From b418a081a8feebe5740574a43a3364578c9e1c61 Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Fri, 25 Jul 2025 14:57:49 -0400
Subject: [PATCH] cleanup

---
 Makefile | 14 +++++++++-----
 README.md | 11 +++++++++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index 0053c74..9dffa0e 100644
--- a/Makefile
+++ b/Makefile
@@ -120,10 +120,6 @@ bin-pkcs11: BUILD_ARGS += -tags pkcs11
 bin-pkcs11: CGO_ENABLED = 1
 bin-pkcs11: bin
 
-bin-fips140: GOENV += GOFIPS140=v1.0.0
-bin-fips140: LDFLAGS += -checklinkname=0
-bin-fips140: bin
-
 bin:
 	$(GOENV) go build $(BUILD_ARGS) -ldflags "$(LDFLAGS)" -o ./nebula${NEBULA_CMD_SUFFIX} ${NEBULA_CMD_PATH}
 	$(GOENV) go build $(BUILD_ARGS) -ldflags "$(LDFLAGS)" -o ./nebula-cert${NEBULA_CMD_SUFFIX} ./cmd/nebula-cert
@@ -219,6 +215,14 @@ ifeq ($(words $(MAKECMDGOALS)),1)
 	@$(MAKE) service ${.DEFAULT_GOAL} --no-print-directory
 endif
 
+fips140:
+	@echo > $(NULL_FILE)
+	$(eval GOENV += GOFIPS140=v1.0.0)
+	$(eval LDFLAGS += -checklinkname=0)
+ifeq ($(words $(MAKECMDGOALS)),1)
+	@$(MAKE) fips140 ${.DEFAULT_GOAL} --no-print-directory
+endif
+
 bin-docker: bin build/linux-amd64/nebula build/linux-amd64/nebula-cert
 
 smoke-docker: bin-docker
@@ -240,5 +244,5 @@ smoke-vagrant/%: bin-docker build/%/nebula
 	cd .github/workflows/smoke/ && ./smoke-vagrant.sh $*
 
 .FORCE:
-.PHONY: bench bench-cpu bench-cpu-long bin build-test-mobile e2e e2ev e2evv e2evvv e2evvvv proto release service smoke-docker smoke-docker-race test test-cov-html smoke-vagrant/%
+.PHONY: bench bench-cpu bench-cpu-long bin build-test-mobile e2e e2ev e2evv e2evvv e2evvvv fips140 proto release service smoke-docker smoke-docker-race test test-cov-html smoke-vagrant/%
 .DEFAULT_GOAL := bin
diff --git a/README.md b/README.md
index fab9cff..4dbc095 100644
--- a/README.md
+++ b/README.md
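Review bot: The `fips140` target injects `GOFIPS140=v1.0.0` and `-checklinkname=0` with `$(eval …)` at recipe time, so they only reach `bin`/`release` when `fips140` is listed first and the goals run serially; `make release fips140` or `make -j fips140 release` can build a non-FIPS binary with no error, a silent compliance failure that the removed `bin-fips140` target-specific variables did not have. Consider failing fast with a recipe line before the evals, `$(if $(filter-out fips140,$(firstword $(MAKECMDGOALS))),$(error fips140 must be the first make goal))`, and adding the comment `# fips140 must be the first goal (make fips140 release); it injects GOFIPS140 via eval, so goals built before it or in parallel (-j) are NOT FIPS builds`. Because `-checklinkname=0` disables the Go linker's go:linkname safeguard, the comment should also state why it is required here (presumably a dependency that linknames into the FIPS module — confirm) so it is not widened or copied to other targets casually.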
@@ -143,17 +143,24 @@ To build nebula for a specific platform (ex, Windows): See the [Makefile](Makefile) for more details on build targets -## Curve P256 and BoringCrypto +## Curve P256, BoringCrypto and FIPS 140-3 mode The default curve used for cryptographic handshakes and signatures is Curve25519. This is the recommended setting for most users. If your deployment has certain compliance requirements, you have the option of creating your CA using `nebula-cert ca -curve P256` to use NIST Curve P256. The CA will then sign certificates using ECDSA P256, and any hosts using these certificates will use P256 for ECDH handshakes. -In addition, Nebula can be built using the [BoringCrypto GOEXPERIMENT](https://github.com/golang/go/blob/go1.20/src/crypto/internal/boring/README.md) by running either of the following make targets: +Nebula can be built using the [BoringCrypto GOEXPERIMENT](https://github.com/golang/go/blob/go1.20/src/crypto/internal/boring/README.md) by running either of the following make targets: ```sh make bin-boringcrypto make release-boringcrypto ``` +Nebula can also be built using the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets: + +```sh +make fips140 +make fips140 release +``` + This is not the recommended default deployment, but may be useful based on your compliance requirements. ## Credits