Friday

[Bug 2049082] Re: FIPS kernels should default to fips mode

This bug is awaiting verification that the linux-gke/6.8.0-1004.7 kernel
in -proposed solves the problem. Please test the kernel and update this
bug with the results. If the problem is solved, change the tag
'verification-needed-noble-linux-gke' to 'verification-done-noble-linux-
gke'. If the problem still exists, change the tag 'verification-needed-
noble-linux-gke' to 'verification-failed-noble-linux-gke'.


If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.


See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: kernel-spammed-noble-linux-gke-v2 verification-needed-noble-linux-gke

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2049082

Title:
FIPS kernels should default to fips mode

Status in linux package in Ubuntu:
Fix Released

Bug description:
[ Impact ]

* Ubuntu builds regular kernels without FIPS configuration enabled at compile time
* Canonical also builds FIPS kernels with FIPS configuration enabled at compile time, intended to only be used in FIPS mode
* Currently, due to upstream patches, this requires additional runtime configuration of the bootloader to always specify `fips=1` to turn on FIPS mode at runtime, as it is off by default
* This adds additional complexity when performing autopkgtests, creating Ubuntu Core images, switching to/from Pro FIPS, and drafting and verifying security policy
* Instead all of this can be avoided, if fips=1 is the implicit default for the FIPS kernels.
* This has no effect on regular kernels

[ Test Plan ]

* generic kernel build should see no effect / no changes, as the patched
code is dead there, i.e. /proc/sys/crypto/fips_enabled is not present

* fips kernel build should have the following content in the /proc/sys/crypto/fips_enabled file:
+ without any fips= setting fips_enabled should be set to 1 (new behaviour)
+ with fips=1 setting fips_enabled should be set to 1 (double check existing behaviour)
+ with fips=0 setting fips_enabled should be set to 0 (double check existing behaviour)

* pro client can continue to set fips=1, just in case, as older
certified fips kernels still require this setting.

[ Where problems could occur ]

* Some 3rd party tools do not consult /proc/sys/crypto/fips_enabled
and rely on access to the kernel cmdline "fips=1", they are wrong, but
also there is no current intention to break any such users, as pro
client will continue to set fips=1 for now.

[ Other Info ]

* Intention is to land this for noble, for the future noble fips kernels, and for FIPS Updates kernels if at all possible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2049082/+subscriptions
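The test plan above boils down to reading /proc/sys/crypto/fips_enabled under three boot configurations and comparing it with the fips= value on the kernel command line. The script below is an added example for carrying out that check, not code from the bug report or from Ubuntu's kernel or pro-client tooling. It assumes the kernel exposes /proc/sys/crypto/fips_enabled only in FIPS builds (as the test plan states for Ubuntu's generic kernels), that /proc/cmdline holds the boot parameters, and that when fips= appears more than once the last occurrence wins; both file paths are parameters so the logic can be exercised offline against constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the bug report: check a running kernel's FIPS
# state against the behaviour the test plan describes. Assumes the kernel
# exposes /proc/sys/crypto/fips_enabled (only present in FIPS kernel builds
# on Ubuntu) and /proc/cmdline; both paths can be overridden so the check
# can run offline against constructed files.

# Print the effective fips= setting from a kernel command line string:
# "1", "0", or "unset". Assumes the last occurrence wins, since the kernel
# applies __setup handlers in command-line order.
fips_cmdline_value() {
    value="unset"
    for tok in $1; do
        case "$tok" in
            fips=1) value=1 ;;
            fips=0) value=0 ;;
        esac
    done
    printf '%s\n' "$value"
}

# Expected content of fips_enabled on a FIPS kernel carrying this fix:
# 1 when fips= is absent (the new default), otherwise the explicit value.
expected_fips_enabled() {
    case "$1" in
        unset) printf '1\n' ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Compare the sysctl against the expectation. Exit status:
#   0  FIPS kernel, fips_enabled matches the test plan
#   1  FIPS kernel, fips_enabled does not match
#   2  fips_enabled absent: a generic (non-FIPS) kernel build
check_fips_state() {
    sysctl_file="${1:-/proc/sys/crypto/fips_enabled}"
    cmdline_file="${2:-/proc/cmdline}"

    if [ ! -r "$sysctl_file" ]; then
        echo "fips_enabled not present: generic kernel, nothing to verify"
        return 2
    fi

    actual=$(cat "$sysctl_file")
    cmd_value=$(fips_cmdline_value "$(cat "$cmdline_file")")
    expected=$(expected_fips_enabled "$cmd_value")

    echo "cmdline fips=$cmd_value expected=$expected actual=$actual"

    # The caveat from the bug: tools that grep the cmdline for fips=1 instead
    # of reading the sysctl will misreport a kernel that is in FIPS mode by
    # default. Flag that case so the operator knows such tools are unreliable.
    if [ "$actual" = 1 ] && [ "$cmd_value" = unset ]; then
        echo "note: FIPS mode is on by default; cmdline-only checks will miss it"
    fi

    [ "$actual" = "$expected" ]
}

# Run against the live system when invoked as: sh fips-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_fips_state
fi
```

Run it once per boot configuration from the test plan (no fips=, fips=1, fips=0) and confirm exit status 0 each time; a distribution whose generic kernel ships fips_enabled=0 without CONFIG_CRYPTO_FIPS-style defaulting will report a mismatch, which is expected since the script encodes the fixed FIPS kernel's behaviour, not the generic one.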
