FIPS kernels should default to fips mode
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[ Impact ]
* Ubuntu builds regular kernels without FIPS configuration enabled at compile time
* Canonical also builds FIPS kernels with FIPS configuration enabled at compile time, intended to only be used in FIPS mode
* Currently, because the upstream code leaves FIPS mode off by default, using these kernels additionally requires the bootloader configuration to always pass `fips=1` so that FIPS mode is turned on at runtime
* This adds complexity when running autopkgtests, creating Ubuntu Core images, switching to/from Pro FIPS, and drafting and verifying the security policy
* All of this can be avoided if fips=1 is the implicit default for the FIPS kernels.
* This has no effect on regular kernels
[ Test Plan ]
* generic kernel build should see no effect / no changes, as the patched code is dead code there (FIPS is not configured at compile time). I.e. /proc/sys/
* fips kernel build should have the following content in the /proc/sys/
+ without any fips= setting fips_enabled should be set to 1 (new behaviour)
+ with fips=1 setting fips_enabled should be set to 1 (double check existing behaviour)
+ with fips=0 setting fips_enabled should be set to 0 (double check existing behaviour)
* the Pro client can continue to set fips=1, just in case, as older certified FIPS kernels still require this setting.
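The test plan above can be written down as a small script: one function encodes the expected fips_enabled value for a given kernel flavour and command line, and another compares it with the running kernel. This is an added example, not code from the bug report or from the Ubuntu kernel tree. It assumes the sysctl lives at /proc/sys/crypto/fips_enabled (the report only shows the truncated prefix /proc/sys/) and, as a heuristic, recognises a FIPS flavour by the substring "fips" in `uname -r`.

```shell
#!/bin/sh
# Added example encoding the fips_enabled test plan. Assumptions not stated on
# the page: the sysctl path /proc/sys/crypto/fips_enabled, and "fips" in
# `uname -r` marking a FIPS kernel flavour.

# expected_fips_enabled FLAVOUR CMDLINE
# Prints the fips_enabled value the test plan expects for a kernel of the
# given flavour ("fips" or "generic") booted with CMDLINE.
expected_fips_enabled() {
    flavour=$1
    cmdline=$2
    seen=no
    value=0
    # Walk the command line; the kernel runs the fips= handler for every
    # occurrence, so the last one wins.
    for word in $cmdline; do
        case $word in
            fips=*)
                seen=yes
                # Approximates the kernel's !!strtol(): "0" or empty is off,
                # anything else is on.
                case ${word#fips=} in
                    0|'') value=0 ;;
                    *)    value=1 ;;
                esac
                ;;
        esac
    done
    if [ "$flavour" != fips ]; then
        # Generic kernels are built without FIPS support: no FIPS mode,
        # whatever the command line says.
        echo 0
    elif [ $seen = yes ]; then
        # fips=0 / fips=1 keep their existing meaning on FIPS kernels.
        echo $value
    else
        # New behaviour from this bug: FIPS kernels default to fips=1.
        echo 1
    fi
}

# read_fips_enabled: prints the running kernel's fips_enabled, or 0 when the
# sysctl is absent (a kernel built without FIPS support never registers it).
read_fips_enabled() {
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        cat /proc/sys/crypto/fips_enabled
    else
        echo 0
    fi
}

# check_running_kernel: compare the live value with the expectation.
# Exit status 0 on match, 1 on mismatch.
check_running_kernel() {
    case $(uname -r) in
        *fips*) flavour=fips ;;
        *)      flavour=generic ;;
    esac
    cmdline=$(cat /proc/cmdline)
    want=$(expected_fips_enabled "$flavour" "$cmdline")
    got=$(read_fips_enabled)
    printf 'kernel=%s flavour=%s fips_enabled=%s expected=%s\n' \
        "$(uname -r)" "$flavour" "$got" "$want"
    [ "$got" = "$want" ]
}

# Only touch the live system when invoked as: sh fips-check.sh check
if [ "${1-}" = check ]; then
    check_running_kernel
fi
```

Run it once per boot variant (no fips=, fips=1, fips=0) on a FIPS kernel and once on a generic kernel. Note that the check deliberately reads the sysctl rather than grepping /proc/cmdline: once FIPS kernels default to fips=1, a tool that decides FIPS status by looking for fips=1 on the command line will report a FIPS-mode kernel as non-FIPS.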
[ Where problems could occur ]
* Some third-party tools do not consult /proc/sys/
[ Other Info ]
* The intention is to land this in noble, for the future noble FIPS kernels, and for the FIPS Updates kernels if at all possible.
This bug was fixed in the package linux - 6.8.0-11.11
---------------
linux (6.8.0-11.11) noble; urgency=medium
* noble/linux: 6.8.0-11.11 -proposed tracker (LP: #2053094)
* Miscellaneous Ubuntu changes
- [Packaging] riscv64: disable building unnecessary binary debs
-- Paolo Pisati <email address hidden> Wed, 14 Feb 2024 00:04:31 +0100