Making Go Program FIPS 140-2 Compliant with BoringCrypto

I’m working on making our company’s Go program, which relies on crypto/tls for HTTP-related purposes, FIPS 140-2 compliant. We are considering using BoringCrypto but I’d like to confirm a few observations and assumptions to ensure we’re on the right path.

  1. My understanding is that, starting with Go version 1.19, we can switch from the standard Go crypto package to BoringCrypto by setting the environment variables BUILD_GOEXPERIMENT=boringcrypto and BUILD_CGO_ENABLED=1 before running go build. Is this the correct approach to make the switch?
  2. I’ve come across some discussions suggesting that our program needs to import _ "crypto/tls/fipsonly" to restrict all TLS configurations to FIPS-approved settings. Can someone confirm if this step is necessary for ensuring FIPS 140-2 compliance when using BoringCrypto?
  3. In my research, I found that the security policy (p19) under BoringCrypto’s FIPS certificate provides detailed steps for building, compiling, and linking the BoringCrypto module to BoringSSL. Additionally, BoringCrypto’s script located under src/crypto/internal/boring seems to follow these steps using the same tools mentioned in the document to compile BoringSSL and build the goboringcrypto.syso. Therefore, my assumption is that for Go v1.19 and above, setting BUILD_GOEXPERIMENT=boringcrypto ensures that the Go program will use BoringCrypto, statically linked to the goboringcrypto.syso, to utilize FIPS 140-2 Approved Algorithms/functions.

Could anyone confirm if my understanding is correct and if this is sufficient for FIPS 140-2 compliance?
I would greatly appreciate any insights or corrections to the above points.