This bug was fixed in the package linux - 6.8.0-11.11

---------------
linux (6.8.0-11.11) noble; urgency=medium

  * noble/linux: 6.8.0-11.11 -proposed tracker (LP: #2053094)

  * Miscellaneous Ubuntu changes
    - [Packaging] riscv64: disable building unnecessary binary debs

 -- Paolo Pisati <paolo.pis...@canonical.com>  Wed, 14 Feb 2024 00:04:31 +0100

** Changed in: linux (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/2049082

Title:
  FIPS kernels should default to fips mode

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  [ Impact ]

   * Ubuntu builds regular kernels without FIPS configuration enabled at
     compile time

   * Canonical also builds FIPS kernels with FIPS configuration enabled at
     compile time, intended to only be used in FIPS mode

   * Currently, due to upstream patches, this thus requires additional
     runtime configuration of bootloader to always specify `fips=1` to
     turn on FIPS mode at runtime, as it is off by default

   * This adds additional complexity when performing autopkgtests,
     creating Ubuntu Core images, switching to/from Pro FIPS, drafting
     and verify security policy

   * Instead all of this can be avoided, if fips=1 is the implicit
     default for the FIPS kernels.

   * This has no effect on regular kernels

  [ Test Plan ]

   * generic kernel build should have no effect / no changes, as dead
     code is patched. I.e. /proc/sys/crypto/fips_enabled not present

   * fips kernel build should have the following content in the
     /proc/sys/crypto/fips_enabled file:

     + without any fips= setting fips_enabled should be set to 1 (new
       behaviour)

     + with fips=1 setting fips_enabled should be set to 1 (double check
       existing behaviour)

     + with fips=0 setting fips_enabled should be set to 0 (double check
       existing behaviour)

   * pro client can continue to set fips=1, just in case, as older
     certified fips kernels still require this setting.

  [ Where problems could occur ]

   * Some 3rd party tools do not consult /proc/sys/crypto/fips_enabled
     and rely on access to the kernel cmdline "fips=1", they are wrong,
     but also there is no current intention to break any such users, as
     pro client will continue to set fips=1 for now.

  [ Other Info ]

   * Intention is to land this for noble; for the future noble fips
     kernels. FIPS Updates kernels, if at all possible.
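
Added example (not part of the bug report or of Ubuntu's kernel packaging): a shell check that applies the test plan above to a running kernel by reading fips_enabled and comparing it with any fips= token on the command line, which is the lookup that cmdline-only tools skip. The function names, return codes and sample command line are constructed for illustration, and reporting the last fips= token when it is repeated is an assumption.

```shell
#!/bin/sh
# Added example, not Ubuntu's own test code. Function names and return codes
# are hypothetical; the two procfs paths are the ones named in the bug.

# Print the value of fips= on the given command-line file, or "unset".
# Assumption: when fips= is repeated, the last occurrence is reported.
cmdline_fips() {
    val=$(tr -s '[:space:]' '\n' < "$1" | sed -n 's/^fips=//p' | tail -n 1)
    [ -n "$val" ] || val=unset
    printf '%s\n' "$val"
}

# check_fips_kernel [FIPS_ENABLED_FILE] [CMDLINE_FILE]
# Returns 0 = matches the test plan, 1 = mismatch,
#         2 = fips_enabled absent (generic kernel), 3 = value not in the plan.
check_fips_kernel() {
    enabled_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    if [ ! -e "$enabled_file" ]; then
        echo "fips_enabled not present: kernel built without FIPS configuration"
        return 2
    fi
    actual=$(cat "$enabled_file")
    setting=$(cmdline_fips "$cmdline_file")
    case "$setting" in
        unset|1) expected=1 ;;   # new default, and existing fips=1 behaviour
        0)       expected=0 ;;   # explicit fips=0 is still honoured
        *)       echo "fips=$setting is not covered by the test plan"; return 3 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "PASS: fips=$setting fips_enabled=$actual"
        return 0
    fi
    echo "FAIL: fips=$setting fips_enabled=$actual (expected $expected)"
    return 1
}

# Constructed sample: FIPS kernel booted with no fips= on the command line.
# A tool that only greps the command line would report FIPS mode as off here.
demo_dir=$(mktemp -d)
echo 1 > "$demo_dir/fips_enabled"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$demo_dir/cmdline"
check_fips_kernel "$demo_dir/fips_enabled" "$demo_dir/cmdline"
rm -rf "$demo_dir"
```

Called with no arguments, check_fips_kernel reads the live /proc/sys/crypto/fips_enabled and /proc/cmdline.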