-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add debug.BuildSetting
entries corresponding to crypto backend usage
#963
Comments
Maybe this is also a nice way to do: This would let it be reliably machine-readable without any parsing logic. |
Hmm, there is already a boring/backend-specific mechanism that puts a byte sequence in the binary. We could use/extend this rather than using buildinfo: https://github.com/golang/go/blob/master/src/crypto/internal/boring/sig/sig_amd64.s Those sig sequence has always been in boring releases (Go 1.8+), and buildinfo is more recent (Go 1.18+). I'm not sure if one is actually easier to read than another (while avoiding false positives), when considering how something like BinSkim might implement it. I don't think we could use that as-is: we need to be able to distinguish OpenSSL/CNG usage from Boring usage. We would need to at least add one more sig for "a backend implemented by microsoft/go is in use". Maybe a worse issue is that if crypto is not used at all, the sig won't be present. This could be a problem if the scanner only looks for "uses OpenSSL" rather than "uses OpenSSL or no crypto is used". Also: to keep the policy simple internally, we might want to enforce that a Go program is built such that it would use OpenSSL/CNG if it were to use crypto. This way the team building the Go app will know right away that they need to adjust the build, rather than (potentially) waiting until they add a dependency on crypto and only finding out then (potentially in an unclear context). As far as human use goes, it's nice to see this in the buildinfo with a standard |
There's some conversation internally about whether we need to do this (for e.g. BinSkim), or if CodeQL already has enough info to detect backends. ("Proposal for new golang query to detect approved usage of crypto" email thread.) But I'm realizing that IMO, we should do this regardless of what the internal scanning tools need. (In 1.22.) /cc @microsoft/golang-compiler CodeQL runs during compilation, and can't be used to investigate a compiled program. BinSkim is (in my experience) awkward to configure for quick sanity checks. Giving our users the ability to run the built-in tool Some teams may also be motivated to build their own checks into their builds. It might be considered too late if BinSkim detects a problem (perhaps more too late if CodeQL ends up being the internal tool of choice--because the report wouldn't block a build as far as I know). I think that even if this isn't used in an automated check, teams inside Microsoft that are rebuilding OSS repositories using upstream build scripts will want to make sure that the GOEXPERIMENT made it where it needed to go and had the intended effect. Examining the outputs--even just checking it once, manually--would be a lot easier with this functionality. Along these lines: we should make sure |
Notes from sync:
|
go version -m example
reports the go experiment and some other info that can most likely be used to figure out whether a crypto module was used to buildexample
, but it isn't straightforward. I think we can fairly easily add this info in a more consistent way:https://pkg.go.dev/runtime/debug#BuildSetting
This works as expected with
go version -m
, and other tools can probably be adapted to read the data directly from Go binaries if necessary (e.g. a Go toolset isn't present).The text was updated successfully, but these errors were encountered: