@ PPC_SKIP_CONTRIB_TARGETS = [
     "envoy.compression.qatzstd.compressor",
 ]
 
-FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS = [
+# BoringSSL-FIPS historically only skipped qatzip and kae on x86_64
+BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS = [
     "envoy.compression.qatzip.compressor",
     "envoy.tls.key_providers.kae",
 ]
 
+# AWS-LC needs to skip additional Intel-specific crypto providers
+AWS_LC_SKIP_CONTRIB_TARGETS = [
+    "envoy.tls.key_providers.cryptomb",
+    "envoy.tls.key_providers.qat",
+    "envoy.tls.key_providers.kae",
+    "envoy.compression.qatzip.compressor",
+    "envoy.compression.qatzstd.compressor",
+]
+
 def envoy_all_contrib_extensions(denylist = []):
     return [v + "_envoy_extension" for k, v in CONTRIB_EXTENSIONS.items() if not k in denylist]

contrib/cryptomb/private_key_providers/source/BUILD

@@ -27,7 +27,7 @@ envoy_cmake(
         "Python_EXECUTABLE": "$$EXT_BUILD_ROOT/$(PYTHON3)",
     } | select({
         # FIPS builds use libcrypto.a/libssl.a
-        "//bazel:boringssl_fips": {
+        "//bazel:using_fips_ssl": {
             "OPENSSL_CRYPTO_LIBRARY": "$$EXT_BUILD_DEPS/lib/libcrypto.a",
         },
         # Non-FIPS builds use libcrypto_internal.a/libssl_internal.a
@@ -55,8 +55,8 @@ envoy_cmake(
     toolchains = ["@rules_python//python:current_py_toolchain"],
     visibility = ["//visibility:private"],
     working_directory = "sources/ippcp/crypto_mb",
-    # Use boringssl alias to select fips vs non-fips version.
-    deps = ["//bazel:boringssl"],
+    # Use ssl label_flag to select the SSL library.
+    deps = ["//bazel:ssl"],
 )
 
 envoy_cc_library(

contrib/exe/BUILD

@@ -7,7 +7,8 @@ load(
 load(
     "//contrib:all_contrib_extensions.bzl",
     "ARM64_SKIP_CONTRIB_TARGETS",
-    "FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS",
+    "AWS_LC_SKIP_CONTRIB_TARGETS",
+    "BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS",
     "PPC_SKIP_CONTRIB_TARGETS",
     "X86_SKIP_CONTRIB_TARGETS",
     "envoy_all_contrib_extensions",
@@ -25,7 +26,8 @@ alias(
 SELECTED_CONTRIB_EXTENSIONS = select({
     "//bazel:linux_aarch64": envoy_all_contrib_extensions(ARM64_SKIP_CONTRIB_TARGETS),
     "//bazel:linux_ppc": envoy_all_contrib_extensions(PPC_SKIP_CONTRIB_TARGETS),
-    "//bazel:boringssl_fips_x86": envoy_all_contrib_extensions(FIPS_LINUX_X86_SKIP_CONTRIB_TARGETS),
+    "//bazel:using_aws_lc": envoy_all_contrib_extensions(AWS_LC_SKIP_CONTRIB_TARGETS),
+    "//bazel:using_boringssl_fips": envoy_all_contrib_extensions(BORINGSSL_FIPS_SKIP_CONTRIB_TARGETS),
     "//conditions:default": envoy_all_contrib_extensions(X86_SKIP_CONTRIB_TARGETS),
 })
 

contrib/qat/BUILD

@@ -41,9 +41,9 @@ configure_make(
     ],
     target_compatible_with = envoy_contrib_linux_x86_64_constraints(),
     visibility = ["//visibility:public"],
-    # Use boringssl alias to select fips vs non-fips version.
+    # Use crypto label_flag to select the SSL library.
     deps = [
-        "//bazel:boringcrypto",
+        "//bazel:crypto",
         "@numactl//:numa",
     ],
     alwayslink = True,

contrib/qat/compression/qatzip/compressor/source/BUILD

@@ -53,8 +53,8 @@ configure_make(
         "//bazel/foreign_cc:lz4",
         "//bazel:zlib",
         "//contrib/qat:qatlib",
-        # Use boringssl alias to select fips vs non-fips version.
-        "//bazel:boringcrypto",
+        # Use crypto label_flag to select the SSL library.
+        "//bazel:crypto",
         "@numactl//:numa",
     ],
     alwayslink = False,