Set the correct runtime flags for FIPS binaries (#930)

elad-solomon · justsmth · web-flow · commit 9fe1e15a6505 · 2025-11-10T13:08:17.000-08:00
* Set the correct runtime flags for FIPS binaries

Signed-off-by: Elad Solomon &lt;elad.solomon@wiz.io&gt;

* Some environments don't have CARGO_CFG_TARGET_FEATURE?

* Add MSVC +crt-static for FIPS in CI

---------

Signed-off-by: Elad Solomon &lt;elad.solomon@wiz.io&gt;
Co-authored-by: Justin Smith &lt;justsmth@amazon.com&gt;
diff --git a/.github/workflows/cross.yml b/.github/workflows/cross.yml
@@ -272,18 +272,26 @@ jobs:
 
   aws-lc-rs-windows-msvc:
     if: ${{ github.repository_owner == 'aws' }}
-    name: ${{ matrix.target }} - ${{ (matrix.crt_static == '1' && 'crt-static and /WX') || '/WX' }}
+    name: ${{ matrix.target }} ${{ (matrix.fips == '1' && '(FIPS)') || '' }} - ${{ (matrix.crt_static == '1' && 'crt-static and /WX') || '/WX' }}
     runs-on: windows-latest
     strategy:
       fail-fast: false
       matrix:
         target:
-          - "x86_64-pc-windows-msvc"
-          - "i686-pc-windows-msvc"
-          - "aarch64-pc-windows-msvc"
+          - 'x86_64-pc-windows-msvc'
+          - 'i686-pc-windows-msvc'
+          - 'aarch64-pc-windows-msvc'
         crt_static:
-          - "0"
-          - "1"
+          - '0'
+          - '1'
+        fips:
+          - '0'
+          - '1'
+        exclude:
+          - target: "i686-pc-windows-msvc"
+            fips: '1'
+          - target: "aarch64-pc-windows-msvc"
+            fips: '1'
     steps:
       - name: Install NASM
         if: ${{ matrix.target == 'x86_64-pc-windows-msvc' || matrix.target == 'i686-pc-windows-msvc' }}
@@ -311,9 +319,10 @@ jobs:
             echo "RUSTFLAGS=-Clink-arg=/WX" | Out-File -FilePath $env:GITHUB_ENV -Append
           }
       - name: Debug build
-        run: cargo ${{ env.ACTION_CARGO }} -p aws-lc-rs --all-targets --target ${{ matrix.target }} --features bindgen
+        run: cargo ${{ env.ACTION_CARGO }} -p aws-lc-rs --all-targets --target ${{ matrix.target }} --features bindgen${{ (matrix.fips == '1' && ',fips') || '' }}
       - name: Release Build for ${{ matrix.target }}
-        run: cargo ${{ env.ACTION_CARGO }} --release -p aws-lc-rs --all-targets --target ${{ matrix.target }}
+        run: cargo ${{ env.ACTION_CARGO }} --release -p aws-lc-rs --all-targets --target ${{ matrix.target }}${{ (matrix.fips == '1' && ' --features fips') || '' }}
+
   freebsd:
     if: github.repository_owner == 'aws'
     name: aws-lc-rs freebsd test
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -72,8 +72,14 @@ jobs:
 
   windows-debug-crt-static-test:
     if: github.repository_owner == 'aws'
-    name: "Windows debug w/ crt-static Test"
+    name: "Windows debug ${{ matrix.cli }} w/ crt-static Test"
     runs-on: windows-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        cli:
+          - ''
+          - '--fips'
     steps:
       - uses: actions/checkout@v3
         with:
@@ -86,7 +92,7 @@ jobs:
         working-directory: ./aws-lc-rs
         shell: bash
         run: |
-          ./scripts/run-windows-debug-crt-static-test.sh
+          ./scripts/run-windows-debug-crt-static-test.sh ${{ matrix.cli }}
 
   ssl-test:
     if: github.repository_owner == 'aws'
diff --git a/aws-lc-fips-sys/CMakeLists.txt b/aws-lc-fips-sys/CMakeLists.txt
@@ -20,11 +20,25 @@ function(set_my_target_properties ...)
     endif()
 endfunction()
 
