philo-he commented on code in PR #12178: URL: https://github.com/apache/gluten/pull/12178#discussion_r3327137881
########## docs/get-started/VeloxDynamicOpenSSL.md: ########## 
@@ -0,0 +1,49 @@ +--- +layout: page +title: Dynamic OpenSSL with FIPS Support in vcpkg Build +nav_order: 8 +parent: Getting-Started +--- + +# Dynamic OpenSSL with FIPS Support in vcpkg Build + +## Overview + +By default, Gluten's vcpkg build statically links OpenSSL into the native libraries (`libvelox.so` and `libgluten.so`). However, in environments requiring FIPS (Federal Information Processing Standards) compliance or dynamic OpenSSL linking, Gluten now supports building with dynamically linked OpenSSL. + +This feature is particularly useful for: +- **FIPS compliance**: Organizations requiring FIPS 140-2/140-3 validated cryptographic modules +- **Security updates**: Easier OpenSSL security patching without rebuilding Gluten +- **System integration**: Using system-provided OpenSSL libraries + +## Prerequisites + +- vcpkg-based build system (requires `enable_vcpkg=ON`) +- OpenSSL development libraries installed on the system +- Supported platforms: x86_64 and aarch64 Linux + +## Building with Dynamic OpenSSL + +### Basic Build Command + +To enable dynamic OpenSSL linking with FIPS support, set the `VCPKG_DYNAMIC_OPENSSL` environment variable: + +```bash +export VCPKG_DYNAMIC_OPENSSL=ON +./dev/buildbundle-veloxbe.sh --enable_vcpkg=ON +``` + +## How It Works + +When `VCPKG_DYNAMIC_OPENSSL=ON` is set: + +1. **vcpkg Configuration**: The `dynamic-openssl` feature is enabled in `vcpkg.json`, which includes OpenSSL with FIPS support +2. **Triplet Override**: Custom vcpkg triplets (`x64-linux-avx.cmake` and `arm64-linux-neon.cmake`) detect the environment variable and switch OpenSSL from static to dynamic linkage +3. **Build Process**: The `init.sh` script adds the `--x-feature=dynamic-openssl` flag to vcpkg install +4. **Library Packaging**: OpenSSL shared libraries are excluded from static linking but must be available at runtime Review Comment: Should we add the following explicit clarification for users? 
* At runtime, LD_LIBRARY_PATH should point to the OS-provided OpenSSL package, which includes libssl.so, libcrypto.so, and the FIPS-certified fips.so, so that these libraries are loaded instead of the ones built at compile time by vcpkg.
* Users should ensure compatibility between the OpenSSL libraries (libssl.so and libcrypto.so) used at link time and those available at runtime. We recommend using the same major version to avoid potential compatibility issues.
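
Review bot: Step 4 of "How It Works" ("OpenSSL shared libraries are excluded from static linking but must be available at runtime") leaves open which OpenSSL the native libraries are linked against and where the runtime copy is expected to come from. Step 1 says the vcpkg `dynamic-openssl` feature "includes OpenSSL with FIPS support", while Prerequisites asks for system OpenSSL development libraries and the overview lists "Using system-provided OpenSSL libraries". Suggest stating explicitly whether `libssl.so` and `libcrypto.so` are shipped with the Gluten package or must be supplied by the OS, and rewording step 4 so it describes dynamic linkage rather than shared libraries being "excluded from static linking". The lines shown also present `VCPKG_DYNAMIC_OPENSSL=ON` as enabling "FIPS support", but switching the linkage does not by itself put the process in FIPS mode. The doc should say that the FIPS module has to be provided and enabled by the runtime OpenSSL installation and its configuration, and give users a way to confirm which `libssl.so` and `libcrypto.so` the built `libvelox.so` and `libgluten.so` actually resolve to (for example with `ldd`).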
