Just for reference: "libgcrypt20 is not a FIPS certified library" was
quite unclear to me. Both Red Hat and SUSE have finished FIPS
certifications for libgcrypt (for specific versions included in their
respective enterprise distributions). Afaict Ubuntu has not run through
this process at all, and
This bug was fixed in the package libgcrypt20 - 1.6.5-2ubuntu0.4
---
libgcrypt20 (1.6.5-2ubuntu0.4) xenial; urgency=medium
* Disable the library reading /proc/sys/crypto/fips_enabled file
and going into FIPS mode. This fixes a hang on boot when using a
FIPS-enabled kernel wi
The gvfs autopkgtest is also failing on vanilla gvfs - ignoring failure
and releasing.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748310
Title:
[SRU][xenial]boot stalls looking for entropy in FI
Thanks for the testing and update, Alex!
I have tested libgcrypt20_1.6.5-2ubuntu0.4 on roughly ten 16.04.3
desktop installations with encrypted root filesystems and the fips
modules enabled. This patch appears to correct the bug.
** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial
Details of the VM tested on.
cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubun
I tested libgcrypt20 (1.6.5-2ubuntu0.4) from xenial-proposed with the following
configurations -
a) On a xenial VM running 16.04.3 server ISO with encrypted installation and
fips enabled, the package fixes boot delays. Tested with both fips=1 and fips=0
and both cases work with no issues.
b) On
Thanks Vineetha.
To clarify for any observers, here's my understanding:
Ubuntu doesn't ship with a FIPS kernel by default.
If a user does use a FIPS enabled kernel, then libgcrypt20 detects this
and activates its own FIPS mode.
libgcrypt20 in Xenial's FIPS mode requires using /dev/random, which
Hi Robie,
For any kernel shipped by Canonical (excluding the Canonical FIPS
kernel), /proc/sys/crypto/fips_enabled file does not exist.
The kernel has to be compiled with "CONFIG_CRYPTO_FIPS" for the file to
be even created and then based on the kernel command line parameters
fips=1 or fips=0, th
Hi Vineetha,
To help me understand the user impact, is /proc/sys/crypto/fips_enabled
ever 1 on any kernel shipped by Ubuntu itself (so excluding the
Canonical FIPS kernel)?
This bug was fixed in the package libgcrypt20 - 1.8.1-4ubuntu1
---
libgcrypt20 (1.8.1-4ubuntu1) bionic; urgency=medium
* Disable the library reading /proc/sys/crypto/fips_enabled file
and going into FIPS mode. libgcrypt is not a FIPS certified library.
(LP: #1748310)
- d
ACK on the debdiffs in comments #10 and #11. I've uploaded them to
bionic and to xenial for processing by the SRU team with a slight change
to the version number and LP tag.
Thanks!
** Changed in: libgcrypt20 (Ubuntu Xenial)
Status: New => In Progress
** Changed in: libgcrypt20 (Ubuntu)
** Attachment added: "debdiff.bionic"
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+attachment/5056878/+files/debdiff.bionic
We have zeroed in on a better solution of disabling the reading of the
fips_enabled file on a FIPS system than the previous patches.
Please ignore the diffs in previous comments.
The xenial build and test runs are here -
https://launchpadlibrarian.net/357322446/buildlog_ubuntu-xenial-amd64.libgcrypt20
** Attachment added: "debdiff.xenial"
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+attachment/5056857/+files/debdiff.xenial
** Description changed:
[IMPACT]
- libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code pat
** Description changed:
[IMPACT]
libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code pat
xenial debdiff
** Attachment added: "debdiff.xenial"
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+attachment/5055411/+files/debdiff.xenial
Please ignore earlier comments. The fix was updated to remove self
tests.
The build logs and test runs for xenial are here -
https://launchpadlibrarian.net/357025470/buildlog_ubuntu-xenial-amd64.libgcrypt20_1.6.5-2ubuntu0.3+xenial.1_BUILDING.txt.gz
xenial package build is available on my ppa here -
https://launchpad.net/~vineetha/+archive/ubuntu/gcrypt-xenial/
** Description changed:
[IMPACT]
libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/c
bionic debdiff
** Attachment added: "debdiff.bionic"
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+attachment/5055412/+files/debdiff.bionic
The build logs and test runs for bionic are on my ppa here -
https://launchpadlibrarian.net/357038358/buildlog_ubuntu-bionic-amd64.libgcrypt20_1.8.1-4+bionic.1_BUILDING.txt.gz
The package build is available here -
https://launchpad.net/~vineetha/+archive/ubuntu/libgcrypt-bionic
** Description changed:
[IMPACT]
libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code pat
** Also affects: libgcrypt20 (Ubuntu Xenial)
Importance: Undecided
Status: New
Please read comment #1 as build log and test run.
** Description changed:
[IMPACT]
libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code pat
build log is here in my ppa -
https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/14330187
debdiff.xenial
** Attachment added: "debdiff.xenial"
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+attachment/5052125/+files/debdiff.xenial
** Description changed:
- libgcrypt20 is not a FIPS certified library. On a machine running FIPS
- enabled kernel, the library automatically goes into FIPS mode if
- /proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable option
- currently in the library. In FIPS mode, it runs self tests
** Summary changed:
- boot stalls looking for entropy in FIPS mode
+ [SRU][xenial]boot stalls looking for entropy in FIPS mode
** Changed in: libgcrypt20 (Ubuntu)
Assignee: (unassigned) => Vineetha Hari Pai (vineetha)