From 92d30d1d325178ac24341ef83ecf36f3aa3cace7 Mon Sep 17 00:00:00 2001 From: Yongbo Jiang Date: Wed, 15 Nov 2023 14:45:46 +0800 Subject: [PATCH 1/2] This is an automated cherry-pick of #7275 close tikv/pd#7274 Signed-off-by: ti-chi-bot --- Makefile | 42 ++++++++++++++++++++++++++++++++++---- server/versioninfo/fips.go | 26 +++++++++++++++++++++++ 2 files changed, 64 insertions(+), 4 deletions(-) create mode 100644 server/versioninfo/fips.go diff --git a/Makefile b/Makefile index c874586ba5f..5b4d9bb9435 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,8 @@ dev-basic: build check basic-test BUILD_FLAGS ?= BUILD_TAGS ?= BUILD_CGO_ENABLED := 0 +BUILD_TOOL_CGO_ENABLED := 0 +BUILD_GOEXPERIMENT ?= PD_EDITION ?= Community # Ensure PD_EDITION is set to Community or Enterprise before running build process. ifneq "$(PD_EDITION)" "Community" @@ -42,11 +44,26 @@ ifeq ($(PLUGIN), 1) BUILD_TAGS += with_plugin endif +<<<<<<< HEAD LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDReleaseVersion=$(shell git describe --tags --dirty --always)" LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDBuildTS=$(shell date -u '+%Y-%m-%d %I:%M:%S')" LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDGitHash=$(shell git rev-parse HEAD)" LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDGitBranch=$(shell git rev-parse --abbrev-ref HEAD)" LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDEdition=$(PD_EDITION)" +======= +ifeq ($(ENABLE_FIPS), 1) + BUILD_TAGS+=boringcrypto + BUILD_GOEXPERIMENT=boringcrypto + BUILD_CGO_ENABLED := 1 + BUILD_TOOL_CGO_ENABLED := 1 +endif + +LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDReleaseVersion=$(shell git describe --tags --dirty --always)" +LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDBuildTS=$(shell date -u '+%Y-%m-%d %I:%M:%S')" +LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDGitHash=$(shell git rev-parse HEAD)" +LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDGitBranch=$(shell git rev-parse --abbrev-ref HEAD)" +LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDEdition=$(PD_EDITION)" +>>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) ifneq ($(DASHBOARD), 0) # Note: LDFLAGS must be evaluated lazily for these scripts to work correctly @@ -61,7 +78,13 @@ BUILD_BIN_PATH := $(shell pwd)/bin build: pd-server pd-ctl pd-recover +<<<<<<< HEAD tools: pd-tso-bench pd-heartbeat-bench regions-dump stores-dump +======= +build-fips: pd-server-fips pd-ctl-fips pd-recover-fips + +tools: pd-tso-bench pd-heartbeat-bench regions-dump stores-dump pd-api-bench +>>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) PD_SERVER_DEP := ifeq ($(SWAGGER), 1) @@ -74,21 +97,28 @@ endif PD_SERVER_DEP += dashboard-ui pd-server: ${PD_SERVER_DEP} - CGO_ENABLED=$(BUILD_CGO_ENABLED) go build $(BUILD_FLAGS) -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -tags "$(BUILD_TAGS)" -o $(BUILD_BIN_PATH)/pd-server cmd/pd-server/main.go + GOEXPERIMENT=$(BUILD_GOEXPERIMENT) CGO_ENABLED=$(BUILD_CGO_ENABLED) go build $(BUILD_FLAGS) -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -tags "$(BUILD_TAGS)" -o $(BUILD_BIN_PATH)/pd-server cmd/pd-server/main.go pd-server-basic: SWAGGER=0 DASHBOARD=0 $(MAKE) pd-server -.PHONY: build tools pd-server pd-server-basic +pd-server-fips: + ENABLE_FIPS=1 $(MAKE) pd-server + +.PHONY: build tools pd-server pd-server-basic pd-server-fips # Tools pd-ctl: - CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-ctl tools/pd-ctl/main.go + GOEXPERIMENT=$(BUILD_GOEXPERIMENT) CGO_ENABLED=$(BUILD_TOOL_CGO_ENABLED) go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-ctl tools/pd-ctl/main.go +pd-ctl-fips: + ENABLE_FIPS=1 $(MAKE) pd-ctl pd-tso-bench: cd tools/pd-tso-bench && CGO_ENABLED=0 go build -o $(BUILD_BIN_PATH)/pd-tso-bench main.go pd-recover: - CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-recover tools/pd-recover/main.go + GOEXPERIMENT=$(BUILD_GOEXPERIMENT) CGO_ENABLED=$(BUILD_TOOL_CGO_ENABLED) go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-recover tools/pd-recover/main.go +pd-recover-fips: + ENABLE_FIPS=1 $(MAKE) pd-recover pd-analysis: CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-analysis tools/pd-analysis/main.go pd-heartbeat-bench: @@ -100,7 +130,11 @@ regions-dump: stores-dump: CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/stores-dump tools/stores-dump/main.go +<<<<<<< HEAD .PHONY: pd-ctl pd-tso-bench pd-recover pd-analysis pd-heartbeat-bench simulator regions-dump stores-dump +======= +.PHONY: pd-ctl pd-ctl-fips pd-tso-bench pd-recover pd-recover-fips pd-analysis pd-heartbeat-bench simulator regions-dump stores-dump pd-api-bench +>>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) #### Docker image #### diff --git a/server/versioninfo/fips.go b/server/versioninfo/fips.go new file mode 100644 index 00000000000..02478b103fa --- /dev/null +++ b/server/versioninfo/fips.go @@ -0,0 +1,26 @@ +// Copyright 2023 TiKV Project Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build boringcrypto +// +build boringcrypto + +package versioninfo + +import ( + _ "crypto/tls/fipsonly" +) + +func init() { + PDReleaseVersion += "-fips" +} From 22483bdca286cc186e73ffe970b15a9ef33d51f6 Mon Sep 17 00:00:00 2001 From: Cabinfever_B Date: Fri, 24 Nov 2023 10:30:14 +0800 Subject: [PATCH 2/2] fix conflict Signed-off-by: Cabinfever_B --- Makefile | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/Makefile b/Makefile index 5b4d9bb9435..ce6ffedeb92 100644 --- a/Makefile +++ b/Makefile @@ -44,13 +44,6 @@ ifeq ($(PLUGIN), 1) BUILD_TAGS += with_plugin endif -<<<<<<< HEAD -LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDReleaseVersion=$(shell git describe --tags --dirty --always)" -LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDBuildTS=$(shell date -u '+%Y-%m-%d %I:%M:%S')" -LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDGitHash=$(shell git rev-parse HEAD)" -LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDGitBranch=$(shell git rev-parse --abbrev-ref HEAD)" -LDFLAGS += -X "$(PD_PKG)/server/versioninfo.PDEdition=$(PD_EDITION)" -======= ifeq ($(ENABLE_FIPS), 1) BUILD_TAGS+=boringcrypto BUILD_GOEXPERIMENT=boringcrypto @@ -63,7 +56,6 @@ LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDBuildTS=$(shell date -u '+%Y-%m-%d %I LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDGitHash=$(shell git rev-parse HEAD)" LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDGitBranch=$(shell git rev-parse --abbrev-ref HEAD)" LDFLAGS += -X "$(PD_PKG)/pkg/versioninfo.PDEdition=$(PD_EDITION)" ->>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) ifneq ($(DASHBOARD), 0) # Note: LDFLAGS must be evaluated lazily for these scripts to work correctly @@ -78,13 +70,7 @@ BUILD_BIN_PATH := $(shell pwd)/bin build: pd-server pd-ctl pd-recover -<<<<<<< HEAD tools: pd-tso-bench pd-heartbeat-bench regions-dump stores-dump -======= -build-fips: pd-server-fips pd-ctl-fips pd-recover-fips - -tools: pd-tso-bench pd-heartbeat-bench regions-dump stores-dump pd-api-bench ->>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) PD_SERVER_DEP := ifeq ($(SWAGGER), 1) @@ -102,23 +88,16 @@ pd-server: ${PD_SERVER_DEP} pd-server-basic: SWAGGER=0 DASHBOARD=0 $(MAKE) pd-server -pd-server-fips: - ENABLE_FIPS=1 $(MAKE) pd-server - .PHONY: build tools pd-server pd-server-basic pd-server-fips # Tools pd-ctl: GOEXPERIMENT=$(BUILD_GOEXPERIMENT) CGO_ENABLED=$(BUILD_TOOL_CGO_ENABLED) go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-ctl tools/pd-ctl/main.go -pd-ctl-fips: - ENABLE_FIPS=1 $(MAKE) pd-ctl pd-tso-bench: cd tools/pd-tso-bench && CGO_ENABLED=0 go build -o $(BUILD_BIN_PATH)/pd-tso-bench main.go pd-recover: GOEXPERIMENT=$(BUILD_GOEXPERIMENT) CGO_ENABLED=$(BUILD_TOOL_CGO_ENABLED) go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-recover tools/pd-recover/main.go -pd-recover-fips: - ENABLE_FIPS=1 $(MAKE) pd-recover pd-analysis: CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/pd-analysis tools/pd-analysis/main.go pd-heartbeat-bench: @@ -130,11 +109,7 @@ regions-dump: stores-dump: CGO_ENABLED=0 go build -gcflags '$(GCFLAGS)' -ldflags '$(LDFLAGS)' -o $(BUILD_BIN_PATH)/stores-dump tools/stores-dump/main.go -<<<<<<< HEAD .PHONY: pd-ctl pd-tso-bench pd-recover pd-analysis pd-heartbeat-bench simulator regions-dump stores-dump -======= -.PHONY: pd-ctl pd-ctl-fips pd-tso-bench pd-recover pd-recover-fips pd-analysis pd-heartbeat-bench simulator regions-dump stores-dump pd-api-bench ->>>>>>> 181fdc95b (makefile: support build with `boringcrypto` to support Fips (#7275)) #### Docker image ####