Add fips toolchain (#513)

* Add golang-fips

Split golang into a collection

Signed-off-by: Ettore Di Giacinto <[email protected]>

* Move common toolchain packages to a single collection

Signed-off-by: Ettore Di Giacinto <[email protected]>

Co-authored-by: Ettore Di Giacinto <[email protected]>

Author: mudlers

packages/golang/build.yaml

@@ -16,7 +16,7 @@ prelude:
 {{end}}
 - |
   PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
-  wget https://golang.org/dl/go$PACKAGE_VERSION.linux-{{.Values.golang_arch}}.tar.gz -O golang.tar.gz
+  wget {{.Values.base_url}}/go$PACKAGE_VERSION.linux-{{.Values.golang_arch}}.tar.gz -O golang.tar.gz
 - echo "{{ ( index .Values.labels "package.checksum" ) }}  golang.tar.gz" | sha256sum -c
 steps:
 - tar -C /usr/local -xzf golang.tar.gz

packages/golang/collection.yaml

@@ -0,0 +1,36 @@
+packages:
+  - name: "golang"
+    category: "build"
+    version: 1.16.6+5
+    base_url: https://golang.org/dl
+    hidden: true # No need to make it installable for now
+    labels:
+      autobump.revdeps: "true"
+      autobump.string_replace: '{ "prefix": "" }'
+      autobump.strategy: "custom"
+      autobump.prefix: "prefix"
+      autobump.hook: |
+        curl -s -L 'https://golang.org/VERSION?m=text' | sed 's/go//g'
+      autobump.version_hook: |
+        curl -s -L 'https://golang.org/VERSION?m=text' | sed 's/go//g'
+      package.version: "1.16.6"
+      autobump.checksum_hook: "curl -q -L https://storage.googleapis.com/golang/go{{.Values.labels.package.version}}.linux-{{.Values.golang_arch}}.tar.gz.sha256"
+      package.checksum: "be333ef18b3016e9d7cb7b1ff1fdb0cac800ca0be4cf2290fe613b3d069dfe0d"
+  - name: "golang-fips"
+    category: "build"
+    version: "1.16.6b7"
+    base_url: https://go-boringcrypto.storage.googleapis.com
+    hidden: true # No need to make it installable for now
+    labels:
+      autobump.revdeps: "true"
+      autobump.string_replace: '{ "prefix": "" }'
+      autobump.strategy: "custom"
+      autobump.prefix: "prefix"
+      autobump.hook: |
+        curl -s -L https://raw.githubusercontent.com/golang/go/dev.boringcrypto/misc/boring/RELEASES | tail -n1 | cut -d" " -f 1 | sed 's/go//'
+      autobump.version_hook: |
+        curl -s -L https://raw.githubusercontent.com/golang/go/dev.boringcrypto/misc/boring/RELEASES | tail -n1 | cut -d" " -f 1 | sed 's/go//'
+      package.version: "1.16.6b7"
+      autobump.checksum_hook: |
+        curl -s -L https://raw.githubusercontent.com/golang/go/dev.boringcrypto/misc/boring/RELEASES | grep go{{.Values.labels.package.version}} | grep -v src | cut -d" " -f 5
+      package.checksum: "f7f33064643ce0ab8ac1cede100e7eee8509a970178f5be961d9fba331226067"

packages/golang/definition.yaml

@@ -24,6 +24,34 @@ packages:
   - category: toolchain
     name: luet
     version: ">=0"
+  - name: "base-dracut-modules"
+    category: "system"
+    version: ">=0"
+- category: "meta"
+  name: "cos-minimal-fips"
+  version: "0.6.1+1"
+  requires:
+  - category: toolchain-fips
+    name: yip
+    version: ">=0"
+  - category: utils
+    name: installer
+    version: ">=0"
+  - category: system
+    name: cos-setup
+    version: ">=0"
+  - category: system
+    name: immutable-rootfs
+    version: ">=0"
+  - category: system
+    name: grub-config
+    version: ">=0"
+  - category: system
+    name: cloud-config
+    version: ">=0"
+  - category: toolchain-fips
+    name: luet
+    version: ">=0"
   - name: "base-dracut-modules"
     category: "system"
     version: ">=0"

