Ubuntu PRO Focal on AWS and Azure should not install the generic FIPS kernel via ubuntu-fips metapackage
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-advantage-tools (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Hirsute |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
This bug impacts users on AWS or Azure, trying to enable FIPS/FIPS updates on Focal images. Trying to install a non-cloud-optimized FIPS kernel may lead to unwanted behavior on those clouds, including inability to boot to the systems.
Although Focal has a FIPS certified kernel, the AWS adapted kernel is not ready yet. There will be in the future a cloud-optimized version of the FIPS kernel, and then users will be able to install it.
With the applied fix, UA will show a message saying that the kernel is not available instead of showing any error. If the user really wants to install FIPS, there is a feature override ("allow_
[Test Case]
To verify that this issue is fixed by version 27.3, please run the following script:
-------
import os
from pycloudlib.
api = EC2(
tag="test-ec2",
access_
secret_
)
image_id = "ami-0ae1f7f35a
private_key_path = "ec2-{}
key_name = "test-key"
if key_name in api.list_keys():
api.
keypair = api.client.
with open(private_
stream.
os.chmod(
api.use_
vpc = api.get_
instance = api.launch(
print("--- Creating base instance")
print(instance.
print(instance.
print(instance.
print("
print("--- Updating ua package")
print(instance.
instance.
instance.
print(instance.
print(instance.
print("
instance.delete()
-------
This script depends on pycloudlib, which can be found here:
https:/
[Regression Potential]
This change needs to make sure that we indeed prevent the installation of non-cloud-optimized kernels. If a corner case shows up, the user might end up with a wrong kernel. This is unlikely because we are using cloud-init tools, present in AWS and Azure, to detect the cloud instance and effective blocking the install. If this detection fails, it means cloud-init has some problem and then, on AWS or Azure, the instance will have more problems than this one.
We need to make sure to keep track of the certification progress for the cloud adapted FIPS package, so we can enable it in the future, when it becomes available.
[Original Description]
For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage. Installing a non-cloud-optimized FIPS kernel on AWS and Azure could lead to inability to boot on certain instance types. Expectation is that Focal AWS and Azure images should disallow enabling either fips or fips-updates.
Expected behavior on Ubuntu PRO AWS and Azure Focal:
$ ua status | grep fips
fips no — NIST-certified FIPS modules
fips-updates no — Uncertified security updates to FIPS modules
$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
This subscription is not entitled to FIPS Updates.
For more information see: https:/
Actual behavior:
$ ua status | grep fips
fips yes disabled NIST-certified FIPS modules
fips-updates yes disabled Uncertified security updates to FIPS modules
$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install
# see ubuntu-fips generic get installed which potentially degrades AWS and Azure environments
$ sudo grep install /var/log/
2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes -o Dpkg::Options:
description: | updated |
description: | updated |
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | Triaged → Incomplete |
Changed in ubuntu-advantage-tools (Ubuntu): | |
status: | Incomplete → Fix Committed |
The test case references a ppa and doesn't handle installing from -proposed, so isn't a suitable SRU test case...