[ Impact ]
* Cryptsetup has some FIPS awareness.
* Ubuntu provides FIPS-certified kernels and OpenSSL.
* When vanilla cryptsetup observes a FIPS kernel and OpenSSL, it fails to operate at all.
* It appears the FIPS awareness in the cryptsetup package is obsolete and out of date, i.e. if none of the checks were present it would actually behave in a FIPS-compliant way, but it currently fails instead.
[ Test Plan ]
* Cherry-pick updated patches to cryptsetup to ensure it has correct, modern FIPS mode detection.
* Observe that cryptsetup can create a new encrypted volume successfully, with unchanged behaviour, on vanilla Ubuntu.
* Observe that cryptsetup can create a new encrypted volume successfully on FIPS Ubuntu.
[ Where problems could occur ]
* The change is confined to cryptsetup's backend usage (typically OpenSSL) and is related to detecting kernel and OpenSSL modes. There are no other functional changes. However, strace output will look slightly different: cryptsetup will try to open /proc/sys/crypto/fips and call into additional OpenSSL APIs.
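As an added illustration (not cryptsetup's own code and not the patch from this bug), here is a minimal kernel-side FIPS mode probe of the kind the bullet above describes: it opens /proc/sys/crypto/fips and treats a value of 1 as FIPS mode enabled, anything else (including an absent file on a kernel without FIPS support) as disabled. The path constant, the function names and the write_sample_sysctl helper are this example's own; the helper exists only so the probe can be exercised against constructed sample files rather than the live sysctl.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not cryptsetup's code): kernel FIPS mode detection via
 * the /proc/sys/crypto/fips sysctl named in the bug report. The kernel
 * exposes "1" when booted with fips=1 and "0" otherwise; the file is
 * absent when FIPS support is not compiled into the kernel. */
#define KERNEL_FIPS_PATH "/proc/sys/crypto/fips"

/* Returns 1 if the sysctl file at `path` reports FIPS mode enabled,
 * 0 if it reports disabled, is empty, malformed, or cannot be read.
 * Unreadable is deliberately treated as "not FIPS" so that a non-FIPS
 * kernel keeps the vanilla code path. */
int kernel_fips_enabled_from(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    memset(buf, 0, sizeof(buf));
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    if (n == 0)
        return 0;
    /* the sysctl value is a single digit, optionally followed by '\n' */
    return buf[0] == '1' && (n == 1 || buf[1] == '\n');
}

/* Probe the real kernel sysctl. */
int kernel_fips_enabled(void)
{
    return kernel_fips_enabled_from(KERNEL_FIPS_PATH);
}

/* Test helper only: write a constructed sysctl sample to `path`.
 * Returns 0 on success, -1 on failure. */
int write_sample_sysctl(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fputs(content, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    printf("kernel FIPS mode: %s\n",
           kernel_fips_enabled() ? "enabled" : "disabled");
    return 0;
}
```

The OpenSSL side of the detection the bullet refers to is not linked in here, to keep the example dependency-free; on OpenSSL 3 the corresponding library call is, as far as I know, EVP_default_properties_is_fips_enabled(NULL), which reports whether the FIPS provider is the default. A practitioner comparing strace output before and after the patch should expect to see the openat() of /proc/sys/crypto/fips from this kind of probe even on a non-FIPS system, where it simply returns 0.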
[ Other Info ]
* Detected during FIPS certification of Jammy