[Bug 1748310] [NEW] boot stalls looking for entropy in FIPS mode

Vineetha Hari Pai 1748310 at bugs.launchpad.net
Thu Feb 8 22:02:51 UTC 2018


Public bug reported:

libgcrypt20 is not a FIPS-certified library. On a machine running a
FIPS-enabled kernel, the library automatically goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable option
currently in the library. In FIPS mode, it runs self-tests and integrity
checks, and it looks for quality entropy from /dev/random.

On encrypted installations, cryptsetup uses libgcrypt20. During boot on
an encrypted machine running in FIPS mode, cryptsetup invokes libgcrypt
and it stalls looking for quality entropy from /dev/random. This results
in significant delays during startup. The issue was reported by a FIPS
customer.

lsb_release -rd
Description:	Ubuntu 16.04.3 LTS
Release:	16.04

version - 1.6.5-2ubuntu0.3

** Affects: libgcrypt20 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1748310
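
A check for whether a host matches the condition described in this report (kernel FIPS flag set, little entropy available, cryptsetup linked against libgcrypt). This is an added example, not part of the original bug report or of libgcrypt; the function names, the root-prefix parameter and the 128-bit threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report).
# fips_entropy_risk ROOT MIN_BITS
#   ROOT     - path prefix; empty for the live system, or a constructed tree
#   MIN_BITS - entropy_avail value below which a /dev/random reader is assumed
#              likely to block (assumed threshold, not taken from the report)
# Prints one of: not-fips, fips-ok, fips-low-entropy, fips-unknown-entropy
fips_entropy_risk() {
    root=${1:-}
    min_bits=${2:-128}
    fips_file="$root/proc/sys/crypto/fips_enabled"
    pool_file="$root/proc/sys/kernel/random/entropy_avail"

    # A missing fips_enabled file means the kernel has no FIPS support built in.
    fips=0
    if [ -r "$fips_file" ]; then
        read -r fips < "$fips_file" || true
    fi
    if [ "$fips" != "1" ]; then
        echo "not-fips"
        return 0
    fi

    bits=
    if [ -r "$pool_file" ]; then
        read -r bits < "$pool_file" || true
    fi
    case $bits in
        ''|*[!0-9]*) echo "fips-unknown-entropy"; return 0 ;;
    esac
    if [ "$bits" -lt "$min_bits" ]; then
        echo "fips-low-entropy"
    else
        echo "fips-ok"
    fi
}

# True if the given binary resolves libgcrypt among its shared libraries.
links_libgcrypt() {
    ldd "$1" 2>/dev/null | grep -q 'libgcrypt\.so'
}

# Live check on the current host.
echo "entropy state: $(fips_entropy_risk "" 128)"
bin=$(command -v cryptsetup || true)
if [ -n "$bin" ] && links_libgcrypt "$bin"; then
    echo "cryptsetup ($bin) links libgcrypt"
fi
```

A result of `fips-low-entropy` on a host where cryptsetup links libgcrypt corresponds to the situation in which the report says boot stalls.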