Thanks, I see all remaining remarks from comment #9 are addressed. The patch matches upstream, builds fine and passes local autopkgtests.
@Ghadi also provided additional evidence from the Security Engineering team:

sespiros: "Security standards might be able to provide a more authoritative answer but it looks good to me. imo this falls more into the bug category rather than a FIPS related change and separately I don't think it would be worth for instance solving it differently (like lowering the memory cost of pbkdf and keep using argon) since this helps with FIPS, it is a universe package (lower priority) and we are also not using clevis in our own FDE. I also don't think it should count as a security update. My first thought of potential breakage of existing ubuntu users that have already used clevis with keys generated with the old format seems to have already been discussed in the SRU."

chrisccoulson: "clevis isn't something we really care about or support, but I guess the change is ok given the justification that the entropy supplied to the KDF is high (we already made a similar change in Ubuntu Core for this reason). FTR, we did have someone request that the default KDF for cryptsetup be changed from argon2i (at the time - it's argon2id now) to pbkdf2 in order to satisfy FIPS requirements, and we declined that because its primary input is low entropy user passphrases, and we didn't see weakening security to meet certification requirements as a good trade off"

(Internal reference: https://chat.canonical.com/canonical/pl/pyi7wbx33irrfp1b5zbz79uagc)

LGTM. Sponsored for SRU review and unsubscribed ~ubuntu-sponsors.

https://launchpad.net/ubuntu/jammy/+queue?queue_state=1&queue_text=clevis

https://bugs.launchpad.net/bugs/2073429
Title: Jammy clevis forces argon2id for keyslots
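The justification quoted above (pbkdf2 is acceptable for clevis-bound keyslots because their input is high-entropy key material, while passphrase keyslots should keep a memory-hard KDF) can be checked on an existing LUKS2 volume. The following is an added example written for this comment, not code from the bug or from the clevis project; it assumes the keyslot/token JSON shape printed by `cryptsetup luksDump --dump-json-metadata`, and the metadata embedded here is constructed.

```python
import json

# Constructed LUKS2 metadata fragment in the shape of
# `cryptsetup luksDump --dump-json-metadata` (values made up, salts omitted).
SAMPLE_METADATA = json.loads("""
{
  "keyslots": {
    "0": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}},
    "1": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "pbkdf2", "hash": "sha256", "iterations": 1000000}},
    "2": {"type": "luks2", "key_size": 64,
          "kdf": {"type": "argon2id", "time": 4, "memory": 1048576, "cpus": 4}}
  },
  "tokens": {
    "0": {"type": "clevis", "keyslots": ["1"]},
    "1": {"type": "clevis", "keyslots": ["2"]}
  }
}
""")

def clevis_bound_slots(metadata):
    """Keyslot ids unlocked by a clevis token (fed a high-entropy key, not a passphrase)."""
    bound = set()
    for token in metadata.get("tokens", {}).values():
        if token.get("type") == "clevis":
            bound.update(token.get("keyslots", []))
    return bound

def audit_keyslots(metadata):
    """One record per keyslot: its KDF, whether clevis binds it, and a verdict.

    Verdict rule mirrors the reasoning in the bug: a clevis-bound slot may (and for
    FIPS must) use pbkdf2; a passphrase slot should keep argon2 (memory-hard).
    """
    bound = clevis_bound_slots(metadata)
    report = []
    for slot_id, slot in sorted(metadata.get("keyslots", {}).items(), key=lambda kv: int(kv[0])):
        kdf = slot.get("kdf", {}).get("type", "unknown")
        is_clevis = slot_id in bound
        if is_clevis:
            verdict = "ok" if kdf == "pbkdf2" else "argon2 on clevis slot (old clevis format, blocks FIPS)"
        else:
            verdict = "ok" if kdf.startswith("argon2") else "passphrase slot without memory-hard KDF"
        report.append({"slot": slot_id, "kdf": kdf, "clevis": is_clevis, "verdict": verdict})
    return report

if __name__ == "__main__":
    for row in audit_keyslots(SAMPLE_METADATA):
        print(row)
```

On a real system, feed the script the output of `cryptsetup luksDump --dump-json-metadata <device>` instead of the constructed sample; slot 2 above is the case this SRU leaves behind for keys bound before the fix (the SRU discussion covers those).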
