Add FIPS build to CI and add README.fips.md (#15038)

2025-01-23 12:43:16 -05:00 · 2022-06-04 18:25:37 -07:00 · 2022-06-04 18:25:37 -07:00 · addfa35d93
commit addfa35d93
parent 5afdc56796
2 changed files with 58 additions and 0 deletions
--- a/.github/workflows/go-fips.yml
+++ b/.github/workflows/go-fips.yml
@ -0,0 +1,51 @@
 name: FIPS Build Test
 on:
  pull_request:
    branches:
    - master
 # This ensures that previous jobs for the PR are canceled when the PR is
 # updated.
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  build:
    name: Go BoringCrypto ${{ matrix.go-version }} on ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        go-version: [1.17.11b7, 1.18.3b7]
        os: [ubuntu-latest]
    steps:
      - uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Setup dockerfile for build test
        run: |
          echo "FROM us-docker.pkg.dev/google.com/api-project-999119582588/go-boringcrypto/golang:${{ matrix.go-version }}" > Dockerfile.fips.test
          echo "COPY . /minio" >> Dockerfile.fips.test
          echo "WORKDIR /minio" >> Dockerfile.fips.test
          echo "RUN make" >> Dockerfile.fips.test
      - name: Build
        uses: docker/build-push-action@v3
        with:
          context: .
          file: Dockerfile.fips.test
          push: false
          load: true
          tags: minio/fips-test:latest
      # This should fail if grep returns non-zero exit
      - name: Test binary
        run: |
          docker run --rm minio/fips-test:latest ./minio --version
          docker run --rm -i minio/fips-test:latest /bin/bash -c 'go tool nm ./minio' | grep -q FIPS
--- a/README.fips.md
+++ b/README.fips.md
@ -0,0 +1,7 @@
 # MinIO FIPS Builds
 MinIO creates FIPS builds using a patched version of the Go compiler (that uses BoringCrypto, from BoringSSL, which is [FIPS 140-2 validated](https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2964.pdf)) published by the Golang Team [here](https://github.com/golang/go/tree/dev.boringcrypto/misc/boring).
 MinIO FIPS executables are available at http://dl.min.io - they are only published for `linux-amd64` architecture as binary files with the suffix `.fips`. We also publish corresponding container images to our official image repositories.
 We are not making any statements or representations about the suitability of this code or build in relation to the FIPS 140-2 standard. Interested users will have to evaluate for themselves whether this is useful for their own purposes.