Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIPS - dynamic linking on mac causes linking failures when running cargo installed executable. #495

Open
rmullin-apptio opened this issue Aug 13, 2024 · 3 comments
Assignees
Labels
documentation Improvements or additions to documentation

Comments

@rmullin-apptio
Copy link

Problem:

It seems that static linking for aws-lc when compiled in fips mode is only available on Linux. When compiled on Mac M1, the library is dynamically linked. The program can be run through cargo run, but if it's installed using cargo install, the libraries aren't installed with it, so it crashes on startup:

» ./rust-fips-test                                                                                                                                                                  
dyld[53187]: Library not loaded: @rpath/libaws_lc_fips_0_12_11_crypto.dylib
  Referenced from: <A3DAE490-6F88-3CA7-9D27-464C9314D5D8> /Users/ryan/src/rust-fips-test/target/debug/rust-fips-test
  Reason: no LC_RPATH's found
[1]    53187 abort      ./rust-fips-test

Solution:

Right now the only way I've found to get this to work is to manually copy the dylib files into the same directory as the output executable and use install_name_tool to add @loader_path to the output executable's rpath:

cp build/aws-lc-fips-sys-2da5c751fdbe11cd/out/build/artifacts/libaws_lc_fips_0_12_11_crypto.dylib .
cp build/aws-lc-fips-sys-2da5c751fdbe11cd/out/build/artifacts/libaws_lc_fips_0_12_11_rust_wrapper.dylib .
install_name_tool -add_rpath @loader_path ./the-executable

After that it works. I'm unsure why this restriction exists outside of linux so am unsure if it's possible to statically link the fips library. At the very least if this is necessary it may be worthwhile to add documentation addressing this, and what the best approach is for installing fips versions of rust programs built with this library.

  • Does this change any public APIs? No
  • Which algorithm(s) will this impact? None

Requirements / Acceptance Criteria:

Provide documentation on the optimal way to install fips enabled rust programs on non-linux platforms.

  • RFC links: N/A
  • Related Issues: It appears this behavior was added in this PR
  • Will the Usage Guide or other documentation need to be updated? Yes
  • Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly
    interesting/important unit tests. N/A.
@justsmth
Copy link
Contributor

Hello!

Yeah, unfortunately this is a limitation of the AWS-LC FIPS build, which currently can only provide a static library on the Linux platform.

The reason for this limitation is complicated; it relates to the FIPS requirement for an integrity check on the cryptographic module. We provide more information about the nature of our FIPS build and this integrity check here: https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md#integrity-test

The solution you found is the only way I know of to manage this. You're right about us needing to improve our documentation around the shared FIPS build.

I'll leave this issue open as a reminder for us to update our documentation. Thanks for contacting us about this!

@justsmth justsmth self-assigned this Aug 14, 2024
@justsmth justsmth added the documentation Improvements or additions to documentation label Aug 14, 2024
justsmth added a commit to justsmth/aws-lc-rs that referenced this issue Sep 3, 2024
justsmth added a commit to justsmth/aws-lc-rs that referenced this issue Sep 4, 2024
justsmth added a commit that referenced this issue Sep 5, 2024
* Support for 'prebuilt-nasm' feature

* Update READMEs

* Update User Guide

* Cleanup; Address #495

* PR Feedback

* Update verbiage in aws-lc-sys/README and User Guide

* Feedback: stricter bool env var parsing
@justsmth justsmth changed the title dynamic linking on mac causes linking failures when running cargo installed executable. FIPS - dynamic linking on mac causes linking failures when running cargo installed executable. Sep 6, 2024
@justsmth
Copy link
Contributor

justsmth commented Sep 6, 2024

You mentioned the scenario where someone uses cargo install to install a crate that has a dependency on aws-lc-rs with the "fips" feature. With this next release the User Guide will mention that the "fips" build for MacOS & Windows produce shared libraries, but this doesn't fully address the specific issue you had. I'll try to look into this some more next week.

@justsmth
Copy link
Contributor

justsmth commented Sep 6, 2024

The discussion here seems related: rust-lang/cargo#5077

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

2 participants