build: compile FIPS go archives

Epic: none
Release note: None

.bazelrc

@@ -76,6 +76,11 @@ build:crosslinux '--workspace_status_command=./build/bazelutil/stamp.sh x86_64-p
 build:crosslinux --config=crosslinuxbase
 build:crosslinuxbase --platforms=//build/toolchains:cross_linux
 build:crosslinuxbase --config=cross
+build:crosslinuxfips '--workspace_status_command=./build/bazelutil/stamp.sh x86_64-pc-linux-gnu'
+build:crosslinuxfips --config=crosslinuxfipsbase
+build:crosslinuxfipsbase --platforms=//build/toolchains:cross_linux
+build:crosslinuxfipsbase --config=cross
+build:crosslinuxfipsbase --@io_bazel_rules_go//go/toolchain:sdk_repo=@go_sdk_fips
 build:crosswindows '--workspace_status_command=./build/bazelutil/stamp.sh x86_64-w64-mingw32'
 build:crosswindows --config=crosswindowsbase
 build:crosswindowsbase --platforms=//build/toolchains:cross_windows

WORKSPACE

@@ -643,3 +643,14 @@ new_local_repository(
     build_file_content = """exports_files[("bin/node")]""",
     path = "/usr/local",
 )
+
+# Download and register the FIPS enabled Go toolchain at the end to avoid toolchain conflicts for gazelle.
+go_download_sdk(
+    name = "go_sdk_fips",
+    sdks = {
+        "linux_amd64": ("go1.19.4.linux-amd64-fips.tar.gz", "ae787622e5288b78e1675979c2a348a12363765f0fe788b7cda2c7a92ff5c66e"),
+        "linux_arm64": ("go1.19.4.linux-arm64-fips.tar.gz", "60c3ff60470b383d1cf30d9a08592e4b2e5154368dc630648c7133bd19bd9f4f"),
+    },
+    urls = ["https://storage.googleapis.com/public-bazel-artifacts/go-fips/20230127-044832/{}"],
+    version = "1.19.4",
+)

build/bazelutil/distdir_files.bzl

@@ -1019,6 +1019,8 @@ DISTDIR_FILES = {
     "https://storage.googleapis.com/public-bazel-artifacts/c-deps/20230105-170607/libproj_foreign.macos.20230105-170607.tar.gz": "7706dcc20f083f621ba891eb82864e980ae352f34add33753100085d12ab91ec",
     "https://storage.googleapis.com/public-bazel-artifacts/c-deps/20230105-170607/libproj_foreign.macosarm.20230105-170607.tar.gz": "1ab617eb51b017d27d71ba08a065b6a08ef5410e9aa5554669196b7cf28214c1",
     "https://storage.googleapis.com/public-bazel-artifacts/c-deps/20230105-170607/libproj_foreign.windows.20230105-170607.tar.gz": "b819b17740b2a3418d62d2f6db8b245094458180e1e5e301e9f0f4257696fef5",
+    "https://storage.googleapis.com/public-bazel-artifacts/go-fips/20230127-044832/go1.19.4.linux-amd64-fips.tar.gz": "ae787622e5288b78e1675979c2a348a12363765f0fe788b7cda2c7a92ff5c66e",
+    "https://storage.googleapis.com/public-bazel-artifacts/go-fips/20230127-044832/go1.19.4.linux-arm64-fips.tar.gz": "60c3ff60470b383d1cf30d9a08592e4b2e5154368dc630648c7133bd19bd9f4f",
     "https://storage.googleapis.com/public-bazel-artifacts/go/20221219-000617/go1.19.4.darwin-amd64.tar.gz": "6fa1e9087b36fba65625869c885ca9c6f1db734306d8e74836b212248c20d55d",
     "https://storage.googleapis.com/public-bazel-artifacts/go/20221219-000617/go1.19.4.darwin-arm64.tar.gz": "bb3bc5d7655b9637cfe2b5e90055dee93b0ead50e2ffd091df320d1af1ca853f",
     "https://storage.googleapis.com/public-bazel-artifacts/go/20221219-000617/go1.19.4.freebsd-amd64.tar.gz": "84489ebb63f1757b79574d7345c647bd40bc6414cecb868c93e24476c2d2b9b6",

