Skip to content

Use native Go for Linux FIPS builds#51345

Merged
macdewee merged 12 commits into
mainfrom
drosiek-use-native-go-fips
Jul 3, 2026
Merged

Use native Go for Linux FIPS builds#51345
macdewee merged 12 commits into
mainfrom
drosiek-use-native-go-fips

Conversation

@macdewee

Copy link
Copy Markdown
Contributor

Proposed commit message

Go 1.24+ ships its own FIPS 140-3 certified crypto module (GOFIPS140), so we no longer need the Microsoft Go fork (GOEXPERIMENT=systemcrypto) which required CGO and a linked OpenSSL. This switches auditbeat, filebeat, and metricbeat Linux FIPS builds to use the native module instead.

Changes:

  • fips-settings.yaml: replace GOEXPERIMENT=systemcrypto + cgo: true with GOFIPS140: v1.0.0
  • crossbuild.go: stop selecting the MS Go -fips crossbuild Docker image
  • build.go / settings.go: remove dead CGO field and OR
  • checkFIPS() / VerifyFIPSBinary(): check GOFIPS140 + DefaultGODEBUG=fips140=on instead of GOEXPERIMENT + OpenSSL ELF symbols
  • CI: switch FIPS test steps from AWS FIPS image to standard GCP image; unskip (SSH key issue was caused by OS-level FIPS enforcement, which is gone)

Mirrors elastic/elastic-agent@07f98a8.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

FIPS binaries no longer link against system OpenSSL — no runtime OpenSSL dependency.

How to test this PR locally

cd x-pack/filebeat
FIPS=true mage Build

# check buildinfo
go version -m filebeat | grep -E 'GOFIPS140|DefaultGODEBUG'
# expect: GOFIPS140=v1.0.0-... and DefaultGODEBUG=...fips140=on...

Related issues

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 18, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@mergify

mergify Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @macdewee? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 665029fb-eb6b-4d0e-a33a-6b4fda8e5e14

📥 Commits

Reviewing files that changed from the base of the PR and between 5acbbac and 53abbd3.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (15)
  • .buildkite/libbeat/pipeline.libbeat.yml
  • .buildkite/scripts/custom_fips_ech_test.sh
  • .buildkite/x-pack/pipeline.xpack.filebeat.yml
  • .buildkite/x-pack/pipeline.xpack.metricbeat.yml
  • NOTICE.txt
  • changelog/fragments/1781782084-use-native-go-for-linux-fips-builds.yaml
  • dev-tools/mage/build.go
  • dev-tools/mage/crossbuild.go
  • dev-tools/mage/fips-settings.yaml
  • dev-tools/mage/gotest.go
  • dev-tools/mage/settings.go
  • dev-tools/packaging/package_test.go
  • go.mod
  • libbeat/esleg/eslegclient/connection_test.go
  • testing/go-ech/ech.go
💤 Files with no reviewable changes (1)
  • dev-tools/mage/settings.go

📝 Walkthrough

Walkthrough

This PR migrates Linux FIPS builds from OpenSSL-based GOEXPERIMENT=systemcrypto to native Go FIPS 140 module support (GOFIPS140: v1.0.0), updating mage build/crossbuild/gotest tooling, FIPS settings schema, and binary verification logic in package_test.go and ech.go to check GOFIPS140/DefaultGODEBUG instead of ELF symbols. Buildkite pipelines for libbeat, filebeat, and metricbeat drop AWS FIPS-specific images/skip conditions and run FIPS tests on GCP. TLS connection tests gain FIPS-specific RSA-1024 rejection assertions. Also bumps elastic-agent-libs dependency and adds a changelog fragment.

Possibly related PRs

  • elastic/beats#51481: Also modifies TestConnectionTLS in libbeat/esleg/eslegclient/connection_test.go, including FIPS vs non-FIPS assertions and related test certificate data.

