[Bug 2032659] [NEW] Correctly detect and use FIPS mode

Dimitri John Ledkov 2032659 at bugs.launchpad.net
Tue Aug 22 13:30:49 UTC 2023 

Public bug reported:

[ Impact ]

 * Crytpsetup has some fips awerness

 * Ubuntu provides fips certified kernels & openssl

 * When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all

 * It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would actually
behaved in a fips compliant way, but it currently instead fails.

[ Test Plan ]

 * cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection

 * observe that cryptsetup can create new encrypted volume successfully
/ unchanged behaviour on vanilla ubuntu

 * observe that cryptsetup can create new encrypted volume successfully
on fips ubuntu

[ Where problems could occur ]

 * The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is no
other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.

[ Other Info ]
 
 * Detected during FIPS certification of Jammy

** Affects: cryptsetup (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659

Title:
  Correctly detect and use FIPS mode

Status in cryptsetup package in Ubuntu:
  New

Bug description:
  [ Impact ]

   * Crytpsetup has some fips awerness

   * Ubuntu provides fips certified kernels & openssl

   * When vanilla cryptsetup observes fips kernel & openssl it fails to
  operate, at all

   * It appears the fips awerness in cryptsetup package is obsolete and
  out of date - i.e. if none of the checks were present, it would
  actually behaved in a fips compliant way, but it currently instead
  fails.

  [ Test Plan ]

   * cherry-pick updated patches to cryptsetup to ensure it has correct
  modern fips mode detection

   * observe that cryptsetup can create new encrypted volume
  successfully / unchanged behaviour on vanilla ubuntu

   * observe that cryptsetup can create new encrypted volume
  successfully on fips ubuntu

  [ Where problems could occur ]

   * The change is confined to cryptsetup backend usage (typically
  openssl) and is related to detecting kernel & openssl modes. There is
  no other functional changes. But for example strace calls will look
  slightly different - as possibly observable with strace it will try to
  open /proc/sys/crypto/fips and call into additional openssl apis.

  [ Other Info ]
   
   * Detected during FIPS certification of Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions

More information about the foundations-bugs mailing list