Build Envoy with aws_lc on Power (ppc64le) (#38403)

Signed-off-by: James Jenkins <James.Jenkins@ibm.com>

README.md

@@ -94,6 +94,10 @@ positively or negatively.
 
 For further details please see our complete [security release process](SECURITY.md).
 
+### ppc64le builds
+
+Builds for the ppc64le architecture or using aws-lc are not covered by the envoy security policy. The ppc64le architecture is currently best-effort and not maintained by the Envoy maintainers.
+
 ## Releases
 
 For further details please see our [release process](https://github.com/envoyproxy/envoy/blob/main/RELEASES.md).

bazel/BUILD

@@ -310,6 +310,22 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "disable_http3_on_linux_ppc64le",
+    match_all = [
+        ":disable_http3",
+        ":linux_ppc64le",
+    ],
+)
+
+selects.config_setting_group(
+    name = "disable_http3_on_not_x86_ppc",
+    match_all = [
+        ":disable_http3",
+        ":not_x86_ppc",
+    ],
+)
+
 selects.config_setting_group(
     name = "disable_http3_on_windows_x86_64",
     match_all = [
@@ -352,6 +368,14 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "enable_http3_on_linux_ppc64le",
+    match_all = [
+        ":enable_http3",
+        ":linux_ppc64le",
+    ],
+)
+
 selects.config_setting_group(
     name = "enable_http3_on_windows_x86_64",
     match_all = [
@@ -503,6 +527,14 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "boringssl_fips_ppc",
+    match_all = [
+        ":boringssl_fips",
+        ":linux_ppc64le",
+    ],
+)
+
 config_setting(
     name = "zlib_ng",
     constraint_values = [
@@ -544,18 +576,21 @@ config_setting(
 # Alias pointing to the selected version of BoringSSL:
 # - BoringSSL FIPS from @boringssl_fips//:ssl,
 # - non-FIPS BoringSSL from @boringssl//:ssl.
+# - aws-lc from @aws_lc//:ssl
 alias(
     name = "boringssl",
     actual = select({
-        "//bazel:boringssl_fips": "@boringssl_fips//:ssl",
+        "//bazel:boringssl_fips_ppc": "@aws_lc//:ssl",
+        "//bazel:boringssl_fips_x86": "@boringssl_fips//:ssl",
         "//conditions:default": "@boringssl//:ssl",
     }),
 )
 
 alias(
     name = "boringcrypto",
     actual = select({
-        "//bazel:boringssl_fips": "@boringssl_fips//:crypto",
+        "//bazel:boringssl_fips_ppc": "@aws_lc//:crypto",
+        "//bazel:boringssl_fips_x86": "@boringssl_fips//:crypto",
         "//conditions:default": "@boringssl//:crypto",
     }),
 )
@@ -584,6 +619,14 @@ config_setting(
     ],
 )
 
+config_setting(
+    name = "linux_ppc64le",
+    constraint_values = [
+        "@platforms//cpu:ppc64le",
+        "@platforms//os:linux",
+    ],
+)
+
 config_setting(
     name = "linux_s390x",
     constraint_values = [
@@ -793,6 +836,22 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "not_x86_ppc",
+    match_any = [
+        ":darwin_arm64",
+        ":ios_arm64",
+        ":ios_arm64e",
+        ":ios_armv7",
+        ":ios_armv7s",
+        ":ios_i386",
+        ":ios_sim_arm64",
+        ":linux_aarch64",
+        ":linux_mips64",
+        ":linux_s390x",
+    ],
+)
+
 selects.config_setting_group(
     name = "not_x86",
     match_any = [
@@ -806,6 +865,7 @@ selects.config_setting_group(
         ":linux_aarch64",
         ":linux_mips64",
         ":linux_ppc",
+        ":linux_ppc64le",
         ":linux_s390x",
     ],
 )

bazel/external/BUILD

@@ -1,6 +1,9 @@
 licenses(["notice"])  # Apache 2
 
-exports_files(["boringssl_fips.genrule_cmd"])
+exports_files([
+    "aws_lc.genrule_cmd",
+    "boringssl_fips.genrule_cmd",
+])
 
 # Use a wrapper cc_library with an empty source source file to force
 # compilation of other cc_library targets that only list *.a sources.

