SRU Justification:
Impact: The kernel crypto API rejects weak XTS keys in FIPS mode, and the current version of cryptsetup in xenial runs some tests with a zeroed key to check cipher availability in the kernel. Combined, these two behaviors make it impossible to use disk encryption with XTS while running a kernel in FIPS mode.
Fix: apply the following fix to cryptsetup:
https://gitlab.com/cryptsetup/cryptsetup/commit/3c2135b36bbc52d052e4ced7c94dc4981eb07a53
Testcase: Try to set up disk encryption with XTS while the kernel is in FIPS mode.
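
The interaction described under Impact, as an added example that is not code from the kernel or from cryptsetup: a simplified model of the FIPS-mode XTS key check, showing why an all-zero probe key is refused. The names `xts_check_key_model` and `probe_with_fill` are hypothetical, the FIPS flag is passed as a parameter rather than read from the running kernel, and `memcmp` stands in for the kernel's constant-time comparison.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the XTS key sanity check (assumption: the real check
 * lives in the kernel crypto API and reads its own fips_enabled flag). */
static int xts_check_key_model(const unsigned char *key, size_t keylen,
                               int fips_enabled)
{
    /* An XTS key is two equal-sized keys concatenated: length must be even. */
    if (keylen == 0 || keylen % 2 != 0)
        return -EINVAL;

    /* In FIPS mode a key whose two halves are identical is weak: reject. */
    if (fips_enabled && memcmp(key, key + keylen / 2, keylen / 2) == 0)
        return -EINVAL;

    return 0;
}

/* Constructed probe: build a 64-byte (AES-256-XTS sized) key that is either
 * all zeros or has distinct halves, then run it through the check. */
static int probe_with_fill(int zeroed, int fips_enabled)
{
    unsigned char key[64];

    memset(key, 0, sizeof(key));
    if (!zeroed)
        for (size_t i = 0; i < sizeof(key); i++)
            key[i] = (unsigned char)i;   /* halves differ */

    return xts_check_key_model(key, sizeof(key), fips_enabled);
}

int main(void)
{
    printf("zeroed key, FIPS off: %d\n", probe_with_fill(1, 0));
    printf("zeroed key, FIPS on:  %d\n", probe_with_fill(1, 1));
    printf("distinct halves, FIPS on: %d\n", probe_with_fill(0, 1));
    return 0;
}
```

A zeroed key has two identical halves, so an availability probe that uses one fails in FIPS mode even though the cipher itself is present.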