Public bug reported:

For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a
cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage.
Installing a non-cloud-optimized FIPS kernel on AWS and Azure could lead
to inability to boot on certain instance types. Expectation is that
Focal AWS and Azure images should disallow enabling either fips or
fips-updates.


Expected behavior on Ubuntu PRO AWS and Azure Focal: 
$ ua status | grep fips
fips          no                —      NIST-certified FIPS modules
fips-updates  no                —      Uncertified security updates to FIPS modules

$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
This subscription is not entitled to FIPS Updates.
For more information see: https://ubuntu.com/advantage


Actual behavior:
$ ua status | grep fips
fips          yes                disabled           NIST-certified FIPS modules
fips-updates  yes                disabled           Uncertified security updates to FIPS modules

$ sudo ua enable fips-updates
One moment, checking your subscription first
This system will NOT be considered FIPS certified, but will include security
and bug fixes to the FIPS packages.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install

# see ubuntu-fips generic get installed which potentially degrades AWS and Azure environments
$ sudo grep install /var/log/ubuntu-advantage.log
2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-fips openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssh-client openssh-client-hmac openssh-server openssh-server-hmac, rc: 0 stderr: b''

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: Triaged

https://bugs.launchpad.net/bugs/1939932

Title:
  Ubuntu PRO Focal on AWS and Azure should not install the generic FIPS
  kernel via ubuntu-fips metapackage
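
Added example, not part of the original report and not code from ubuntu-advantage-tools: a fleet-side check that reads "Ran cmd" lines in the format quoted above and flags a successful install of any FIPS metapackage other than the cloud-optimized one. It assumes the caller already knows which cloud the host runs on; the function names and the second and third sample lines are constructed for illustration.

```python
import re
import shlex

# Cloud-optimized metapackages named in the report; the generic one is the problem case.
CLOUD_FIPS = {"aws": "ubuntu-aws-fips", "azure": "ubuntu-azure-fips"}
ALL_FIPS = set(CLOUD_FIPS.values()) | {"ubuntu-fips"}
# Shape of the "Ran cmd" debug line quoted in the report.
RAN_INSTALL = re.compile(r"Ran cmd: (apt-get install .*?), rc: (\d+)")

# First line is the one from the report; the other two are constructed samples.
SAMPLE_LOG = """\
2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-fips openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssh-client openssh-client-hmac openssh-server openssh-server-hmac, rc: 0 stderr: b''
2021-08-13 22:31:52,118 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes ubuntu-aws-fips, rc: 0 stderr: b''
2021-08-13 22:40:03,907 - util.py:(506) [DEBUG]: Ran cmd: apt-get install --assume-yes ubuntu-fips, rc: 100 stderr: b''
""".splitlines()


def installed_packages(log_line):
    """Return package names from a successful apt-get install line, else []."""
    match = RAN_INSTALL.search(log_line)
    if not match or match.group(2) != "0":
        return []  # not an install line, or apt-get failed
    tokens = shlex.split(match.group(1))[2:]  # drop "apt-get install"
    packages, skip_next = [], False
    for token in tokens:
        if skip_next:  # value that belongs to the preceding "-o"
            skip_next = False
        elif token == "-o":
            skip_next = True
        elif not token.startswith("-"):
            packages.append(token)
    return packages


def audit_fips_install(log_lines, cloud):
    """Return (timestamp, installed, expected) for each mismatched FIPS metapackage."""
    expected = CLOUD_FIPS[cloud]
    findings = []
    for line in log_lines:
        for pkg in installed_packages(line):
            if pkg in ALL_FIPS and pkg != expected:
                findings.append((line.split(" - ")[0], pkg, expected))
    return findings
```
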
