release-23.2: fipsccl: Add interfaces to expose FIPS-readiness status #115202
Thanks for opening a backport. Please check the backport criteria before merging:
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
Also, please add a brief release justification to the body of your PR to justify this |
Force-pushed from 9381193 to 25c2267.

Force-pushed from 25c2267 to d011be7.
Reviewed 1 of 1 files at r1, 7 of 9 files at r2, 3 of 3 files at r3, 14 of 14 files at r4, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @rsevinsky-cr)
Force-pushed from d011be7 to 2e19646.
The last force push was to correct the generated files from a run of |
Reviewed 7 of 7 files at r5, all commit messages.
Reviewable status: complete! 0 of 0 LGTMs obtained (waiting on @rsevinsky-cr)
The boringcrypto build tag/experiment is not necessary to enable FIPS functionality with this toolchain, but it is necessary to expose the crypto/boring.Enabled method, which is the application-visible way to confirm that FIPS mode is in use.

Updates cockroachdb#114344

Release note: None

This command reports on the status of certain prerequisites for our fips-ready builds.

Updates cockroachdb#114344

Release note (cli change): New command `cockroach debug enterprise-check-fips` diagnoses errors in FIPS deployments

Previously, misconfigurations of the FIPS environment would result in a silent fallback to non-FIPS-compliant Go cryptography. This flag permits users who require FIPS compliance to add some checks to CockroachDB startup to ensure that the Go crypto implementation will not be used.

Updates cockroachdb#114344

Release note (cli change): New flag --enterprise-require-fips-ready can be added to any CRDB command to prevent startup if certain prerequisites for FIPS compliance are not met.

This function provides a way to verify FIPS readiness without modifying the deployment to add the --enterprise-require-fips-ready flag.

Updates cockroachdb#114344

Release note (enterprise change): New SQL function fips_ready can be used to verify the FIPS readiness of the gateway node.
Force-pushed from 2e19646 to 80795c9.
Pushed to fix conflicts (only one: from the go version change in the |
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool.

error setting reviewers, but backport branch blathers/backport-release-23.2.0-rc-115202 is ready: POST https://api.github.com/repos/cockroachdb/cockroach/pulls/116281/requested_reviewers: 422 Reviews may only be requested from collaborators. One or more of the teams you specified is not a collaborator of the cockroachdb/cockroach repository. []

Backport to branch 23.2.0-rc failed. See errors above.

🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf. |
Backport 4/4 commits from #114709.

/cc @cockroachdb/release

- `cockroach debug enterprise-check-fips` for detailed diagnostics
- `--enterprise-require-fips-ready` to abort if FIPS checks fail
- `crdb_internal.fips_ready()` to check at runtime

Closes #114344

Release justification: FIPS-ready mode requires a different version of OpenSSL in 23.2 than in older versions, so new tools are needed to ensure that upgrades are done properly.