bottlerocket-os · ginglis13 · Aug 15, 2024 · Aug 13, 2024 · Aug 13, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -559,14 +559,14 @@ ENV AWS_LC_FIPS_VER="2.0.9"
 USER root
 RUN dnf -y install golang
 
-ENV GO121VER="1.21.12"
-ENV GO122VER="1.22.5"
+ENV GO123VER="1.23.0"
+ENV GO122VER="1.22.6"
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-FROM sdk-go-prep as sdk-go-1.21-prep
+FROM sdk-go-prep as sdk-go-1.23-prep
 
-ENV GOMAJOR="1.21"
+ENV GOMAJOR="1.23"
 
 USER builder
 
@@ -579,7 +579,7 @@ COPY ./patches/go-${GOMAJOR} /home/builder/patches-go
 COPY ./hashes/aws-lc /home/builder/hashes-aws-lc
 COPY ./patches/aws-lc /home/builder/patches-aws-lc
 
-RUN ./prep-go.sh --go-version=${GO121VER}
+RUN ./prep-go.sh --go-version=${GO123VER}
 
 WORKDIR /home/builder/aws-lc/build
 COPY ./configs/aws-lc/* .
@@ -610,13 +610,13 @@ COPY ./helpers/aws-lc/* .
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-FROM sdk-go-1.21-prep as sdk-go-1.21-aws-lc-x86_64
+FROM sdk-go-1.23-prep as sdk-go-1.23-aws-lc-x86_64
 ENV ARCH="x86_64"
 RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go"
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-FROM sdk-go-1.21-prep as sdk-go-1.21-aws-lc-aarch64
+FROM sdk-go-1.23-prep as sdk-go-1.23-aws-lc-aarch64
 ENV ARCH="aarch64"
 RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go"
 
@@ -634,20 +634,20 @@ RUN ./build-aws-lc.sh --arch="${ARCH}" --go-dir="${HOME}/sdk-go"
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
-FROM sdk-go-1.21-prep as sdk-go-1.21
+FROM sdk-go-1.23-prep as sdk-go-1.23
 
-COPY --from=sdk-go-1.21-aws-lc-x86_64 \
+COPY --from=sdk-go-1.23-aws-lc-x86_64 \
  /home/builder/aws-lc/build/goboringcrypto_linux_amd64.syso \
  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_amd64.syso
 
-COPY --from=sdk-go-1.21-aws-lc-aarch64 \
+COPY --from=sdk-go-1.23-aws-lc-aarch64 \
  /home/builder/aws-lc/build/goboringcrypto_linux_arm64.syso \
  /home/builder/sdk-go/src/crypto/internal/boring/syso/goboringcrypto_linux_arm64.syso
 
 COPY ./helpers/go/* ./
 
 # Build Go - finally!
-RUN ./build-go.sh --go-version=${GO121VER}
+RUN ./build-go.sh --go-version=${GO123VER}
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 
@@ -1237,16 +1237,16 @@ COPY --chown=0:0 --from=sdk-rust \
  /usr/share/licenses/rust/
 
 # "sdk-go" has the Go toolchain and standard library builds.
-COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/bin /usr/libexec/go-1.21/bin/
-COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/lib /usr/libexec/go-1.21/lib/
-COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/pkg /usr/libexec/go-1.21/pkg/
-COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/src /usr/libexec/go-1.21/src/
-COPY --chown=0:0 --from=sdk-go-1.21 /home/builder/sdk-go/go.env /usr/libexec/go-1.21/go.env
-COPY --chown=0:0 --from=sdk-go-1.21 \
+COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/bin /usr/libexec/go-1.23/bin/
+COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/lib /usr/libexec/go-1.23/lib/
+COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/pkg /usr/libexec/go-1.23/pkg/
+COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/src /usr/libexec/go-1.23/src/
+COPY --chown=0:0 --from=sdk-go-1.23 /home/builder/sdk-go/go.env /usr/libexec/go-1.23/go.env
+COPY --chown=0:0 --from=sdk-go-1.23 \
  /home/builder/sdk-go/licenses/ \
- /usr/share/licenses/go-1.21/
+ /usr/share/licenses/go-1.23/
 
-COPY --chown=0:0 --from=sdk-go-1.21 \
+COPY --chown=0:0 --from=sdk-go-1.23 \
  /home/builder/aws-lc/LICENSE \
  /usr/share/licenses/aws-lc/LICENSE
 
@@ -1373,7 +1373,7 @@ COPY ./wrappers/go/gofips /usr/bin/gofips
 
 # Add Go programs to $PATH and sync timestamps to avoid rebuilds.
 RUN \
- find /usr/libexec/go-1.21 -type f -exec touch -r /usr/libexec/go-1.21/bin/go {} \+ && \
+ find /usr/libexec/go-1.23 -type f -exec touch -r /usr/libexec/go-1.23/bin/go {} \+ && \
  find /usr/libexec/go-1.22 -type f -exec touch -r /usr/libexec/go-1.22/bin/go {} \+
 
 # Strip and add tools to the path.
@@ -1424,7 +1424,7 @@ USER builder
 WORKDIR /home/builder
 
 # Set the default Go major version.
-ENV GO_MAJOR="1.21"
+ENV GO_MAJOR="1.23"
 
 # In NSS 3.101, lib::pkix was enabled as the default X.509 validator.
 # This causes signature checking of secureboot artifacts to fail during build.

diff --git a/hashes/go-1.21 b/hashes/go-1.21
diff --git a/hashes/go-1.22 b/hashes/go-1.22
@@ -1,2 +1,2 @@
-# https://go.dev/dl/go1.22.5.src.tar.gz
-SHA512 (go1.22.5.src.tar.gz) = 798c2bd5d59be1fb5d7af98893fa7bb68322117facfdee546a37175ec5e8be634f2bed2d8d0e7d4d0555b354c8e9d72b3829c39670d3be2d2328376a00a48576
+# https://go.dev/dl/go1.22.6.src.tar.gz
+SHA512 (go1.22.6.src.tar.gz) = 59f84ba390203271d9fe2d3f04624449d54d3bb73c2b6e54b5f7dc9e9e2dce2192bae07ef56a2afee871cff84d457b90f8a00f4433e072028b97af987f3799e1
diff --git a/hashes/go-1.23 b/hashes/go-1.23
@@ -0,0 +1,2 @@
+# https://go.dev/dl/go1.23.0.src.tar.gz
+SHA512 (go1.23.0.src.tar.gz) = 5822124ca570662ac8dcec32a79196520ce355fe421d83372f8b8a97b3811de0739edcd7080a23f845cf700a6a26f3af6c93278f6ce485b93120afdd4f6c4f47
diff --git a/patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch b/patches/go-1.21/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch
diff --git a/...gcypto-build-compatible-with-aws-lc.patch → ...gcypto-build-compatible-with-aws-lc.patch b/...gcypto-build-compatible-with-aws-lc.patch → ...gcypto-build-compatible-with-aws-lc.patch
diff --git a/patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch b/patches/go-1.23/0002-Always-restrict-boringcrypto-crypto-tls-to-FIPS.patch
@@ -0,0 +1,44 @@
+From 5256a813afbb9c0f7d7ae00544ae1cbaeafb7f1e Mon Sep 17 00:00:00 2001
+From: Gavin Inglis <giinglis@amazon.com>
+Date: Tue, 13 Aug 2024 22:00:50 +0000
+Subject: [PATCH] Always restrict boringcrypto crypto/tls to FIPS
+
+Signed-off-by: Ben Cressey <bcressey@amazon.com>
+[giinglis: update for Go 1.23]
+Signed-off-by: Gavin Inglis <giinglis@amazon.com>
+---
+ src/crypto/tls/boring.go | 5 ++++-
+ src/go/build/deps_test.go | 1 +
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go
+index c44ae92f25..dae77b8f2e 100644
+--- a/src/crypto/tls/boring.go
++++ b/src/crypto/tls/boring.go
+@@ -6,7 +6,10 @@
+
+ package tls
+
+-import "crypto/internal/boring/fipstls"
++import (
++ "crypto/internal/boring/fipstls"
++ _ "crypto/tls/fipsonly"
++)
+
+ // needFIPS returns fipstls.Required(), which is not available without the
+ // boringcrypto build tag.
+diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
+index 441cf8d051..01aa89ff04 100644
+--- a/src/go/build/deps_test.go
++++ b/src/go/build/deps_test.go
+@@ -521,6 +521,7 @@ var depsRules = `
+ < crypto/x509/internal/macos
+ < crypto/x509/pkix;
+
++ crypto/tls/fipsonly,
+ crypto/internal/boring/fipstls, crypto/x509/pkix
+ < crypto/x509
+ < crypto/tls;
+-- 
+2.43.0
+