bazel/external/aws_lc.BUILD

@@ -0,0 +1,34 @@
+licenses(["notice"])  # Apache 2
+
+cc_library(
+    name = "crypto",
+    srcs = [
+        "crypto/libcrypto.a",
+    ],
+    hdrs = glob(["include/openssl/*.h"]),
+    defines = ["BORINGSSL_FIPS"],
+    includes = ["include"],
+    visibility = ["//visibility:public"],
+)
+
+cc_library(
+    name = "ssl",
+    srcs = [
+        "ssl/libssl.a",
+    ],
+    hdrs = glob(["include/openssl/*.h"]),
+    includes = ["include"],
+    visibility = ["//visibility:public"],
+    deps = [":crypto"],
+)
+
+genrule(
+    name = "build",
+    srcs = glob(["**"]),
+    outs = [
+        "crypto/libcrypto.a",
+        "ssl/libssl.a",
+    ],
+    cmd = "$(location {}) $(location crypto/libcrypto.a) $(location ssl/libssl.a)".format("@envoy//bazel/external:aws_lc.genrule_cmd"),
+    tools = ["@envoy//bazel/external:aws_lc.genrule_cmd"],
+)

bazel/external/aws_lc.genrule_cmd

@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+
+set -e
+
+export CXXFLAGS=''
+export LDFLAGS=''
+
+# BoringSSL build as described in the Security Policy for BoringCrypto module (2022-05-06):
+# https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf
+
+OS=`uname`
+ARCH=`uname -m`
+# This works only on Linux-x86_64, Linux-ppc64le, and Linux-aarch64.
+
+if [[ "$OS" != "Linux" || ("$ARCH" != "x86_64" && "$ARCH" != "aarch64" && "$ARCH" != "ppc64le") ]]; then
+  echo "ERROR: AWS-LC FIPS is currently supported only on Linux-x86_64, Linux-ppc64le, and Linux-aarch64."
+  exit 1
+fi
+
+
+# Bazel magic.
+# ROOT=$(dirname $(rootpath boringssl/BUILDING.md))/..
+ROOT=./external
+pushd "$ROOT"
+
+# Build tools requirements (from section 12.1 of https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf):
+# - Clang compiler version 12.0.0 (https://releases.llvm.org/download.html)
+# - Go programming language version 1.16.5 (https://golang.org/dl/)
+# - Ninja build system version 1.10.2 (https://github.com/ninja-build/ninja/releases)
+# - Cmake version 3.20.1 (https://cmake.org/download/)
+
+# Override $PATH for build tools, to avoid picking up anything else.
+export PATH="$(dirname `which cmake`):/usr/bin:/bin"
+
+# Clang
+VERSION=14.0.0
+if [[ "$ARCH" == "x86_64" ]]; then
+  PLATFORM="x86_64-linux-gnu-ubuntu-20.04"
+  SHA256=61582215dafafb7b576ea30cc136be92c877ba1f1c31ddbbd372d6d65622fef5
+elif [[ "$ARCH" == "ppc64le" ]]; then
+  PLATFORM="powerpc64le-linux-ubuntu-18.04"
+  SHA256=2d504c4920885c86b306358846178bc2232dfac83b47c3b1d05861a8162980e6
+else
+  PLATFORM="aarch64-linux-gnu"
+  SHA256=1792badcd44066c79148ffeb1746058422cc9d838462be07e3cb19a4b724a1ee
+fi
+
+curl -sLO https://github.com/llvm/llvm-project/releases/download/llvmorg-"$VERSION"/clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
+tar xf clang+llvm-"$VERSION"-"$PLATFORM".tar.xz
+
+export HOME="$PWD"
+printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
+export PATH="$PWD/clang+llvm-$VERSION-$PLATFORM/bin:$PATH"
+
+if [[ `clang --version | head -1 | awk '{print $3}'` != "$VERSION" ]]; then
+  echo "ERROR: Clang version doesn't match. Expected: ${VERSION}, Got: $(clang --version)"
+  exit 1
+fi
+
+# Go
+VERSION=1.18.1
+if [[ "$ARCH" == "x86_64" ]]; then
+  PLATFORM="linux-amd64"
+  SHA256=b3b815f47ababac13810fc6021eb73d65478e0b2db4b09d348eefad9581a2334
+elif [[ "$ARCH" == "ppc64le" ]]; then
+	PLATFORM="linux-ppc64le"
+	SHA256=33db623d1eecf362fe365107c12efc90eff0b9609e0b3345e258388019cb552a
+else
+  PLATFORM="linux-arm64"
+  SHA256=56a91851c97fb4697077abbca38860f735c32b38993ff79b088dac46e4735633
+fi
+
+curl -sLO https://dl.google.com/go/go"$VERSION"."$PLATFORM".tar.gz \
+  && echo "$SHA256" go"$VERSION"."$PLATFORM".tar.gz | sha256sum --check
+tar xf go"$VERSION"."$PLATFORM".tar.gz
+
+export GOPATH="$PWD/gopath"
+export GOROOT="$PWD/go"
+export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"
+
+if [[ `go version | awk '{print $3}'` != "go$VERSION" ]]; then
+  echo "ERROR: Go version doesn't match."
+  exit 1
+fi
+
+# Ninja
+VERSION=1.10.2
+SHA256=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed
+curl -sLO https://github.com/ninja-build/ninja/archive/refs/tags/v"$VERSION".tar.gz \
+  && echo "$SHA256" v"$VERSION".tar.gz | sha256sum --check
+tar -xvf v"$VERSION".tar.gz
+cd ninja-"$VERSION"
+python3 ./configure.py --bootstrap
+
+export PATH="$PWD:$PATH"
+
+if [[ `ninja --version` != "$VERSION" ]]; then
+  echo "ERROR: Ninja version doesn't match."
+  exit 1
+fi
+cd ..
+
+# CMake
+VERSION=3.22.1
+if [[ "$ARCH" != "ppc64le" ]]; then
+	if [[ "$ARCH" == "x86_64" ]]; then
+		PLATFORM="linux-x86_64"
+		SHA256=73565c72355c6652e9db149249af36bcab44d9d478c5546fd926e69ad6b43640
+	else
+		PLATFORM="linux-aarch64"
+		SHA256=601443375aa1a48a1a076bda7e3cca73af88400463e166fffc3e1da3ce03540b
+	fi
+
+	curl -sLO https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION"-"$PLATFORM".tar.gz \
+		&& echo "$SHA256" cmake-"$VERSION"-"$PLATFORM".tar.gz | sha256sum --check
+	tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz
+	export PATH="$PWD/cmake-$VERSION-$PLATFORM/bin:$PATH"
+else
+	PLATFORM="linux-ppc64le"
+	echo "Building cmake for ppc64le"
+
+	curl -sL -o cmake-$VERSION-$PLATFORM.tar.gz https://github.com/Kitware/CMake/releases/download/v"$VERSION"/cmake-"$VERSION".tar.gz
+	tar xf cmake-"$VERSION"-"$PLATFORM".tar.gz
+
+  cd cmake-"$VERSION"
+  ./bootstrap && make
+  export PATH="$PWD/bin:$PATH"
+  cd ..
+fi
+
+if [[ `cmake --version | head -n1` != "cmake version $VERSION" ]]; then
+  echo "PATH: $PATH"
+  echo "PLATFORM: $PLATFORM"
+  echo "ERROR: CMake version doesn't match. Expected: ${VERSION}, Got: $(cmake --version | head -n1)"
+  exit 1
+fi
+
+echo "Cmake installed successfully"
+echo "PWD: $PWD"
+
+# Clean after previous build.
+rm -rf aws_lc/build
+
+# Build BoringSSL.
+cd aws_lc
+
+# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a,
+# because the FIPS module itself is already built with -fPIC.
+mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC" ..
+ninja
+export GTEST_FILTER="-SSLTest.HostMatching"
+#ninja run_tests
+./crypto/crypto_test
+
+echo "created build directory and built aws_lc with ninja"
+
+# Verify correctness of the FIPS build.
+if [[ `tool/bssl isfips` != "1" ]]; then
+  echo "ERROR: BoringSSL tool didn't report FIPS build."
+  exit 1
+fi
+
+# Move compiled libraries to the expected destinations.
+popd
+mv $ROOT/aws_lc/build/crypto/libcrypto.a $1
+mv $ROOT/aws_lc/build/ssl/libssl.a $2

