-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIPS - dynamic linking on mac causes linking failures when running cargo installed executable. #495
Comments
Hello! Yeah, unfortunately this is a limitation of the AWS-LC FIPS build, which currently can only provide a static library on the Linux platform. The reason for this limitation is complicated; it relates to the FIPS requirement for an integrity check on the cryptographic module. We provide more information about the nature of our FIPS build and this integrity check here: https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md#integrity-test The solution you found is the only way I know of to manage this. You're right about us needing to improve our documentation around the shared FIPS build. I'll leave this issue open as a reminder for us to update our documentation. Thanks for contacting us about this! |
* Support for 'prebuilt-nasm' feature * Update READMEs * Update User Guide * Cleanup; Address #495 * PR Feedback * Update verbiage in aws-lc-sys/README and User Guide * Feedback: stricter bool env var parsing
You mentioned the scenario where someone uses |
The discussion here seems related: rust-lang/cargo#5077 |
Problem:
It seems that static linking for aws-lc when compiled in fips mode is only available on Linux. When compiled on Mac M1, the library is dynamically linked. The program can be run through
cargo run
, but if it's installed usingcargo install
, the libraries aren't installed with it, so it crashes on startup:Solution:
Right now the only way I've found to get this to work is to manually copy the dylib files into the same directory as the output executable and use install_name_tool to add @loader_path to the output executable's rpath:
After that it works. I'm unsure why this restriction exists outside of linux so am unsure if it's possible to statically link the fips library. At the very least if this is necessary it may be worthwhile to add documentation addressing this, and what the best approach is for installing fips versions of rust programs built with this library.
Requirements / Acceptance Criteria:
Provide documentation on the optimal way to install fips enabled rust programs on non-linux platforms.
interesting/important unit tests. N/A.
The text was updated successfully, but these errors were encountered: