| # Re-include cmake to update the environment with a new libcrypto. | ||
| buildInputs = [ pkgs.cmake aws-lc-fips ]; | ||
| S2N_LIBCRYPTO = "awslc-fips"; | ||
| # Integ s_client/server tests expect openssl 1.1.1. |
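Review bot: `S2N_LIBCRYPTO = "awslc-fips"` carries no version, and nothing in the surrounding comments says which aws-lc FIPS release this shell builds against. Record the release in a comment next to `buildInputs`, or use a versioned label, so a test result from this environment can be tied to one specific libcrypto.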
These next couple of changes seem unrelated to awslc-fips? What's happening here?
iirc, the shellHook couldn't be appended to, so in order to change one value (PS1), the whole thing had to be redefined. There is one irreverent comment on 183 I'll remove though.
| aws-lc-fips = awslc-fips.packages.${system}.aws-lc-fips; | ||
| # TODO: submit a flake PR |
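Review bot: the `# TODO: submit a flake PR` comment on the last line does not say which repository the PR targets or what it should change, so it cannot be acted on or closed out later. Name the target and link a tracking issue, or drop the comment.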
Which version of awslc-fips is this? The one our CI calls "awslc-fips" or the one it calls "awslc-fips-2022"? Or is this a completely different version?
And I'm guessing that's not the "awslc-fips" used by the rest of the CI? Is the inconsistency a potential problem? Which version of awslc-fips SHOULD we be testing with?
Yeah, the rest of the CI is 2022. My preference is to test with the newest version though. Not sure why we're able to upgrade our nix awslc version easier than the rest of the CI.
Theoretically there is an aws-lc-fips release per year, and they are pretty stationary after release. This one is the ML-KEM and 140-3 validation flavor. Let's discuss the SHOULD question offline, but we should add latest regardless.
Reworking this to add version numbers
Release Summary:
Resolved issues:
n/a
Description of changes:
Add in a nix build of aws-lc-fips.
Call-outs:
Aws-LC-FIPS version is from https://github.com/aws/aws-lc/tree/fips-2024-09-27
Testing:
CI job doesn't exist for this libcrypto, ad-hoc job: https://us-west-2.console.aws.amazon.com/codesuite/codebuild/024603541914/projects/s2nUnitNix/batch/s2nUnitNix%3Ae476183a-58e7-4443-8be6-ec30d25d76d2?region=us-west-2
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.