Public bug reported:

Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly
lists "Reboot to FIPS kernel required"

Deploy a cloud FIPS image such as
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

After VM creation and booting perform:
----
>lsb_release -rd
Description:    Ubuntu 20.04.4 LTS
Release:        20.04

>ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       enabled   NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       n/a       Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

NOTICES
Reboot to FIPS kernel required

Enable services with: ua enable <service>

                Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
           Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
            Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
----

----
>ua version
u27.7~20.04.1

>cat /etc/cloud/build.info
build_name: pro-fips-server
serial: 20220215.1

----

After reboot, perform the same "ua status" command and the same notice
"Reboot to FIPS kernel required" is displayed.  However, FIPS kernel is
loaded and UA shows enabled.

-------
>uname -a
Linux temp-test-01 5.4.0-1022-azure-fips #22+fips1-Ubuntu SMP Mon Dec 13 01:12:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-------

Running apt shows no applicable updates available.

-------------
>apt-get update
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
Get:5 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7484 B]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7432 B]
Hit:7 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:9 https://esm.ubuntu.com/fips/ubuntu focal InRelease
Fetched 14.9 kB in 6s (2357 B/s)
Reading package lists... Done
root@temp-test-01:~# apt list --upgradeable
Listing... Done
libgcrypt20-hmac/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
libgcrypt20/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
snapd/focal-updates 2.54.3+20.04.1ubuntu0.3 amd64 [upgradable from: 2.54.3+20.04.1ubuntu0.2]

------------


Expected results:
1) ua status should properly report that a FIPS kernel is active.
Is this a check that is failing?

2) lsb_release -rd should show that it is not just 20.04.4 LTS but 20.04.4 LTS FIPS
Is this appropriate?  FIPS is an enhancement of the mainstream LTS deployment.
The more clear that it is a FIPS installation the better, no matter how you go
about querying the system information.

Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS
kernel is required?

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1972026

Title:
  ua status incorrectly lists reboot required for pre-built FIPS cloud
  image
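
A host-side cross-check for the symptom in this report, added here as an example; it is not part of the bug report or of ubuntu-advantage-tools. The function name `classify_fips_notice` is hypothetical, and it assumes that a FIPS kernel's release string ends in `-fips` (as in the report's `5.4.0-1022-azure-fips`) and that `/proc/sys/crypto/fips_enabled` reads `1` when the kernel is in FIPS mode.

```shell
#!/bin/sh
# Added example (not part of ubuntu-advantage-tools): cross-check the
# "Reboot to FIPS kernel required" notice against the running kernel.
# Assumptions: a FIPS kernel's release string ends in "-fips" and
# /proc/sys/crypto/fips_enabled reads 1 when FIPS mode is active.

# classify_fips_notice KERNEL_RELEASE FIPS_FLAG STATUS_TEXT
# Prints: stale-notice | reboot-needed | consistent | fips-inactive
classify_fips_notice() {
    kernel=$1
    fips_flag=$2
    status_text=$3

    # Is the notice present anywhere in the status output?
    notice=no
    case $status_text in
        *"Reboot to FIPS kernel required"*) notice=yes ;;
    esac

    # Treat FIPS as running only if both the kernel name and the flag agree.
    fips_running=no
    case $kernel in
        *-fips)
            if [ "$fips_flag" = "1" ]; then fips_running=yes; fi
            ;;
    esac

    if [ "$notice" = yes ] && [ "$fips_running" = yes ]; then
        echo stale-notice      # notice contradicts the running kernel
    elif [ "$notice" = yes ]; then
        echo reboot-needed     # notice matches the host state
    elif [ "$fips_running" = yes ]; then
        echo consistent
    else
        echo fips-inactive
    fi
}

# Constructed sample, abbreviated from the status output in the report.
SAMPLE_STATUS='fips          yes       enabled   NIST-certified core packages

NOTICES
Reboot to FIPS kernel required'

classify_fips_notice "5.4.0-1022-azure-fips" "1" "$SAMPLE_STATUS"

# Live use on a host (ua and the proc file must exist):
#   classify_fips_notice "$(uname -r)" \
#       "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" "$(ua status)"
```

A `stale-notice` result on a fleet of pre-built FIPS images separates this reporting bug from hosts that genuinely have not booted into the FIPS kernel.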
