[Bug 2032659] Re: Correctly detect and use FIPS mode
Dimitri John Ledkov
2032659 at bugs.launchpad.net
Fri Oct 13 22:16:43 UTC 2023
** Description changed:
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would actually
behaved in a fips compliant way, but it currently instead fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume successfully
/ unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume successfully
- on fips ubuntu
+ on fips ubuntu (jammy fips-preview is already available internally and
+ to select external customers, also will be on esm.ubuntu.com/fips-
+ preview "soon" packages are there, but the auth is not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is no
other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
- * Note the pbkdf automatic benchmark is changed slightly, and thus will
+ * Note the pbkdf automatic benchmark is changed slightly, and thus will
produce slightly different results for newly created volumes. This
should not affect interoperability at the target resource usage / caps
remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing cryptsetup
in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup is
or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified systems
can automatically create cryptsetup enabled devices
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/2032659
Title:
Correctly detect and use FIPS mode
Status in cryptsetup package in Ubuntu:
Fix Released
Status in cryptsetup source package in Jammy:
New
Status in cryptsetup source package in Lunar:
Won't Fix
Status in cryptsetup source package in Mantic:
Fix Released
Bug description:
[ Impact ]
* Crytpsetup has some fips awerness
* Ubuntu provides fips certified kernels & openssl
* When vanilla cryptsetup observes fips kernel & openssl it fails to
operate, at all
* It appears the fips awerness in cryptsetup package is obsolete and
out of date - i.e. if none of the checks were present, it would
actually behaved in a fips compliant way, but it currently instead
fails.
[ Test Plan ]
* cherry-pick updated patches to cryptsetup to ensure it has correct
modern fips mode detection
* observe that cryptsetup can create new encrypted volume
successfully / unchanged behaviour on vanilla ubuntu
* observe that cryptsetup can create new encrypted volume
successfully on fips ubuntu (jammy fips-preview is already available
internally and to select external customers, also will be on
esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is
not)
[ Where problems could occur ]
* The change is confined to cryptsetup backend usage (typically
openssl) and is related to detecting kernel & openssl modes. There is
no other functional changes. But for example strace calls will look
slightly different - as possibly observable with strace it will try to
open /proc/sys/crypto/fips and call into additional openssl apis.
* Note the pbkdf automatic benchmark is changed slightly, and thus
will produce slightly different results for newly created volumes.
This should not affect interoperability at the target resource usage /
caps remain the same.
[ Other Info ]
* Detected during FIPS certification of Jammy
[ Release Target Rationale ]
* Fix in Mantic to ensure that next LTS is capable of doing
cryptsetup in fips mode, when backend (openssl) is in fips mode
* Fix in Lunar is not needed, as Canonical does not provide FIPS
certification for Lunar releases. And it doesn't matter if cryptsetup
is or isn't FIPS capable in Lunar.
* Fix in Jammy is desired, to ensure that Jammy FIPS certified
systems can automatically create cryptsetup enabled devices
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/2032659/+subscriptions
More information about the foundations-bugs
mailing list