** Also affects: libgcrypt20 (Ubuntu Xenial)
[SRU][xenial]boot stalls looking for entropy in FIPS mode
Status in libgcrypt20 package in Ubuntu:
Status in libgcrypt20 source package in Xenial:
libgcrypt20 is not a FIPS certified library. On a machine running a FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code paths are always executed on a FIPS
enabled machine. In FIPS mode, it runs self tests and integrity checks and it
looks for quality entropy from /dev/random.
On encrypted installations, cryptsetup uses libgcrypt20. During boot
on an encrypted machine running in FIPS mode, cryptsetup invokes
libgcrypt and it stalls looking for quality entropy from /dev/random.
This results in significant delays during startup. The issue was
reported by a FIPS customer.
This issue impacts xenial's version of libgcrypt. In the later version of
libgcrypt in Bionic, the entropy device is a global configurable
option via /etc/gcrypt/random.conf config file. The config setting
"only-urandom" can be used to set the entropy device to /dev/urandom
globally in libgcrypt.
Description: Ubuntu 16.04.3 LTS
version - 1.6.5-2ubuntu0.3
Get entropy from /dev/urandom device in FIPS mode. This does not block.
Tested on a VM installed with xenial desktop iso and one with xenial server
iso. Enabled full disk encryption during install. Tested with and without FIPS.
No delays were observed during boot after the fix patch was applied.
With FIPS enabled on encrypted install, without the patch fix, the
boot stalls before and after prompting for decryption password.
The regression potential for this is small. This patch does not take away
current functionality. It changes the entropy device in FIPS mode to
/dev/urandom to get faster entropy.
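A triage check for the condition described in this report, as an added example that is not part of the bug report or of libgcrypt: it reads the kernel FIPS flag and looks for an active "only-urandom" line in /etc/gcrypt/random.conf. The function names and verdict strings are hypothetical, treating lines that start with "#" as comments is an assumption, and the config file only matters on a libgcrypt that reads it (the Bionic version, per the report, not Xenial's 1.6.5).

```shell
#!/bin/sh
# Added example: paths are parameters so the logic can be run against
# constructed files as well as the live system.

# fips_mode [FILE] -> prints 1 if the kernel FIPS flag file contains "1", else 0
fips_mode() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# has_only_urandom [FILE] -> prints 1 if an uncommented "only-urandom" line exists
has_only_urandom() {
    f=${1:-/etc/gcrypt/random.conf}
    if [ ! -r "$f" ]; then
        echo 0
        return 0
    fi
    # Trim surrounding whitespace, drop comment lines (assumed to start with "#"),
    # then require the whole line to be the keyword.
    if sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$f" \
        | grep -v '^#' | grep -qx 'only-urandom'; then
        echo 1
    else
        echo 0
    fi
}

# entropy_stall_risk [FIPS_FILE] [CONF_FILE] -> prints one verdict:
#   not-fips              library will not take the FIPS code path
#   fips-urandom          FIPS mode, entropy device set to /dev/urandom
#   fips-blocking-random  FIPS mode, /dev/random in use (the stall in this report)
entropy_stall_risk() {
    fips=$(fips_mode "$1")
    urand=$(has_only_urandom "$2")
    if [ "$fips" = 0 ]; then
        echo "not-fips"
    elif [ "$urand" = 1 ]; then
        echo "fips-urandom"
    else
        echo "fips-blocking-random"
    fi
}

# With no arguments the real system paths are checked.
entropy_stall_risk
```

On Xenial a "fips-blocking-random" verdict is expected until the patched package is installed, since that libgcrypt version has no random.conf setting to consult.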