Comment 16 for bug 1748310

Revision history for this message
Robie Basak (racb) wrote :

Thanks Vineetha.

To clarify for any observers, here's my understanding:

Ubuntu doesn't ship with a FIPS kernel by default.

If a user does use a FIPS enabled kernel, then libgcrypt20 detects this and activates its own FIPS mode.

libgcrypt20 in Xenial's FIPS mode requires using /dev/random, which can block when using full disk encryption during early boot up. This issue is tracked in this bug. The Xenial version of libcrypt code is outdated with respect to latest FIPS 140-2 specifications and parts of it uses non-compliant algorithms.

Our fix is to disable libgcrypt20's FIPS mode, which is fine because it isn't certified anyway.

This shouldn't regress existing users because Ubuntu's kernel does not ship with FIPS enabled and so this mode in libgcrypt20 doesn't activate in the usual case anyway.

For users who are using a FIPS-enabled kernel, Vineetha and her team will perform SRU verification as normal to test the update once it is in proposed.

We've tweaked the changelog entry for the SRU a little to make it clear that users who aren't using a FIPS kernel shouldn't be affected by this SRU.