From c4b8050ba1cdb45835d1460b69fc758b0b63f206 Mon Sep 17 00:00:00 2001 From: Justin W Smith <103147162+justsmth@users.noreply.github.com> Date: Tue, 17 Dec 2024 14:06:12 -0500 Subject: [PATCH] Update Readme on FIPS version changes (#636) --- aws-lc-fips-sys/README.md | 66 ++++++++++++++++++++++++--------------- aws-lc-rs/README.md | 29 ++++++++++++----- aws-lc-rs/src/lib.rs | 29 ++++++++++++----- 3 files changed, 82 insertions(+), 42 deletions(-) diff --git a/aws-lc-fips-sys/README.md b/aws-lc-fips-sys/README.md index 958d864f952..447bd40c40f 100644 --- a/aws-lc-fips-sys/README.md +++ b/aws-lc-fips-sys/README.md 
@@ -3,41 +3,52 @@ [![crates.io](https://img.shields.io/crates/v/aws-lc-fips-sys.svg)](https://crates.io/crates/aws-lc-fips-sys) [![GitHub](https://img.shields.io/badge/GitHub-awslabs%2Faws--lc--rs-blue)](https://github.com/awslabs/aws-lc-rs) -**Autogenerated** low-level AWS-LC FIPS bindings for the Rust programming language. We do not recommend directly relying on these bindings. +**Autogenerated** low-level AWS-LC FIPS bindings for the Rust programming language. We do not recommend directly relying +on these bindings. [Documentation](https://github.com/aws/aws-lc). ## FIPS -This crate provides bindings to [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed -FIPS validation testing by an accredited lab and has been submitted to NIST for certification. The static build of AWS-LC-FIPS -is used. +The aws-lc-fips-sys crate provides bindings to the latest version of the AWS-LC-FIPS module that +has completed FIPS validation testing by an accredited lab and has been submitted to NIST for +certification. This will continue to be the case as we periodically submit new versions of +the AWS-LC-FIPS module to NIST for certification. Currently, aws-lc-fips-sys binds to +[AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27). -| Supported Targets | -| --- | -| x86_64-unknown-linux-gnu | -| aarch64-unknown-linux-gnu | +Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers +needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid +automatically being upgraded to a newer module version. +(See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html) +on how to specify dependency versions.) 
-Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List) -for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be -made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes -and documentation to reflect any changes in FIPS certification status. +| AWS-LC-FIPS module | aws-lc-rs | +|--------------------|-----------| +| 2.0.x | \<1.12.0 | +| 3.0.x | *latest* | -## Release Support +Refer to the +[NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List) +for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the +[FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md) +for relevant security policies and information on supported operating environments. +We will also update our release notes and documentation to reflect any changes in FIPS certification status. -This crate pulls in the source code of the latest AWS-LC FIPS branch to build with it. Bindings for platforms we officially support are pre-generated. -The platforms which `aws-lc-fips-sys` builds on is limited to the platforms where the AWS-LC FIPS static build is supported. +## Building and Bindings + +This crate contains source code from a FIPS branch of AWS-LC for building and for bindings generation. A +specialized FIPS build is performed. Bindings for some platforms are pre-generated. 
### Pregenerated Bindings Availability -Targets ---------------------- -aarch64_apple_darwin -aarch64_unknown_linux_gnu -aarch64_unknown_linux_musl -x86_64_apple_darwin -x86_64_unknown_linux_gnu -x86_64_unknown_linux_musl +| Targets | +|----------------------------| +| aarch64_apple_darwin | +| aarch64_unknown_linux_gnu | +| aarch64_unknown_linux_musl | +| x86_64_apple_darwin | +| x86_64_unknown_linux_gnu | +| x86_64_unknown_linux_musl | ### Prebuilt NASM objects @@ -45,15 +56,18 @@ Prebuilt NASM objects are *not* available for this crate. ### Tested AWS-LC FIPS Build Environments -`aws-lc-fips-sys` currently relies on the AWS-LC FIPS static build, please see our CI documentation at [AWS-LC](https://github.com/aws/aws-lc/tree/main/tests/ci#unit-tests). +`aws-lc-fips-sys` currently relies on the AWS-LC FIPS static build, please see our CI documentation +at [AWS-LC](https://github.com/aws/aws-lc/tree/main/tests/ci#unit-tests). ## Build Prerequisites -Since this crate builds AWS-LC as a native library, all build tools needed to build AWS-LC are applicable to `aws-lc-fips-sys` as well. This includes Go and Perl, which are hard dependencies for the AWS-LC FIPS build. +Since this crate builds AWS-LC as a native library, all build tools needed to build AWS-LC are applicable to +`aws-lc-fips-sys` as well. This includes Go and Perl, which are hard dependencies for the AWS-LC FIPS build. [Building AWS-LC](https://github.com/aws/aws-lc/blob/main/BUILDING.md) -If you use a different build combination for FIPS and would like us to support it, please open an issue to us at [AWS-LC](https://github.com/aws/aws-lc/issues/new?assignees=&labels=&template=build-issue.md&title=). +If you use a different build combination for FIPS and would like us to support it, please open an issue to us +at [AWS-LC](https://github.com/aws/aws-lc/issues/new?assignees=&labels=&template=build-issue.md&title=). ## Security Notification Process 
diff --git a/aws-lc-rs/README.md b/aws-lc-rs/README.md index 691ed571060..5dfec9209d4 100644 --- a/aws-lc-rs/README.md +++ b/aws-lc-rs/README.md 
@@ -45,17 +45,30 @@ function. This adds a requirement on `untrusted = "0.7.1"`. ##### fips Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys) -crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to -[AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed -FIPS validation testing by an accredited lab and has been submitted to NIST for certification. -The static build of AWS-LC-FIPS is used. +crate for the cryptographic implementations. The aws-lc-fips-sys crate provides bindings to the +latest version of the AWS-LC-FIPS module that has completed FIPS validation testing by an +accredited lab and has been submitted to NIST for certification. This will continue to be the +case as we periodically submit new versions of the AWS-LC-FIPS module to NIST for certification. +Currently, aws-lc-fips-sys binds to +[AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27). + +Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers +needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid +automatically being upgraded to a newer module version. +(See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html) +on how to specify dependency versions.) + +| AWS-LC-FIPS module | aws-lc-rs | +|--------------------|-----------| +| 2.0.x | \<1.12.0 | +| 3.0.x | *latest* | Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List) -for the latest status of the static or dynamic AWS-LC Cryptographic Module. 
A complete list of supported operating -environments will be made available in the vendor security policy once the validation certificate has been issued. We -will also update our release notes -and documentation to reflect any changes in FIPS certification status. +for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the +[FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md) +for relevant security policies and information on supported operating environments. +We will also update our release notes and documentation to reflect any changes in FIPS certification status. ##### asan diff --git a/aws-lc-rs/src/lib.rs b/aws-lc-rs/src/lib.rs index 421f6d8838d..e4a303b5dab 100644 --- a/aws-lc-rs/src/lib.rs +++ b/aws-lc-rs/src/lib.rs 
@@ -47,17 +47,30 @@ //! #### fips //! //! Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys) -//! crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to -//! [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed -//! FIPS validation testing by an accredited lab and has been submitted to NIST for certification. -//! The static build of AWS-LC-FIPS is used. +//! crate for the cryptographic implementations. The aws-lc-fips-sys crate provides bindings to the +//! latest version of the AWS-LC-FIPS module that has completed FIPS validation testing by an +//! accredited lab and has been submitted to NIST for certification. This will continue to be the +//! case as we periodically submit new versions of the AWS-LC-FIPS module to NIST for certification. +//! Currently, aws-lc-fips-sys binds to +//! [AWS-LC-FIPS 3.0.x](https://github.com/aws/aws-lc/tree/fips-2024-09-27). +//! +//! Consult with your local FIPS compliance team to determine the version of AWS-LC-FIPS module that you require. Consumers +//! needing to remain on a previous version of the AWS-LC-FIPS module should pin to specific versions of aws-lc-rs to avoid +//! automatically being upgraded to a newer module version. +//! (See [cargo’s documentation](https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html) +//! on how to specify dependency versions.) +//! +//! | AWS-LC-FIPS module | aws-lc-rs | +//! |--------------------|-----------| +//! | 2.0.x | \<1.12.0 | +//! | 3.0.x | *latest* | //! //! Refer to the //! [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List) -//! for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating -//! 
environments will be made available in the vendor security policy once the validation certificate has been issued. We -//! will also update our release notes -//! and documentation to reflect any changes in FIPS certification status. +//! for the latest status of the static or dynamic AWS-LC Cryptographic Module. Please see the +//! [FIPS.md in the aws-lc repository](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md) +//! for relevant security policies and information on supported operating environments. +//! We will also update our release notes and documentation to reflect any changes in FIPS certification status. //! //! #### asan //!
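Review bot: in the first aws-lc-fips-sys/README.md hunk (`@@ -3,41 +3,52 @@`), dropping the `Supported Targets` table (x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu) together with the sentence "The platforms which `aws-lc-fips-sys` builds on is limited to the platforms where the AWS-LC FIPS static build is supported." leaves the README with no statement of which targets the FIPS build of this crate is supported on; the replacement "Bindings for some platforms are pre-generated." describes binding availability, not build support. If the intent is to make FIPS.md the single source for that list, say so next to the link (for example "supported operating environments; the FIPS build of this crate is only supported on those targets"), otherwise keep a supported-targets statement. In the version table, the `*latest*` cell for 3.0.x becomes wrong the moment a 4.0.x row is added; a concrete range such as `>=1.12.0`, matching the `\<1.12.0` row above it, states the mapping and can be bounded when the next module ships.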
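Review bot: the second aws-lc-fips-sys/README.md hunk (`@@ -45,15 +56,18 @@`) is a pure re-wrap with no content change, which is fine; since the line is being touched anyway, the comma splice in "`aws-lc-fips-sys` currently relies on the AWS-LC FIPS static build, please see our CI documentation at ..." could be fixed with a semicolon or full stop before "please see".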
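Review bot: the FIPS paragraph, the pinning advice and the module-to-crate version table in the aws-lc-rs/README.md hunk are a verbatim copy of the text added to aws-lc-fips-sys/README.md, and the same text appears a third time in aws-lc-rs/src/lib.rs, so every future module submission requires identical edits in three files and the tables can drift apart unnoticed. Consider keeping the table in one README and linking to it from the other two, or at least adding a short comment near each copy naming the other locations that must be updated together. Minor grammar in the shared text: "the version of AWS-LC-FIPS module that you require" should read "the version of the AWS-LC-FIPS module that you require".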
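Review bot: three of the new `//!` lines in the aws-lc-rs/src/lib.rs hunk ("//! Consult with your local FIPS compliance team ... Consumers", "//! needing to remain on a previous version ... to avoid", "//! automatically being upgraded to a newer module version.") run well past the width the rest of this doc comment wraps at; re-wrap them to match the surrounding lines so the rendered crate docs and the source read consistently. Everything else in the hunk mirrors the README change and carries the same duplication concern raised for aws-lc-rs/README.md.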