** Description changed:

- For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a
- cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage.
- Installing a non-cloud-optimized FIPS kernel on AWS and Azure could lead
- to inability to boot on certain instance types. Expectation is that
- Focal AWS and Azure images should disallow enabling either fips or fips-
- updates.
+ [Impact]
  
+ This bug impacts users on AWS or Azure, trying to enable FIPS/FIPS
+ updates on Focal images. Trying to install a non-cloud-optimized FIPS
+ kernel may lead to unwanted behavior on those clouds, including
+ inability to boot to the systems.
  
- Expected behavior on Ubuntu PRO AWS and Azure Focal: 
+ Although Focal has a FIPS certified kernel, the AWS adapted kernel is
+ not ready yet. There will be in the future a cloud-optimized version of
+ the FIPS kernel, and then users will be able to install it.
+ 
+ With the applied fix, UA will show a message saying that the kernel is
+ not available instead of showing any error. If the user really wants to
+ install FIPS, there is a feature override
+ ("allow_default_fips_metapackage_on_focal_cloud") which will install the
+ default kernel, but this is the user's choice, and not recommended.
+ 
+ [Test Case]
+ The original description has steps to reproduce. To verify the fix, install 
ubuntu-advantage-tools 27.3 and check for the expected behavior described.
+ 
+ [Regression Potential]
+ This change needs to make sure that we indeed prevent the installation of 
non-cloud-optimized kernels. If a corner case shows up, the user might end up 
with a wrong kernel. This is unlikely because we are using cloud-init tools, 
present in AWS and Azure, to detect the cloud instance and effective blocking 
the install. If this detection fails, it means cloud-init has some problem and 
then, on AWS or Azure, the instance will have more problems than this one.
+ 
+ We need to make sure to keep track of the certification progress for the
+ cloud adapted FIPS package, so we can enable it in the future, when it
+ becomes available.
+ 
+ [Original Description]
+ For Ubuntu PRO on 20.04 (Focal) `ua enable fips` should only install a 
cloud-optimized ubuntu-aws-fips or ubuntu-azure-fips metapackage. Installing a 
non-cloud-optimized FIPS kernel on AWS and Azure could lead to inability to 
boot on certain instance types. Expectation is that Focal AWS and Azure images 
should disallow enabling either fips or fips-updates.
+ 
+ Expected behavior on Ubuntu PRO AWS and Azure Focal:
  $ ua status | grep fips
- fips          no                —      NIST-certified FIPS modules
- fips-updates  no                —      Uncertified security updates to FIPS 
modules
+ fips no — NIST-certified FIPS modules
+ fips-updates no — Uncertified security updates to FIPS modules
  
  $ sudo ua enable fips-updates
  One moment, checking your subscription first
  This system will NOT be considered FIPS certified, but will include security
  and bug fixes to the FIPS packages.
  Are you sure? (y/N) y
  This subscription is not entitled to FIPS Updates.
  For more information see: https://ubuntu.com/advantage
  
- 
  Actual behavior:
  $ ua status | grep fips
- fips          yes                disabled           NIST-certified FIPS 
modules
- fips-updates  yes                disabled           Uncertified security 
updates to FIPS modules
+ fips yes disabled NIST-certified FIPS modules
+ fips-updates yes disabled Uncertified security updates to FIPS modules
  
  $ sudo ua enable fips-updates
  One moment, checking your subscription first
  This system will NOT be considered FIPS certified, but will include security
  and bug fixes to the FIPS packages.
  Are you sure? (y/N) y
  Updating package lists
  Installing FIPS Updates packages
  FIPS Updates enabled
  A reboot is required to complete install
  
  # see ubuntu-fips generic get installed which potentially degrades AWS and 
Azure environments
- $  sudo grep install /var/log/ubuntu-advantage.log
+ $ sudo grep install /var/log/ubuntu-advantage.log
  2021-08-13 22:19:07,344 - util.py:(506) [DEBUG]: Ran cmd: apt-get install 
--assume-yes -o Dpkg::Options::="--force-confdef" -o 
Dpkg::Options::="--force-confold" ubuntu-fips openssh-client 
openssh-client-hmac openssh-server openssh-server-hmac openssh-client 
openssh-client-hmac openssh-server openssh-server-hmac, rc: 0 stderr: b''
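
Review bot: The [Test Case] section leaves the pass condition ambiguous. It points to "the expected behavior described", but [Impact] says the fixed tool shows a message that the kernel is not available, while the expected output kept under [Original Description] ends with "This subscription is not entitled to FIPS Updates." Suggest spelling out, in [Test Case], the exact output to expect from `ua status | grep fips` and `sudo ua enable fips-updates` on Focal AWS and Azure with ubuntu-advantage-tools 27.3. A further step would confirm that /var/log/ubuntu-advantage.log contains no `apt-get install ... ubuntu-fips` line unless "allow_default_fips_metapackage_on_focal_cloud" has been set, since [Regression Potential] names the wrong kernel being installed as the failure to rule out.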

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939932

Title:
  Ubuntu PRO Focal on AWS and Azure should not install the generic FIPS
  kernel via ubuntu-fips metapackage

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1939932/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
