** Description changed: [IMPACT] Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips. when "ubuntu-advantage enable-fips <token>" is issued from commandline, - configure the private PPA where the FIPS modules are located - install the FIPS modules from this PPA to the local machine from where the script is run - configure the bootloader to enable fips Upon successful completion of these steps, the customer then gets a message stating to reboot the machine to complete the fips enablement process. Without the script, customers must perform the steps manually. [FIX] Add enable-fips to advantage script. See debdiff below. [TEST] A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures. [REGRESSION POTENTIAL] The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered. + + [FIPS TESTCASES] + These testcases assume you have installed ubuntu-advantage-tools with the proposed changes. + + XENIAL + + 1. Collect status before enabling fips + + type on commandline, + ubuntu-advantage status + + expect, + livepatch: disabled + + esm: disabled (not available) + + fips: disabled + + 2. Enable fips + Note: This will require a token or credentials to fips Private PPA, in + the form xxx:xxx + + type on commandline, + sudo ubuntu-advantage enable-fips xxx:xxx + + expect, + [sudo] password for ubuntu: + Running apt-get update... OK + Ubuntu FIPS PPA repository enabled. + Installing FIPS packages (this may take a while)... OK + Configuring FIPS... + Updating grub to enable fips... OK + Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement. + + type on commandline, + sudo reboot + + 3. 
Log back into system after reboot + + type on commandline, + ubuntu-advantage status + + expect, + livepatch: disabled + + esm: disabled (not available) + + fips: enabled + + + 4. verify fips kernel "4.4.0-1002-fips" has been installed + + type on commandline, + uname -a + + expect, + Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux + + + ZESTY + (Note that FIPS is not supported on zesty.) + + 1. Collect status before enabling fips + + type on commandline, + ubuntu-advantage status + + expect, + livepatch: disabled (not available) + + esm: disabled (not available) + + fips: disabled (not available) + + 2. Ensure that fips cannot be enabled on Zesty. + Note: This will require a token or credentials to fips Private PPA, in + the form xxx:xxx + + type on commandline, + sudo ubuntu-advantage enable-fips xxx:xxx + + expect, + Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty + + 3. Check that kernel is not fips kernel (4.4.0-1002-fips) + + type on commandline, + uname -a + + expect: + Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
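Review bot: In the XENIAL test case, steps 3 and 4 accept "fips: enabled" from ubuntu-advantage status and a "-fips" kernel name from uname -a as proof of enablement, but nothing independently confirms that the bootloader change listed under [IMPACT] took effect. Add a post-reboot step that reads /proc/cmdline and /proc/sys/crypto/fips_enabled and states the expected values, so that a machine which boots the FIPS kernel without the fips boot parameter does not pass. The expected uname -a line in step 4 is also x86_64-only with a fixed version string, while [TEST] lists S390, PPC64EL and AMD64; state which part of the output has to match on the other architectures. Step 2 passes the PPA credentials as a command-line argument, so the test case should note that they can end up in shell history.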
-- 
https://bugs.launchpad.net/bugs/1719671
Title: [SRU][xenial] include recent version containing fips