bazel/protobuf.patch

@@ -1,8 +1,8 @@
 diff --git a/BUILD.bazel b/BUILD.bazel
-index 32b26cbdc..e28b8e387 100644
+index 32b26cbdc..a5e7a554c 100644
 --- a/BUILD.bazel
 +++ b/BUILD.bazel
-@@ -229,14 +229,79 @@ alias(
+@@ -229,14 +229,88 @@ alias(
      visibility = ["//visibility:public"],
  )
 
@@ -35,6 +35,14 @@ index 32b26cbdc..e28b8e387 100644
 +)
 +
 +config_setting(
++    name = "linux-ppcle_64",
++    constraint_values = [
++	"@platforms//os:linux",
++	"@platforms//cpu:ppc64le",
++    ],
++)
++
++config_setting(
 +    name = "osx-aarch_64",
 +    constraint_values = [
 +        "@platforms//os:osx",
@@ -64,6 +72,7 @@ index 32b26cbdc..e28b8e387 100644
 +    actual = select({
 +        ":linux-aarch_64": "@com_google_protobuf_protoc_linux_aarch_64//:protoc",
 +        ":linux-x86_64": "@com_google_protobuf_protoc_linux_x86_64//:protoc",
++        ":linux-ppcle_64": "@com_google_protobuf_protoc_linux_ppcle_64//:protoc",
 +        ":osx-aarch_64": "@com_google_protobuf_protoc_osx_aarch_64//:protoc",
 +        ":osx-x86_64": "@com_google_protobuf_protoc_osx_x86_64//:protoc",
 +        ":win64": "@com_google_protobuf_protoc_win64//:protoc",