[9.3](backport #51345) Use native Go for Linux FIPS builds#51953
Conversation
* feat: use native Go for Linux FIPS builds Switch Linux FIPS builds from Microsoft Go (GOEXPERIMENT=systemcrypto) to the upstream Go native FIPS module (GOFIPS140=v1.0.0, CMVP cert #5247). Drops CGO requirement and the Microsoft Go cross-build Docker image. Updates package tests to verify GOFIPS140 and DefaultGODEBUG buildinfo instead of GOEXPERIMENT and OpenSSL ELF symbols. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: clean up MS Go FIPS artifacts - Remove GOEXPERIMENT=systemcrypto from CI pipelines and ECH test script - Switch FIPS unit/ECH test steps from AWS FIPS image to standard GCP image; unskip - Update VerifyFIPSBinary to check GOFIPS140+DefaultGODEBUG instead of GOEXPERIMENT+OpenSSL symbols - Strengthen GOFIPS140 assertion to require v1.0.0 version; improve error messages - Remove dead CGO field and OR from FIPSConfig/DefaultBuildArgs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * chore: golangci-lint fixes Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co> * fix: propagate FIPS env to unit tests and pre-populate module cache for crossbuild - Inject FIPS compile env vars (GOFIPS140=v1.0.0) into go test args so that test binaries actually enforce FIPS crypto at runtime, not just compile with the requirefips tag. - Pre-populate golang.org/fips140 in the host module cache before FIPS crossbuild containers mount it read-only, avoiding a write failure when the toolchain tries to unpack the module inside the container. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix: update TestConnectionTLS for native Go FIPS Add verification_mode:strict so Go's native TLS stack performs chain verification (InsecureSkipVerify=false) and the FIPS key-size check triggers. Update the expected error string to match native Go's message. Simplify the test comment to remove implementation details. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * mod: pin elastic-agent-libs to main for native Go FIPS validation Picks up the unreleased FIPS 140-3 peer-cert key-type enforcement (elastic/elastic-agent-libs#426), which TestConnectionTLS depends on. Update the test's expected error string to match the actual message that check produces, rather than Go's own (unreachable, since a custom TLS callback is always installed) internal FIPS error. This is a temporary pin for CI validation ahead of a tagged elastic-agent-libs release containing the fix. * notice: regenerate for elastic-agent-libs pin bump * mod: bump elastic-agent-libs to released v0.45.0 Swaps the temporary pseudo-version pin (unreleased main commit) for the now-tagged release containing the FIPS 140-3 peer-cert key-type enforcement fix (elastic/elastic-agent-libs#426). Same commit content (d72ff2012311), now backed by a real release. * notice: regenerate for elastic-agent-libs v0.45.0 * fix: address reviewer findings on FIPS migration - gotest.go: wire fipsTestEnv() into makeGoTestArgsForPackage too, so per-module integration test builds (FIPS=true mage goIntegTest on a single module) get GOFIPS140 set, not just the requirefips tag. - crossbuild.go: drop the bogus "G122" gosec rule code from the nolint comment on os.Chown (gosec has no G122; nolint:gosec suppresses by linter name, so the code was misleading, not functional). - connection_test.go: cover both elastic-agent-libs FIPS callback paths (verification_mode strict and none use different callbacks) and assert the RSA-1024-specific error message instead of the more generic FIPS-rejection substring. * test: require GOFIPS140 value to start with v1.0.0, not just contain it Contains would tolerate v1.0.0 appearing anywhere in the buildinfo value; HasPrefix asserts it's actually the version identifier itself. * test: describe TestConnectionTLS modes by behavior, not libs internals The comment named elastic-agent-libs' unexported checkAllChainsFIPS and fipsVerifyNoneCallback, leaking implementation details of a dependency with no compatibility guarantee. Describe the observable strict-vs-none distinction instead. --------- Signed-off-by: Dominik Rosiek <dominik.rosiek@elastic.co> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> (cherry picked from commit a829d56) # Conflicts: # .buildkite/libbeat/pipeline.libbeat.yml # .buildkite/x-pack/pipeline.xpack.filebeat.yml # .buildkite/x-pack/pipeline.xpack.metricbeat.yml
|
Cherry-pick of a829d56 has failed: To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally |
🤖 GitHub commentsJust comment with:
|
|
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane) |
Mergify left unresolved conflict markers in three Buildkite pipeline files. Resolve by keeping 9.3's image versions (1782878510) and dropping IMAGE_UBUNTU_X86_64_FIPS, which no step references after the switch to native Go FIPS (GOFIPS140=v1.0.0). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TL;DRThe Buildkite failures are caused by unresolved cherry-pick conflict markers from the Mergify backport, not by the native Go FIPS code. The markers make all three affected pipeline YAML files invalid, so both pipeline upload steps fail and Remediation
Investigation detailsRoot CauseThe PR head contains unresolved cherry-pick conflict blocks in the pipeline environment sections. The conflict markers are at Evidence
VerificationNo source changes were made by this investigation; the failing Buildkite logs and PR head were inspected. The required verification is to rerun the pre-commit and pipeline-upload commands after conflict resolution. What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
TL;DRThe Remediation
Investigation detailsRoot CauseThe Evidence
ValidationNo source changes were made by this investigation; the workflow log was inspected. Follow-upThe earlier detective report on this PR concerns unresolved Buildkite YAML conflict markers and is a separate failure from this golangci-lint finding. What is this? | From workflow: PR Actions Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
DEV_OS/DEV_ARCH are trusted build-time env vars set by CI, not user input. Add nolint:gosec to match the fix already present on main. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Tick the box to add this pull request to the merge queue (same as
|
Proposed commit message
Go 1.24+ ships its own FIPS 140-3 certified crypto module (
GOFIPS140), so we no longer need the Microsoft Go fork (GOEXPERIMENT=systemcrypto) which required CGO and a linked OpenSSL. This switchesauditbeat,filebeat, andmetricbeatLinux FIPS builds to use the native module instead.Changes:
fips-settings.yaml: replaceGOEXPERIMENT=systemcrypto+cgo: truewithGOFIPS140: v1.0.0crossbuild.go: stop selecting the MS Go-fipscrossbuild Docker imagebuild.go/settings.go: remove dead CGO field and ORcheckFIPS()/VerifyFIPSBinary(): checkGOFIPS140+DefaultGODEBUG=fips140=oninstead ofGOEXPERIMENT+ OpenSSL ELF symbolsMirrors elastic/elastic-agent@07f98a8.
Checklist
I have commented my code, particularly in hard-to-understand areasI have made corresponding changes to the documentationI have made corresponding change to the default configuration files./changelog/fragmentsusing the changelog tool.Disruptive User Impact
FIPS binaries no longer link against system OpenSSL — no runtime OpenSSL dependency.
How to test this PR locally
Related issues
This is an automatic backport of pull request #51345 done by [Mergify](https://mergify.com).