4 files changed, 34 insertions, 0 deletions

diff --git a/Makefile.build.mk b/Makefile.build.mk
index 88d74dbf..806d21db 100644
--- a/Makefile.build.mk
+++ b/Makefile.build.mk
@@ -1,5 +1,9 @@
 BINDIR := $(CURDIR)/bin
 GO_BUILD_TAGS   := continuous_profiler_stackdriver
+GO_BUILD_TAGS_FIPS := boringcrypto
+ifneq ($(GO_BUILD_TAGS),)
+	GO_BUILD_TAGS_FIPS := $(GO_BUILD_TAGS),$(GO_BUILD_TAGS_FIPS)
+endif
 
 # To compute a unique and deterministic value for GNU build-id, we build the Go binary a second time.
 # From the first build, we extract its unique and deterministic Go build-id, and use that to derive
@@ -40,3 +44,14 @@ clean:
 
 gitlab-pages: build
 	$Q cp -f $(BINDIR)/gitlab-pages .
+
+build-fips: .GOPATH/.ok
+	$Q GOBIN=$(BINDIR) CGO_ENABLED=1 go install $(if $V,-v) -ldflags="$(VERSION_FLAGS)" -tags "${GO_BUILD_TAGS_FIPS}" -buildmode exe $(IMPORT_PATH)
+ifndef WITHOUT_BUILD_ID
+	GO_BUILD_ID=$$( go tool buildid $(BINDIR)/gitlab-pages ) && \
+	GNU_BUILD_ID=$$( echo $$GO_BUILD_ID | sha1sum | cut -d' ' -f1 ) && \
+	$Q GOBIN=$(BINDIR) CGO_ENABLED=1 go install $(if $V,-v) -ldflags="$(VERSION_FLAGS) -B 0x$$GNU_BUILD_ID" -tags "${GO_BUILD_TAGS_FIPS}" -buildmode exe $(IMPORT_PATH)
+endif
+
+gitlab-pages-fips: build-fips
+	$Q cp -f $(BINDIR)/gitlab-pages .
diff --git a/internal/boring/boring.go b/internal/boring/boring.go
new file mode 100644
index 00000000..6e125210
--- /dev/null
+++ b/internal/boring/boring.go
@@ -0,0 +1,10 @@
+//go:build boringcrypto
+// +build boringcrypto
+
+package boring
+
+import "gitlab.com/gitlab-org/labkit/log"
+
+func CheckBoring() {
+	log.Info("FIPS mode is enabled. Using BoringSSL.")
+}
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go
new file mode 100644
index 00000000..6dbf3c39
--- /dev/null
+++ b/internal/boring/notboring.go
@@ -0,0 +1,7 @@
+//go:build !boringcrypto
+// +build !boringcrypto
+
+package boring
+
+func CheckBoring() {
+}
diff --git a/main.go b/main.go
index 79f4a1da..b7bfde17 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 	"gitlab.com/gitlab-org/labkit/errortracking"
 	"gitlab.com/gitlab-org/labkit/log"
 
+	"gitlab.com/gitlab-org/gitlab-pages/internal/boring"
 	cfg "gitlab.com/gitlab-org/gitlab-pages/internal/config"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/logging"
 	"gitlab.com/gitlab-org/gitlab-pages/internal/validateargs"
@@ -73,6 +74,7 @@ func appMain() {
 	if err := os.Chdir(config.General.RootDir); err != nil {
 		fatal(err, "could not change directory into pagesRoot")
 	}
+	boring.CheckBoring()
 
 	runApp(config)
 }