build/teamcity/internal/release/build-and-publish-patched-go-fips.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+google_credentials="$GOOGLE_EPHEMERAL_CREDENTIALS"
+dir="$(dirname $(dirname $(dirname $(dirname "${0}"))))"
+source "$dir/teamcity-support.sh"  # for log_into_gcloud
+log_into_gcloud
+
+set -x
+
+this_dir="$(cd "$(dirname "${0}")"; pwd)"
+toplevel="$(dirname $(dirname $(dirname $(dirname $this_dir))))"
+
+mkdir -p "${toplevel}"/artifacts
+# TODO: pin docker image version
+DOCKER_IMAGE=registry.access.redhat.com/ubi8/go-toolset:latest
+
+tc_start_block "Build Go toolchains (linux/amd64)" 
+docker run --rm -i ${tty-} -v $this_dir/build-and-publish-patched-go:/bootstrap \
+  -v "${toplevel}"/artifacts:/artifacts \
+  --user root \
+  --platform linux/amd64 \
+  $DOCKER_IMAGE /bootstrap/impl-fips.sh
+tc_end_block "Build Go toolchains (linux/amd64)"
+
+# TODO: do we care to cross build without the qemu llayer? Last I tried, th
+# compiler was complaining about some missing headers.
+tc_start_block "Build Go toolchains (linux/arm64)" 
+docker run --rm -i ${tty-} -v $this_dir/build-and-publish-patched-go:/bootstrap \
+  -v "${toplevel}"/artifacts:/artifacts \
+  --user root \
+  --platform linux/arm64 \
+  $DOCKER_IMAGE /bootstrap/impl-fips.sh
+tc_end_block "Build Go toolchains (linux/arm64)"
+
+tc_start_block "Publish artifacts"
+loc=$(date +%Y%m%d-%H%M%S)
+for FILE in `find $root/artifacts -name '*.tar.gz'`; do
+    BASE=$(basename $FILE)
+    gsutil cp $FILE gs://public-bazel-artifacts/go-fips/$loc/$BASE
+done
+tc_end_block "Publish artifacts"
+
+tc_end_block "Print checksums"
+sha256sum $root/artifacts/*.tar.gz
+echo "urls = [\"https://storage.googleapis.com/public-bazel-artifacts/go-fips/$loc/{}\"],"
+tc_start_block "Print checksums"

build/teamcity/internal/release/build-and-publish-patched-go/impl-fips.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -xeuo pipefail
+
+# TODO: create a fork?
+GO_FIPS_REPO=https://github.com/golang-fips/go
+GO_FIPS_COMMIT=go1.19-fips-release
+
+
+# Install build dependencies
+yum install git golang golang-bin openssl openssl-devel -y
+cat /etc/os-release
+go version
+openssl version
+git config --global user.name "golang-fips ci"
+git config --global user.email "<>"
+
+mkdir /workspace
+cd /workspace
+git clone $GO_FIPS_REPO go
+cd go
+git checkout $GO_FIPS_COMMIT
+# Lower the requirements in case we need to bootstrap with an older Go version
+sed -i "s/go mod tidy/go mod tidy -go=1.16/g" scripts/create-secondary-patch.sh
+./scripts/full-initialize-repo.sh
+./scripts/configure-crypto-tests.sh
+cd go/src
+# Apply the CRL patch
+patch -p2 < /bootstrap/diff.patch
+./make.bash -v
+cd ../..
+GOVERS=$(go/bin/go env GOVERSION)
+GOOS=$(go/bin/go env GOOS)
+GOARCH=$(go/bin/go env GOARCH)
+# Add the "-fips" suffix so we don't have the same basename with our regular Go toolchain.
+tar cf - go | gzip -9 > /artifacts/$GOVERS.$GOOS-$GOARCH-fips.tar.gz

pkg/release/build.go

@@ -46,6 +46,8 @@ func SuffixFromPlatform(platform Platform) string {
 	switch platform {
 	case PlatformLinux:
 		return ".linux-2.6.32-gnu-amd64"
+	case PlatformLinuxFIPS:
+		return ".linux-2.6.32-gnu-amd64-fips"
 	case PlatformLinuxArm:
 		return ".linux-3.7.10-gnu-arm64"
 	case PlatformMacOS:
@@ -67,6 +69,8 @@ func CrossConfigFromPlatform(platform Platform) string {
 	switch platform {
 	case PlatformLinux:
 		return "crosslinuxbase"
+	case PlatformLinuxFIPS:
+		return "crosslinuxfipsbase"
 	case PlatformLinuxArm:
 		return "crosslinuxarmbase"
 	case PlatformMacOS:
@@ -86,6 +90,8 @@ func TargetTripleFromPlatform(platform Platform) string {
 	switch platform {
 	case PlatformLinux:
 		return "x86_64-pc-linux-gnu"
+	case PlatformLinuxFIPS:
+		return "x86_64-pc-linux-gnu"
 	case PlatformLinuxArm:
 		return "aarch64-unknown-linux-gnu"
 	case PlatformMacOS:
@@ -102,7 +108,7 @@ func TargetTripleFromPlatform(platform Platform) string {
 // SharedLibraryExtensionFromPlatform returns the shared library extensions for a given Platform.
 func SharedLibraryExtensionFromPlatform(platform Platform) string {
 	switch platform {
-	case PlatformLinux, PlatformLinuxArm:
+	case PlatformLinux, PlatformLinuxArm, PlatformLinuxFIPS:
 		return ".so"
 	case PlatformWindows:
 		return ".dll"
@@ -179,7 +185,7 @@ func MakeRelease(platform Platform, opts BuildOptions, pkgDir string) error {
 		return err
 	}
 
-	if platform == PlatformLinux {
+	if platform == PlatformLinux || platform == PlatformLinuxFIPS || platform == PlatformLinuxArm {
 		suffix := SuffixFromPlatform(platform)
 		binaryName := "./cockroach" + suffix
 
@@ -238,6 +244,8 @@ type Platform int
 const (
 	// PlatformLinux is the Linux x86_64 target.
 	PlatformLinux Platform = iota
+	// PlatformLinuxFIPS is the Linux x86_64 target built with FIPS support.
+	PlatformLinuxFIPS
 	// PlatformLinuxArm is the Linux aarch64 target.
 	PlatformLinuxArm
 	// PlatformMacOS is the Darwin x86_64 target.