Suggested labels: enhancement, Team:Elastic-Agent-Data-Plane

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The FIPS test steps now avoid Ubuntu 22.04 FIPS runners by switching to standard GCP images and removing the failing SSH-key dependency.
Out of Scope Changes check ✅ Passed The changes align with the native Go FIPS migration and CI/test updates described in the PR objectives, with no clear unrelated code paths.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch drosiek-use-native-go-fips
  • 🛠️ Update Documentation

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@mergify

mergify Bot commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b drosiek-use-native-go-fips upstream/drosiek-use-native-go-fips
git merge upstream/main
git push upstream drosiek-use-native-go-fips

@macdewee macdewee added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Jun 24, 2026
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 24, 2026
@github-actions

This comment has been minimized.

@macdewee macdewee force-pushed the drosiek-use-native-go-fips branch from 28dc67a to a504c40 Compare July 1, 2026 10:54
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

TL;DR

check-default failed because NOTICE.txt is stale after the PR bumped github.com/elastic/elastic-agent-libs to v0.44.1-0.20260701084740-d72ff2012311. Regenerate and commit NOTICE.txt, then rerun the check-default workflow.

Remediation

  • From the repo root on branch drosiek-use-native-go-fips, run make notice and commit the resulting NOTICE.txt update.
  • Re-run make check-default locally or rerun the GitHub Actions check-default workflow after pushing; the check should no longer fail at check-no-changes for NOTICE.txt.
Investigation details

Root Cause

The PR changes go.mod from github.com/elastic/elastic-agent-libs v0.44.0 to github.com/elastic/elastic-agent-libs v0.44.1-0.20260701084740-d72ff2012311, and go.sum is updated accordingly, but NOTICE.txt is not part of the PR file list. During make check-default, the notice target regenerated NOTICE.txt; the later check-no-changes target failed because that generated diff was uncommitted.

Evidence

Generating NOTICE
go mod tidy
...
go list -m -json all | go run go.elastic.co/go-licence-detector \
	-includeIndirect \
	-rules dev-tools/notice/rules.json \
	-overrides dev-tools/notice/overrides.json \
	-noticeTemplate dev-tools/notice/NOTICE.txt.tmpl \
	-noticeOut NOTICE.txt \
	-depsOut ""
...
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -10798,11 +10798,11 @@ SOFTWARE
 Dependency : github.com/elastic/elastic-agent-libs
-Version: v0.44.0
+Version: v0.44.1-0.20260701084740-d72ff2012311
 Licence type (autodetected): Apache-2.0
...
-Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.44.0/LICENSE:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/elastic-agent-libs@v0.44.1-0.20260701084740-d72ff2012311/LICENSE:
NOTICE.txt: needs update
make[1]: *** [Makefile:119: check-no-changes] Error 1
make: *** [Makefile:107: check-default] Error 2

Validation

  • Not run locally; this was a workflow-log investigation. I checked the PR file list and confirmed NOTICE.txt is not included while go.mod/go.sum contain the dependency bump.

Follow-up

  • The prior PR Actions Detective report on this PR covered different golangci-lint failures from an older workflow run, so this is a new report rather than a duplicate.

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

macdewee and others added 12 commits July 2, 2026 07:49
Switch Linux FIPS builds from Microsoft Go (GOEXPERIMENT=systemcrypto)
to the upstream Go native FIPS module (GOFIPS140=v1.0.0, CMVP cert #5247).
Drops CGO requirement and the Microsoft Go cross-build Docker image.
Updates package tests to verify GOFIPS140 and DefaultGODEBUG buildinfo
instead of GOEXPERIMENT and OpenSSL ELF symbols.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove GOEXPERIMENT=systemcrypto from CI pipelines and ECH test script
- Switch FIPS unit/ECH test steps from AWS FIPS image to standard GCP image; unskip
- Update VerifyFIPSBinary to check GOFIPS140+DefaultGODEBUG instead of GOEXPERIMENT+OpenSSL symbols
- Strengthen GOFIPS140 assertion to require v1.0.0 version; improve error messages
- Remove dead CGO field and OR from FIPSConfig/DefaultBuildArgs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
…or crossbuild

- Inject FIPS compile env vars (GOFIPS140=v1.0.0) into go test args so
  that test binaries actually enforce FIPS crypto at runtime, not just
  compile with the requirefips tag.
- Pre-populate golang.org/fips140 in the host module cache before FIPS
  crossbuild containers mount it read-only, avoiding a write failure
  when the toolchain tries to unpack the module inside the container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add verification_mode:strict so Go's native TLS stack performs chain
verification (InsecureSkipVerify=false) and the FIPS key-size check
triggers. Update the expected error string to match native Go's message.
Simplify the test comment to remove implementation details.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Picks up the unreleased FIPS 140-3 peer-cert key-type enforcement
(elastic/elastic-agent-libs#426), which TestConnectionTLS depends on.
Update the test's expected error string to match the actual message
that check produces, rather than Go's own (unreachable, since a
custom TLS callback is always installed) internal FIPS error.

