[Merge] ~magalilemes/ubuntu-release-upgrader:block-focal-fips into ubuntu-release-upgrader:ubuntu/jammy
Magali Lemes do Sacramento
mp+478097 at code.launchpad.net
Tue Dec 10 18:30:22 UTC 2024
Magali Lemes do Sacramento has proposed merging ~magalilemes/ubuntu-release-upgrader:block-focal-fips into ubuntu-release-upgrader:ubuntu/jammy.
Requested reviews:
Ubuntu Core Development Team (ubuntu-core-dev)
Related bugs:
Bug #2055825 in linux (Ubuntu): "fips-updates: upgrade from 20.04 to 22.04 fails"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2055825
For more details, see:
https://code.launchpad.net/~magalilemes/ubuntu-release-upgrader/+git/ubuntu-release-upgrader/+merge/478097
In LP: #2055825, a user reported that upgrades from Focal to Jammy in
FIPS-enabled systems fail. This happened because, during the upgrade
process running the Focal FIPS kernel, Jammy's libgcrypt uses the
getrandom syscall with the GRND_RESEED flag, which is only implemented
in the Jammy FIPS kernels.
This issue has been fixed in the Focal kernels (linux-fips >=
5.4.0-1104.114, linux-aws-fips >= 5.4.0-1130.140+fips1,
linux-azure-fips >= 5.4.0-1135.142+fips1 and linux-gcp-fips
>=5.4.0-1134.143+fips1). However, there might be systems using older
kernel versions in FIPS mode and upgrading them would lead to
failures.
With this patch applied, I've tested that upgrades are blocked when
running the following kernels in FIPS mode:
- linux-fips: 5.4.0-1024-fips
- linux-aws-fips: 5.4.0-1021-aws-fips
- linux-azure-fips: 5.4.0-1022-azure-fips
- linux-gcp-fips: 5.4.0-1021-gcp-fips
These are the versions found in the `fips` channel -- for instance,
anyone who's enabled `fips` through the Pro client should have one
of the kernel versions above and should be blocked from upgrading
if they have fips=1 in the kernel command line.
I also tested that, when switching to fips=0, upgrades are not blocked.
--
Your team Ubuntu Core Development Team is requested to review the proposed merge of ~magalilemes/ubuntu-release-upgrader:block-focal-fips into ubuntu-release-upgrader:ubuntu/jammy.
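An added sketch of the gate the description implies, in Python because ubuntu-release-upgrader is a Python project; this is not the proposal's actual diff. It blocks only when fips=1 is on the kernel command line and the running kernel's ABI predates the fixed versions named above, and it assumes that the 5.4.0-NNNN part of a package version such as 5.4.0-1104.114 equals the ABI number in the release string 5.4.0-1104-fips.

```python
import re
from typing import Optional

# Minimum ABI numbers carrying the GRND_RESEED fix, taken from the proposal:
# linux-fips 5.4.0-1104, linux-aws-fips 5.4.0-1130, linux-azure-fips 5.4.0-1135,
# linux-gcp-fips 5.4.0-1134. Assumption: the package version's "5.4.0-NNNN"
# prefix equals the ABI number in the running kernel's release string.
FIXED_FIPS_ABI = {
    "fips": (5, 4, 0, 1104),
    "aws-fips": (5, 4, 0, 1130),
    "azure-fips": (5, 4, 0, 1135),
    "gcp-fips": (5, 4, 0, 1134),
}

# Matches Ubuntu release strings such as "5.4.0-1021-aws-fips" or "5.15.0-91-generic".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)$")


def fips_enabled(cmdline: str) -> bool:
    """True when the kernel command line carries an exact fips=1 token."""
    return any(tok == "fips=1" for tok in cmdline.split())


def kernel_needs_block(release: str) -> Optional[str]:
    """Return a reason if this kernel predates the fix, else None (do not block)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None  # not a recognised Ubuntu release string
    version = tuple(int(x) for x in m.group(1, 2, 3, 4))
    flavour = m.group(5)
    minimum = FIXED_FIPS_ABI.get(flavour)
    if minimum is None:
        return None  # not one of the four FIPS flavours
    if version < minimum:
        return (f"linux-{flavour} {release} predates the GRND_RESEED fix "
                f"(needs 5.4.0-{minimum[3]} or newer)")
    return None


def should_block_upgrade(cmdline: str, release: str) -> Optional[str]:
    """Block only when FIPS mode is on *and* the running kernel lacks the fix."""
    if not fips_enabled(cmdline):
        return None
    return kernel_needs_block(release)


if __name__ == "__main__":
    # Constructed inputs mirroring the kernel versions listed in the proposal.
    for cmdline, rel in [("BOOT_IMAGE=/vmlinuz fips=1 ro", "5.4.0-1024-fips"),
                         ("BOOT_IMAGE=/vmlinuz fips=0 ro", "5.4.0-1024-fips"),
                         ("fips=1", "5.4.0-1130-aws-fips")]:
        print(rel, "->", should_block_upgrade(cmdline, rel) or "upgrade allowed")
```

On a live system the two inputs would come from /proc/cmdline and os.uname().release; the sample values here are constructed.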