Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2080516

Summary: Libcryptsetup must check only for '/proc/sys/crypto/fips_enabled' to detect system in FIPS mode
Product: Red Hat Enterprise Linux 9 Reporter: James Ralston <ralston>
Component: cryptsetupAssignee: Ondrej Kozina <okozina>
Status: CLOSED ERRATA QA Contact: guazhang <guazhang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: agk, gmazyland, guazhang, jbrassow, jpazdziora, jstodola, okozina, prajnoha, ssorce
Target Milestone: rcKeywords: Triaged, ZStream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cryptsetup-2.4.3-5.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2118654 (view as bug list) Environment:
Last Closed: 2022-11-15 11:23:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2118654    

Description James Ralston 2022-04-29 21:38:24 UTC 
Description of problem:

I installed a RHEL9 beta system by booting the installer USB flash drive, augmenting the kernel command line in GRUB with fips=1, continuing the boot, and selecting encryption in the anaconda storage menu.

The resulting system showed that the LUKS filesystem was initialized with the argon2id PBKDF for the LUKS keyslot:

$ cryptsetup luksDump /dev/nvme0n1p3
…
Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        Time cost:  12
        Memory:     1048576
        Threads:    4

But in FIPS mode, crypsetup(8) itself claims that pbkdf2 is the default:

$ cryptsetup --help
…
Default compiled-in key and passphrase parameters:
        Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: pbkdf2
        Iteration time: 2000, Memory required: 0kB, Parallel threads: 0

Not only that, if I manually create a LUKS filesystem on the command line when in FIPS mode, without specifying the PBKDF, cryptsetup chooses pbkdf2. And if I attempt to force it to argon2id, it refuses:

$ cryptsetup luksFormat --pbkdf argon2id /dev/sda 
Enter passphrase for /dev/sda: 
Verify passphrase: 
Only PBKDF2 is supported in FIPS mode.
Failed to set pbkdf parameters.

So… how did anaconda manage to create a LUKS filesystem with argon2id for the PBKDF when I booted the installer in FIPS mode?

(And yes, I verified that the installer was running in FIPS mode, via the command shell.)

I notice that on a non-FIPS Fedora 35 system, with cryptsetup 2.4.3, "cryptsetup --help" asserts that argon2id is the default PBKDF.

The version of cryptsetup that was on the RHEL9 beta installer was:

cryptsetup-2.4.0-2.el9_b.x86_64.rpm

But I notice the current version is:

cryptsetup-2.4.3-4.el9.x86_64

…and one of the changelog entries:

* Thu Feb 17 2022 Ondrej Kozina <okozina> - 2.4.3-2
- Various FIPS related fixes.
- Resolves: #2051630

So I suspect what happened here is that cryptsetup-2.4.0-2.el9_b chose the default PBKDF without paying attention to FIPS mode, but cryptsetup-2.4.3-4.el9 now correctly pays attention to FIPS mode and correctly defaults to pbkdf2 (and refuses to use argon2id if the user attempts to specify it). So when RHEL9 final is installed in FIPS mode, the resulting LUKS filesystem will use FIPS-approved encryption/hash algorithms via the kernel and/or OpenSSL, and because both will be FIPS-validated, the resulting FDE will be FIPS-validated.

Is my assessment correct? Was fixing the default PBKDF in FIPS mode one of the changes that is now in cryptsetup-2.4.3-4.el9?
Comment 1 Ondrej Kozina 2022-06-21 09:57:17 UTC 
There (In reply to James Ralston from comment #0)
> Description of problem:
> 
> I installed a RHEL9 beta system by booting the installer USB flash drive,
> augmenting the kernel command line in GRUB with fips=1, continuing the boot,
> and selecting encryption in the anaconda storage menu.
> 
> The resulting system showed that the LUKS filesystem was initialized with
> the argon2id PBKDF for the LUKS keyslot:
> 
> $ cryptsetup luksDump /dev/nvme0n1p3
> …
> Keyslots:
>   0: luks2
>         Key:        512 bits
>         Priority:   normal
>         Cipher:     aes-xts-plain64
>         Cipher key: 512 bits
>         PBKDF:      argon2id
>         Time cost:  12
>         Memory:     1048576
>         Threads:    4

It seems the installation environment was not properly configured for fips. Libcryptsetup requires these files to exist
with the later containing '1' value to properly report fips
compliant pbkdf default parameters: '/etc/system-fips' and '/proc/sys/crypto/fips_enabled'.
Comment 2 Jan Stodola 2022-06-21 10:43:01 UTC 
I can confirm that creating an empty /etc/system-fips file in the installation environment results in PBKDF:pbkdf2 being used for the encrypted device created in FIPS mode. Tested on RHEL-9.0 GA
Comment 3 Jan Pazdziora (Red Hat) 2022-06-27 09:13:13 UTC 
At the same time, https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.0_release_notes/deprecated_functionality#deprecated-functionality_security says

  /etc/system-fips is now deprecated

  Support for indicating FIPS mode through the /etc/system-fips file has been removed, and the file will not be included in future versions of RHEL. To install RHEL in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. You can check whether RHEL operates in FIPS mode by using the fips-mode-setup --check command.
Comment 10 Ondrej Kozina 2022-08-10 11:39:15 UTC 
Fixed upstream in https://gitlab.com/cryptsetup/cryptsetup/-/merge_requests/365
Comment 11 guazhang@redhat.com 2022-08-15 08:02:26 UTC 
Hi


Looks the bug just reproduce in anaconda environment. 

[anaconda root@storageqe-69 ~]# sysctl crypto.fips_enabled 
crypto.fips_enabled = 1
[anaconda root@storageqe-69 ~]# 
[anaconda root@storageqe-69 ~]# 
[anaconda root@storageqe-69 ~]# dd if=/dev/zero of=test.tar bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 0.0537773 s, 1.9 GB/s
[anaconda root@storageqe-69 ~]# cryptsetup luksFormat --pbkdf argon2id  test.tar -q 
Enter passphrase for test.tar: 
[anaconda root@storageqe-69 ~]# cryptsetup luksDump  test.tar | grep PBKDF
        PBKDF:      argon2id


check the --help output, the default luks2 PBKDF is argon2id
...
Default compiled-in key and passphrase parameters:
        Maximum keyfile size: 8192kB, Maximum interactive passphrase length 512 (characters)
Default PBKDF for LUKS1: pbkdf2, iteration time: 2000 (ms)
Default PBKDF for LUKS2: argon2id
...

[anaconda root@storageqe-69 ~]# cryptsetup -V
cryptsetup 2.4.3



but how to test cryptsetup-2.4.3-5.el9 in anaconda ?
Comment 21 errata-xmlrpc 2022-11-15 11:23:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (cryptsetup bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8399
Comment 22 Ondrej Kozina 2023-05-11 09:52:37 UTC 
After the installation it can be fixed by running following command:

cryptsetup luksConvertKey /dev/nvmeXnYpZ

The command above will change pbkdf parameters to appropriate default values (pbkdf2 function, targeting 2 seconds unlock time if system runs in FIPS mode) for keyslot unlocked by user provided passphrase. New keyslot binary area is written with data containing same volume key but it will be protected by new KEK derived from passphrase using pbkdf2 function.

It can be applied to specific keyslot by adding -S<keyslot_id> parameter to the command above.