[Bug 2055825] Re: fips-updates: upgrade from 20.04 to 22.04 fails
Jürg Häfliger
2055825 at bugs.launchpad.net
Fri Apr 18 15:12:22 UTC 2025
** Tags added: kernel-daily-bug
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/2055825
Title:
fips-updates: upgrade from 20.04 to 22.04 fails
Status in linux package in Ubuntu:
Fix Committed
Status in ubuntu-release-upgrader package in Ubuntu:
Invalid
Status in linux source package in Focal:
Fix Committed
Status in ubuntu-release-upgrader source package in Focal:
Invalid
Status in linux source package in Jammy:
New
Status in ubuntu-release-upgrader source package in Jammy:
Triaged
Bug description:
SRU Justification
[Impact]
Some Focal systems with fips-updates enabled cannot be upgraded to Jammy. During
the upgrade, there is a point where the userspace packages are upgraded to
their Jammy version, but are run on a Focal FIPS kernel. Specifically, the
Jammy version of libgcrypt relies on the getrandom syscall with the GRND_RESEED
flag set. This flag, however, is only implemented on the Jammy FIPS kernel. So,
when the Jammy version of libgcrypt is run alongside a Focal FIPS kernel,
a fatal error occurs as below (trimmed for readability):
```
Fatal: unexpected error from getentropy: Invalid argument
fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
Aborted (core dumped)
Processing triggers for mime-support (3.64ubuntu1) ...
Processing triggers for initramfs-tools (0.136ubuntu6.7) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-1112-fips
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
Processing triggers for man-db (2.9.1-1) ...
Errors were encountered while processing:
systemd
systemd-timesyncd
Fatal: unexpected error from getentropy: Invalid argument
fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
Fatal: unexpected error from getentropy: Invalid argument
fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
Upgrade complete
The upgrade has completed but there were errors during the upgrade
process.
```
After that, the system becomes unusable and running some commands
(like shutdown) leads to errors:
```
Fatal: unexpected error from getentropy: Invalid argument
fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
Aborted (core dumped)
```
[Fix]
Focal FIPS kernel: have getrandom not reject the GRND_RESEED flag. For Focal
systems, this flag should only be used during the upgrade process from Focal
to Jammy, as the Jammy userspace packages running on the Focal kernel will rely
on it.
ubuntu-release-upgrader: block upgrades when a FIPS kernel without the
aforementioned fix is running in FIPS mode.
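The failure mechanism from [Impact] and the kind of gate described in [Fix], as an added example (not code from this bug report, the kernel patch, or ubuntu-release-upgrader): the C probe below asks the running kernel whether getrandom() accepts a given flag and combines the answer with the FIPS-mode sysctl. The numeric value of GRND_RESEED does not appear on this page, so it is taken from the command line; the function names and the `upgrade_should_block` policy are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>

/* Returns 0 if the running kernel accepts getrandom() with `flags`,
 * otherwise the errno it failed with (EINVAL for a flag it does not know). */
int probe_getrandom_flags(unsigned int flags)
{
    unsigned char buf[32];
    ssize_t n = getrandom(buf, sizeof buf, flags);
    return n < 0 ? errno : 0;
}

/* Returns 1 if the sysctl file reads "1" (FIPS mode), 0 if not, -1 if absent. */
int fips_mode_enabled(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;
    if (!f)
        return -1;
    c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Hypothetical pre-upgrade gate: 1 = block the upgrade, 0 = proceed. */
int upgrade_should_block(int fips, int probe_errno)
{
    return fips == 1 && probe_errno == EINVAL;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <GRND_RESEED value>\n", argv[0]);
        return 2;
    }
    /* Assumption: the operator supplies the flag value from the Jammy FIPS kernel headers. */
    unsigned int flag = (unsigned int)strtoul(argv[1], NULL, 0);
    int fips = fips_mode_enabled("/proc/sys/crypto/fips_enabled");
    int err = probe_getrandom_flags(flag);
    printf("fips_enabled=%d getrandom(flags=0x%x) -> %s\n",
           fips, flag, err ? strerror(err) : "accepted");
    return upgrade_should_block(fips, err);
}
```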
[Test]
Summary: In a FIPS enabled machine using the fips-updates channel, test the
upgrade from Focal to Jammy.
To trigger the error, run the following commands:
```
pro attach <your-token>
pro enable fips --assume-yes
pro enable fips-updates --assume-yes
grub-reboot '1>2' # or any other command to boot into the -1024 kernel from the "fips" channel, obtained by enabling "fips" previously
reboot
sysctl crypto # Confirm the system is in FIPS mode
uname -a # Confirm you're running an unfixed version of a FIPS kernel
apt upgrade -y
do-release-upgrade
```
[Where things could go wrong]
Focal FIPS kernel: this touches the getrandom syscall, so we have many places
where things could go wrong. However, we are just adding another possible flag
for it, and not really adding/removing/altering any other functionality, so the
regression potential is low.
[Other info]
- The system upgrades successfully if fips=0 is set in the kernel command line,
which can be done by editing this parameter in /etc/default/grub.d/99-fips.cfg,
running `update-grub` afterwards and rebooting.
- Running the latest available kernels from fips-updates should also lead to a
successful upgrade.
-------------------------------- Original Report -------------------------------
Upgrade from 20.04 to 22.04 failed with "Fatal: unexpected error from getentropy: Invalid argument". We have fips-updates enabled through Ubuntu Pro subscription. Tried to upgrade from 18.04 to 22.04. Upgrade from 18.04 to 20.04 is successful but upgrade from 20.04 to 22.04 failed. Apt or do-release-upgrade commands are no longer working after the upgrade failed so we have to restore the host to the Ubuntu 20.04 snapshots.
```
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal
```
Upgrade log:
```
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Errors were encountered while processing:
systemd
ntfs-3g
dbus
libpam-systemd:amd64
systemd-sysv
libnss-systemd:amd64
friendly-recovery
samba-common-bin
samba
update-notifier-common
Fatal: unexpected error from getentropy: Invalid argument
fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2055825/+subscriptions