[fips] use aws-lc-fips-sys crypto lib for rustls

Igor Smolyar · igorscs · commit 86047cdf3510 · 2026-01-10T00:04:42.000Z
Add FIPS build support wire fips feature into pipeline-manager/adapters,
enable FIPS builds in CI (skip on musl as fips are dynamic only),
and include Go in build images/docs so aws-lc-fips-sys can compile.

When rustls’s fips feature enabled , it pulls in aws-lc-rs with
the fips feature, which links against aws-lc-fips-sys (FIPS crypto module).
diff --git a/.github/workflows/build-rust.yml b/.github/workflows/build-rust.yml
@@ -4,7 +4,8 @@ on:
   workflow_call:
 
 env:
-  CARGO_FLAGS: "--release --locked --all-targets --features pubsub-emulator-test,iceberg-tests-fs,iceberg-tests-glue"
+  CARGO_FLAGS: "--release --locked --all-targets"
+  CARGO_FEATURES_BASE: "pubsub-emulator-test,iceberg-tests-fs,iceberg-tests-glue"
   FELDERA_PLATFORM_VERSION_SUFFIX: ${{ github.sha }}
   RUSTC_WRAPPER: sccache
   SCCACHE_CACHE_SIZE: ${{ vars.SCCACHE_CACHE_SIZE }}
@@ -67,7 +68,12 @@ jobs:
 
       - name: Build Rust binaries
         run: |
-          cargo build ${{ env.CARGO_FLAGS }} --target=${{ matrix.target }}
+          FEATURES="${{ env.CARGO_FEATURES_BASE }}"
+          case "${{ matrix.target }}" in
+            *musl*) ;; # OpenSSL’s FIPS mode is implemented as a dynamically loaded provider (fips.so)
+            *) FEATURES="$FEATURES,fips" ;;
+          esac
+          cargo build ${{ env.CARGO_FLAGS }} --features "$FEATURES" --target=${{ matrix.target }}
 
       - name: Print sccache stats
         run: |
@@ -77,10 +83,15 @@ jobs:
       - name: Collect executables
         id: collect
         run: |
+          FEATURES="${{ env.CARGO_FEATURES_BASE }}"
+          case "${{ matrix.target }}" in
+            *musl*) ;; # OpenSSL’s FIPS mode is implemented as a dynamically loaded provider (fips.so)
+            *) FEATURES="$FEATURES,fips" ;;
+          esac
           # Run again with --message-format=json to list out executables
           # (No real recompile since nothing has changed).
           # Then transform newlines to spaces for the artifact step.
-          EXES=$(cargo build ${{ env.CARGO_FLAGS }} --target=${{ matrix.target }} --message-format=json \
+          EXES=$(cargo build ${{ env.CARGO_FLAGS }} --features "$FEATURES" --target=${{ matrix.target }} --message-format=json \
             | jq -r '.executable | select(. != null)' | tr '\n' ' ')
           echo "Found executables: $EXES"
           # Save it as an output variable for subsequent steps
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -113,6 +113,7 @@ To run Feldera from sources, ensure at least 6 GB of free space in the sources d
 - cmake
 - libssl-dev
 - libsasl2-dev
+- golang-go (required to build aws-lc-fips-sys when using rustls FIPS)
 - pkg-config
 - libzstd-dev
 - clang
diff --git a/crates/adapters/Cargo.toml b/crates/adapters/Cargo.toml
@@ -25,6 +25,7 @@ default = [
     "with-redis",
     "with-nats",
 ]
+fips = ["rustls/fips"]
 with-kafka = ["rdkafka"]
 with-deltalake = ["deltalake", "deltalake-catalog-unity"]
 with-iceberg = ["feldera-iceberg"]
diff --git a/crates/pipeline-manager/Cargo.toml b/crates/pipeline-manager/Cargo.toml
@@ -117,6 +117,7 @@ tikv-jemallocator = { workspace = true, features = ["profiling", "unprefixed_mal
 default = ["postgresql_embedded"]
 feldera-enterprise = []
 runtime-version = []
+fips = ["rustls/fips"]
 
 [build-dependencies]
 change-detection = { workspace = true }
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -13,6 +13,8 @@ RUN apt update --fix-missing && apt install \
   # pkg-config is required for cargo to find libssl
   libssl-dev pkg-config \
   cmake \
+  # Go is required to build aws-lc-fips-sys when rustls is built with FIPS
+  golang-go \
   # rdkafka dependency needs libsasl2-dev zlib and a CXX compiler
   libsasl2-dev zlib1g-dev build-essential \
   # To install rust
diff --git a/deploy/build.Dockerfile b/deploy/build.Dockerfile
@@ -19,6 +19,8 @@ RUN apt-get update --fix-missing && apt-get install -y \
     # pkg-config is required for cargo to find libssl
     libssl-dev pkg-config \
     cmake \
+    # Go is required to build aws-lc-fips-sys when rustls is built with FIPS
+    golang-go \
     # rdkafka dependency needs libsasl2-dev and a CXX compiler
     libsasl2-dev libzstd-dev zlib1g-dev build-essential \
     # bindgen needs this (at least the dec crate uses bindgen)

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ default = [`
`25`	`25`	`"with-redis",`
`26`	`26`	`"with-nats",`
`27`	`27`	`]`
	`28`	`+fips = ["rustls/fips"]`
`28`	`29`	`with-kafka = ["rdkafka"]`
`29`	`30`	`with-deltalake = ["deltalake", "deltalake-catalog-unity"]`
`30`	`31`	`with-iceberg = ["feldera-iceberg"]`