Stream: wasmtime

Topic: FIPS Support


Mark Smith (May 05 2026 at 21:58):

I was directed here from the #spin channel in the CNCF Slack:
https://cloud-native.slack.com/archives/C089NJ9G1V0/p1778007085277469
and opened an issue to propose adding FIPS support to Wasmtime:
https://github.com/bytecodealliance/wasmtime/issues/13293
I'd be interested to hear what you think.

Chris Fallin (May 05 2026 at 22:06):

Thanks for filing that. I don't know much about FIPS other than that it's a quite heavyweight certification process. Am I right in reading the issue that Wasmtime itself wouldn't have to undergo any certification or whatnot, simply "using the right backend" is enough?

If it's as "simple" as configuring rustls+hyper correctly, and perhaps if you can show us a diff of what it would take, this seems plausible to me but @Pat Hickey would almost certainly have more detailed thoughts...

Mark Smith (May 05 2026 at 23:01):

Yeah, that's correct. As long as you're correctly using the module, you should be good.

Mark Smith (May 05 2026 at 23:03):

In terms of showing you a diff, unfortunately I don't know Rust well enough to propose the necessary PR. I'm hoping it's as simple as following these rustls docs:
https://docs.rs/rustls/latest/rustls/manual/_06_fips/index.html

Mark Smith (May 05 2026 at 23:03):

(I'll add a link to those in the issue)

Chris Fallin (May 05 2026 at 23:06):

This is the sort of feature where we'd probably say "PRs welcome": we don't have the right combination of free time and highest-priority motivation to allocate our time, but we would welcome contributions.

Mark Smith (May 05 2026 at 23:13):

Fair enough.
Getting up to speed enough to be able to contribute this myself could be a fun advent-of-code alternative at some point during the year.

Ralph (May 06 2026 at 11:57):

It would. The difficulty of the certification process is relative to the value it would provide companies using it. How that weighs on you is entirely up to you. It would be a great thing, yes. Most of us do not have FIPS needs... yet.

Mark Smith (May 06 2026 at 19:23):

I don't think any certification of Wasmtime itself would be needed, since it would just be inheriting the NIST certification of the existing crypto module if it's done right.
For companies putting a product into FedRAMP, they'd still need to do the normal audit with ATO, etc. for their service as a whole, but this would remove a blocker for Wasmtime being used as a component of the implementation when trying to satisfy the "data in transit" part of the SC-12 family of controls.


Last updated: May 26 2026 at 09:09 UTC