Correctly detect and use FIPS mode

Bug #2032659 reported by Dimitri John Ledkov
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Status tracked in Mantic
Jammy
Fix Committed
Undecided
Unassigned
Lunar
Won't Fix
Undecided
Unassigned
Mantic
Fix Released
Undecided
Unassigned

Bug Description

[ Impact ]

 * Crytpsetup has some fips awareness

 * Ubuntu provides fips certified kernels & openssl

 * When vanilla cryptsetup observes fips kernel & openssl it fails to operate, at all

 * It appears the fips awareness in cryptsetup package is obsolete and out of date - i.e. if none of the checks were present, it would actually behaved in a fips compliant way, but it currently instead fails.

[ Test Plan ]

 * cherry-pick updated patches to cryptsetup to ensure it has correct modern fips mode detection

 * observe that cryptsetup can create new encrypted volume successfully / unchanged behaviour on vanilla ubuntu

 * observe that cryptsetup can create new encrypted volume successfully on fips ubuntu (jammy fips-preview is already available internally and to select external customers, also will be on esm.ubuntu.com/fips-preview "soon" packages are there, but the auth is not)

[ Where problems could occur ]

 * The change is confined to cryptsetup backend usage (typically openssl) and is related to detecting kernel & openssl modes. There is no other functional changes. But for example strace calls will look slightly different - as possibly observable with strace it will try to open /proc/sys/crypto/fips and call into additional openssl apis.

 * Note the pbkdf automatic benchmark is changed slightly, and thus will produce slightly different results for newly created volumes. This should not affect interoperability at the target resource usage / caps remain the same.

[ Other Info ]

 * Detected during FIPS certification of Jammy

[ Release Target Rationale ]

 * Fix in Mantic to ensure that next LTS is capable of doing cryptsetup in fips mode, when backend (openssl) is in fips mode

 * Fix in Lunar is not needed, as Canonical does not provide FIPS certification for Lunar releases. And it doesn't matter if cryptsetup is or isn't FIPS capable in Lunar.

 * Fix in Jammy is desired, to ensure that Jammy FIPS certified systems can automatically create cryptsetup enabled devices

Changed in cryptsetup (Ubuntu Lunar):
status: New → Won't Fix
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:2.6.1-4ubuntu2

---------------
cryptsetup (2:2.6.1-4ubuntu2) mantic; urgency=medium

  * Compile-in support for a FIPS mode. LP: #2032659

 -- Dimitri John Ledkov <email address hidden> Tue, 22 Aug 2023 16:06:53 +0100

Changed in cryptsetup (Ubuntu Mantic):
status: New → Fix Released
description: updated
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted cryptsetup into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cryptsetup/2:2.4.3-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
description: updated
Changed in cryptsetup (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Using jammy daily iso built with proposed packages 20231018

cryptsetup 2:2.4.3-1ubuntu1.2
cryptsetup-bin 2:2.4.3-1ubuntu1.2
cryptsetup-initramfs 2:2.4.3-1ubuntu1.2
libcryptsetup12:amd64 2:2.4.3-1ubuntu1.2

Install and booted encrypted system were fine.

Running cryptsetup luksFormat on sample disks with that version versus 1.1 (previous sru) yielded identical or statistically insignificant results for the benchmarks, meaning same minimal security guarantees are preserved. In default vanilla install.

This complete vanilla Ubuntu tests. Will do FIPS tests next.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

core22 snap is not using cryptsetup from the ubuntu archive and instead uses a forked crytpsetup with ICE feature enabled.

which is inline enabled in https://launchpad.net/~ubuntu-security/+archive/ubuntu/fde-ice

that build of cryptsetup should be redone on not of this SRU update.

Also I am questioning why Ubuntu Core 22 supports cryptsetup with ICE features, and Ubuntu 22.04 classic does not, given such enablement is likely benefitial on classic systems too.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.