[FFe]: Include FIPS into the ubuntu-advantage tool

Bug #1718291 reported by Joy Latten on 2017-09-19
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-advantage-tools (Ubuntu)

Bug Description

This is a request for a feature freeze exception to include FIPS into the ubuntu-advantage-tool package.

This will allow UA customers to use the ubuntu-advantage script to do the following
when "ubuntu-advantage enable-fips <token>" is issued from commandline,

 - configure the private PPA where the FIPS modules are located
 - install the FIPS modules from this PPA to the local machine from where the script is run
 - configure the bootloader to enable fips

Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.

Without the script, customers must perform the steps manually.

The following fips packages are installed:
linux-fips, fips-initramfs (fips kernel)
openssl, libssl1.0.0, libssl1.0.0-hmac
openssh-server, openssh-server-hmac
openssh-client, openssh-client-hmac
strongswan, strongswan-hmac

The patchset to include fips into ubuntu-advantage-tools includes
  - additional code to script to support "enable-fips" option/flag
  - additional code to script to support "is-fips-enabled" which reports if fips is
    enabled or not
  - additional code to support "status" for fips
  - addition to man page
  - additional testcases for fips
  - the fips private ppa keyring

**NOTE: The enable-fips component of the script will only work/run on xenial. FIPS modules are currently certified for xenial only. The intention is to upload to artful (althought doesn't enable fips on artful) in preparation for a xenial SRU.

Andreas Hasenack (ahasenack) wrote :
Joy Latten (j-latten) wrote :
Andreas Hasenack (ahasenack) wrote :
Andreas Hasenack (ahasenack) wrote :

Note binary files are not represented in that debdiff (keyring files)

tags: added: patch
Joy Latten (j-latten) on 2017-09-20
description: updated
Joy Latten (j-latten) wrote :
Joy Latten (j-latten) wrote :

Build log from artful P8 VM

Joy Latten (j-latten) wrote :

install v9 and upgrade to v10 on artful P8 VM and run script to enable fips

Joy Latten (j-latten) wrote :

tox results on artful P8 VM

Joy Latten (j-latten) wrote :
description: updated
tags: added: upgrade-software-version
Joy Latten (j-latten) wrote :

Just a note that the build.log mentioned in comment #6 above, has both the output of "debuild -S -uc -us" and the output of "dpkg-buildpackage -uc -us". My apologies for not providing better demarcation between the two outputs.

Steve Langasek (vorlon) wrote :

This is an entirely new feature which should have no impact on existing functionality. FFe granted.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Triaged
Nish Aravamudan (nacc) wrote :


Changed in ubuntu-advantage-tools (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 10

ubuntu-advantage-tools (10) artful; urgency=medium

  * New upstream release with FIPS support (LP: #1718291)

 -- Andreas Hasenack <email address hidden> Tue, 19 Sep 2017 18:33:03 -0300

Changed in ubuntu-advantage-tools (Ubuntu):
status: Fix Committed → Fix Released
information type: Public → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers