This bug was fixed in the package linux - 6.8.0-11.11
---------------
linux (6.8.0-11.11) noble; urgency=medium
* noble/linux: 6.8.0-11.11 -proposed tracker (LP: #2053094)
* Miscellaneous Ubuntu changes
- [Packaging] riscv64: disable building unnecessary binary debs
-- Paolo Pisati <[email protected]> Wed, 14 Feb 2024 00:04:31 +0100
** Changed in: linux (Ubuntu)
Status: New => Fix Released
https://bugs.launchpad.net/bugs/2049082
Title:
FIPS kernels should default to fips mode
Status in linux package in Ubuntu:
Fix Released
Bug description:
[ Impact ]
* Ubuntu builds regular kernels without FIPS configuration enabled at
compile time
* Canonical also builds FIPS kernels with FIPS configuration enabled at
compile time, intended to only be used in FIPS mode
* Currently, due to upstream patches, this thus requires additional runtime
configuration of the bootloader to always specify `fips=1` to turn on FIPS mode at
runtime, as it is off by default
* This adds additional complexity when performing autopkgtests, creating
Ubuntu Core images, switching to/from Pro FIPS, drafting and verifying security
policy
* Instead all of this can be avoided, if fips=1 is the implicit default for
the FIPS kernels.
* This has no effect on regular kernels
[ Test Plan ]
* generic kernel build should have no effect / no changes, as dead
code is patched. I.e. /proc/sys/crypto/fips_enabled not present
* fips kernel build should have the following content in the
/proc/sys/crypto/fips_enabled file:
+ without any fips= setting fips_enabled should be set to 1 (new behaviour)
+ with fips=1 setting fips_enabled should be set to 1 (double check
existing behaviour)
+ with fips=0 setting fips_enabled should be set to 0 (double check
existing behaviour)
* pro client can continue to set fips=1, just in case, as older
certified fips kernels still require this setting.
[ Where problems could occur ]
* Some 3rd party tools do not consult /proc/sys/crypto/fips_enabled
and rely on access to the kernel cmdline "fips=1", they are wrong, but
also there is no current intention to break any such users, as pro
client will continue to set fips=1 for now.
[ Other Info ]
* Intention is to land this for noble; for the future noble fips kernels.
FIPS Updates kernels, if at all possible.
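
The test plan above can be checked mechanically by reading /proc/sys/crypto/fips_enabled and comparing it with what the `fips=` boot parameter should produce. The following is an added example, not part of the bug report or the Ubuntu kernel packaging; the function names and the "fips"/"generic" flavour labels are hypothetical, and taking the last `fips=` occurrence as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: compare the observed FIPS state with the test plan.
# File paths are parameters so the logic can run against constructed files.

# Print the value of the last fips= token in a cmdline file, or "unset".
# Assumption: a later fips= overrides an earlier one.
cmdline_fips() {
    val=$(tr -s ' \t' '\n\n' < "$1" | sed -n 's/^fips=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Print what the test plan expects for fips_enabled.
# $1 = kernel flavour ("fips" or "generic", hypothetical labels), $2 = cmdline file
expected_fips_enabled() {
    if [ "$1" != fips ]; then
        echo absent          # generic kernel: file should not exist
        return
    fi
    case "$(cmdline_fips "$2")" in
        unset|1) echo 1 ;;   # no fips= (new default) or fips=1
        0)       echo 0 ;;   # explicit opt-out
        *)       echo untested ;;  # not covered by the test plan
    esac
}

# Print the observed state: contents of the sysctl file, or "absent".
observed_fips_enabled() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"; echo
    else
        echo absent
    fi
}

# Return 0 when the observed state matches the test plan, 1 otherwise.
# Usage on a booted system: check_fips fips   (or: check_fips generic)
check_fips() {
    flavour=$1
    cmdline=${2:-/proc/cmdline}
    sysctl=${3:-/proc/sys/crypto/fips_enabled}
    want=$(expected_fips_enabled "$flavour" "$cmdline")
    got=$(observed_fips_enabled "$sysctl")
    echo "flavour=$flavour fips=$(cmdline_fips "$cmdline") expected=$want observed=$got"
    [ "$want" = "$got" ]
}
```

The observed state comes only from the fips_enabled file; the command line is used solely to derive the expected value, which is why a FIPS kernel booted without `fips=` still passes.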