Comment 0 for bug 1978890

Kyler Hornor (kylerhornor) wrote : Post-Install enablement of OEM-enabled devices will overwrite FIPS

[Summary]
A feature was added to allow post-install enablement for OEM-enabled devices via update-manager:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1908050

While this works well in some situations, it can lead to users unexpectedly installing the OEM meta package and its associated kernel, overwriting an existing FIPS installation, because the "Improved hardware support" bundle may not be noticed when operating update-manager.

[Expected Behavior]
For installs not running linux-generic, the post-install OEM enablement functionality should not trigger, nor should it add the additional repositories to the client's sources.list.d.

[Observed Behavior]
sources.list.d is updated and "Improved hardware support" is offered as an option in update-manager, which leads to clients unexpectedly losing compliance in FIPS environments.

[Replication Steps]
(Using Dell Inc. Precision 7920 Tower/060K5C)
1. Install from current focal ISO
2. Attach a ua subscription
3. Enable the fips-updates service
4. Reboot the system, log in to the desktop and wait for a while. The notification will pop up and show "Improved hardware support" on certified machines that have OEM metapackage support.
5. Click through the update-manager prompt and install the OEM packages
6. Reboot and check FIPS status

As the OEM kernel is 5.14, it will be chosen over the FIPS 5.4 kernel by default. unattended-upgrades will eventually remove the FIPS kernel as well, given enough time.
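An added audit helper (not code from this bug report or from update-manager) that checks a host for the condition described above: a non-generic (FIPS) kernel running, an OEM repository dropped under sources.list.d, and a higher-versioned kernel that GRUB's version ordering would boot instead. The kernel release strings used below are constructed samples, and the "oem" pattern for the sources.list.d file is an assumption, since the report does not name the file update-manager writes.

```shell
#!/bin/sh
# Returns 0 if the kernel release is NOT a linux-generic flavour
# (e.g. a -fips release), meaning OEM enablement should not have run.
is_non_generic_kernel() {
    case "$1" in
        *-generic) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints the release GRUB selects by default from a newline-separated list
# of installed kernels: the highest by version sort, which is why a 5.14
# OEM kernel wins over a 5.4 FIPS kernel.
default_boot_kernel() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# Returns 0 if any file in the directory mentions "oem" (assumed pattern).
has_oem_source() {
    grep -rqi 'oem' "$1" 2>/dev/null
}

# $1 = running kernel release, $2 = fips_enabled flag (0/1),
# $3 = installed kernel releases (newline-separated), $4 = sources.list.d path.
# Prints each finding; returns 0 when the host matches the observed
# behaviour (FIPS kernel running, OEM source added, other kernel boots next).
audit_oem_fips() {
    running="$1" fips_enabled="$2" installed="$3" sources_dir="$4"
    next=$(default_boot_kernel "$installed")
    findings=0
    if [ "$fips_enabled" = 1 ] && is_non_generic_kernel "$running"; then
        echo "running FIPS kernel: $running"
        if has_oem_source "$sources_dir"; then
            echo "OEM repository present under $sources_dir"
            findings=$((findings + 1))
        fi
        if [ "$next" != "$running" ]; then
            echo "default boot kernel would be $next, not $running"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -ge 2 ]
}
```

On a live host, pass `$(uname -r)`, the contents of /proc/sys/crypto/fips_enabled, the kernel releases listed under /boot, and /etc/apt/sources.list.d.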