This is a temporary pin for CI validation ahead of a tagged
elastic-agent-libs release containing the fix.
Swaps the temporary pseudo-version pin (unreleased main commit) for
the now-tagged release containing the FIPS 140-3 peer-cert key-type
enforcement fix (elastic/elastic-agent-libs#426). Same commit
content (d72ff2012311), now backed by a real release.
- gotest.go: wire fipsTestEnv() into makeGoTestArgsForPackage too, so
  per-module integration test builds (FIPS=true mage goIntegTest on a
  single module) get GOFIPS140 set, not just the requirefips tag.
- crossbuild.go: drop the bogus "G122" gosec rule code from the nolint
  comment on os.Chown (gosec has no G122; nolint:gosec suppresses by
  linter name, so the code was misleading, not functional).
- connection_test.go: cover both elastic-agent-libs FIPS callback paths
  (verification_mode strict and none use different callbacks) and
  assert the RSA-1024-specific error message instead of the more
  generic FIPS-rejection substring.
Contains would tolerate v1.0.0 appearing anywhere in the buildinfo
value; HasPrefix asserts it's actually the version identifier itself.
The comment named elastic-agent-libs' unexported checkAllChainsFIPS
and fipsVerifyNoneCallback, leaking implementation details of a
dependency with no compatibility guarantee. Describe the observable
strict-vs-none distinction instead.
@macdewee macdewee force-pushed the drosiek-use-native-go-fips branch from df4e775 to 53abbd3 Compare July 2, 2026 05:49
@macdewee macdewee marked this pull request as ready for review July 2, 2026 05:49
@macdewee macdewee requested review from a team as code owners July 2, 2026 05:49
@ebeahan

ebeahan commented Jul 2, 2026

Copy link
Copy Markdown
Member

@macdewee let's make sure someone from @elastic/elastic-agent-data-plane also gives a proper review since my membership dismissed 😄

@fr4nc1sc0-r4m0n fr4nc1sc0-r4m0n left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CI changes LGTM

@mergify

mergify Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Queued — the merge queue status continues in this comment ↓.

@mergify

mergify Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

This pull request spent 17 minutes 46 seconds in the queue, including 17 minutes 17 seconds running CI.

Waiting for
  • check-success=buildkite/beats
  • any of: [🛡 GitHub branch protection]
    • check-neutral = buildkite/beats
    • check-skipped = buildkite/beats
    • check-success = buildkite/beats
All conditions

Reason

The merge conditions cannot be satisfied due to failing checks

  • buildkite/beats
  • CLA

Failing checks:

Hint

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

Tick the box to put this pull request back in the merge queue (same as @mergifyio queue).

  • Requeue this pull request

@mergify mergify Bot added the queued label Jul 3, 2026
mergify Bot added a commit that referenced this pull request Jul 3, 2026
@mergify mergify Bot added dequeued and removed queued labels Jul 3, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

TL;DR

Metricbeat Run check/update failed because metricbeat/mb/module/runner_test.go:173 passes logptest.NewTestingLogger(t, "") directly to module.NewWrapper, but module.NewWrapper now expects *beat.Info as its third argument. This appears to be from the current main merge-queue base commit (c2c559cd, #50834), not from the FIPS changes in this PR.

Remediation

  • Change metricbeat/mb/module/runner_test.go:173 to match the other calls in the same file, e.g. pass &beat.Info{Logger: logptest.NewTestingLogger(t, "")} as the third module.NewWrapper argument.
  • Validate with go test ./metricbeat/mb/module or rerun make -C metricbeat check update.
Investigation details

Root Cause

module.NewWrapper is declared at metricbeat/mb/module/wrapper.go:93 as:

func NewWrapper(config *conf.C, r *mb.Register, info *beat.Info, monitoring beatmonitoring.Monitoring, p *paths.Path, options ...Option) (*Wrapper, error)

Most calls in metricbeat/mb/module/runner_test.go already pass &beat.Info{Logger: logptest.NewTestingLogger(t, "")} (metricbeat/mb/module/runner_test.go:57 and metricbeat/mb/module/runner_test.go:85), but the new runner-stop test still passes only the logger at metricbeat/mb/module/runner_test.go:173.

Evidence

# github.com/elastic/beats/v7/metricbeat/mb/module_test
# [github.com/elastic/beats/v7/metricbeat/mb/module_test]
vet: mb/module/runner_test.go:173:51: cannot use logptest.NewTestingLogger(t, "") (value of type *logp.Logger) as *beat.Info value in argument to module.NewWrapper
Error: failed running go vet, please fix the issues reported: running "go vet ./..." failed with exit code 1

I also reproduced the package compile failure locally:

$ go test ./metricbeat/mb/module
# github.com/elastic/beats/v7/metricbeat/mb/module_test [github.com/elastic/beats/v7/metricbeat/mb/module.test]
metricbeat/mb/module/runner_test.go:173:51: cannot use logptest.NewTestingLogger(t, "") (value of type *logp.Logger) as *beat.Info value in argument to module.NewWrapper
FAIL	github.com/elastic/beats/v7/metricbeat/mb/module [build failed]

Verification

  • Ran go test ./metricbeat/mb/module; it fails at compile time with the same module.NewWrapper argument mismatch.
  • Did not apply the fix locally because this detective workflow is read-only.

Follow-up

Since the failing line comes from c2c559cd ([metricbeat] fix race condtion on runner closure (#50834)) on the merge-queue base, this should be fixed on main or the merge queue should be retried after that fix lands.


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@macdewee macdewee added the backport-skip Skip notification from the automated backport with mergify label Jul 3, 2026
@macdewee macdewee merged commit a829d56 into main Jul 3, 2026
219 of 220 checks passed
@macdewee macdewee deleted the drosiek-use-native-go-fips branch July 3, 2026 12:48
macdewee added a commit to elastic/elastic-agent that referenced this pull request Jul 3, 2026
…eGoTestArgs

Picks up elastic/elastic-agent-libs#426 (enforce FIPS 140-3 peer cert key
types across all TLS verification modes), mirroring the native-Go FIPS
migration landing in elastic/beats#51345. Replaces a local filesystem
replace directive used to validate against that PR before it merged.

Also adds TestMakeGoTestArgsFIPS covering the FIPS env propagation added
in the prior follow-up commit.
macdewee added a commit to elastic/elastic-agent that referenced this pull request Jul 7, 2026
* Follow up native Go FIPS migration: remove dead msft-go artefacts and tighten test assertion

- Remove MS_GOTOOLCHAIN_TELEMETRY_ENABLED from the FIPS integration pipeline and magefile.go Windows archive build; both Linux and Windows FIPS now use GOFIPS140 (native Go), so the Microsoft toolchain env var is dead code.
- Remove the msft-go toolchain smoke-check from buildkite-integration-tests.sh; the check was specific to GOEXPERIMENT=systemcrypto and is no longer meaningful.
- Remove CGO field from FIPSConfig.Compile and its use in DefaultBuildArgs; native Go FIPS does not require CGO.
- Propagate FIPS compile env vars (e.g. GOFIPS140) into Go test args so unit tests run with the same crypto constraints as packaged binaries.
- Change GOFIPS140 test assertion from require.Contains(..., "v1.0.0") to require.Equal so it fails loudly on any version mismatch.
- Update tls.go comment to reference GOFIPS140 instead of the removed GOEXPERIMENT paths.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* test: assert prefix rather than exact match for GOFIPS140 env

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>

* Bump elastic-agent-libs to v0.46.0 and add FIPS test coverage for makeGoTestArgs

Picks up elastic/elastic-agent-libs#426 (enforce FIPS 140-3 peer cert key
types across all TLS verification modes), mirroring the native-Go FIPS
migration landing in elastic/beats#51345. Replaces a local filesystem
replace directive used to validate against that PR before it merged.

