Skip to content

[9.4](backport #51345) Use native Go for Linux FIPS builds#51952

Merged
macdewee merged 2 commits into
9.4from
mergify/bp/9.4/pr-51345
Jul 15, 2026
Merged

[9.4](backport #51345) Use native Go for Linux FIPS builds#51952
macdewee merged 2 commits into
9.4from
mergify/bp/9.4/pr-51345

Conversation

@mergify

@mergify mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

Go 1.24+ ships its own FIPS 140-3 certified crypto module (GOFIPS140), so we no longer need the Microsoft Go fork (GOEXPERIMENT=systemcrypto) which required CGO and a linked OpenSSL. This switches auditbeat, filebeat, and metricbeat Linux FIPS builds to use the native module instead.

Changes:

  • fips-settings.yaml: replace GOEXPERIMENT=systemcrypto + cgo: true with GOFIPS140: v1.0.0
  • crossbuild.go: stop selecting the MS Go -fips crossbuild Docker image
  • build.go / settings.go: remove dead CGO field and OR
  • checkFIPS() / VerifyFIPSBinary(): check GOFIPS140 + DefaultGODEBUG=fips140=on instead of GOEXPERIMENT + OpenSSL ELF symbols
  • CI: switch FIPS test steps from AWS FIPS image to standard GCP image; unskip (SSH key issue was caused by OS-level FIPS enforcement, which is gone)

Mirrors elastic/elastic-agent@07f98a8.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

FIPS binaries no longer link against system OpenSSL — no runtime OpenSSL dependency.

How to test this PR locally

cd x-pack/filebeat
FIPS=true mage Build

# check buildinfo
go version -m filebeat | grep -E 'GOFIPS140|DefaultGODEBUG'
# expect: GOFIPS140=v1.0.0-... and DefaultGODEBUG=...fips140=on...

Related issues


This is an automatic backport of pull request #51345 done by [Mergify](https://mergify.com).

* feat: use native Go for Linux FIPS builds

Switch Linux FIPS builds from Microsoft Go (GOEXPERIMENT=systemcrypto)
to the upstream Go native FIPS module (GOFIPS140=v1.0.0, CMVP cert #5247).
Drops CGO requirement and the Microsoft Go cross-build Docker image.
Updates package tests to verify GOFIPS140 and DefaultGODEBUG buildinfo
instead of GOEXPERIMENT and OpenSSL ELF symbols.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: clean up MS Go FIPS artifacts

- Remove GOEXPERIMENT=systemcrypto from CI pipelines and ECH test script
- Switch FIPS unit/ECH test steps from AWS FIPS image to standard GCP image; unskip
- Update VerifyFIPSBinary to check GOFIPS140+DefaultGODEBUG instead of GOEXPERIMENT+OpenSSL symbols
- Strengthen GOFIPS140 assertion to require v1.0.0 version; improve error messages
- Remove dead CGO field and OR from FIPSConfig/DefaultBuildArgs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: golangci-lint fixes

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>

* fix: propagate FIPS env to unit tests and pre-populate module cache for crossbuild

- Inject FIPS compile env vars (GOFIPS140=v1.0.0) into go test args so
  that test binaries actually enforce FIPS crypto at runtime, not just
  compile with the requirefips tag.
- Pre-populate golang.org/fips140 in the host module cache before FIPS
  crossbuild containers mount it read-only, avoiding a write failure
  when the toolchain tries to unpack the module inside the container.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix: update TestConnectionTLS for native Go FIPS

Add verification_mode:strict so Go's native TLS stack performs chain
verification (InsecureSkipVerify=false) and the FIPS key-size check
triggers. Update the expected error string to match native Go's message.
Simplify the test comment to remove implementation details.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* mod: pin elastic-agent-libs to main for native Go FIPS validation

Picks up the unreleased FIPS 140-3 peer-cert key-type enforcement
(elastic/elastic-agent-libs#426), which TestConnectionTLS depends on.
Update the test's expected error string to match the actual message
that check produces, rather than Go's own (unreachable, since a
custom TLS callback is always installed) internal FIPS error.

This is a temporary pin for CI validation ahead of a tagged
elastic-agent-libs release containing the fix.

* notice: regenerate for elastic-agent-libs pin bump

* mod: bump elastic-agent-libs to released v0.45.0

Swaps the temporary pseudo-version pin (unreleased main commit) for
the now-tagged release containing the FIPS 140-3 peer-cert key-type
enforcement fix (elastic/elastic-agent-libs#426). Same commit
content (d72ff2012311), now backed by a real release.

* notice: regenerate for elastic-agent-libs v0.45.0

* fix: address reviewer findings on FIPS migration

- gotest.go: wire fipsTestEnv() into makeGoTestArgsForPackage too, so
  per-module integration test builds (FIPS=true mage goIntegTest on a
  single module) get GOFIPS140 set, not just the requirefips tag.
- crossbuild.go: drop the bogus "G122" gosec rule code from the nolint
  comment on os.Chown (gosec has no G122; nolint:gosec suppresses by
  linter name, so the code was misleading, not functional).
- connection_test.go: cover both elastic-agent-libs FIPS callback paths
  (verification_mode strict and none use different callbacks) and
  assert the RSA-1024-specific error message instead of the more
  generic FIPS-rejection substring.

* test: require GOFIPS140 value to start with v1.0.0, not just contain it

Contains would tolerate v1.0.0 appearing anywhere in the buildinfo
value; HasPrefix asserts it's actually the version identifier itself.

* test: describe TestConnectionTLS modes by behavior, not libs internals

The comment named elastic-agent-libs' unexported checkAllChainsFIPS
and fipsVerifyNoneCallback, leaking implementation details of a
dependency with no compatibility guarantee. Describe the observable
strict-vs-none distinction instead.

---------

Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
(cherry picked from commit a829d56)
@mergify mergify Bot added the backport label Jul 15, 2026
@mergify mergify Bot requested review from a team as code owners July 15, 2026 06:43
@mergify mergify Bot requested review from AndersonQ and removed request for a team July 15, 2026 06:43
@mergify mergify Bot added the backport label Jul 15, 2026
@mergify mergify Bot requested a review from orestisfl July 15, 2026 06:43
@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 15, 2026
@mergify mergify Bot mentioned this pull request Jul 15, 2026
6 tasks
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@github-actions github-actions Bot added Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team dequeued labels Jul 15, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 15, 2026
@mergify mergify Bot removed the dequeued label Jul 15, 2026
DEV_OS/DEV_ARCH are trusted build-time env vars set by CI, not user
input. Add nolint:gosec to match the fix already present on main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@macdewee macdewee merged commit 84d645b into 9.4 Jul 15, 2026
214 checks passed
@macdewee macdewee deleted the mergify/bp/9.4/pr-51345 branch July 15, 2026 09:22
@mergify

mergify Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant