[Group.of.nepali.translators] [Bug 1748310] Re: [SRU][xenial]boot stalls looking for entropy in FIPS mode

2018-03-12 Thread Launchpad Bug Tracker
This bug was fixed in the package libgcrypt20 - 1.6.5-2ubuntu0.4

---
libgcrypt20 (1.6.5-2ubuntu0.4) xenial; urgency=medium

  * Disable the library reading /proc/sys/crypto/fips_enabled file
    and going into FIPS mode. This fixes a hang on boot when using a
    FIPS-enabled kernel with encrypted installations (LP: #1748310)
    - debian/patches/disable_fips_enabled_read.patch

 -- Vineetha Pai  Fri, 16 Feb 2018 13:31:19 -0500

** Changed in: libgcrypt20 (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748310

Title:
  [SRU][xenial]boot stalls looking for entropy in FIPS mode

Status in libgcrypt20 package in Ubuntu:
  Fix Released
Status in libgcrypt20 source package in Xenial:
  Fix Released

Bug description:
  [IMPACT]
  libgcrypt20 is not a FIPS certified library. On a machine running a FIPS
  enabled kernel, the library by default goes into FIPS mode if
  /proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile
  option currently in the library. Hence FIPS code paths are always executed
  on a FIPS enabled machine. In FIPS mode, it runs self tests and integrity
  checks and it looks for quality entropy from /dev/random. Additionally, in
  desktop environments, the gnome keyring daemon also queries libgcrypt for
  /dev/random entropy, slowing down the GUI startup.

  On encrypted installations, cryptsetup uses libgcrypt20. During boot
  on an encrypted machine running in FIPS mode, cryptsetup invokes
  libgcrypt and it stalls looking for quality entropy from /dev/random.
  This results in significant delays during startup. The issue was
  reported by a FIPS customer.

  The issue impacts libgcrypt versions in xenial and bionic.

  lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:  16.04

  version - 1.6.5-2ubuntu0.3

  lsb_release -rd
  Description:  Ubuntu Bionic Beaver (development branch)
  Release:  18.04

  version - 1.8.1-4

  [FIX]
  This fix proposes to disable libgcrypt reading /proc/sys/crypto/fips_enabled.
  We only want FIPS certified modules reading this file and running in FIPS
  mode. libgcrypt is not one of our FIPS certified modules, so it should not be
  reading this along with our FIPS certified modules to determine whether to
  run in FIPS mode. The libgcrypt FIPS code in xenial is outdated and some
  algorithms are no longer allowed by recent FIPS 140-2 standards.

  However, users do have the option to create a /etc/gcrypt/fips_enabled
  file, manually, and force libgcrypt to run in fips mode. We propose to
  leave this as is, so as to not regress anyone who is using this option.
  We believe a user who uses this option is doing so with awareness.

  [TEST]
  Tested on a VM installed with the xenial desktop ISO and one with the xenial
  server ISO. Enabled full disk encryption during install. Tested with and
  without FIPS. No delays were observed during boot after the fix patch was
  applied.

  Tested on a VM installed with Bionic development release version of
  desktop ISO with full disk encryption. Installed the xenial FIPS
  kernel and installed the fixed libgcrypt and did not observe any
  delays during the boot.

  With FIPS enabled on encrypted install, without the patch fix, the
  boot stalls before and after prompting for decryption password. In
  desktop installations, a delay is observed during the GUI startup as
  well.

  [REGRESSION POTENTIAL]
  The regression potential for this is small. A FIPS kernel is required to
  create /proc/sys/crypto/fips_enabled. For users forcing FIPS mode via
  /etc/gcrypt/fips_enabled or the control option in libgcrypt, nothing has
  changed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp


[Group.of.nepali.translators] [Bug 1748310] Re: [SRU][xenial]boot stalls looking for entropy in FIPS mode

2018-02-20 Thread Launchpad Bug Tracker
This bug was fixed in the package libgcrypt20 - 1.8.1-4ubuntu1

---
libgcrypt20 (1.8.1-4ubuntu1) bionic; urgency=medium

  * Disable the library reading /proc/sys/crypto/fips_enabled file
    and going into FIPS mode. libgcrypt is not a FIPS certified library.
    (LP: #1748310)
    - debian/patches/disable_fips_enabled_read.patch

 -- Vineetha Pai  Fri, 16 Feb 2018 13:45:04 -0500

** Changed in: libgcrypt20 (Ubuntu)
   Status: Fix Committed => Fix Released


Title:
  [SRU][xenial]boot stalls looking for entropy in FIPS mode

Status in libgcrypt20 package in Ubuntu:
  Fix Released
Status in libgcrypt20 source package in Xenial:
  In Progress



[Group.of.nepali.translators] [Bug 1748310] Re: [SRU][xenial]boot stalls looking for entropy in FIPS mode

2018-02-13 Thread Marc Deslauriers
** Also affects: libgcrypt20 (Ubuntu Xenial)
   Importance: Undecided
   Status: New


Title:
  [SRU][xenial]boot stalls looking for entropy in FIPS mode

Status in libgcrypt20 package in Ubuntu:
  New
Status in libgcrypt20 source package in Xenial:
  New

Bug description:
  [IMPACT]
  libgcrypt20 is not a FIPS certified library. On a machine running a FIPS
  enabled kernel, the library by default goes into FIPS mode if
  /proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile
  option currently in the library. Hence FIPS code paths are always executed
  on a FIPS enabled machine. In FIPS mode, it runs self tests and integrity
  checks and it looks for quality entropy from /dev/random.

  On encrypted installations, cryptsetup uses libgcrypt20. During boot
  on an encrypted machine running in FIPS mode, cryptsetup invokes
  libgcrypt and it stalls looking for quality entropy from /dev/random.
  This results in significant delays during startup. The issue was
  reported by a FIPS customer.

  This issue impacts xenial's version of libgcrypt. In the later version of
  libgcrypt in Bionic, the entropy device is a global configurable
  option via the /etc/gcrypt/random.conf config file. The config setting
  "only-urandom" can be used to set the entropy device to /dev/urandom
  globally in libgcrypt.

  lsb_release -rd
  Description:  Ubuntu 16.04.3 LTS
  Release:  16.04

  version - 1.6.5-2ubuntu0.3

  [FIX]
  Get entropy from /dev/urandom device in FIPS mode. This does not block.

  [TEST]
  Tested on a VM installed with the xenial desktop ISO and one with the xenial
  server ISO. Enabled full disk encryption during install. Tested with and
  without FIPS. No delays were observed during boot after the fix patch was
  applied.

  With FIPS enabled on encrypted install, without the patch fix, the
  boot stalls before and after prompting for decryption password.

  [REGRESSION POTENTIAL]
  The regression potential for this is small. This patch does not take away
  current functionality. It changes the entropy device in FIPS mode to
  /dev/urandom to get faster entropy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt20/+bug/1748310/+subscriptions

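An added audit script, not from this bug report or from libgcrypt, that checks from the filesystem alone which of the FIPS-mode triggers discussed in the thread are present on a host: the kernel flag the patched builds no longer read, the /etc/gcrypt/fips_enabled override that still forces FIPS mode, and the "only-urandom" setting of /etc/gcrypt/random.conf mentioned for the bionic library. The root-prefix argument and the patched/unpatched labels are this script's own assumptions; an application forcing FIPS mode through libgcrypt's control interface is not visible to it.

```shell
#!/bin/sh
# Added audit helper, not from the bug report or from libgcrypt itself. It
# checks the FIPS-mode triggers named in LP: #1748310: the kernel flag the
# Ubuntu patch stops libgcrypt from reading, the /etc/gcrypt/fips_enabled
# override that is still honoured, and the "only-urandom" keyword of
# /etc/gcrypt/random.conf (libgcrypt 1.7+, i.e. the bionic build, not xenial's).
# Functions take an optional root prefix (empty means the real "/") so they
# can be exercised against a constructed directory tree.

# 1 if /proc/sys/crypto/fips_enabled exists and holds 1 (FIPS kernel booted).
kernel_fips_flag() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo 1; else echo 0; fi
}

# 1 if the manual override file exists; its presence alone forces FIPS mode.
manual_fips_file() {
    if [ -e "${1:-}/etc/gcrypt/fips_enabled" ]; then echo 1; else echo 0; fi
}

# 1 if random.conf selects /dev/urandom globally, so FIPS mode cannot block
# on /dev/random the way the xenial 1.6.5 library did at boot.
only_urandom_configured() {
    f="${1:-}/etc/gcrypt/random.conf"
    if [ -r "$f" ] && grep -q '^[[:space:]]*only-urandom' "$f"; then echo 1; else echo 0; fi
}

# Mode libgcrypt would start in: "patched" models 1.6.5-2ubuntu0.4 and
# 1.8.1-4ubuntu1 (kernel flag ignored), "unpatched" the earlier builds that
# also honoured it. GCRYCTL_FORCE_FIPS_MODE set by an application is not
# visible on the filesystem and is not covered.
expected_mode() {
    root=${1:-}; build=${2:-patched}
    if [ "$(manual_fips_file "$root")" = 1 ]; then echo fips
    elif [ "$build" = unpatched ] && [ "$(kernel_fips_flag "$root")" = 1 ]; then echo fips
    else echo nofips; fi
}

report() {
    root=${1:-}
    printf 'kernel fips flag           : %s\n' "$(kernel_fips_flag "$root")"
    printf '/etc/gcrypt/fips_enabled   : %s\n' "$(manual_fips_file "$root")"
    printf 'only-urandom in random.conf: %s\n' "$(only_urandom_configured "$root")"
    printf 'patched build starts in    : %s\n' "$(expected_mode "$root" patched)"
    printf 'unpatched build starts in  : %s\n' "$(expected_mode "$root" unpatched)"
}

report "${ROOT:-}"
```

Set ROOT to a mounted image or chroot path to audit an offline root instead of the running host.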