Go and FIPS 140-2 on Red Hat Enterprise Linux

Go and FIPS 140-2 on Red Hat Enterprise Linux

Red Hat provides the Go programming language to Red Hat Enterprise Linux customers via the go-toolset package. If this package is new to you, and you want to learn more, check out some of the previous articles that have been written for some background.

The go-toolset package is currently shipping Go version 1.11.x, with Red Hat planning to ship 1.12.x in Fall 2019. Currently, the go-toolset package only provides the Go toolchain (e.g., the compiler and associated tools like gofmt); however, we are looking into adding other tools to provide a more complete and full-featured Go development environment.

In this article, I will talk about some of the improvements, changes, and exciting new features for go-toolset that we have been working on. These changes bring many upstream improvements and CVE fixes, as well as new features that we have been developing internally alongside upstream.

FIPS 140-2 validated cryptography

We are excited to announce that we plan to ship go-toolset with a new feature that allows Go to bypass the standard library cryptographic routines and instead call into a FIPS 140-2 validated cryptographic library. When your RHEL system is booted in FIPS mode, Go will instead call into OpenSSL via a new package that bridges between Go and OpenSSL. You can also enable it manually by setting GOLANG_FIPS=1 in your environment.

This new feature builds on top of pre-existing upstream work (which instead calls into BoringSSL) and adds a few new features such as:

  • Ability to call into OpenSSL (v1.0.2 and v1.1.1)
  • Adherence to modern, up-to-date FIPS standards
  • Runtime detection of systems FIPS settings
  • Ability to enable FIPS mode manually
  • Stricter TLS that automatically uses only FIPS-approved ciphers
  • And more to come!

This new feature of using OpenSSL for cryptography is only enabled if your system is booted in FIPS mode or if you explicitly enable it via GOLANG_FIPS=1; otherwise, there is no change and the standard library cryptography will be used. If you want to opt out of this feature altogether, you can build your programs with -tags no_openssl to disable it completely and build using pure upstream standard library cryptography. We are continuing to develop this feature and intend to propose new functionality in Go 2 to allow for using a FIPS-validated cryptographic module in a standardized way.

Using go-toolset

Getting started on RHEL7

First, enable the correct repos:

yum-config-manager --enable rhel-7-server-devtools-rpms && \
yum-config-manager --enable rhel-7-server-rpms && \
yum-config-manager --enable rhel-7-server-optional-rpms

Next, install the package:

yum install -y go-toolset-1.11

Package go-toolset in RHEL7 provides Go as a Software Collection. To use the version of Go you have installed, you must enable it:

scl enable go-toolset-1.11 go version

Getting started on RHEL8

For RHEL8, go-toolset is provided via the AppStream. To get started, simply type:

yum install go-toolset

This will install the Go 1.11.x toolchain.

Notice that you do not have to specify the major.minor version as in RHEL7. Because the go-toolset is being shipped as a module in the AppStream, you are automatically subscribed to the RHEL8 stream, meaning any updates to the Go toolchain shipped on that stream are delivered directly to you.

Additionally, the RHEL8 module is no longer a Software Collection. This means that in order to use your newly installed Go toolchain, you simply use the Go command as normal:

go version

Opting out

To completely bypass and compile out all of these changes, you can build your programs with -tags no_openssl.

For example:

go build -tags no_openssl

Wrapping up

Here at Red Hat, we work hard to improve the tools our customers use by both providing and innovating new features and contributing back to the community. Stay tuned for updates on this work and more exciting news related to Go!