Ubuntu
linux package

Latest Azure optimised fips-updates kernel 4.15.0-2007-azure-fips leaves instance in unbootable state

Bug #1893985 reported by David Coronel on 2020-09-02

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Committed	Undecided	Unassigned

Bug Description

In Azure, updating an instance to the latest Azure optimised fips-updates kernel (4.15.0-2007-azure-fips) leaves the system in an unbootable state.

The serial console shows the following and reboots:

Checking kernel image: /boot/vmlinuz-4.15.0-2007-azure-fips
Kernel integrity check failed
Rebooting automatically due to panic= boot argument

This is with the instance type Standard D2s v3

Steps to reproduce (with the UA client in Ubuntu Pro):

-Launch an Ubuntu Pro 18.04 instance on AWS on a Standard D2s v3 instance

sudo add-apt-repository ppa:canonical-server/ua-client-daily --yes
sudo apt install ubuntu-advantage-tools ubuntu-advantage-pro --yes
sudo ua disable livepatch
sudo ua enable fips-updates --beta
sudo apt install linux-azure-fips

KERNEL=$(awk -F"'" '/menuentry.*azure-fips/ { print $(NF-1); exit }' /boot/grub/grub.cfg)

sudo tee /etc/default/grub.d/99-fips.cfg << __EOF__
GRUB_DEFAULT="Advanced options for Ubuntu>$KERNEL"
GRUB_CMDLINE_LINUX_DEFAULT="\$GRUB_CMDLINE_LINUX_DEFAULT fips=1"
__EOF__

sudo update-grub
sudo reboot

-Look at serial console in Azure Portal

Attaching screenshot of error before kernel panic and auto reboot.

Here is the list of packages installed with the action:

base-files amd64 10.1ubuntu2.9
libpam0g amd64 1.1.8-3.6ubuntu2.18.04.2
libpam-modules-bin amd64 1.1.8-3.6ubuntu2.18.04.2
libpam-modules amd64 1.1.8-3.6ubuntu2.18.04.2
libnss-systemd amd64 237-3ubuntu10.42
libsystemd0 amd64 237-3ubuntu10.42
libpam-systemd amd64 237-3ubuntu10.42
systemd amd64 237-3ubuntu10.42
udev amd64 237-3ubuntu10.42
libudev1 amd64 237-3ubuntu10.42
kmod amd64 24-1ubuntu3.5
libkmod2 amd64 24-1ubuntu3.5
libpam-runtime all 1.1.8-3.6ubuntu2.18.04.2
systemd-sysv amd64 237-3ubuntu10.42
python-samba amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.18
samba-common-bin amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.18
samba-common all 2:4.7.6+dfsg~ubuntu-0ubuntu2.18
samba-libs amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.18
libwbclient0 amd64 2:4.7.6+dfsg~ubuntu-0ubuntu2.18
iproute2 amd64 4.15.0-2ubuntu1.2
libisc-export169 amd64 1:9.11.3+dfsg-1ubuntu1.13
libdns-export1100 amd64 1:9.11.3+dfsg-1ubuntu1.13
libirs160 amd64 1:9.11.3+dfsg-1ubuntu1.13
bind9-host amd64 1:9.11.3+dfsg-1ubuntu1.13
dnsutils amd64 1:9.11.3+dfsg-1ubuntu1.13
libbind9-160 amd64 1:9.11.3+dfsg-1ubuntu1.13
libisccfg160 amd64 1:9.11.3+dfsg-1ubuntu1.13
libisccc160 amd64 1:9.11.3+dfsg-1ubuntu1.13
libdns1100 amd64 1:9.11.3+dfsg-1ubuntu1.13
libisc169 amd64 1:9.11.3+dfsg-1ubuntu1.13
liblwres160 amd64 1:9.11.3+dfsg-1ubuntu1.13
libpcap0.8 amd64 1.8.1-6ubuntu1.18.04.2
libx11-data all 2:1.6.4-3ubuntu0.3
libx11-6 amd64 2:1.6.4-3ubuntu0.3
grub-efi-amd64 amd64 2.02-2ubuntu8.18
grub2-common amd64 2.02-2ubuntu8.18
shim-signed amd64 1.37~18.04.6+15+1533136590.3beb971-0ubuntu1
grub-efi-amd64-signed amd64 1.93.20+2.02-2ubuntu8.18
grub-efi-amd64-bin amd64 2.02-2ubuntu8.18
grub-pc-bin amd64 2.02-2ubuntu8.18
grub-common amd64 2.02-2ubuntu8.18
libgssapi-krb5-2 amd64 1.16-2ubuntu0.1+esm1
python3-problem-report all 2.20.9-0ubuntu7.17
python3-apport all 2.20.9-0ubuntu7.17
apport all 2.20.9-0ubuntu7.17
bcache-tools amd64 1.0.8-2ubuntu0.18.04.1
curl amd64 7.58.0-2ubuntu3.10
libcurl4 amd64 7.58.0-2ubuntu3.10
libcurl3-gnutls amd64 7.58.0-2ubuntu3.10
linux-modules-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
linux-image-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
libkrb5-3 amd64 1.16-2ubuntu0.1+esm1
libkrb5support0 amd64 1.16-2ubuntu0.1+esm1
libk5crypto3 amd64 1.16-2ubuntu0.1+esm1
krb5-locales all 1.16-2ubuntu0.1+esm1
linux-modules-4.15.0-2007-azure-fips amd64 4.15.0-2007.8
linux-modules-extra-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
linux-azure amd64 5.4.0.1023.7
linux-image-azure amd64 5.4.0.1023.7
linux-azure-5.4-headers-5.4.0-1023 all 5.4.0-1023.23~18.04.1
linux-image-4.15.0-2007-azure-fips amd64 4.15.0-2007.8
linux-headers-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
linux-headers-azure amd64 5.4.0.1023.7
linux-tools-common all 4.15.0-115.116
linux-azure-5.4-tools-5.4.0-1023 amd64 5.4.0-1023.23~18.04.1
linux-azure-fips amd64 4.15.0.2007.7
linux-image-azure-fips amd64 4.15.0.2007.7
linux-azure-fips-headers-4.15.0-2007 all 4.15.0-2007.8
linux-tools-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
linux-tools-azure amd64 5.4.0.1023.7
linux-cloud-tools-common all 4.15.0-115.116
linux-azure-5.4-cloud-tools-5.4.0-1023 amd64 5.4.0-1023.23~18.04.1
linux-cloud-tools-5.4.0-1023-azure amd64 5.4.0-1023.23~18.04.1
linux-cloud-tools-azure amd64 5.4.0.1023.7
software-properties-common all 0.96.24.32.14
python3-software-properties all 0.96.24.32.14
linux-headers-4.15.0-2007-azure-fips amd64 4.15.0-2007.8
linux-headers-azure-fips amd64 4.15.0.2007.7
linux-azure-fips-tools-4.15.0-2007 amd64 4.15.0-2007.8
linux-tools-4.15.0-2007-azure-fips amd64 4.15.0-2007.8
linux-tools-azure-fips amd64 4.15.0.2007.7
linux-azure-fips-cloud-tools-4.15.0-2007 amd64 4.15.0-2007.8
linux-cloud-tools-4.15.0-2007-azure-fips amd64 4.15.0-2007.8
linux-cloud-tools-azure-fips amd64 4.15.0.2007.7
linux-image-unsigned-hmac-4.15.0-2007-azure-fips amd64 4.15.0-2007.8

Revision history for this message

David Coronel (davecore) wrote on 2020-09-02:

Screenshot Edit (608.0 KiB, image/png)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-09-02:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status:	New → Confirmed

Marcelo Cerri (mhcerri) on 2020-09-03

Changed in linux (Ubuntu):
status:	Confirmed → Fix Committed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Screenshot Edit

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package