[Bug 2032659] Re: Correctly detect and use FIPS mode

Dimitri John Ledkov 2032659 at bugs.launchpad.net
Wed Nov 1 22:30:30 UTC 2023 

cryptsetup is refreshed in snappy-dev/image superseding what was done in
~ubuntu-security/fde-ice which should not have been ever used for core22
builds. It can be left unchanged now for archival purposes.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659

Title:
  Correctly detect and use FIPS mode

Status in cryptsetup package in Ubuntu:
  Fix Released
Status in cryptsetup source package in Jammy:
  Fix Committed
Status in cryptsetup source package in Lunar:
  Won't Fix
Status in cryptsetup source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

   * Crytpsetup has some fips awareness

   * Ubuntu provides fips certified kernels & openssl

   * When vanilla cryptsetup observes fips kernel & openssl it fails to
  operate, at all

   * It appears the fips awareness in cryptsetup package is obsolete and
  out of date - i.e. if none of the checks were present, it would
  actually behaved in a fips compliant way, but it currently instead
  fails.

  [ Test Plan ]

   * cherry-pick updated patches to cryptsetup to ensure it has correct
  modern fips mode detection

   * observe that cryptsetup can create new encrypted volume
  successfully / unchanged behaviour on vanilla ubuntu

   * observe that cryptsetup can create new encrypted volume
  successfully on fips ubuntu (jammy fips-preview is already available
  internally and to select external customers, also will be on
  esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is
  not)

  [ Where problems could occur ]

   * The change is confined to cryptsetup backend usage (typically
  openssl) and is related to detecting kernel & openssl modes. There is
  no other functional changes. But for example strace calls will look
  slightly different - as possibly observable with strace it will try to
  open /proc/sys/crypto/fips and call into additional openssl apis.

   * Note the pbkdf automatic benchmark is changed slightly, and thus
  will produce slightly different results for newly created volumes.
  This should not affect interoperability at the target resource usage /
  caps remain the same.

  [ Other Info ]

   * Detected during FIPS certification of Jammy

  [ Release Target Rationale ]

   * Fix in Mantic to ensure that next LTS is capable of doing
  cryptsetup in fips mode, when backend (openssl) is in fips mode

   * Fix in Lunar is not needed, as Canonical does not provide FIPS
  certification for Lunar releases. And it doesn't matter if cryptsetup
  is or isn't FIPS capable in Lunar.

   * Fix in Jammy is desired, to ensure that Jammy FIPS certified
  systems can automatically create cryptsetup enabled devices

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions

More information about the foundations-bugs mailing list