[Bug 1715010] Re: Fix XTS encryption with FIPS enabled kernels
Brian Murray
brian at ubuntu.com
Thu Sep 7 16:51:07 UTC 2017
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
** Description changed:
SRU Justification:
Impact: The kernel crypto API rejects weak XTS keys in FIPS mode and
the current version of cryptsetup in xenial do some tests with a zeroed
key to check cipher availability in the kernel. These two behaviors
combined make impossible to use disk encryption with XTS while using a
kernel in FIPS mode.
Fix: apply the following fix to cryptsetup:
https://gitlab.com/cryptsetup/cryptsetup/commit/3c2135b36bbc52d052e4ced7c94dc4981eb07a53
Testcase: Try to setup disk encryption with XTS while the kernel is in
FIPS mode.
+
+ N.B.: This is not yet fixed in artful so cannot be released.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1715010
Title:
Fix XTS encryption with FIPS enabled kernels
Status in cryptsetup package in Ubuntu:
Fix Committed
Status in cryptsetup source package in Xenial:
Fix Committed
Bug description:
SRU Justification:
Impact: The kernel crypto API rejects weak XTS keys in FIPS mode and
the current version of cryptsetup in xenial do some tests with a
zeroed key to check cipher availability in the kernel. These two
behaviors combined make impossible to use disk encryption with XTS
while using a kernel in FIPS mode.
Fix: apply the following fix to cryptsetup:
https://gitlab.com/cryptsetup/cryptsetup/commit/3c2135b36bbc52d052e4ced7c94dc4981eb07a53
Testcase: Try to setup disk encryption with XTS while the kernel is in
FIPS mode.
N.B.: This is not yet fixed in artful so cannot be released.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/1715010/+subscriptions
More information about the foundations-bugs
mailing list