DistUpgrade: prevent FIPS enabled systems from upgrading to Jammy

Focal systems in FIPS mode running certain kernel versions cannot be
upgraded to Jammy. During the upgrade process, there is a point where
the userspace packages are upgraded to their Jammy version, but are run
on a Focal FIPS kernel. Specifically, the Jammy version of libgcrypt
relies on the getrandom syscall with the GRND_RESEED flag set. This
flag, however, is only implemented in the Jammy FIPS kernel. So, when
the Jammy version of libgcrypt is run alongside a Focal FIPS kernel, a
fatal error occurs.

This issue has been fixed on the kernel side by not rejecting the
GRND_RESEED flag. Even so, there may be users running kernel versions
without this fix, i.e., those running the certified FIPS kernel, which
doesn't contain any updates since it was published.

The GRND_RESEED flag is only used in FIPS mode, so prevent upgrades only
if the system is in FIPS mode and using a kernel version known to not
have the fix.

ubuntu-release-upgrader 1:22.04.17 was already released, but the changes
were not committed to git, so this needs to be re-released as 1:22.04.17
after importing the actual 1:22.04.17.
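
The gating rule described in this commit message, as an added Python example that is not code from ubuntu-release-upgrader: refuse the upgrade only when the system is in FIPS mode and the running kernel is known to lack the fix. The function names and the flavour/version entries in `FIRST_FIXED` are constructed placeholders, not the real affected versions.

```python
import os
import re

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # reads "1" when the kernel is in FIPS mode

# CONSTRUCTED placeholders, not real data: kernel flavour -> first version
# (major, minor, patch, ABI) assumed to accept GRND_RESEED.
FIRST_FIXED = {"fips": (5, 4, 0, 1050), "aws-fips": (5, 4, 0, 1060)}

RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)$")


def fips_enabled(path=FIPS_FLAG):
    """True only if the flag file exists and contains 1."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False  # no crypto sysctl: not a FIPS system


def upgrade_blocked(fips, release, first_fixed=FIRST_FIXED):
    """Return a reason string when the upgrade must be refused, else None.

    Blocks only the combination the commit message names: FIPS mode AND a
    kernel known to lack the fix. Unknown flavours or unparsable release
    strings are not "known bad", so they pass.
    """
    if not fips:
        return None  # GRND_RESEED is only used in FIPS mode
    m = RELEASE_RE.match(release)
    if m is None:
        return None
    version = tuple(int(g) for g in m.groups()[:4])
    fixed = first_fixed.get(m.group(5))
    if fixed is None or version >= fixed:
        return None
    return (f"FIPS kernel {release} predates {'.'.join(map(str, fixed[:3]))}"
            f"-{fixed[3]}; Jammy libgcrypt would fail on getrandom(GRND_RESEED)")


if __name__ == "__main__":
    reason = upgrade_blocked(fips_enabled(), os.uname().release)
    print(reason or "upgrade may proceed")
```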