+option(AWS_LC_FIPS_SYS_STATIC_RUNTIME "Enable static MSVC runtime for FIPS binaries" OFF)
+
 if (BUILD_SHARED_LIBS AND FIPS)
     # FIPS_SHARED does not support unique function or data sections, but we can't set this from Rust
     # as cmake crate will postfix the C/CXX flags after our disablement nullifying them.
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-function-sections -fno-data-sections")
     set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-function-sections -fno-data-sections")
+
+    # FIPS_SHARED requires setting the static runtime flags manually due to limitations in cmake-rs and ninja generator.
+    if (MSVC AND AWS_LC_FIPS_SYS_STATIC_RUNTIME)
+        message(STATUS "Setting static MSVC runtime for FIPS binaries")
+        string(TOUPPER "${CMAKE_BUILD_TYPE}" CMAKE_BUILD_TYPE_UPPER)
+        set(STATIC_RUNTIME_FLAG "/MT")
+        if(CMAKE_BUILD_TYPE_UPPER STREQUAL "DEBUG")
+          set(STATIC_RUNTIME_FLAG "/MTd")
+        endif()
+        set(CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE_UPPER} "${CMAKE_C_FLAGS_${CMAKE_BUILD_TYPE_UPPER}} ${STATIC_RUNTIME_FLAG}")
+        set(CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE_UPPER} "${CMAKE_CXX_FLAGS_${CMAKE_BUILD_TYPE_UPPER}} ${STATIC_RUNTIME_FLAG}")
+    endif()
     add_definitions(-DBORINGSSL_SHARED_LIBRARY)
 endif()
 
diff --git a/aws-lc-fips-sys/builder/cmake_builder.rs b/aws-lc-fips-sys/builder/cmake_builder.rs
@@ -4,8 +4,8 @@
 use crate::OutputLib::{Crypto, RustWrapper, Ssl};
 use crate::{
     cargo_env, effective_target, emit_rustc_cfg, emit_warning, execute_command,
-    is_cpu_jitter_entropy, is_no_asm, option_env, target_arch, target_env, target_family,
-    target_os, target_underscored, target_vendor, OutputLibType, TestCommandResult,
+    is_cpu_jitter_entropy, is_crt_static, is_no_asm, option_env, target_arch, target_env,
+    target_family, target_os, target_underscored, target_vendor, OutputLibType, TestCommandResult,
 };
 use std::collections::HashMap;
 use std::env;
@@ -163,6 +163,11 @@ impl CmakeBuilder {
             cmake_cfg.define("CMAKE_BUILD_TYPE", "debug");
         }
 
+        if is_crt_static() {
+            // Need to set this flag to enable static runtime for FIPS binaries due to limitations in cmake-rs and ninja generator.
+            cmake_cfg.define("AWS_LC_FIPS_SYS_STATIC_RUNTIME", "ON");
+        }
+
         Self::verify_compiler_support(&cc_build.get_compiler());
 
         if let Some(prefix) = &self.build_prefix {
diff --git a/aws-lc-fips-sys/builder/main.rs b/aws-lc-fips-sys/builder/main.rs
@@ -474,6 +474,15 @@ fn prepare_cargo_cfg() {
     }
 }
 
+fn is_crt_static() -> bool {
+    // Some cross-compilation environment apparently don't have this defined.
+    if let Some(features) = option_env("CARGO_CFG_TARGET_FEATURE") {
+        features.contains("crt-static")
+    } else {
+        false
+    }
+}
+
 bindgen_available!(
     fn handle_bindgen(manifest_dir: &Path, prefix: &Option<String>) -> bool {
         if internal_bindgen_supported() && !is_external_bindgen() {
diff --git a/aws-lc-rs/scripts/run-windows-debug-crt-static-test.sh b/aws-lc-rs/scripts/run-windows-debug-crt-static-test.sh
@@ -2,6 +2,19 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
+# Parse command line arguments
+FIPS_MODE=false
+for arg in "$@"; do
+    case $arg in
+        --fips)
+            FIPS_MODE=true
+            shift
+            ;;
+        *)
+            ;;
+    esac
+done
+
 SRC_ROOT="${GITHUB_WORKSPACE:-$(git rev-parse --show-toplevel)}/aws-lc-rs"
 
 case `uname -s` in
@@ -17,7 +30,15 @@ pushd "${TMP_DIR}"
 cargo new --bin aws-lc-rs-test
 pushd aws-lc-rs-test
 
-cargo add aws-lc-rs rustls rustls-platform-verifier
+# Add aws-lc-rs with or without fips feature
+if [ "$FIPS_MODE" = true ]; then
+    cargo add aws-lc-rs --features fips
+else
+    cargo add aws-lc-rs
+fi
+
+cargo add rustls rustls-platform-verifier
+
 cat << EOF >> Cargo.toml
 [profile.release]
 debug = "limited"
