Public bug reported:

[ Impact ]

 * Ubuntu builds regular kernels without FIPS configuration enabled at compile 
time
 * Canonical also builds FIPS kernels with FIPS configuration enabled at 
compile time, intended to only be used in FIPS mode
 * Currently, due to upstream patches, this requires additional runtime 
configuration of the bootloader to always specify `fips=1` to turn on FIPS mode at 
runtime, as it is off by default
 * This adds additional complexity when performing autopkgtests, creating 
Ubuntu Core images, switching to/from Pro FIPS, and drafting and verifying 
security policy
 * All of this can be avoided if fips=1 is the implicit default for the FIPS 
kernels.
 * This has no effect on regular kernels

[ Test Plan ]

 * generic kernel build should have no effect / no changes, as only dead code
is patched, i.e. /proc/sys/crypto/fips_enabled is not present

 * fips kernel build should have the following content in the 
/proc/sys/crypto/fips_enabled file:
   + without any fips= setting fips_enabled should be set to 1 (new behaviour)
   + with fips=1 setting fips_enabled should be set to 1 (double check existing 
behaviour)
   + with fips=0 setting fips_enabled should be set to 0 (double check existing 
behaviour)

 * pro client can continue to set fips=1, just in case, as older
certified fips kernels still require this setting.

[ Where problems could occur ]

 * Some 3rd party tools do not consult /proc/sys/crypto/fips_enabled and
instead rely on the kernel cmdline containing "fips=1". They are wrong, but
there is also no current intention to break any such users, as the pro client
will continue to set fips=1 for now.
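The checks from the test plan above, together with the cmdline-versus-sysctl distinction raised under "Where problems could occur", as an added example that is not part of this bug report or of Ubuntu's kernel packaging. It treats /proc/sys/crypto/fips_enabled as the authoritative FIPS state and reports the cmdline token separately, so a tool that only greps /proc/cmdline can be compared against what the kernel actually did. `expected_fips_enabled` encodes the test plan's new behaviour (a FIPS kernel with no fips= setting reports 1), not upstream's default of 0. The function names, the file-path arguments (there so the checks can be run offline against constructed files), and the "last fips= occurrence wins" rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or Ubuntu kernel sources.
# Verifies the FIPS state of a running kernel against the test plan:
#   generic kernel: /proc/sys/crypto/fips_enabled must be absent
#   fips kernel:    no fips= -> 1, fips=1 -> 1, fips=0 -> 0

# Print the effective fips= value from a kernel command line string, or
# "unset" if no fips= token is present.
# Assumption: as with repeated kernel __setup() parameters, the last one wins.
cmdline_fips_value() {
    cmdline="$1"
    value="unset"
    for tok in $cmdline; do
        case "$tok" in
            fips=*) value="${tok#fips=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Expected content of /proc/sys/crypto/fips_enabled for a kernel flavour
# ("generic" or "fips") booted with the given command line.
# "absent" means the sysctl file must not exist (CONFIG_CRYPTO_FIPS is off).
# Assumption: any fips= value other than 0 enables FIPS mode.
expected_fips_enabled() {
    flavour="$1"
    cmd="$2"
    case "$flavour" in
        generic) printf 'absent\n' ;;
        fips)
            case "$(cmdline_fips_value "$cmd")" in
                unset) printf '1\n' ;;   # new behaviour: FIPS kernels default on
                0)     printf '0\n' ;;   # explicit opt-out still honoured
                *)     printf '1\n' ;;
            esac ;;
        *) printf 'unknown\n'; return 1 ;;
    esac
}

# Read the live state from the given files (defaults are the real proc paths).
# Both values are shown because some tools look only at the cmdline token.
report_fips_state() {
    sysctl_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"
    if [ -r "$sysctl_file" ]; then
        sysctl_val="$(cat "$sysctl_file")"
    else
        sysctl_val="absent"
    fi
    cmd_val="$(cmdline_fips_value "$(cat "$cmdline_file")")"
    printf 'sysctl=%s cmdline=%s\n' "$sysctl_val" "$cmd_val"
}

# Compare the live state with the test plan's expectation for this flavour.
# Returns 0 on match, 1 on mismatch (details go to stderr).
verify_fips_state() {
    flavour="$1"
    sysctl_file="${2:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${3:-/proc/cmdline}"
    if [ -r "$sysctl_file" ]; then
        actual="$(cat "$sysctl_file")"
    else
        actual="absent"
    fi
    want="$(expected_fips_enabled "$flavour" "$(cat "$cmdline_file")")"
    if [ "$actual" = "$want" ]; then
        printf 'OK: %s kernel, fips_enabled=%s\n' "$flavour" "$actual"
        return 0
    fi
    printf 'MISMATCH: %s kernel, expected fips_enabled=%s, got %s\n' \
        "$flavour" "$want" "$actual" >&2
    return 1
}

# Usage on a real system (uses the real /proc paths):
#   verify_fips_state fips      # on the FIPS kernel
#   verify_fips_state generic   # on the generic kernel
```

Run `verify_fips_state fips` once per boot configuration from the test plan (no fips=, fips=1, fips=0) to cover all three rows; `report_fips_state` is the one to use when debugging a third-party tool that disagrees with the kernel, since it shows whether the disagreement comes from the sysctl or from the cmdline token.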

[ Other Info ]
 
 * Intention is to land this for noble, for the future noble fips kernels, and 
for the FIPS Updates kernels if at all possible.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: fips

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2049082

Title:
  FIPS kernels should default to fips mode

Status in linux package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2049082/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
