16 changes: 16 additions & 0 deletions .github/workflows/release.yaml
Expand Up @@ -151,6 +151,22 @@ jobs:
AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
AC_APIKEY_FILE: /tmp/apple_apikey.p8

- name: Check Boring Crypto
run: |
set -euo pipefail

version="$(./scripts/version.sh)"
go tool nm build/coder_"$version"_linux_amd64 | grep "_Cfunc__goboringcrypto_" &>/dev/null
if [[ "$?" == "1" ]]; then
echo "build/coder_${version}_linux_amd64 is not built with Boring Crypto"
exit 1
fi
go tool nm build/coder-slim_"$version"_linux_amd64 | grep "_Cfunc__goboringcrypto_" &>/dev/null
if [[ "$?" == "1" ]]; then
echo "build/coder-slim_${version}_linux_amd64 is not built with Boring Crypto"
exit 1
fi

- name: Delete Apple Developer certificate and API key
run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}

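Review bot: The `if [[ "$?" == "1" ]]` branches in the "Check Boring Crypto" step are unreachable: the step starts with `set -euo pipefail`, so when `grep` finds no `_Cfunc__goboringcrypto_` symbol the pipeline's non-zero status aborts the script before the test runs, and the "is not built with Boring Crypto" message is never printed (the step still fails, but without the diagnostic). Test the pipeline directly instead, e.g. `if ! go tool nm "build/coder_${version}_linux_amd64" | grep -q '_Cfunc__goboringcrypto_'; then` for both binaries, which also drops the `&>/dev/null`. Note the check only covers the two linux_amd64 artifacts; if other linux binaries are also meant to carry BoringCrypto, they need the same assertion or a comment saying why they are excluded. Separately, this step sits between the Apple signing steps and "Delete Apple Developer certificate and API key"; unless that delete step has `if: always()` (not visible here), a failed check leaves the .p12 and .p8 material in /tmp, which matters on non-ephemeral runners.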
17 changes: 17 additions & 0 deletions Makefile
Expand Up @@ -105,6 +105,17 @@ CODER_ARCH_IMAGE_PREREQUISITES := \
build/coder_$(VERSION)_%.tar.gz
endif

# used to decide if we can build with boringcrypto
ifeq ($(OS),Windows_NT)
local_os:=Windows
local_arch:="" #ignored, no boringcrypto support for Windows
else
local_os:=$(shell uname -s)
local_arch:=$(shell uname -m)
endif
ifeq ($(local_arch),x86_64)
local_arch:=amd64
endif

clean:
rm -rf build site/out
Expand Down Expand Up @@ -222,6 +233,12 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
build_args+=(--slim)
fi

# boringcrypto is only supported on Linux
# boringcrypto uses CGO, which isn't supported when cross compiling architectures
if [[ "$$os" == "linux" ]] && [[ "${local_os}" == "Linux" ]] && [[ "$$arch" == "${local_arch}" ]]; then
build_args+=(--boringcrypto)
fi

./scripts/build_go.sh "$${build_args[@]}"

if [[ "$$mode" == "slim" ]]; then
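Review bot: The guard in the second hunk, `[[ "$$os" == "linux" ]] && [[ "${local_os}" == "Linux" ]] && [[ "$$arch" == "${local_arch}" ]]`, means linux targets whose arch differs from the build host (e.g. linux_arm64 or armv7 built on an amd64 runner) are silently produced with standard Go crypto, so the FIPS property of a release varies by architecture with nothing recording which binaries have it; consider either failing loudly when a linux target cannot get BoringCrypto or documenting the intended matrix next to this block, e.g. `# NOTE: only the linux target matching the build host gets boringcrypto; other linux arches ship with standard crypto.` In the first hunk, `local_arch:="" #ignored, ...` assigns the literal two characters `""` plus trailing space (a `#` comment does not strip the preceding whitespace), which is harmless only because the `local_os == Linux` test fails first on Windows; `local_arch:=` with the comment on its own line is cleaner. The comment `boringcrypto uses CGO, which isn't supported when cross compiling architectures` overstates it: cgo cross-compiles fine given a C cross toolchain, it is just not set up here. Enabling cgo also likely changes the linux binary from fully static to dynamically linked against the runner's libc (no `-extldflags -static` is visible in the build script); worth verifying with `ldd` before shipping.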
29 changes: 25 additions & 4 deletions scripts/build_go.sh
Expand Up @@ -2,7 +2,7 @@

# This script builds a single Go binary of Coder with the given parameters.
#
# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl]
# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto]
#
# Defaults to linux:amd64 with slim disabled, but can be controlled with GOOS,
# GOARCH and CODER_SLIM_BUILD=1. If no version is specified, defaults to the
Expand All @@ -22,6 +22,9 @@
#
# If the --agpl parameter is specified, builds only the AGPL-licensed code (no
# Coder enterprise features).
#
# If the --boringcrypto parameter is specified, builds use boringcrypto instead of
# the standard go crypto libraries.

set -euo pipefail
# shellcheck source=scripts/lib.sh
Expand All @@ -34,8 +37,9 @@ slim="${CODER_SLIM_BUILD:-0}"
sign_darwin="${CODER_SIGN_DARWIN:-0}"
output_path=""
agpl="${CODER_BUILD_AGPL:-0}"
boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}

args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin -- "$@")"
args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto -- "$@")"
eval set -- "$args"
while true; do
case "$1" in
Expand Down Expand Up @@ -68,6 +72,10 @@ while true; do
sign_darwin=1
shift
;;
--boringcrypto)
boringcrypto=1
shift
;;
--)
shift
break
Expand All @@ -94,11 +102,16 @@ if [[ "$sign_darwin" == 1 ]]; then
fi

ldflags=(
-s
-w
-X "'github.com/coder/coder/v2/buildinfo.tag=$version'"
)

# For boringcrypto we want to leave the symbols so we can verify it was build correctly for
# FIPS compliance. This adds a few MiB to the binary.
if [[ "$boringcrypto" == 0 ]]; then
ldflags+=(-s)
fi

# We use ts_omit_aws here because on Linux it prevents Tailscale from importing
# github.com/aws/aws-sdk-go-v2/aws, which adds 7 MB to the binary.
TS_EXTRA_SMALL="ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
Expand Down Expand Up @@ -140,7 +153,15 @@ cmd_path="./enterprise/cmd/coder"
if [[ "$agpl" == 1 ]]; then
cmd_path="./cmd/coder"
fi
CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \

cgo=0
goexp=""
if [[ "$boringcrypto" == 1 ]]; then
cgo=1
goexp="boringcrypto"
fi

GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
Does -boringcrypto also need to be added to go build args?

No — I tested `coder version` on a binary I built; GOEXPERIMENT=boringcrypto is enough.

"${build_args[@]}" \
"$cmd_path" 1>&2

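Review bot: `--boringcrypto` is accepted for any `--os`/`--arch`, but as far as I know Go's BoringCrypto backend is only compiled in for linux/amd64 and linux/arm64 and is silently ignored elsewhere, so `--boringcrypto --os darwin` would exit 0 with a standard-crypto binary that the caller believes is FIPS; the Makefile guards this, but the script is also the documented entry point, so it should refuse, e.g. `if [[ "$boringcrypto" == 1 && "$os" != "linux" ]]; then error "--boringcrypto is only supported for linux targets"; fi` placed after option parsing (assuming `error` from the sourced lib.sh, otherwise `echo ... >&2; exit 1`). The new `GOEXPERIMENT="$goexp"` on the `go build` line also sets GOEXPERIMENT to the empty string for non-boring builds, which overrides any value the caller had exported; if that is intended it deserves a comment, otherwise only set it when `goexp` is non-empty. Minor: `boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}` is the only unquoted default among its siblings (`agpl="${CODER_BUILD_AGPL:-0}"`); quote it for consistency. The `-s`/symbol comment could also state the contract it creates for CI: `# The release workflow greps \`go tool nm\` output for _Cfunc__goboringcrypto_; keep the symbol table when boringcrypto is on.`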