Can you please be more verbose with the test plan? How do you confirm that the system is FIPS-enabled? Is this something I should be able to test myself in a VM? If so, how do I enable "fips-updates"? What is the failure mode I should see before testing your proposed version of ubuntu-release-upgrader?

** Changed in: ubuntu-release-upgrader (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: ubuntu-release-upgrader (Ubuntu Focal)
       Status: In Progress => Incomplete

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055825

Title:
  fips-updates: upgrade from 20.04 to 22.04 fails

Status in linux package in Ubuntu:
  Fix Committed
Status in ubuntu-release-upgrader package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in ubuntu-release-upgrader source package in Focal:
  Incomplete

Bug description:
  SRU Justification

  [Impact]

  Focal systems with fips-updates enabled cannot be upgraded to Jammy. During the upgrade, there is a point where the userspace packages are upgraded to their Jammy version, but are run on a Focal FIPS kernel. Specifically, the Jammy version of libgcrypt relies on the getrandom syscall with the GRND_RESEED flag set. This flag, however, is only implemented on the Jammy FIPS kernel. So, when the Jammy version of libgcrypt is run alongside a Focal FIPS kernel, a fatal error occurs.

  [Fix]

  Have getrandom not reject the GRND_RESEED flag. For Focal systems, this flag should only be used during the upgrade process from Focal to Jammy, as the Jammy userspace packages running on the Focal kernel will rely on it.

  [Test]

  Summary: In a FIPS enabled machine using the fips-updates channel, test the upgrade from Focal to Jammy.

  [Where things could go wrong]

  This touches the getrandom syscall, so we have many places where things could go wrong. However, we are just adding another possible flag for it, and not really adding/removing/altering any other functionality, so the regression potential is low.

  -------------------------------- Original Report -------------------------------

  Upgrade from 20.04 to 22.04 failed with "Fatal: unexpected error from getentropy: Invalid argument".

  We have fips-updates enabled thru Ubuntu Pro subscription. Tried to upgrade from 18.04 to 22.04. Upgrade from 18.04 to 20.04 is successful but upgrade from 20.04 to 22.04 failed. Apt or do-release-upgrade commands no longer working after the upgrade failed so we have to restore the host to the Ubuntu 20.04 snapshots.

  # lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 20.04.6 LTS
  Release: 20.04
  Codename: focal

  Upgrade log:

  Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
  Errors were encountered while processing:
   systemd
   ntfs-3g
   dbus
   libpam-systemd:amd64
   systemd-sysv
   libnss-systemd:amd64
   friendly-recovery
   samba-common-bin
   samba
   update-notifier-common
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
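
A pre-upgrade probe for the mismatch in the bug description above: it reads the kernel's FIPS switch and asks the running kernel whether getrandom accepts the reseed flag. This is an added example, not code from the bug report, the kernel patch or libgcrypt. The flag value 0x0008 is an assumption (the report does not state it), and the function names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* ASSUMPTION: the bug report does not give the flag's numeric value; 0x0008
 * is a placeholder. Take the real value from the Jammy FIPS kernel headers. */
#define GRND_RESEED_ASSUMED 0x0008u

enum probe { PROBE_ACCEPTED, PROBE_REJECTED, PROBE_OTHER };

/* Map a getrandom() result to a verdict; EINVAL means the flag is unknown. */
enum probe classify_probe(long ret, int err)
{
    if (ret >= 0)
        return PROBE_ACCEPTED;
    return err == EINVAL ? PROBE_REJECTED : PROBE_OTHER;
}

/* Ask the running kernel for 16 bytes with the given flags. */
enum probe probe_getrandom(unsigned int flags)
{
    unsigned char buf[16];
    long ret = syscall(SYS_getrandom, buf, sizeof buf, flags);
    return classify_probe(ret, errno);
}

/* Parse /proc/sys/crypto/fips_enabled: 1 = FIPS mode, 0 = off, -1 = unknown. */
int parse_fips_flag(const char *s)
{
    if (!s) return -1;
    if (s[0] == '1' && (s[1] == '\n' || s[1] == '\0')) return 1;
    if (s[0] == '0' && (s[1] == '\n' || s[1] == '\0')) return 0;
    return -1;
}

int main(void)
{
    char line[8] = "";
    FILE *f = fopen("/proc/sys/crypto/fips_enabled", "r");
    if (f) { if (!fgets(line, sizeof line, f)) line[0] = '\0'; fclose(f); }
    int fips = f ? parse_fips_flag(line) : -1;
    enum probe p = probe_getrandom(GRND_RESEED_ASSUMED);
    printf("fips_enabled=%d reseed_flag=%s\n", fips,
           p == PROBE_ACCEPTED ? "accepted" :
           p == PROBE_REJECTED ? "rejected (EINVAL)" : "other error");
    /* Exit 1 in the state the report describes: FIPS on, flag rejected. */
    return (fips == 1 && p == PROBE_REJECTED) ? 1 : 0;
}
```

A non-FIPS kernel also rejects an unknown getrandom flag with EINVAL, which is why the exit status depends on both checks.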