Skip to content

Support FIPS 140-3 validated crypto via fips-golang-1.26-linux package #1135

Description

@ivo1116

Summary

Go 1.24+ ships with a native FIPS 140-3 validated cryptographic module (CMVP Certificate #5247). A PR has been opened to add an opt-in FIPS variant package (fips-golang-1.26-linux) to bosh-package-golang-release:

Once that merges, diego-release can vendor the FIPS package to produce binaries compiled with the CMVP-certified crypto module, enabling deployment in regulated environments (FedRAMP, US government, etc.).

What would change in diego-release

The change is mechanical — no code modifications to any Diego component:

  1. Vendor the FIPS golang package:

    bosh vendor-package fips-golang-1.26-linux ~/workspace/bosh-package-golang-release
  2. Update package specs (all Go packages — rep, bbs, auctioneer, route_emitter, etc.):

     dependencies:
    -  - golang-1.26-linux
    +  - fips-golang-1.26-linux
  3. Update packaging scripts (glob pattern):

    -source /var/vcap/packages/golang-*-linux/bosh/compile.env
    +source /var/vcap/packages/fips-golang-*-linux/bosh/compile.env

That's it. All Diego binaries (rep, bbs, auctioneer, route_emitter, locket, ssh_proxy, cfdot, file_server, etc.) would then be compiled with FIPS 140-3 mode enabled.

What FIPS mode provides at runtime

  • Integrity self-check at process initialization
  • Known-answer self-tests (KATs) for all crypto algorithms
  • crypto/rand backed by NIST SP 800-90A DRBG
  • crypto/tls restricted to FIPS-approved cipher suites and TLS 1.2+
  • Pairwise consistency tests on generated keys
  • No performance-impacting changes for steady-state operation (~1-2ms extra per TLS handshake)

Testing done

Successfully deployed FIPS-enabled Diego on a test landscape (ubuntu-noble stemcell, AWS):

  • All processes (rep, route_emitter, garden, silk-daemon) started without issues
  • No TLS cipher compatibility problems observed
  • FIPS verified via: strings /var/vcap/packages/rep/bin/rep | grep "fips140=on"
  • Result: DefaultGODEBUG=fips140=on

CI compatibility

The package uses the PREFIX naming convention (fips-golang-1.26-linux) which is compatible with the existing bump-golang-package-name task in wg-app-platform-runtime-ci via PREFIX=fips. Future Go version bumps (1.26→1.27) would be handled automatically by CI.

Context

  • No external forks needed (BoringCrypto, Microsoft, Red Hat golang-fips are all unnecessary)
  • Red Hat's golang-fips fork has announced Go 1.26 as their final release and recommends upstream Go's native FIPS
  • Ruby-based CF components (Cloud Controller, BOSH) already inherit FIPS-compliant OpenSSL from the stemcell
  • Java-based UAA uses Bouncy Castle FIPS
  • Go-based components are the remaining gap for full platform FIPS compliance

Blocked on

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Inbox

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions