[Bug 2032659] Re: Correctly detect and use FIPS mode

Dimitri John Ledkov 2032659 at bugs.launchpad.net
Wed Oct 18 21:17:52 UTC 2023


Using jammy daily iso built with proposed packages 20231018

cryptsetup	2:2.4.3-1ubuntu1.2
cryptsetup-bin	2:2.4.3-1ubuntu1.2
cryptsetup-initramfs	2:2.4.3-1ubuntu1.2
libcryptsetup12:amd64	2:2.4.3-1ubuntu1.2

Installing and booting an encrypted system were fine.

Running cryptsetup luksFormat on sample disks with that version versus
1.1 (previous SRU) yielded identical or statistically insignificant
results for the benchmarks, meaning the same minimal security guarantees
are preserved, in a default vanilla install.

This completes the vanilla Ubuntu tests. Will do FIPS tests next.

https://bugs.launchpad.net/bugs/2032659

Title:
  Correctly detect and use FIPS mode

Status in cryptsetup package in Ubuntu:
  Fix Released
Status in cryptsetup source package in Jammy:
  Fix Committed
Status in cryptsetup source package in Lunar:
  Won't Fix
Status in cryptsetup source package in Mantic:
  Fix Released

Bug description:
  [ Impact ]

   * Cryptsetup has some fips awareness

   * Ubuntu provides fips certified kernels & openssl

   * When vanilla cryptsetup observes fips kernel & openssl it fails to
  operate, at all

   * It appears the fips awareness in the cryptsetup package is obsolete and
  out of date - i.e. if none of the checks were present, it would
  actually behave in a fips compliant way, but it currently instead
  fails.

  [ Test Plan ]

   * cherry-pick updated patches to cryptsetup to ensure it has correct
  modern fips mode detection

   * observe that cryptsetup can create new encrypted volume
  successfully / unchanged behaviour on vanilla ubuntu

   * observe that cryptsetup can create new encrypted volume
  successfully on fips ubuntu (jammy fips-preview is already available
  internally and to select external customers, also will be on
  esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is
  not)

  [ Where problems could occur ]

   * The change is confined to cryptsetup backend usage (typically
  openssl) and is related to detecting kernel & openssl modes. There are
  no other functional changes. But for example strace calls will look
  slightly different - as possibly observable with strace, it will try to
  open /proc/sys/crypto/fips and call into additional openssl APIs.

   * Note the pbkdf automatic benchmark is changed slightly, and thus
  will produce slightly different results for newly created volumes.
  This should not affect interoperability, as the target resource usage /
  caps remain the same.
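The detection described above (read /proc/sys/crypto/fips, then ask the crypto backend), as an added illustration in C that is not cryptsetup's own code. The path is parameterised so the parsing can be exercised on a constructed file; `kernel_fips_enabled_at`, `write_text_file` and `fips_restrictions_required` are names chosen here, and the backend probe (OpenSSL 3's `EVP_default_properties_is_fips_enabled(NULL)`, or `FIPS_mode()` on OpenSSL 1.x) is passed in as a boolean so nothing here links against OpenSSL.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Exposed by kernels built with CONFIG_CRYPTO_FIPS; reads "1" when booted
 * with fips=1 and the kernel crypto self-tests passed, "0" otherwise. */
#define KERNEL_FIPS_FLAG "/proc/sys/crypto/fips"

/* True only if the flag file exists and its leading integer is 1.
 * A missing or unreadable file means a kernel without FIPS support (or no
 * permission to read it): report "not in FIPS mode" instead of failing,
 * which is the behaviour the obsolete checks in the bug got wrong. */
bool kernel_fips_enabled_at(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return false;
    char buf[16] = {0};
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    if (n == 0)
        return false;                 /* empty file: no FIPS claim */
    char *end = NULL;
    long v = strtol(buf, &end, 10);
    if (end == buf)
        return false;                 /* no digits at all: treat as off */
    return v == 1;
}

bool kernel_fips_enabled(void)
{
    return kernel_fips_enabled_at(KERNEL_FIPS_FLAG);
}

/* Policy for the example: restrict to FIPS-approved algorithms if either
 * the kernel or the backend reports FIPS mode. Treating either signal as
 * sufficient is this example's conservative choice, not cryptsetup's exact
 * rule; the backend value would come from the OpenSSL API named above. */
bool fips_restrictions_required(bool kernel_fips, bool backend_fips)
{
    return kernel_fips || backend_fips;
}

/* Helper to build constructed sample flag files for testing. */
bool write_text_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return false;
    bool ok = fputs(text, f) >= 0;
    return fclose(f) == 0 && ok;
}
```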

  [ Other Info ]

   * Detected during FIPS certification of Jammy

  [ Release Target Rationale ]

   * Fix in Mantic to ensure that next LTS is capable of doing
  cryptsetup in fips mode, when backend (openssl) is in fips mode

   * Fix in Lunar is not needed, as Canonical does not provide FIPS
  certification for Lunar releases. And it doesn't matter if cryptsetup
  is or isn't FIPS capable in Lunar.

   * Fix in Jammy is desired, to ensure that Jammy FIPS certified
  systems can automatically create cryptsetup enabled devices
