Jammy verification:
Part 1:
FIPS enabled:
ubuntu@superb-doe:~$ cat /proc/sys/crypto/fips_enabled
1
Clevis version installed:
ubuntu@superb-doe:~$ apt list clevis
Listing... Done
clevis/jammy-proposed,now 18-1ubuntu1.1 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switc
Understood. Reverting tag to verification-needed-jammy since I can't
effectively test this.
I'm being pushed for > 95% STIG compliance & local won't budge on the
FIPS disable call, so I guess I'm still stuck without tpm2 for the time
being.
** Tags removed: verification-failed-jammy
** Tags added
Chris, what you're describing is out of scope of this launchpad
issue. It is purely to address the invalid alg selected when running in
fips mode. What you're describing is likely a result of the hmac
implementation of tpm2-tools's tpm2-tss, likely described here:
https://github.com/tpm2-softw
I did not set OPENSSL_FORCE_FIPS_MODE=0. I'm unable to do so because
"just disable FIPS" (even for one-off tasks) would net me CMMC and/or
STIG audit failures, the side effects of which I'm not keen on
experiencing. I have no issues with other clevis calls on jammy under
FIPS (clevis-tang, clevis-s
@ks-chrisu This looks like you are hitting a different bug related to tpm and
clevis.
Did you run the command with OPENSSL_FORCE_FIPS_MODE=0? As in the command
should be like the following:
$ sudo OPENSSL_FORCE_FIPS_MODE=0 clevis luks bind -d /dev/nvme0n1p3 tpm2
'{"hash":"sha256","key":"rsa","p
Proposed package update did not fix the issue for me.
VERSION TESTED:
clevis_18-1ubuntu1.1/jammy-proposed
TEST CASE:
1. Select existing workstation running 22.04/jammy with fips-updates enabled
2. Ensure all apt packages are up to date
3. Confirm fips mode is enabled:
cat /proc/sys/crypto/fip
Hello Kyler, or anyone else affected,
Accepted clevis into jammy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/clevis/18-1ubuntu1.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.u
Built in ppa:vpa1977/plusone2[1], autopkgtests pass, testcase passes.
We need to remove reference to CLEVIS_FORCE_FIPS_MODE as it is replaced
by the check of fips_enabled file.
Nit: if the fips_enabled file ever contains something like "on" or "yes", the
script will be broken.
On the other hand
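An added example, not code from clevis or from anyone in this thread, showing the kind of fips_enabled check discussed above (the nit about values other than "1", and the test case's "confirm fips mode is enabled" step) together with the pbkdf2-versus-argon2id choice. The file path is a parameter so constructed files can stand in for /proc/sys/crypto/fips_enabled; the cryptsetup command is only printed, never run, and the option spelling assumes cryptsetup's --pbkdf flag.

```shell
#!/bin/sh
# Added example (not clevis's own code): decide which LUKS2 PBKDF to ask
# cryptsetup for, based on the kernel's FIPS flag. The path is a parameter
# so the logic can be exercised with constructed files; cryptsetup itself
# is only printed here, never executed.

FIPS_FLAG_DEFAULT=/proc/sys/crypto/fips_enabled

# fips_state [FILE] -> prints "on", "off" or "unknown".
# The kernel writes "0" or "1"; a missing file means no FIPS kernel or no
# fips=1 on the cmdline. Other spellings are normalised, and anything
# unrecognised is reported as "unknown" instead of being silently treated
# as "off", which is the failure mode the nit above points at.
fips_state() {
    f="${1:-$FIPS_FLAG_DEFAULT}"
    if [ ! -r "$f" ]; then
        echo off
        return 0
    fi
    v=$(tr -d '[:space:]' < "$f" | tr 'A-Z' 'a-z')
    case "$v" in
        1|y|yes|on|true)  echo on ;;
        0|n|no|off|false) echo off ;;
        *)                echo unknown ;;
    esac
}

# pbkdf_args [FILE] -> prints the cryptsetup PBKDF options to use.
# pbkdf2 is the NIST-approved KDF when FIPS is on; argon2id otherwise.
# An unknown state fails closed (non-zero) so the caller stops.
pbkdf_args() {
    case "$(fips_state "$1")" in
        on)  echo "--pbkdf pbkdf2" ;;
        off) echo "--pbkdf argon2id" ;;
        *)   echo "cannot determine FIPS state from ${1:-$FIPS_FLAG_DEFAULT}" >&2
             return 1 ;;
    esac
}

# luks_add_key_cmd DEV [FILE] -> prints (does not run) the luksAddKey
# invocation a clevis-style binding would issue for DEV.
luks_add_key_cmd() {
    dev="$1"; flag="$2"
    args=$(pbkdf_args "$flag") || return 1
    echo "cryptsetup luksAddKey $args $dev"
}
```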
Hello,
Here is the new iteration of the patch. It will now automatically make use of
pbkdf2 when FIPS is enabled.
I also updated the description.
** Patch added: "jammy-clevis-fips.debdiff"
https://bugs.launchpad.net/ubuntu/jammy/+source/clevis/+bug/2073429/+attachment/5858220/+files/jammy-
** Description changed:
Thank you @kylerhornor for the original bug report
[impact]
current version of clevis on jammy uses argon2id instead of pbkdf2 for the
encryption algorithm which is not approved by the NIST. An upstream commit
(https://github.com/latchset/clevis/commit/7159630751
That is correct! Not sure how I missed that in my testing. I redid the
test on a fresh VM and indeed /proc/sys/crypto/fips_enabled is present.
I will rewrite the patch while making use of fips_enabled instead of the
env variable implemented.
Thank you for pointing this out.
--
You received this
It should exist if running the fips kernel and fips=1 is set as a
cmdline opt. It sets after the tcrypt tests run iirc.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2073429
Title:
Jammy clevis forc
I'm no expert on the FIPS enablement on Ubuntu, but are you sure that
/proc/sys/crypto/fips_enabled doesn't exist? This article [1], specific
to jammy, suggests it should and I've just fired up a test VM, which
seems to indicate it exists:
$ lxc launch ubuntu:j --vm -c limits.cpu=4 -c limits.memor
May not be the right tag, but it should at least get the attention of
someone who can review this.
** Tags added: rls-jj-incoming
** Description changed:
Thank you @kylerhornor for the original bug report
[impact]
current version of clevis on jammy uses argon2id instead of pbkdf2 for the
encryption algorithm which is not approved by the NIST. An upstream commit
(https://github.com/latchset/clevis/commit/7159630751
Hello,
I have added a new option to clevis that allows the user to determine via an
environment variable if they wish to enable FIPS compatibility or not. Sadly on
jammy there is no '/proc/sys/crypto/fips_enabled' directory like on focal to
check if the system is meant to run in FIPS mode, so I
Thanks Robie, Ghadi, and Tobias for the discussion and reaching consensus on
the way forward.
I suggested something along these lines for the implementation in my initial
review, but I hadn't captured all the considerations and implications you
identified.
I was concerned that changing the default KDF for existing Ubuntu 22.04
users for FIPS reasons seemed inappropriate because some users might
object to that if (depending on their security perspective and who they
trust) they consider PBKDF2 to be a KDF downgrade. I appreciate that
upstream changed
Thanks, I see all remaining remarks from comment #9 are addressed. The
patch matches upstream, builds fine and passes local autopkgtests.
@Ghadi also provided additional evidence from the Security Engineering
team:
sespiros:
"Security standards might be able to provide a more authoritative answer
Hello Mauricio,
After some internal discussions with the security team, they have
confirmed the validity of the change, and also noted that this algorithm
is already in use in Ubuntu Core.
Hope this helps!
Hello Mauricio,
I have updated the Test plan to include another section that will help
confirm that clevis will still be able to decrypt argon2id devices.
Thank you for your feedback!
** Description changed:
Thank you @kylerhornor for the original bug report
[impact]
current version o
Hello Mauricio,
Thank you for the review!
I have applied the changes requested:
- undone the refresh of the other patch (apologies for not noticing that
earlier)
- renamed the patch to contain the lp prefix
- removed the "Author:" field and incorporated it in the "From:" field
I will work on a
Hi Kyler, Ghadi, Security team,
Thanks for the work on this, the SRU bug template, and the debdiff!
IMHO, this request (not necessarily the code changes) _has_ to
be reviewed by the Security Engineering team before proceeding.
(Security team: ref: SRU bug template and bugzilla comments 3-5)
..
- SRU bug template: OK/FIX
This looks really good, but please:
Add a test step to ensure that a device bound to clevis
_without_ the change (i.e., which used argon2id) _works_
_with_ the new change (which uses pbkdf2).
That is, check for no regressions to existing users.
- d/changelog:
Vers
Hi Vladimir,
Thank you for reviewing the patch!
I applied the requested changes, let me know how it looks.
** Patch added: "jammy-clevis.debdiff"
https://bugs.launchpad.net/ubuntu/+source/clevis/+bug/2073429/+attachment/5811101/+files/jammy-clevis.debdiff
Hi,
Thank you
Would it be possible to make some minor changes to the attached debdiff:
d/changelog: Replace argon2id with pbkdf2 for fips compatibility (LP:
2073429) => (LP: #2073429)
d/p/explicitly_specify_pbkdf_iterations_to_cryptsetup.patch:
- run quilt refresh to avoid introducing spur
The issue was fixed upstream and available in version 20-1 in noble and
jammy.
** Also affects: clevis (Ubuntu Noble)
Importance: Undecided
Status: New
** Also affects: clevis (Ubuntu Oracular)
Importance: Undecided
Status: Confirmed
** Changed in: clevis (Ubuntu Noble)
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: clevis (Ubuntu)
Status: New => Confirmed
Attached is the patch for Jammy. The fix is already available in newer
releases
** Description changed:
+ Thank you @kylerhornor for the original bug report
+
+ [impact]
+ current version of clevis on jammy uses argon2id instead of pbkdf2 for the
encryption algorithm which is not approved by t
The attachment "luks.patch" seems to be a patch. If it isn't, please
remove the "patch" flag from the attachment, remove the "patch" tag, and
if you are a member of the ~ubuntu-reviewers, unsubscribe the team.
[This is an automated message performed by a Launchpad user owned by
~brian-murray, for
I think I made the patch file correctly.
** Patch added: "luks.patch"
https://bugs.launchpad.net/ubuntu/jammy/+source/clevis/+bug/2073429/+attachment/5798147/+files/luks.patch