Also adds TestMakeGoTestArgsFIPS covering the FIPS env propagation added
in the prior follow-up commit.

* docs: add changelog fragment for FIPS TLS cert key-type fix

Documents the customer-facing fix (elastic-agent-libs v0.46.0 bump) where
FIPS mode was silently accepting TLS peer certificates with non-approved
key types due to a native Go FIPS gap with custom verify callbacks.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Apply suggestion from @macdewee

---------

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@macdewee macdewee added the backport-active-9 Automated backport with mergify to all the active 9.[0-9]+ branches label Jul 15, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@Mergifyio backport 9.5 9.4 9.3

@mergify

mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

backport 9.5 9.4 9.3

✅ Backports have been created

Details

Cherry-pick of a829d56 has failed:

On branch mergify/bp/9.5/pr-51345
Your branch is up to date with 'origin/9.5'.

You are currently cherry-picking commit a829d56a0.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   .buildkite/libbeat/pipeline.libbeat.yml
	both modified:   .buildkite/x-pack/pipeline.xpack.filebeat.yml
	both modified:   .buildkite/x-pack/pipeline.xpack.metricbeat.yml

no changes added to commit (use "git add" and/or "git commit -a")

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

Cherry-pick of a829d56 has failed:

On branch mergify/bp/9.3/pr-51345
Your branch is up to date with 'origin/9.3'.

You are currently cherry-picking commit a829d56a0.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   .buildkite/scripts/custom_fips_ech_test.sh
	modified:   NOTICE.txt
	new file:   changelog/fragments/1781782084-use-native-go-for-linux-fips-builds.yaml
	modified:   dev-tools/mage/build.go
	modified:   dev-tools/mage/crossbuild.go
	modified:   dev-tools/mage/fips-settings.yaml
	modified:   dev-tools/mage/gotest.go
	modified:   dev-tools/mage/settings.go
	modified:   dev-tools/packaging/package_test.go
	modified:   go.mod
	modified:   go.sum
	modified:   libbeat/esleg/eslegclient/connection_test.go
	modified:   testing/go-ech/ech.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   .buildkite/libbeat/pipeline.libbeat.yml
	both modified:   .buildkite/x-pack/pipeline.xpack.filebeat.yml
	both modified:   .buildkite/x-pack/pipeline.xpack.metricbeat.yml

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@macdewee macdewee removed the backport-skip Skip notification from the automated backport with mergify label Jul 15, 2026
macdewee added a commit that referenced this pull request Jul 15, 2026
Mergify left unresolved conflict markers in three Buildkite pipeline
files. Resolve by keeping 9.3's image versions (1782878510) and
dropping IMAGE_UBUNTU_X86_64_FIPS, which no step references after the
switch to native Go FIPS (GOFIPS140=v1.0.0).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
macdewee added a commit that referenced this pull request Jul 15, 2026
* Use native Go for Linux FIPS builds (#51345)

* feat: use native Go for Linux FIPS builds

Switch Linux FIPS builds from Microsoft Go (GOEXPERIMENT=systemcrypto)
to the upstream Go native FIPS module (GOFIPS140=v1.0.0, CMVP cert #5247).
Drops CGO requirement and the Microsoft Go cross-build Docker image.
Updates package tests to verify GOFIPS140 and DefaultGODEBUG buildinfo
instead of GOEXPERIMENT and OpenSSL ELF symbols.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: clean up MS Go FIPS artifacts

- Remove GOEXPERIMENT=systemcrypto from CI pipelines and ECH test script
- Switch FIPS unit/ECH test steps from AWS FIPS image to standard GCP image; unskip
- Update VerifyFIPSBinary to check GOFIPS140+DefaultGODEBUG instead of GOEXPERIMENT+OpenSSL symbols
- Strengthen GOFIPS140 assertion to require v1.0.0 version; improve error messages
- Remove dead CGO field and OR from FIPSConfig/DefaultBuildArgs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: golangci-lint fixes

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>

* fix: propagate FIPS env to unit tests and pre-populate module cache for crossbuild

- Inject FIPS compile env vars (GOFIPS140=v1.0.0) into go test args so
  that test binaries actually enforce FIPS crypto at runtime, not just
  compile with the requirefips tag.
- Pre-populate golang.org/fips140 in the host module cache before FIPS
  crossbuild containers mount it read-only, avoiding a write failure
  when the toolchain tries to unpack the module inside the container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: update TestConnectionTLS for native Go FIPS

