coder · spikecurtis · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023
diff --git a/Makefile b/Makefile
@@ -105,6 +105,9 @@ CODER_ARCH_IMAGE_PREREQUISITES := \
 	build/coder_$(VERSION)_%.tar.gz
 endif
 
+# used to decide if we can build with boringcrypto
+local_os:=$(shell go env GOHOSTOS)
+local_arch:=$(shell go env GOHOSTARCH)
 
 clean:
 	rm -rf build site/out
@@ -222,6 +225,12 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 		build_args+=(--slim)
 	fi
 
+	# boringcrypto is only supported on Linux
+	# boringcrypto uses CGO, which isn't supported when cross compiling architectures
+	if [[ "$$os" == "linux" ]] && [[ "${local_os}" == "linux" ]] && [[ "$$arch" == "${local_arch}" ]]; then
+		build_args+=(--boringcrypto)
+	fi
+
 	./scripts/build_go.sh "$${build_args[@]}"
 
 	if [[ "$$mode" == "slim" ]]; then

diff --git a/buildinfo/boring.go b/buildinfo/boring.go
@@ -0,0 +1,7 @@
+//go:build boringcrypto
+
+package buildinfo
+
+import "crypto/boring"
+
+var boringcrypto = boring.Enabled()
diff --git a/buildinfo/buildinfo.go b/buildinfo/buildinfo.go
@@ -87,6 +87,10 @@ func IsAGPL() bool {
 	return strings.Contains(agpl, "t")
 }
 
+func IsBoringCrypto() bool {
+	return boringcrypto
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.

diff --git a/buildinfo/notboring.go b/buildinfo/notboring.go
@@ -0,0 +1,5 @@
+//go:build !boringcrypto
+
+package buildinfo
+
+var boringcrypto = false
diff --git a/cli/version.go b/cli/version.go
@@ -13,11 +13,12 @@ import (
 // versionInfo wraps the stuff we get from buildinfo so that it's
 // easier to emit in different formats.
 type versionInfo struct {
-	Version     string    `json:"version"`
-	BuildTime   time.Time `json:"build_time"`
-	ExternalURL string    `json:"external_url"`
-	Slim        bool      `json:"slim"`
-	AGPL        bool      `json:"agpl"`
+	Version      string    `json:"version"`
+	BuildTime    time.Time `json:"build_time"`
+	ExternalURL  string    `json:"external_url"`
+	Slim         bool      `json:"slim"`
+	AGPL         bool      `json:"agpl"`
+	BoringCrypto bool      `json:"boring_crypto"`
 }
 
 // String() implements Stringer
@@ -28,6 +29,9 @@ func (vi versionInfo) String() string {
 		_, _ = str.WriteString("(AGPL) ")
 	}
 	_, _ = str.WriteString(vi.Version)
+	if vi.BoringCrypto {
+		_, _ = str.WriteString(" BoringCrypto")
+	}
 
 	if !vi.BuildTime.IsZero() {
 		_, _ = str.WriteString(" " + vi.BuildTime.Format(time.UnixDate))
@@ -45,11 +49,12 @@ func (vi versionInfo) String() string {
 func defaultVersionInfo() *versionInfo {
 	buildTime, _ := buildinfo.Time()
 	return &versionInfo{
-		Version:     buildinfo.Version(),
-		BuildTime:   buildTime,
-		ExternalURL: buildinfo.ExternalURL(),
-		Slim:        buildinfo.IsSlim(),
-		AGPL:        buildinfo.IsAGPL(),
+		Version:      buildinfo.Version(),
+		BuildTime:    buildTime,
+		ExternalURL:  buildinfo.ExternalURL(),
+		Slim:         buildinfo.IsSlim(),
+		AGPL:         buildinfo.IsAGPL(),
+		BoringCrypto: buildinfo.IsBoringCrypto(),
 	}
 }
 

diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -2,7 +2,7 @@
 
 # This script builds a single Go binary of Coder with the given parameters.
 #
-# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl]
+# Usage: ./build_go.sh [--version 1.2.3-devel+abcdef] [--os linux] [--arch amd64] [--output path/to/output] [--slim] [--agpl] [--boringcrypto]
 #
 # Defaults to linux:amd64 with slim disabled, but can be controlled with GOOS,
 # GOARCH and CODER_SLIM_BUILD=1. If no version is specified, defaults to the
@@ -22,6 +22,9 @@
 #
 # If the --agpl parameter is specified, builds only the AGPL-licensed code (no
 # Coder enterprise features).
+#
+# If the --boringcrypto parameter is specified, builds use boringcrypto instead of
+# the standard go crypto libraries.
 
 set -euo pipefail
 # shellcheck source=scripts/lib.sh
@@ -34,8 +37,9 @@ slim="${CODER_SLIM_BUILD:-0}"
 sign_darwin="${CODER_SIGN_DARWIN:-0}"
 output_path=""
 agpl="${CODER_BUILD_AGPL:-0}"
+boringcrypto=${CODER_BUILD_BORINGCRYPTO:-0}
 
-args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin -- "$@")"
+args="$(getopt -o "" -l version:,os:,arch:,output:,slim,agpl,sign-darwin,boringcrypto -- "$@")"
 eval set -- "$args"
 while true; do
 	case "$1" in
@@ -68,6 +72,10 @@ while true; do
 		sign_darwin=1
 		shift
 		;;
+	--boringcrypto)
+		boringcrypto=1
+		shift
+		;;
 	--)
 		shift
 		break
@@ -140,7 +148,15 @@ cmd_path="./enterprise/cmd/coder"
 if [[ "$agpl" == 1 ]]; then
 	cmd_path="./cmd/coder"
 fi
-CGO_ENABLED=0 GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
+
+cgo=0
+goexp=""
+if [[ "$boringcrypto" == 1 ]]; then
+	cgo=1
+	goexp="boringcrypto"
+fi
+
+GOEXPERIMENT="$goexp" CGO_ENABLED="$cgo" GOOS="$os" GOARCH="$arch" GOARM="$arm_version" go build \
 	"${build_args[@]}" \
 	"$cmd_path" 1>&2