aws · skmcgrail · Dec 11, 2023 · Nov 17, 2023
@@ -21,12 +21,16 @@ A *ring*-compatible crypto library using the cryptographic operations provided b
 We do not recommend directly relying on these bindings.
 
 ### [aws-lc-fips-sys](aws-lc-fips-sys/README.md)
-**Autogenerated** Low-level AWS-LC bindings for the Rust programming language. Providing **experimental** FIPS support.
-We do not recommend directly relying on these bindings. This crate
-uses [AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02),
-which been submitted to an accredited lab for FIPS validation testing, and upon completion will be submitted to NIST
-for certification. Once NIST grants a validation certificate to AWS-LC, we will make an announcement to Rust developers
-on how to leverage the FIPS mode using [aws-lc-rs](https://crates.io/crates/aws-lc-rs).
+**Autogenerated** Low-level AWS-LC bindings for the Rust programming language, providing FIPS support.
+We do not recommend directly relying on these bindings. This crate provides bindings to
+[AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
+FIPS validation testing by an accredited lab and has been submitted to NIST for certification. The static build of AWS-LC-FIPS
+is used. (See [README](./aws-lc-fips-sys/README.md)).  
+
+Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
+for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be
+made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes
+and documentation to reflect any changes in FIPS certification status.
 
 ## Build
 

@@ -8,10 +8,20 @@
 [Documentation](https://github.com/aws/aws-lc).
 
 ## FIPS
-This crate uses [AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which been submitted to an accredited lab
-for FIPS validation testing, and upon completion will be submitted to NIST for certification. Once NIST grants a
-validation certificate to AWS-LC, we will make an announcement to Rust developers on how to leverage the FIPS mode
-using [aws-lc-rs](https://crates.io/crates/aws-lc-rs).
+
+This crate provides bindings to [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
+FIPS validation testing by an accredited lab and has been submitted to NIST for certification. The static build of AWS-LC-FIPS
+is used.
+
+| Supported Targets |
+| --- |
+| x86_64-unknown-linux-gnu |
+| aarch64-unknown-linux-gnu |
+
+Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
+for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be
+made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes
+and documentation to reflect any changes in FIPS certification status.
 
 ## Release Support
 

@@ -34,40 +34,48 @@ See our [User Guide](https://awslabs.github.io/aws-lc-rs/) for guidance on insta
 
 ## Feature Flags
 
-##### - alloc (default) ####
+##### alloc (default)
 Allows implementation to allocate values of arbitrary size. (The meaning of this feature differs
 from the "alloc" feature of *ring*.) Currently, this is required by the `io::writer` module.
 
-##### - ring-io (default) ####
+##### ring-io (default)
 Enable feature to access the  `io`  module.
 
-##### - ring-sig-verify (default) ####
+##### ring-sig-verify (default)
 Enable feature to preserve compatibility with ring's `signature::VerificationAlgorithm::verify`
 function. This adds a requirement on `untrusted = "0.7.1"`.
 
-##### - fips ####
-**EXPERIMENTAL** Enable this feature to have aws-lc-rs use the
-[*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys) crate for the cryptographic
-implementations. The *aws-lc-fips-sys* crate provides bindings to the FIPS variant of
-[*AWS-LC*](https://github.com/aws/aws-lc). AWS-LC has been submitted to an accredited lab
-for FIPS validation testing, and upon completion will be submitted to NIST for certification.
-Once NIST grants a validation certificate to AWS-LC, we will make an announcement to Rust
-developers on how to leverage the FIPS mode. This feature is currently only available on Linux.
+##### fips
+Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys)
+crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to
+[AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
+FIPS validation testing by an accredited lab and has been submitted to NIST for certification.
+The static build of AWS-LC-FIPS is used.
 
-##### - asan ####
+| Supported Targets |
+| --- |
+| x86_64-unknown-linux-gnu |
+| aarch64-unknown-linux-gnu |
+
+Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
+for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be
+made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes
+and documentation to reflect any changes in FIPS certification status.
+
+##### asan
 Performs an "address sanitizer" build. This can be used to help detect memory leaks. See the
 ["Address Sanitizer" section](https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html#addresssanitizer)
 of the [Rust Unstable Book](https://doc.rust-lang.org/beta/unstable-book/).
 
-##### - bindgen ####
+##### bindgen
 Causes `aws-lc-sys` or `aws-lc-fips-sys` to generates fresh bindings for AWS-LC instead of using
 the pre-generated bindings. This feature requires `libclang` to be installed. See the
 [requirements](https://rust-lang.github.io/rust-bindgen/requirements.html)
 for [rust-bindgen](https://github.com/rust-lang/rust-bindgen)
 
 ## *ring*-compatibility
 
-Although this library attempts to be fully compatible with *ring*, there are a few places where our
+Although this library attempts to be fully compatible with *ring* (v0.16.x), there are a few places where our
 behavior is observably different.
 
 * Our implementation requires the `std` library. We currently do not support a
@@ -90,7 +98,6 @@ for ring that provides FIPS support and is compatible with the ring API. Rust de
 prescribed cryptographic requirements can seamlessly integrate aws-lc-rs into their applications
 and deploy them into AWS Regions.
 
-
 ### Contributor Quickstart for Amazon Linux 2023
 
 For those who would like to contribute to our project or build it directly from our repository,

@@ -12,7 +12,7 @@ a few more packages may be needed. The listing below shows the steps needed for
 building and testing our project locally.
 ```shell
 # Install dependencies needed for build and testing
-sudo yum install -y cmake3 clang git clang-libs golang openssl-devel
+sudo yum install -y cmake3 clang git clang-libs golang openssl-devel perl-FindBin
 
 # Install Rust
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

@@ -34,40 +34,48 @@
 //!
 //! # Feature Flags
 //!
-//! #### - alloc (default) ####
+//! #### alloc (default)
 //! Allows implementation to allocate values of arbitrary size. (The meaning of this feature differs
 //! from the "alloc" feature of *ring*.) Currently, this is required by the `io::writer` module.
 //!
-//! #### - ring-io (default) ####
+//! #### ring-io (default)
 //! Enable feature to access the  `io`  module.
 //!
-//! #### - ring-sig-verify (default) ####
+//! #### ring-sig-verify (default)
 //! Enable feature to preserve compatibility with ring's `signature::VerificationAlgorithm::verify`
 //! function. This adds a requirement on `untrusted = "0.7.1"`.
 //!
-//! #### - fips ####
-//! **EXPERIMENTAL** Enable this feature to have aws-lc-rs use the
-//! [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys) crate for the cryptographic
-//! implementations. The *aws-lc-fips-sys* crate provides bindings to the FIPS variant of
-//! [*AWS-LC*](https://github.com/aws/aws-lc). AWS-LC has been submitted to an accredited lab
-//! for FIPS validation testing, and upon completion will be submitted to NIST for certification.
-//! Once NIST grants a validation certificate to AWS-LC, we will make an announcement to Rust
-//! developers on how to leverage the FIPS mode. This feature is currently only available on Linux.
+//! #### fips
+//! Enable this feature to have aws-lc-rs use the [*aws-lc-fips-sys*](https://crates.io/crates/aws-lc-fips-sys)
+//! crate for the cryptographic implementations. The *aws-lc-fips-sys* crate provides bindings to
+//! [AWS-LC-FIPS 2.x](https://github.com/aws/aws-lc/tree/fips-2022-11-02), which has completed
+//! FIPS validation testing by an accredited lab and has been submitted to NIST for certification.
+//! The static build of AWS-LC-FIPS is used.
 //!
-//! #### - asan ####
+//! | Supported Targets |
+//! | --- |
+//! | x86_64-unknown-linux-gnu |
+//! | aarch64-unknown-linux-gnu |
+//!
+//! Refer to the [NIST Cryptographic Module Validation Program's Modules In Progress List](https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List)
+//! for the latest status of the static or dynamic AWS-LC Cryptographic Module. A complete list of supported operating environments will be
+//! made available in the vendor security policy once the validation certificate has been issued. We will also update our release notes
+//! and documentation to reflect any changes in FIPS certification status.
+//!
+//! #### asan
 //! Performs an "address sanitizer" build. This can be used to help detect memory leaks. See the
 //! ["Address Sanitizer" section](https://doc.rust-lang.org/beta/unstable-book/compiler-flags/sanitizer.html#addresssanitizer)
 //! of the [Rust Unstable Book](https://doc.rust-lang.org/beta/unstable-book/).
 //!
-//! #### - bindgen ####
+//! #### bindgen
 //! Causes `aws-lc-sys` or `aws-lc-fips-sys` to generates fresh bindings for AWS-LC instead of using
 //! the pre-generated bindings. This feature requires `libclang` to be installed. See the
 //! [requirements](https://rust-lang.github.io/rust-bindgen/requirements.html)
 //! for [rust-bindgen](https://github.com/rust-lang/rust-bindgen)
 //!
 //! # *ring*-compatibility
 //!
-//! Although this library attempts to be fully compatible with *ring*, there are a few places where our
+//! Although this library attempts to be fully compatible with *ring* (v0.16.x), there are a few places where our
 //! behavior is observably different.
 //!
 //! * Our implementation requires the `std` library. We currently do not support a