Add verification_mode:strict so Go's native TLS stack performs chain
verification (InsecureSkipVerify=false) and the FIPS key-size check
triggers. Update the expected error string to match native Go's message.
Simplify the test comment to remove implementation details.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* mod: pin elastic-agent-libs to main for native Go FIPS validation

Picks up the unreleased FIPS 140-3 peer-cert key-type enforcement
(elastic/elastic-agent-libs#426), which TestConnectionTLS depends on.
Update the test's expected error string to match the actual message
that check produces, rather than Go's own (unreachable, since a
custom TLS callback is always installed) internal FIPS error.

This is a temporary pin for CI validation ahead of a tagged
elastic-agent-libs release containing the fix.

* notice: regenerate for elastic-agent-libs pin bump

* mod: bump elastic-agent-libs to released v0.45.0

Swaps the temporary pseudo-version pin (unreleased main commit) for
the now-tagged release containing the FIPS 140-3 peer-cert key-type
enforcement fix (elastic/elastic-agent-libs#426). Same commit
content (d72ff2012311), now backed by a real release.

* notice: regenerate for elastic-agent-libs v0.45.0

* fix: address reviewer findings on FIPS migration

- gotest.go: wire fipsTestEnv() into makeGoTestArgsForPackage too, so
  per-module integration test builds (FIPS=true mage goIntegTest on a
  single module) get GOFIPS140 set, not just the requirefips tag.
- crossbuild.go: drop the bogus "G122" gosec rule code from the nolint
  comment on os.Chown (gosec has no G122; nolint:gosec suppresses by
  linter name, so the code was misleading, not functional).
- connection_test.go: cover both elastic-agent-libs FIPS callback paths
  (verification_mode strict and none use different callbacks) and
  assert the RSA-1024-specific error message instead of the more
  generic FIPS-rejection substring.

* test: require GOFIPS140 value to start with v1.0.0, not just contain it

Contains would tolerate v1.0.0 appearing anywhere in the buildinfo
value; HasPrefix asserts it's actually the version identifier itself.

* test: describe TestConnectionTLS modes by behavior, not libs internals

The comment named elastic-agent-libs' unexported checkAllChainsFIPS
and fipsVerifyNoneCallback, leaking implementation details of a
dependency with no compatibility guarantee. Describe the observable
strict-vs-none distinction instead.

---------

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
(cherry picked from commit a829d56)

* fix: suppress gosec G706 on dev-tool log line

DEV_OS/DEV_ARCH are trusted build-time env vars set by CI, not user
input. Add nolint:gosec to match the fix already present on main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Dominik Rosiek <6997361+macdewee@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Dominik Rosiek <dominik.rosiek@elastic.co>
macdewee added a commit that referenced this pull request Jul 15, 2026
* Use native Go for Linux FIPS builds (#51345)

* feat: use native Go for Linux FIPS builds

Switch Linux FIPS builds from Microsoft Go (GOEXPERIMENT=systemcrypto)
to the upstream Go native FIPS module (GOFIPS140=v1.0.0, CMVP cert #5247).
Drops CGO requirement and the Microsoft Go cross-build Docker image.
Updates package tests to verify GOFIPS140 and DefaultGODEBUG buildinfo
instead of GOEXPERIMENT and OpenSSL ELF symbols.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: clean up MS Go FIPS artifacts

- Remove GOEXPERIMENT=systemcrypto from CI pipelines and ECH test script
- Switch FIPS unit/ECH test steps from AWS FIPS image to standard GCP image; unskip
- Update VerifyFIPSBinary to check GOFIPS140+DefaultGODEBUG instead of GOEXPERIMENT+OpenSSL symbols
- Strengthen GOFIPS140 assertion to require v1.0.0 version; improve error messages
- Remove dead CGO field and OR from FIPSConfig/DefaultBuildArgs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: golangci-lint fixes

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>

* fix: propagate FIPS env to unit tests and pre-populate module cache for crossbuild

