Last changed
Get notified of upcoming product changes, critical vulnerability notifications and patches and more.
Sign InContainer image for building Go applications with FIPS
The image is available on cgr.dev
:
This image provides go toolchain that produces FIPS compliant binaries. It is go toolchain compiled with microsoft/go patches applied. The image itself has the go
binary itself compiled in FIPS compliant mode, and contains a CMVP certified OpenSSL FIPS provider.
The image has recommended environment variables set to compile binaries in enforcing mode.
CGO_ENABLED=1
GOFIPS=1
GOEXPERIMENT=systemcrypto
GOFLAGS=-tags=requirefips
Further documentation is available from upstream:
Whilst Chainguard's edition of OpenSSL FIPS is recommended, the resulting binaries are vendor-agnostic and can be used at runtime with OpenSSL FIPS providers on other OpenSSL FIPS hosts.
FIPS compliance is achieved by not using any native golang cryptographic functionality and redirecting all calls to OpenSSL at runtime.
If no other cryptographic algorithms are implemented or used, certification status will depend on the runtime OpenSSL FIPS certification. For Chainguard that is #4282 and the submitted rebrand of that.
Default execution of the container has all of the recommended flags preset. The toolchain defaults to GOEXPERIMENT=systemcrypto
, even when GOEXPERIMENT
variable is unset.
CGO_ENABLED=1
-tags=requirefips
OR use GOFIPS=1
at runtimecgr.dev/chainguard-private/glibc-openssl-fips
image)This section contains two examples of how you can use the Go FIPS Chainguard Image to build an example Go application. For more information on working with this Image, check out our Getting Started with the Go Chainguard Image guide.
Start interractive shell in the go-msft-fips
image:
User root
is used here, to perform tampering with the FIPS module selfcheck after compiling and running the application.
Install a golang demo application helloserver
:
Observe toolchain flags used to build the binary:
This indicates the binary was built with 1.23.1
version of go, with X:systemcrypto
experiment enabled as an indicator that OpenSSL will be in use at runtime.
Observe further build settings used on the binary:
Observe the following settings are in place:
build CGO_ENABLED=1
enables access to OpenSSL via CGObuild GOEXPERIMENT=systemcrypto
enables systemcrypto experimentbuild -tags=requirefips
ensures FIPS mode is enforced at the binary startupVerify that OpenSSL symbols are used by the binary:
Note that golang-fips/openssl/v2 are the underlying bindings for all the available APIs, even if individual binary may not use all of them.
Verify binary execution with suitable OpenSSL FIPS provider (use Ctrl+C
to terminate):
Now tamper with the fips provider to observe failure to start the application in FIPS mode
As you can see above helloserver
panics when on startup OpenSSL FIPS fails self tests.
Now restore fipsmodule.cnf
to get back into operational state:
The following example Dockerfile builds a helloserver program in Go and copies it on top of the cgr.dev/chainguard-private/glibc-openssl-fips:latest
base image:
Run the following command to build the demo image and tag it as go-helloserver-fips
:
Now you can run the image with:
Chainguard Images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" version of this image:
Apache-2.0
BSD-2-Clause
BSD-3-Clause
GCC-exception-3.1
GPL-2.0-only
GPL-2.0-or-later
GPL-3.0-or-later
For a complete list of licenses, please refer to this Image's SBOM.
Software license agreementThis is a FIPS validated image for FedRAMP compliance.
This image is STIG hardened and scanned against the DISA General Purpose Operating System SRG with reports available.
Learn more about STIGsGet started with STIGs