Ubuntu
cryptsetup package

Fix XTS encryption with FIPS enabled kernels

Bug #1715010 reported by Marcelo Cerri
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Fix Released
Medium
Marcelo Cerri
Xenial
Fix Released
Undecided
Unassigned
Zesty
Triaged
Medium
Unassigned

Bug Description

SRU Justification:

Impact: The kernel crypto API rejects weak XTS keys in FIPS mode and the current version of cryptsetup in xenial do some tests with a zeroed key to check cipher availability in the kernel. These two behaviors combined make impossible to use disk encryption with XTS while using a kernel in FIPS mode.

Fix: apply the following fix to cryptsetup:

https://gitlab.com/cryptsetup/cryptsetup/commit/3c2135b36bbc52d052e4ced7c94dc4981eb07a53

Testcase: Try to setup disk encryption with XTS while the kernel is in FIPS mode.

N.B.: This is not yet fixed in artful so cannot be released.

See original description
Marcelo Cerri (mhcerri)
Changed in cryptsetup (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

We'll have to wait with releasing the xenial change until the artful's 2:1.7.3-4ubuntu1 version migrates to the release pocket.

By the way - seeing this bug, doesn't this also affect zesty?

Changed in cryptsetup (Ubuntu):
status: In Progress → Fix Committed
Changed in cryptsetup (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Marcelo, or anyone else affected,

Accepted cryptsetup into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/cryptsetup/2:1.6.6-5ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Joy Latten (j-latten) wrote :

Hi, I installed the proposed cryptsetup and ran the common criteria testcases for cryptsetup, that before had failed. My environment includes the fips-supported kernel and modules. With the new cryptsetup, all the common criteria cryptsetup testcases passed.

Brian Murray (brian-murray)
tags: added: verification-done-xenial
removed: verification-needed-xenial
description: updated
Brian Murray (brian-murray)
Changed in cryptsetup (Ubuntu):
status: Fix Committed → Fix Released
Changed in cryptsetup (Ubuntu Zesty):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cryptsetup - 2:1.6.6-5ubuntu2.1

---------------
cryptsetup (2:1.6.6-5ubuntu2.1) xenial; urgency=medium

  * d/p/fips-fix-luksformat-with-recent-kernels -- fix luksFormat with recent
    FIPS enabled kernels. (LP: #1715010)

 -- Marcelo Henrique Cerri <email address hidden> Thu, 10 Aug 2017 10:49:02 -0300

Changed in cryptsetup (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for cryptsetup has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.