Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-23.2.0-rc: fipsccl: Add interfaces to expose FIPS-readiness status #116281

Merged
merged 4 commits into from
Dec 13, 2023
Merged

release-23.2.0-rc: fipsccl: Add interfaces to expose FIPS-readiness status #116281

merged 4 commits into from
Dec 13, 2023

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented Dec 12, 2023
edited by jlinder
Loading

Backport 4/4 commits from #115202 on behalf of @bdarnell.

/cc @cockroachdb/release

Backport 4/4 commits from #114709.

/cc @cockroachdb/release

  • CLI tool cockroach debug enterprise-check-fips for detailed diagnostics
  • Global CLI flag --enterprise-require-fips-ready to abort if FIPS checks fail
  • SQL function crdb_internal.fips_ready() to check at runtime

Closes #114344

Release justification: FIPS-ready mode requires a different version of OpenSSL in 23.2 than in older versions, so new tools are needed to ensure that upgrades are done properly.

@bdarnell
bazel: Add boringcrypto experiment to go_sdk_fips
e86aaa0 
The boringcrypto build tag/experiment is not necessary to enable FIPS
functionality with this toolchain, but it is necessary to expose the
crypto/boring.Enabled method, which is the application-visible
way to confirm that FIPS mode is in use.

Updates #114344
Release note: None
@bdarnell
cliccl: Add debug enterprise-check-fips command
8e11868 
This command reports on the status of certain prerequisites for our fips-ready
builds.

Updates #114344

Release note (cli change): New command `cockroach debug
enterprise-check-fips` diagnoses errors in FIPS deployments
@bdarnell
cliccl: Add global --enterprise-require-fips-ready flag
0d547ee 
Previously, misconfigurations of the FIPS environment would result in a
silent fallback to non-FIPS-compliant Go cryptography. This flag permits
users who require FIPS compliance to add some checks to CockroachDB
startup to ensure that the Go crypto implementation will not be used.

Updates #114344

Release note (cli change): New flag --enterprise-require-fips-ready
can be added to any CRDB command to prevent startup if certain
prerequisites for FIPS compliance are not met.
@bdarnell
fipsccl: Add a SQL function to check fips status
cebe0d1 
This function provides a way to verify FIPS readiness without modifying
the deployment to add the --enterprise-require-fips-ready flag.

Updates #114344

Release note (enterprise change): New SQL function fips_ready can be
used to verify the FIPS readiness of the gateway node.
@blathers-crl blathers-crl bot requested a review from a team as a code owner December 12, 2023 20:33
@blathers-crl blathers-crl bot force-pushed the blathers/backport-release-23.2.0-rc-115202 branch from ebb2aff to cebe0d1 Compare December 12, 2023 20:33
@blathers-crl blathers-crl bot requested review from a team as code owners December 12, 2023 20:33
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Dec 12, 2023
@blathers-crl blathers[crl]
Copy link
Author

blathers-crl bot commented Dec 12, 2023
edited by jlinder
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL and one additional
    TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Dec 12, 2023
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@jlinder jlinder requested a review from emnet-crl December 12, 2023 20:39
emnet-crl
emnet-crl approved these changes Dec 13, 2023
View reviewed changes
Copy link
Collaborator

@emnet-crl emnet-crl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 1 of 1 files at r1, 7 of 9 files at r2, 3 of 3 files at r3, 21 of 21 files at r4, all commit messages.
Reviewable status: :shipit: complete! 0 of 0 LGTMs obtained (waiting on @bdarnell)

@jlinder jlinder changed the title release-23.2.0-rc: release-23.2: fipsccl: Add interfaces to expose FIPS-readiness status release-23.2.0-rc: fipsccl: Add interfaces to expose FIPS-readiness status Dec 13, 2023
@jlinder jlinder merged commit 2fa0495 into release-23.2.0-rc Dec 13, 2023
5 of 6 checks passed
@jlinder jlinder deleted the blathers/backport-release-23.2.0-rc-115202 branch December 13, 2023 17:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emnet-crl emnet-crl emnet-crl approved these changes

@jlinder jlinder jlinder approved these changes

Assignees

@bdarnell bdarnell

Labels
backport Label PR's that are backports to older release branches blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cockroach-teamcity @jlinder @emnet-crl @bdarnell