[Bug 2032659] Re: Correctly detect and use FIPS mode
Brian Murray
2032659 at bugs.launchpad.net
Tue Oct 17 21:06:34 UTC 2023
Hello Dimitri, or anyone else affected,
Accepted cryptsetup into jammy-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/cryptsetup/2:2.4.3-1ubuntu1.2 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
jammy to verification-done-jammy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-jammy. In either case, without details of your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Description changed:
[ Impact ]
- * Crytpsetup has some fips awerness
+ * Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would actually
behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully
/ unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully
on fips ubuntu (jammy fips-preview is already available internally and
to select external customers, also will be on esm.ubuntu.com/fips-
preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is no
other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will
produce slightly different results for newly created volumes. This
should not affect interoperability at the target resource usage / caps
remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup
in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup is
or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems
can automatically create cryptsetup enabled devices
** Description changed:
[ Impact ]
* Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
- * It appears the fips awerness in cryptsetup package is obsolete and
+ * It appears the fips awareness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would actually
behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully
/ unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully
on fips ubuntu (jammy fips-preview is already available internally and
to select external customers, also will be on esm.ubuntu.com/fips-
preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is no
other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus will
produce slightly different results for newly created volumes. This
should not affect interoperability at the target resource usage / caps
remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup
in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup is
or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems
can automatically create cryptsetup enabled devices
** Changed in: cryptsetup (Ubuntu Jammy)
Status: New => Fix Committed
** Tags added: verification-needed verification-needed-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659
Title:
Correctly detect and use FIPS mode
Status in cryptsetup package in Ubuntu:
Fix Released
Status in cryptsetup source package in Jammy:
Fix Committed
Status in cryptsetup source package in Lunar:
Won't Fix
Status in cryptsetup source package in Mantic:
Fix Released
Bug description:
[ Impact ]
* Crytpsetup has some fips awareness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
* It appears the fips awareness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would
actually behaved in a fips compliant way, but it currently instead
fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume
successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume
successfully on fips ubuntu (jammy fips-preview is already available
internally and to select external customers, also will be on
esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is
not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is
no other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus
will produce slightly different results for newly created volumes.
This should not affect interoperability at the target resource usage /
caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing
cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup
is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified
systems can automatically create cryptsetup enabled devices
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions
More information about the foundations-bugs
mailing list