[SRU][xenial]boot stalls looking for entropy in FIPS mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libgcrypt20 (Ubuntu) | Fix Released | Undecided | Vineetha Kamath | |
| Xenial | Fix Released | Undecided | Vineetha Kamath | |
Bug Description
[IMPACT]
libgcrypt20 is not a FIPS-certified library. On a machine running a FIPS-enabled kernel, the library by default goes into FIPS mode if /proc/sys/
On encrypted installations, cryptsetup uses libgcrypt20. During boot on an encrypted machine running in FIPS mode, cryptsetup invokes libgcrypt and it stalls looking for quality entropy from /dev/random. This results in significant delays during startup. The issue was reported by a FIPS customer.
The issue impacts libgcrypt versions in xenial and bionic.
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
version - 1.6.5-2ubuntu0.3
lsb_release -rd
Description: Ubuntu Bionic Beaver (development branch)
Release: 18.04
version - 1.8.1-4
[FIX]
This fix proposes to disable libgcrypt reading /proc/sys/
reading this file and running in FIPS mode. libgcrypt is not one of our FIPS-certified modules, so it should not be reading this file alongside our FIPS-certified modules to determine whether to run in FIPS mode. The libgcrypt FIPS code in xenial is outdated, and some of its algorithms are no longer allowed by the current FIPS 140-2 standard.
However, users do have the option to create a /etc/gcrypt/
file manually and force libgcrypt to run in FIPS mode. We propose to leave this as is, so as not to regress anyone who is using this option. We believe a user who uses this option is doing so with awareness.
[TEST]
Tested on a VM installed with the xenial desktop ISO and one with the xenial server ISO. Enabled full disk encryption during install. Tested with and without FIPS. No delays were observed during boot after the fix patch was applied.
Tested on a VM installed with the Bionic development-release desktop ISO with full disk encryption. Installed the xenial FIPS kernel and the fixed libgcrypt, and did not observe any delays during boot.
With FIPS enabled on an encrypted install, without the fix, the boot stalls before and after prompting for the decryption password. In desktop installations, a delay is observed during GUI startup as well.
[REGRESSION POTENTIAL]
The regression potential for this is small. A fips kernel is required to
create /proc/sys/
/etc/gcrypt/
changed.
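The two inputs discussed above (the kernel FIPS flag that libgcrypt used to consult, and the manual override file that still forces FIPS mode after the fix) plus the kernel's entropy counter are what an administrator checks when a boot stalls like this. The following diagnostic is an added example, not code from the bug report or from libgcrypt; the full file paths it uses (/proc/sys/crypto/fips_enabled, /etc/gcrypt/fips_enabled, /proc/sys/kernel/random/entropy_avail) are assumptions drawn from the kernel and libgcrypt documentation, since the report above only shows their prefixes, and the 256-bit warning threshold is chosen for illustration.

```shell
#!/bin/sh
# Added diagnostic (not part of the bug report or of libgcrypt). Reports the
# inputs that decide whether libgcrypt enters FIPS mode and whether a blocking
# read of /dev/random can stall for lack of entropy.
# Assumed paths (the report only shows their prefixes); override via env vars.
KERNEL_FIPS_FLAG="${KERNEL_FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
GCRYPT_FORCE_FILE="${GCRYPT_FORCE_FILE:-/etc/gcrypt/fips_enabled}"
ENTROPY_COUNTER="${ENTROPY_COUNTER:-/proc/sys/kernel/random/entropy_avail}"
LOW_ENTROPY_BITS=256   # illustrative threshold, not a kernel constant

# first_line FILE: print the first line of FILE, or nothing if it is not
# readable. Always exits 0 so it is safe under 'set -e'.
first_line() {
    if [ -r "$1" ]; then
        head -n 1 "$1" 2>/dev/null || true
    fi
    return 0
}

# fips_state KERNEL_FLAG FORCE_FILE
# Prints "forced" when the manual override file exists (this still applies
# after the fix), "kernel" when the kernel flag reads 1 (what unpatched
# libgcrypt keyed on), and "off" otherwise.
fips_state() {
    if [ -e "$2" ]; then
        echo forced
    elif [ "$(first_line "$1")" = "1" ]; then
        echo kernel
    else
        echo off
    fi
}

# entropy_low COUNTER_FILE THRESHOLD
# Exits 0 when the counter is readable, numeric and below THRESHOLD, i.e. when
# a blocking /dev/random reader (such as cryptsetup at boot) would wait for
# more entropy. Exits 1 when the counter is missing or at/above THRESHOLD.
entropy_low() {
    avail=$(first_line "$1")
    case "$avail" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$avail" -lt "$2" ]
}

# report: human-readable summary for the running system; exits 1 when FIPS
# mode is active and the entropy pool is low (the stall condition).
report() {
    state=$(fips_state "$KERNEL_FIPS_FLAG" "$GCRYPT_FORCE_FILE")
    avail=$(first_line "$ENTROPY_COUNTER")
    echo "libgcrypt FIPS mode source : $state"
    echo "kernel entropy_avail       : ${avail:-unknown}"
    if [ "$state" != off ] && entropy_low "$ENTROPY_COUNTER" "$LOW_ENTROPY_BITS"; then
        echo "WARNING: FIPS mode active and entropy pool is low; blocking /dev/random reads may stall"
        return 1
    fi
    return 0
}

# Run the report when the script is executed; '|| :' keeps a warning from
# aborting a caller that has 'set -e' enabled.
report || :
```

Run it on the affected machine before and after installing the fixed package: on an unpatched xenial system with the FIPS kernel the source shows "kernel"; after the fix only a manually created override file ("forced") puts libgcrypt into FIPS mode.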
tags: | added: xenial |
summary: | boot stalls looking for entropy in FIPS mode → [SRU][xenial]boot stalls looking for entropy in FIPS mode |
Changed in libgcrypt20 (Ubuntu): | |
assignee: | nobody → Vineetha Hari Pai (vineetha) |
description: | updated |
tags: |
added: verification-done verification-done-xenial removed: verification-needed verification-needed-xenial |
build log is here in my PPA - https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/14330187