Activity log for bug #1978890

Date Who What changed Old value New value Message
2022-06-15 23:13:54 Kyler Hornor bug added bug
2022-06-17 15:56:17 Kyler Hornor attachment added screenshot of "Software Updater" gui with the "Improved Hardware Support" oem metapackage present. https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1978890/+attachment/5597996/+files/oem.png
2022-07-18 19:17:16 Kyler Hornor bug task added ubuntu-advantage-tools (Ubuntu)
2022-07-18 19:17:32 Kyler Hornor bug task added subiquity (Ubuntu)
2022-07-18 19:18:09 Kyler Hornor bug task added ubiquity (Ubuntu)
2022-07-18 19:18:20 Kyler Hornor bug task added ubuntu-drivers-common (Ubuntu)
2022-07-18 19:30:27 Kyler Hornor summary Post-Install enablement of OEM-enabled devices will overwrite FIPs FIPS/OEM installation compatibility is unclear to the end-user
2022-07-18 19:30:33 Kyler Hornor description

Old value:

[Summary]
A feature was added to allow for post-install enablement for oem-enabled devices via update manager: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1908050

While this works great for some situations, it can lead to users unexpectedly installing the oem meta package + associated kernel, overwriting an existing fips installation, as the "Improved hardware support" bundle may not be noticed when operating update-manager.

[Expected Behavior]
For non linux-generic running installs, the post-install oem enablement functionality should not trigger, nor should it add the additional repositories to the client's sources.list.d.

[Observed Behavior]
sources.list.d is updated and "Improved hardware support" is allowed as an option in update-manager, which leads to clients unexpectedly losing compliance in fips environments.

[Replication Steps]
(Using Dell Inc. Precision 7920 Tower/060K5C)
1. Install from current focal ISO
2. Attach a ua subscription
3. Enable the fips-updates service
4. Reboot the system, log in to the desktop and wait for a while. The notification will pop up and it will show "Improved hardware support" on the certified machines that have the OEM metapackage support.
5. Click through the update-manager prompt and install the oem packages
6. Reboot, check fips status

As the oem kernel is 5.14, it will be chosen over the fips 5.4 by default. unattended-upgrades will eventually remove the fips kernel as well, given enough time.

New value:

[Overall Summary]
Converting to cover all oem/fips compatibility issues with ua/installers/update-manager. These projects are mostly silo'd, so when they all converge it creates a confusing and frustrating experience for the user.

At its core, the problem is that both fips and oem use GRUB_FLAVOUR_ORDER to select the preferred kernel to boot from, disregarding versioning.

The main issues are:
1. ubuntu-drivers should not attempt to `oem-ify` a `fipsified` machine
2. ua tool should not attempt to `fipsify` an oem machine
3. subiquity should mention that drivers page is potentially making machine realtime & fips incompatible

Below are some reproducible examples of issues:

---
(Subiquity installer case)

[Summary]
A recent change to the subiquity snap adds support for installing oem drivers at time of instance install. If the user installs these packages, then attempts to install the fips packages post-install, fips will install as expected, but the system will always boot to the oem kernel.

[Expected Behavior]
Messaging should clearly indicate that installing the oem packages will make the environment incompatible with fips/RT kernel/ etc.

[Observed Behavior]
Subiquity just offers additional drivers, without clarifying the compatibility complications.

[Replication Steps]
(Using Dell Inc. Precision 7920 Tower/060K5C)
1. Install from current focal ISO
2. Confirm driver installation on the oem gui page
3. Install ua client/fips
4. Reboot
5. Observe kernel version (oem)

---
(update-manager case)

[Summary]
A feature was added to allow for post-install enablement for oem-enabled devices via update manager: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1908050

While this works great for some situations, it can lead to users unexpectedly installing the oem meta package + associated kernel, overwriting an existing fips installation, as the "Improved hardware support" bundle may not be noticed when operating update-manager.

[Expected Behavior]
For non linux-generic running installs, the post-install oem enablement functionality should not trigger, nor should it add the additional repositories to the client's sources.list.d.

[Observed Behavior]
sources.list.d is updated and "Improved hardware support" is allowed as an option in update-manager, which leads to clients unexpectedly losing compliance in fips environments.

[Replication Steps]
(Using Dell Inc. Precision 7920 Tower/060K5C)
1. Install from current focal ISO
2. Attach a ua subscription
3. Enable the fips-updates service
4. Reboot the system, log in to the desktop and wait for a while. The notification will pop up and it will show "Improved hardware support" on the certified machines that have the OEM metapackage support.
5. Click through the update-manager prompt and install the oem packages
6. Reboot, check fips status

oem's config in /etc/default/grub.d/* does not have a number prefix, and thus will always override 99-ubuntu-fips.cfg when calling update-grub.

2022-07-18 20:53:06 Dan Bungert subiquity (Ubuntu): status New Incomplete
2022-07-19 20:07:52 Dan Bungert subiquity (Ubuntu): status Incomplete In Progress
2022-07-19 20:07:55 Dan Bungert subiquity (Ubuntu): assignee Dan Bungert (dbungert)
2022-07-28 00:09:06 Dan Bungert subiquity (Ubuntu): status In Progress Fix Committed
2023-09-05 13:55:10 Grant Orndorff ubuntu-advantage-tools (Ubuntu): assignee Grant Orndorff (orndorffgrant)
2023-09-18 20:19:05 Dan Bungert subiquity (Ubuntu): status Fix Committed Fix Released
2023-09-27 12:00:42 Renan Rodrigo ubuntu-advantage-tools (Ubuntu): status New Triaged
2024-06-12 18:49:16 Grant Orndorff ubuntu-advantage-tools (Ubuntu): status Triaged Incomplete