commit f6280729af74d7fbc7f0942959a65e80d611a612
author Adam Langley <agl@chromium.org> Fri Feb 07 11:44:57 2025 -0800
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Fri Feb 07 12:10:21 2025 -0800
tree 777f2ed4a5cdd040ee9f7694dd9f3d61b0d99dca
parent 0bb19f6126cb446d8e42f27038f9b0a0534ad1b0

FIPS.md: add build instructions for the update stream.

Change-Id: I18cdf3c402623d8c833d017dd0148946f5dfee5a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/76027
Auto-Submit: Adam Langley <agl@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>

crypto/fipsmodule/FIPS.md

diff --git a/crypto/fipsmodule/FIPS.md b/crypto/fipsmodule/FIPS.md
index 2fbc96c..6ffd5c9 100644
--- a/crypto/fipsmodule/FIPS.md
+++ b/crypto/fipsmodule/FIPS.md
@@ -22,6 +22,21 @@
 
 BoringSSL's `main` branch is the update stream for the module. We intend to perform validations such that all changes to the module are submitted to the CMVP within six months, as required by FRR7.
 
+The installation instructions, which are found in the security policy for the validated module stream, are as follows for the update stream:
+
+```sh
+printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain
+git clone https://boringssl.googlesource.com/boringssl
+cd boringssl
+mkdir build && cd build
+cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release ..
+ninja && ninja run_tests
+```
+
+The latest stable versions of Clang, Go, Ninja, and CMake should be used.
+
+On the upstream stream, `FIPS_version` will return zero to indicate that it is not the validated module stream.
+
 ## Running ACVP tests
 
 See `util/fipstools/acvp/ACVP.md` for details of how ACVP testing is done.