[Bug 2032659] Re: Correctly detect and use FIPS mode

Launchpad Bug Tracker 2032659 at bugs.launchpad.net
Sat Aug 26 13:51:27 UTC 2023 

This bug was fixed in the package cryptsetup - 2:2.6.1-4ubuntu2

---------------
cryptsetup (2:2.6.1-4ubuntu2) mantic; urgency=medium

  * Compile-in support for a FIPS mode. LP: #2032659

 -- Dimitri John Ledkov <dimitri.ledkov at canonical.com>  Tue, 22 Aug 2023
16:06:53 +0100

** Changed in: cryptsetup (Ubuntu Mantic)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659

Title:
  Correctly detect and use FIPS mode

Status in cryptsetup package in Ubuntu:
  Fix Released
Status in cryptsetup source package in Jammy:
  New
Status in cryptsetup source package in Lunar:
  Won't Fix
Status in cryptsetup source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

   * Crytpsetup has some fips awerness

   * Ubuntu provides fips certified kernels & openssl

   * When vanilla cryptsetup observes fips kernel & openssl it fails to
  operate, at all

   * It appears the fips awerness in cryptsetup package is obsolete and
  out of date - i.e. if none of the checks were present, it would
  actually behaved in a fips compliant way, but it currently instead
  fails.

  [ Test Plan ]

   * cherry-pick updated patches to cryptsetup to ensure it has correct
  modern fips mode detection

   * observe that cryptsetup can create new encrypted volume
  successfully / unchanged behaviour on vanilla ubuntu

   * observe that cryptsetup can create new encrypted volume
  successfully on fips ubuntu

  [ Where problems could occur ]

   * The change is confined to cryptsetup backend usage (typically
  openssl) and is related to detecting kernel & openssl modes. There is
  no other functional changes. But for example strace calls will look
  slightly different - as possibly observable with strace it will try to
  open /proc/sys/crypto/fips and call into additional openssl apis.

  [ Other Info ]

   * Detected during FIPS certification of Jammy

  [ Release Target Rationale ]

   * Fix in Mantic to ensure that next LTS is capable of doing
  cryptsetup in fips mode, when backend (openssl) is in fips mode

   * Fix in Lunar is not needed, as Canonical does not provide FIPS
  certification for Lunar releases. And it doesn't matter if cryptsetup
  is or isn't FIPS capable in Lunar.

   * Fix in Jammy is desired, to ensure that Jammy FIPS certified
  systems can automatically create cryptsetup enabled devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions

More information about the foundations-bugs mailing list