Activity log for bug #1972026

Date Who What changed Old value New value Message
2022-05-06 20:28:43 Eric Cole bug added bug
2022-05-06 20:31:59 Andreas Hasenack bug added subscriber Andreas Hasenack
2022-05-09 19:42:02 Lucas Albuquerque Medeiros de Moura ubuntu-advantage-tools (Ubuntu): status New Confirmed
2022-05-18 19:55:02 Launchpad Janitor merge proposal linked https://code.launchpad.net/~orndorffgrant/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/422906
2022-05-19 19:12:02 Grant Orndorff description

Old value:

Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly lists "Reboot to FIPS kernel required"

Deploy a cloud FIPS image such as https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

After VM creation and booting perform:
----
>lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04

>ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       n/a       Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

NOTICES
Reboot to FIPS kernel required

Enable services with: ua enable <service>

                Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
           Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
            Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
----

----
>ua version
u27.7~20.04.1

>cat /etc/cloud/build.info
build_name: pro-fips-server
serial: 20220215.1
----

After reboot, perform the same "ua status" command and the same notice "Reboot to FIPS kernel required" is displayed. However, FIPS kernel is loaded and UA shows enabled.

-------
>uname -a
Linux temp-test-01 5.4.0-1022-azure-fips #22+fips1-Ubuntu SMP Mon Dec 13 01:12:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-------

Running apt shows no applicable updates available.

-------------
>apt-get update
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
Get:5 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7484 B]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7432 B]
Hit:7 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:9 https://esm.ubuntu.com/fips/ubuntu focal InRelease
Fetched 14.9 kB in 6s (2357 B/s)
Reading package lists... Done

root@temp-test-01:~# apt list --upgradeable
Listing... Done
libgcrypt20-hmac/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
libgcrypt20/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
snapd/focal-updates 2.54.3+20.04.1ubuntu0.3 amd64 [upgradable from: 2.54.3+20.04.1ubuntu0.2]
------------

Expected results:
1) ua status should properly report that a FIPS kernel is active.
Is this a check that is failing?
2) lsb_release -rd should show that it is not just 20.04.4 LTS but 20.04.4 LTS FIPS
Is this appropriate? FIPS is an enhancement of the mainstream LTS deployment. The more clear that it is a FIPS installation the better, no matter how you go about querying the system information. Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS kernel is required?

New value:

[Impact]
This bug causes users to see an inaccurate message saying that a reboot is required when that is not true. It doesn't affect the operation of FIPS mode, but it is confusing.

The bug occurs because of a case we have in our postinst which checks for a certain condition where certain fips-related packages have an apt hold. In that scenario, we recommend a reboot where we remove the apt hold, using this method. This is from the original implementation of Pro FIPS images. The bug was introduced during a refactor of how we organize all of our strings in the package.

The fix is to remove the notice when it is no longer applicable. The updated version removes it on the suggested reboot, as well as on calls to `ua status`, if it is no longer applicable.

[Test Plan]
To Reproduce:
```
lxc launch ubuntu-daily:focal f-1972026 --vm
lxc exec f-1972026 -- ua attach $YOUR_TOKEN
lxc exec f-1972026 -- ua enable fips
lxc exec f-1972026 -- apt-mark hold openssl
lxc exec f-1972026 -- dpkg-reconfigure ubuntu-advantage-tools
lxc exec f-1972026 -- ua status
# see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- reboot
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- apt-mark unhold openssl
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
```

To see that release 27.9 of ubuntu-advantage-tools fixes the problem, you can use the build in `ppa:ua-client/staging` for now (or once it is in -proposed, just enable proposed). Continuing in the same VM from reproducing the bug:
```
lxc exec f-1972026 -- add-apt-repository ppa:ua-client/staging
lxc exec f-1972026 -- apt install ubuntu-advantage-tools
lxc exec f-1972026 -- ua status
# no longer see "Reboot to FIPS kernel required"
```

[Where problems could occur]
The fix is to call a function to remove the notice in a few places. If we are removing the wrong notice, then this bug will continue to occur. If we were overzealous in our calls to remove the notice, or missed a certain condition, we may now remove the notice when it is actually still pertinent.

By introducing new function calls in a couple places that read/write files and parse json, we introduce the risk of failures during those function calls. This could potentially cause an error during `ua status`.

[Other Info]
In the future, we should evaluate if this message is still needed in this scenario at all. It may no longer be necessary in the current implementations of Pro FIPS.

[Original Description]
Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly lists "Reboot to FIPS kernel required"

Deploy a cloud FIPS image such as https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

After VM creation and booting perform:
----
>lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04

>ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       n/a       Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

NOTICES
Reboot to FIPS kernel required

Enable services with: ua enable <service>

                Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
           Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
            Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
----

----
>ua version
u27.7~20.04.1

>cat /etc/cloud/build.info
build_name: pro-fips-server
serial: 20220215.1
----

After reboot, perform the same "ua status" command and the same notice "Reboot to FIPS kernel required" is displayed. However, FIPS kernel is loaded and UA shows enabled.

-------
>uname -a
Linux temp-test-01 5.4.0-1022-azure-fips #22+fips1-Ubuntu SMP Mon Dec 13 01:12:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-------

Running apt shows no applicable updates available.

-------------
>apt-get update
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
Get:5 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7484 B]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7432 B]
Hit:7 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:9 https://esm.ubuntu.com/fips/ubuntu focal InRelease
Fetched 14.9 kB in 6s (2357 B/s)
Reading package lists... Done

root@temp-test-01:~# apt list --upgradeable
Listing... Done
libgcrypt20-hmac/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
libgcrypt20/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
snapd/focal-updates 2.54.3+20.04.1ubuntu0.3 amd64 [upgradable from: 2.54.3+20.04.1ubuntu0.2]
------------

Expected results:
1) ua status should properly report that a FIPS kernel is active.
Is this a check that is failing?
2) lsb_release -rd should show that it is not just 20.04.4 LTS but 20.04.4 LTS FIPS
Is this appropriate? FIPS is an enhancement of the mainstream LTS deployment. The more clear that it is a FIPS installation the better, no matter how you go about querying the system information. Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS kernel is required?

2022-05-25 16:07:02 Launchpad Janitor merge proposal unlinked https://code.launchpad.net/~orndorffgrant/ubuntu/+source/ubuntu-advantage-tools/+git/ubuntu-advantage-tools/+merge/422906
2022-06-19 14:36:24 Launchpad Janitor ubuntu-advantage-tools (Ubuntu): status Confirmed Fix Released