Golang crypto/internal/fips140,cmd/link: fips140 broken on RISC-V with -buildmode=pie

$ export GOFIPS140=v1.0.0
$ CGO_ENABLED=1 go build -work -x -mod=vendor -buildmode=pie -trimpath -ldflags '-X sigs.k8s.io/release-utils/version.gitVersion=2.5.3 -X sigs.k8s.io/release-utils/version.gitCommit=488ef8ceed5ab5d77379e9077a124a0d0df41d06 -X sigs.k8s.io/release-utils/version.gitTreeState=release -X sigs.k8s.io/release-utils/version.buildDate=2025-07-18T11:54:31Z -fipso=fips.o' -o cosign ./cmd/cosign
...
mkdir -p $WORK/b001/exe/
cd .
GOROOT='' /usr/lib64/go/1.25/pkg/tool/linux_riscv64/link -o $WORK/b001/exe/a.out -importcfg $WORK/b001/importcfg.link -installsuffix shared -fipso $WORK/b001/fips.o -X=runtime.godebugDefault=containermaxprocs=0,decoratemappings=0,fips140=on,tlssha1=1,updatemaxprocs=0,x509sha256skid=0 -buildmode=pie -buildid=YdBCliVHbgIwhf_PmFIV/iFXXcEKh67L09M2LW7tv/xLgdAbFK-18k9Ji2J4ZH/YdBCliVHbgIwhf_PmFIV -X sigs.k8s.io/release-utils/version.gitVersion=2.5.3 -X sigs.k8s.io/release-utils/version.gitCommit=488ef8ceed5ab5d77379e9077a124a0d0df41d06 -X sigs.k8s.io/release-utils/version.gitTreeState=release -X sigs.k8s.io/release-utils/version.buildDate=2025-07-18T11:54:31Z -fipso=fips.o -extld=gcc $WORK/b001/_pkg_.a
go tool buildid -w $WORK/b001/exe/a.out # internal
mv $WORK/b001/exe/a.out cosign
$ od -tx1z fips.o
0000000 67 6f 20 66 69 70 73 20 6f 62 6a 65 63 74 20 76  >go fips object v<
0000020 31 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >1...............<
0000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >................<
0000060 00 00                                            >..<
0000062
$ ./cosign version
panic: fips140: verification mismatch

goroutine 1 [running]:
crypto/internal/fips140/v1.0.0/check.init.0()
    crypto/internal/fips140/v1.0.0/check/check.go:92 +0x550

Comment From: gabyhelp

Related Issues

• crypto/internal/fips140: segfault from hmac memmove #70880 (closed)
• crypto/cipher:gofips140: unrecognized failures [consistent failure] #70497 (closed)
• cmd/link: invalid relocation R_RISCV_GOT_PCREL_ITYPE in fips code on riscv64 #74662 (closed)
• crypto/aes:gofips140: unrecognized failures [consistent failure] #70496 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

Comment From: thepudds

Hi @andreas-schwab, what exact version and/or commit of Go is this (for example, the output of go version)?

Comment From: andreas-schwab

This is 1.25rc2.

Comment From: mknyszek

CC @golang/security

Comment From: rolandshoemaker

Given this is PIE, likely a problem with either the fips symbols not being contiguous, in the wrong place, or the hash being put somewhere unexpected.

Comment From: mengzhuo

cc @golang/riscv64