** Description changed:
libgcrypt20 is not a FIPS certified library. On a machine running FIPS
enabled kernel, the library by default goes into FIPS mode if
/proc/sys/crypto/fips_enabled=1. FIPS mode is not a configurable compile option
currently in the library. Hence FIPS code paths are always executed on a FIPS
enabled machine. In FIPS mode, it runs self tests and integrity checks and it
looks for quality entropy from /dev/random.
On encrypted installations, cryptsetup uses libgcrypt20. During boot on
an encrypted machine running in FIPS mode, cryptsetup invokes libgcrypt
and it stalls looking for quality entropy from /dev/random. This results
in significant delays during startup. The issue was reported by a FIPS
The issue impacts libgcrypt versions in xenial and bionic.
Description: Ubuntu 16.04.3 LTS
version - 1.6.5-2ubuntu0.3
Description: Ubuntu Bionic Beaver (development branch)
version - 1.8.1-4
- Disable the two self tests that require entropy from /dev/random during boot
in FIPS mode.
+ Disable the two self tests that require entropy from /dev/random in FIPS
mode. This will prevent delays during boot.
Tested on a VM installed with xenial desktop iso and one with xenial server
iso. Enabled full disk encryption during install. Tested with and without FIPS.
No delays were observed during boot after the fix patch was applied.
+ Tested on a VM installed with Bionic development release version of
+ desktop ISO with full disk encryption. Installed the xenial FIPS kernel
+ and installed the fixed libgcrypt and did not observe any delays during
+ the boot.
With FIPS enabled on encrypted install, without the patch fix, the boot
stalls before and after prompting for decryption password.
The regression potential for this is small. The two self tests disabled does
not impact any other functionality available in fips mode and non-fips mode of
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
[SRU][xenial]boot stalls looking for entropy in FIPS mode
To manage notifications about this bug go to:
ubuntu-bugs mailing list