packages/meta/collection.yaml

@@ -21,3 +21,9 @@
   mkdir -p /luetbuild/go/src/{{$host}}/{{$org}} && cd /luetbuild/go/src/{{$host}}/{{$org}} && \
   git clone https://{{$host}}/{{$org}}/{{$repo}} && cd {{$repo}} && git checkout "$PACKAGE_VERSION" -b build
 {{end}}
+
+{{ define "golang_env" }}
+- PATH=$PATH:/usr/local/go/bin
+- GOPATH=/luetbuild/go
+- GO111MODULE=on
+{{end}}

packages/templates/golang.yaml

@@ -0,0 +1,32 @@
+requires:
+  - name: "golang{{- if .Values.fips -}}-fips{{- end -}}"
+    category: "build"
+    version: ">=0"
+env:
+{{ template "golang_env" }}
+{{if .Values.fips}}
+- CGO_ENABLED=1
+{{ else }}
+- CGO_ENABLED=0
+- LDFLAGS="-s -w"
+{{ end }}
+
+prelude:
+{{ template "golang_deps" .}}
+{{ $opts:= dict "version" .Values.version "org" ( index .Values.labels "github.owner" ) "repo" ( index .Values.labels "github.repo" ) }}
+{{ template "golang_download_package" $opts}}
+steps:
+- |
+    PACKAGE_VERSION=${PACKAGE_VERSION%\+*} && \
+    cd /luetbuild/go/src/github.com/{{ ( index .Values.labels "github.owner" ) }}/{{.Values.name}} && \
+    buildtime=$(date -u '+%Y-%m-%d %I:%M:%S %Z') && \
+    buildcommit=$(git rev-parse HEAD) && \
+    go build -ldflags "$LDFLAGS -X \"github.com/{{ ( index .Values.labels "github.owner" ) }}/{{.Values.name}}/cmd.BuildTime=$buildtime\" -X \"github.com/{{ ( index .Values.labels "github.owner" ) }}/{{.Values.name}}/cmd.BuildCommit=$buildcommit\"" && \
+    mv {{.Values.name}} /usr/bin/{{.Values.name}}
+{{ if .Values.fips }}
+# Check that we build with fips
+- go tool nm /usr/bin/{{.Values.name}} | grep '_Cfunc__goboringcrypto_' 1> /dev/null
+{{ end }}
+
+includes:
+  - /usr/bin/{{.Values.name}}

packages/toolchain/build.yaml

@@ -0,0 +1,61 @@
+packages:
+  - category: "toolchain"
+    name: "luet"
+    version: "0.17.6+1"
+    branch: ""
+    upx: false
+    fips: false
+    labels:
+      github.repo: "luet"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+      autobump.revbump_related: "system/cos recovery/cos recovery/cos-img recovery/cos-squash"
+  - category: "toolchain-fips"
+    name: "luet"
+    version: "0.17.6+1"
+    branch: ""
+    upx: false
+    fips: true
+    labels:
+      github.repo: "luet"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+      autobump.revbump_related: "system/cos recovery/cos recovery/cos-img recovery/cos-squash"
+  - name: "luet-makeiso"
+    category: "toolchain"
+    version: "0.3.4+1"
+    upx: false
+    fips: false
+    labels:
+      github.repo: "luet-makeiso"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+  - name: "luet-makeiso"
+    category: "toolchain-fips"
+    version: "0.3.4+1"
+    upx: false
+    fips: true
+    labels:
+      github.repo: "luet-makeiso"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+  - category: "toolchain-fips"
+    name: "yip"
+    upx: false
+    fips: true
+    version: "0.9.8+1"
+    labels:
+      github.repo: "yip"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+      autobump.revbump_related: "system/cos recovery/cos recovery/cos-img recovery/cos-squash"
+  - category: "toolchain"
+    name: "yip"
+    upx: false
+    fips: false
+    version: "0.9.8+1"
+    labels:
+      github.repo: "yip"
+      github.owner: "mudler"
+      autobump.revdeps: "true"
+      autobump.revbump_related: "system/cos recovery/cos recovery/cos-img recovery/cos-squash"