I have updated the bug description now.
The `sysctl crypto` command can be used to find out if a system is running in 
FIPS mode.
I believe you should be able to test and trigger the error by following the 
commands I have just added to the [Test] section.
The failure you'll see is now under the [Impact] section.

** Description changed:

  SRU Justification
  
  [Impact]
- Focal systems with fips-updates enabled cannot be upgraded to Jammy.  During
+ Some Focal systems with fips-updates enabled cannot be upgraded to Jammy. 
During
  the upgrade, there is a point where the userspace packages are upgraded to
- their Jammy version, but are run on a Focal FIPS kernel.  Specifically, the
+ their Jammy version, but are run on a Focal FIPS kernel. Specifically, the
  Jammy version of libgcrypt relies on the getrandom syscall with the 
GRND_RESEED
  flag set. This flag, however, is only implemented on the Jammy FIPS kernel. 
So,
  when the Jammy version of libgcrypt is run alongside a Focal FIPS kernel,
- a fatal error occurs.
+ a fatal error occurs as below (trimmed for readability):
+ 
+ ```
+ Fatal: unexpected error from getentropy: Invalid argument
+ fatal error in libgcrypt, file ../../src/misc.c, line 146, function 
_gcry_logv: internal error (fatal or bug)
+ Aborted (core dumped)
+ Processing triggers for mime-support (3.64ubuntu1) ...
+ Processing triggers for initramfs-tools (0.136ubuntu6.7) ...
+ update-initramfs: Generating /boot/initrd.img-5.4.0-1112-fips
+ Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
+ Processing triggers for man-db (2.9.1-1) ...
+ Errors were encountered while processing:
+  systemd
+  systemd-timesyncd
+ Fatal: unexpected error from getentropy: Invalid argument
+ fatal error in libgcrypt, file ../../src/misc.c, line 146, function 
_gcry_logv: internal error (fatal or bug)
+ Fatal: unexpected error from getentropy: Invalid argument
+ fatal error in libgcrypt, file ../../src/misc.c, line 146, function 
_gcry_logv: internal error (fatal or bug)
+ 
+ Upgrade complete
+ 
+ The upgrade has completed but there were errors during the upgrade
+ process.
+ ```
+ 
+ After that, the system becomes unusable and running some commands
+ (like shutdown) leads to errors:
+ 
+ ```
+ Fatal: unexpected error from getentropy: Invalid argument
+ fatal error in libgcrypt, file ../../src/misc.c, line 146, function 
_gcry_logv: internal error (fatal or bug)
+ Aborted (core dumped)
+ ```
  
  [Fix]
- Have getrandom not reject the GRND_RESEED flag. For Focal systems, this flag
- should only be used during the upgrade process from Focal to Jammy, as the
- Jammy userspace packages running on the Focal kernel will rely on it.
+ Focal FIPS kernel: have getrandom not reject the GRND_RESEED flag. For Focal
+ systems, this flag should only be used during the upgrade process from Focal
+ to Jammy, as the Jammy userspace packages running on the Focal kernel will 
rely
+ on it.
+ 
+ ubuntu-release-upgrader: block upgrades when a FIPS kernel without the
+ aforementioned fix is running in FIPS mode.
  
  [Test]
  Summary: In a FIPS enabled machine using the fips-updates channel, test the
  upgrade from Focal to Jammy.
  
+ To trigger the error, run the following commands:
+ 
+ pro attach <your-token>
+ pro enable fips --assume-yes
+ pro enable fips-updates --assume-yes
+ grub-reboot '1>2' # or any other command to boot into the -1024 kernel from 
the "fips" channel, obtained by enabling "fips" previously
+ reboot
+ sysctl crypto # Confirm the system is in FIPS mode
+ uname -a      # Confirm you're running an unfixed version of a FIPS kernel
+ apt upgrade -y
+ do-release-upgrade
+ 
  [Where things could go wrong]
- This touches the getrandom syscall, so we have many places where things could
- go wrong. However, we are just adding another possible flag for it, and not
- really adding/removing/altering any other functionality, so the regression
- potential is low.
+ Focal FIPS kernel: this touches the getrandom syscall, so we have many places
+ where things could go wrong. However, we are just adding another possible flag
+ for it, and not really adding/removing/altering any other functionality, so 
the
+ regression potential is low.
+ 
+ [Other info]
+ - The system upgrades successfully if fips=0 is set in the kernel command 
line,
+ which can be done by editing this parameter in 
/etc/default/grub.d/99-fips.cfg,
+ running `upgrade-grub` afterwards and rebooting.
+ - Running the latest available kernels from fips-updates should also lead to a
+ successful upgrade.
+ 
  
  -------------------------------- Original Report 
-------------------------------
  Upgrade from 20.04 to 22.04 failed with "Fatal: unexpected error from 
getentropy: Invalid argument". We have fips-updates enabled thru Ubuntu pro 
subscription. Tried to upgrade from 18.04 to 22.04. Upgrade from 18.04 to 204 
is successful but upgrade from 20.04 to 22.04 failed. Apt or do-release-upgrade 
commands no longer working after the upgrade failed so we have to restore the 
host to the Ubuntu 20.04 snapshots.
  
  # lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 20.04.6 LTS
  Release:        20.04
  Codename:       focal
  
  Upgrade log:
  Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
  Errors were encountered while processing:
   systemd
   ntfs-3g
   dbus
   libpam-systemd:amd64
   systemd-sysv
   libnss-systemd:amd64
   friendly-recovery
   samba-common-bin
   samba
   update-notifier-common
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function 
_gcry_logv: internal error (fatal or bug)
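Review bot: In the added [Other info] text, `upgrade-grub` is not the command that regenerates the GRUB configuration on Ubuntu; it should read `update-grub`, otherwise the fips=0 workaround cannot be followed as written. The added [Test] steps also ask the reader to confirm "an unfixed version of a FIPS kernel" with `uname -a` without saying which versions carry the fix; naming the first fixed kernel version in that step would make it checkable.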

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055825

Title:
  fips-updates: upgrade from 20.04 to 22.04 fails

Status in linux package in Ubuntu:
  Fix Committed
Status in ubuntu-release-upgrader package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in ubuntu-release-upgrader source package in Focal:
  Incomplete

Bug description:
  SRU Justification

  [Impact]
  Some Focal systems with fips-updates enabled cannot be upgraded to Jammy.
  During the upgrade, there is a point where the userspace packages are
  upgraded to their Jammy version, but are run on a Focal FIPS kernel.
  Specifically, the Jammy version of libgcrypt relies on the getrandom
  syscall with the GRND_RESEED flag set. This flag, however, is only
  implemented on the Jammy FIPS kernel. So, when the Jammy version of
  libgcrypt is run alongside a Focal FIPS kernel, a fatal error occurs as
  below (trimmed for readability):

  ```
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
  Aborted (core dumped)
  Processing triggers for mime-support (3.64ubuntu1) ...
  Processing triggers for initramfs-tools (0.136ubuntu6.7) ...
  update-initramfs: Generating /boot/initrd.img-5.4.0-1112-fips
  Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
  Processing triggers for man-db (2.9.1-1) ...
  Errors were encountered while processing:
   systemd
   systemd-timesyncd
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)

  Upgrade complete

  The upgrade has completed but there were errors during the upgrade
  process.
  ```

  After that, the system becomes unusable and running some commands
  (like shutdown) leads to errors:

  ```
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)
  Aborted (core dumped)
  ```

  [Fix]
  Focal FIPS kernel: have getrandom not reject the GRND_RESEED flag. For Focal
  systems, this flag should only be used during the upgrade process from Focal
  to Jammy, as the Jammy userspace packages running on the Focal kernel will
  rely on it.

  ubuntu-release-upgrader: block upgrades when a FIPS kernel without the
  aforementioned fix is running in FIPS mode.

  [Test]
  Summary: In a FIPS enabled machine using the fips-updates channel, test the
  upgrade from Focal to Jammy.

  To trigger the error, run the following commands:

  pro attach <your-token>
  pro enable fips --assume-yes
  pro enable fips-updates --assume-yes
  grub-reboot '1>2' # or any other command to boot into the -1024 kernel from the "fips" channel, obtained by enabling "fips" previously
  reboot
  sysctl crypto # Confirm the system is in FIPS mode
  uname -a      # Confirm you're running an unfixed version of a FIPS kernel
  apt upgrade -y
  do-release-upgrade

  [Where things could go wrong]
  Focal FIPS kernel: this touches the getrandom syscall, so we have many places
  where things could go wrong. However, we are just adding another possible flag
  for it, and not really adding/removing/altering any other functionality, so
  the regression potential is low.

  [Other info]
  - The system upgrades successfully if fips=0 is set in the kernel command
  line, which can be done by editing this parameter in
  /etc/default/grub.d/99-fips.cfg, running `update-grub` afterwards and
  rebooting.
  - Running the latest available kernels from fips-updates should also lead to a
  successful upgrade.

  
  -------------------------------- Original Report -------------------------------
  Upgrade from 20.04 to 22.04 failed with "Fatal: unexpected error from
  getentropy: Invalid argument". We have fips-updates enabled thru Ubuntu pro
  subscription. Tried to upgrade from 18.04 to 22.04. Upgrade from 18.04 to 204
  is successful but upgrade from 20.04 to 22.04 failed. Apt or do-release-upgrade
  commands no longer working after the upgrade failed so we have to restore the
  host to the Ubuntu 20.04 snapshots.

  # lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 20.04.6 LTS
  Release:        20.04
  Codename:       focal

  Upgrade log:
  Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
  Errors were encountered while processing:
   systemd
   ntfs-3g
   dbus
   libpam-systemd:amd64
   systemd-sysv
   libnss-systemd:amd64
   friendly-recovery
   samba-common-bin
   samba
   update-notifier-common
  Fatal: unexpected error from getentropy: Invalid argument
  fatal error in libgcrypt, file ../../src/misc.c, line 146, function _gcry_logv: internal error (fatal or bug)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2055825/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
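
The guard described under [Fix] (block the upgrade when a Focal FIPS kernel without the getrandom fix is running in FIPS mode), written out as an added shell example; it is not code from ubuntu-release-upgrader or from this bug. The function names are hypothetical, the minimum fixed ABI is an operator-supplied placeholder because the page does not state it, and only plain `X.Y.Z-ABI-fips` release strings are parsed; anything else in FIPS mode is blocked as a conservative choice of this example.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the Focal FIPS kernel / Jammy libgcrypt
# mismatch. MIN_FIXED_ABI is a placeholder the operator must supply; the bug
# text does not say which kernel ABI first accepts GRND_RESEED.

# fips_kernel_abi RELEASE
# Prints the ABI number of an "X.Y.Z-ABI-fips" release string.
# Returns 1 for any other flavour (generic, aws-fips, ...).
fips_kernel_abi() {
    case "$1" in
        *-fips) ;;
        *) return 1 ;;
    esac
    abi=${1%-fips}   # 5.4.0-1024-fips -> 5.4.0-1024
    abi=${abi##*-}   # 5.4.0-1024      -> 1024
    case "$abi" in
        ''|*[!0-9]*) return 1 ;;   # not a bare number, e.g. "aws"
    esac
    printf '%s\n' "$abi"
}

# upgrade_verdict FIPS_ENABLED RELEASE MIN_FIXED_ABI
# Prints "allow" or "block"; exit status is 0 for allow, 1 for block.
upgrade_verdict() {
    fips_enabled=$1 release=$2 min_fixed=$3
    # FIPS mode off (fips=0 on the command line): the bug reports that the
    # upgrade succeeds in this case.
    if [ "$fips_enabled" != "1" ]; then echo allow; return 0; fi
    # FIPS mode on but the ABI cannot be determined: fail closed.
    if ! abi=$(fips_kernel_abi "$release"); then echo block; return 1; fi
    if [ "$abi" -ge "$min_fixed" ]; then echo allow; return 0; fi
    echo block
    return 1
}

# preflight MIN_FIXED_ABI
# Live check against the running system. crypto.fips_enabled is the value
# that `sysctl crypto` reports; a missing file is treated as FIPS mode off.
preflight() {
    fips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    upgrade_verdict "$fips" "$(uname -r)" "$1"
}

# Usage: preflight MIN_FIXED_ABI && do-release-upgrade
```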
