[Bug 2032659] Re: Correctly detect and use FIPS mode
Dimitri John Ledkov
2032659 at bugs.launchpad.net
Tue Aug 22 17:17:28 UTC 2023
** Also affects: cryptsetup (Ubuntu Mantic)
Importance: Undecided
Status: New
** Also affects: cryptsetup (Ubuntu Lunar)
Importance: Undecided
Status: New
** Also affects: cryptsetup (Ubuntu Jammy)
Importance: Undecided
Status: New
** Changed in: cryptsetup (Ubuntu Lunar)
Status: New => Won't Fix
** Description changed:
[ Impact ]
- * Crytpsetup has some fips awerness
+ * Crytpsetup has some fips awerness
- * Ubuntu provides fips certified kernels & openssl
+ * Ubuntu provides fips certified kernels & openssl
- * When vanilla cryptsetup observes fips kernel & openssl it fails to
+ * When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
- * It appears the fips awerness in cryptsetup package is obsolete and
+ * It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would actually
behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
- * cherry-pick updated patches to cryptsetup to ensure it has correct
+ * cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
- * observe that cryptsetup can create new encrypted volume successfully
+ * observe that cryptsetup can create new encrypted volume successfully
/ unchanged behaviour on vanilla ubuntu
- * observe that cryptsetup can create new encrypted volume successfully
+ * observe that cryptsetup can create new encrypted volume successfully
on fips ubuntu
[ Where problems could occur ]
- * The change is confined to cryptsetup backend usage (typically
+ * The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is no
other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
[ Other Info ]
-
- * Detected during FIPS certification of Jammy
+
+ * Detected during FIPS certification of Jammy
+
+ [ Release Target Rationale ]
+
+ * Fix in Mantic to ensure that next LTS is capable of doing cryptsetup
+ in fips mode, when backend (openssl) is in fips mode
+
+ * Fix in Lunar is not needed, as Canonical does not provide FIPS
+ certification for Lunar releases. And it doesn't matter if cryptsetup is
+ or isn't FIPS capable in Lunar.
+
+ * Fix in Jammy is desired, to ensure that Jammy FIPS certified systems
+ can automatically create cryptsetup enabled devices
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659
Title:
Correctly detect and use FIPS mode
Status in cryptsetup package in Ubuntu:
New
Status in cryptsetup source package in Jammy:
New
Status in cryptsetup source package in Lunar:
Won't Fix
Status in cryptsetup source package in Mantic:
New
Bug description:
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would
actually behaved in a fips compliant way, but it currently instead
fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume
successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume
successfully on fips ubuntu
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is
no other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing
cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup
is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified
systems can automatically create cryptsetup enabled devices
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions
More information about the foundations-bugs
mailing list