- Inject FIPS compile env vars (GOFIPS140=v1.0.0) into go test args so
  that test binaries actually enforce FIPS crypto at runtime, not just
  compile with the requirefips tag.
- Pre-populate golang.org/fips140 in the host module cache before FIPS
  crossbuild containers mount it read-only, avoiding a write failure
  when the toolchain tries to unpack the module inside the container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: update TestConnectionTLS for native Go FIPS

Add verification_mode:strict so Go's native TLS stack performs chain
verification (InsecureSkipVerify=false) and the FIPS key-size check
triggers. Update the expected error string to match native Go's message.
Simplify the test comment to remove implementation details.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* mod: pin elastic-agent-libs to main for native Go FIPS validation

Picks up the unreleased FIPS 140-3 peer-cert key-type enforcement
(elastic/elastic-agent-libs#426), which TestConnectionTLS depends on.
Update the test's expected error string to match the actual message
that check produces, rather than Go's own (unreachable, since a
custom TLS callback is always installed) internal FIPS error.

This is a temporary pin for CI validation ahead of a tagged
elastic-agent-libs release containing the fix.

* notice: regenerate for elastic-agent-libs pin bump

* mod: bump elastic-agent-libs to released v0.45.0

Swaps the temporary pseudo-version pin (unreleased main commit) for
the now-tagged release containing the FIPS 140-3 peer-cert key-type
enforcement fix (elastic/elastic-agent-libs#426). Same commit
content (d72ff2012311), now backed by a real release.

* notice: regenerate for elastic-agent-libs v0.45.0

* fix: address reviewer findings on FIPS migration

- gotest.go: wire fipsTestEnv() into makeGoTestArgsForPackage too, so
  per-module integration test builds (FIPS=true mage goIntegTest on a
  single module) get GOFIPS140 set, not just the requirefips tag.
- crossbuild.go: drop the bogus "G122" gosec rule code from the nolint
  comment on os.Chown (gosec has no G122; nolint:gosec suppresses by
  linter name, so the code was misleading, not functional).
- connection_test.go: cover both elastic-agent-libs FIPS callback paths
  (verification_mode strict and none use different callbacks) and
  assert the RSA-1024-specific error message instead of the more
  generic FIPS-rejection substring.

* test: require GOFIPS140 value to start with v1.0.0, not just contain it

Contains would tolerate v1.0.0 appearing anywhere in the buildinfo
value; HasPrefix asserts it's actually the version identifier itself.

* test: describe TestConnectionTLS modes by behavior, not libs internals

The comment named elastic-agent-libs' unexported checkAllChainsFIPS
and fipsVerifyNoneCallback, leaking implementation details of a
dependency with no compatibility guarantee. Describe the observable
strict-vs-none distinction instead.

---------

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
(cherry picked from commit a829d56)

# Conflicts:
#	.buildkite/libbeat/pipeline.libbeat.yml
#	.buildkite/x-pack/pipeline.xpack.filebeat.yml
#	.buildkite/x-pack/pipeline.xpack.metricbeat.yml

* fix: resolve merge conflicts in backport of #51345

Mergify left unresolved conflict markers in three Buildkite pipeline
files. Resolve by keeping 9.3's image versions (1782878510) and
dropping IMAGE_UBUNTU_X86_64_FIPS, which no step references after the
switch to native Go FIPS (GOFIPS140=v1.0.0).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: suppress gosec G706 on dev-tool log line

DEV_OS/DEV_ARCH are trusted build-time env vars set by CI, not user
input. Add nolint:gosec to match the fix already present on main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Dominik Rosiek <6997361+macdewee@users.noreply.github.com>
Co-authored-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
@macdewee macdewee added the backport-active-all Automated backport with mergify to all the active branches label Jul 15, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@Mergifyio backport 9.5 9.4 9.3 8.19

@macdewee macdewee added the backport-active-8 Automated backport with mergify to all the active 8.[0-9]+ branches label Jul 15, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@Mergifyio backport 9.5 9.4 9.3 8.19

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-active-8 Automated backport with mergify to all the active 8.[0-9]+ branches backport-active-9 Automated backport with mergify to all the active 9.[0-9]+ branches backport-active-all Automated backport with mergify to all the active branches dequeued Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

FIPS Integration Tests not compatible with current Git SSH keys

3 participants