Public bug reported:

Running 'pro detach' removes the FIPS package (ubuntu-fips, ubuntu-aws-fips,
ubuntu-azure-fips, ubuntu-gcp-fips). The package's removal scripts unset
'fips=1' and 'bootdev' kernel boot parameters from grub configuration.

On Noble (24.04), this causes the system to fail to boot because initramfs
performs strict FIPS integrity checks (with LVM setup).
On Jammy (22.04), boot is not affected as initramfs does not enforce these
checks strictly.

FIPSCommonEntitlement.remove_packages() is called unconditionally during
disable/detach (via repo.py RepoEntitlement._perform_disable()).
This method runs 'apt-get remove' on the FIPS package.
The package's removal scripts modify grub configuration, removing critical
kernel parameters needed for boot on Noble.

== Steps to Reproduce ==
1. Attach a Noble (24.04) machine to an Ubuntu Pro subscription
2. pro enable fips
3. Reboot (required for FIPS activation)
4. pro detach
5. Reboot
6. The system gets stuck during boot because it can't find bootdev

== Expected Behavior ==
The system should boot normally. The FIPS package and its grub
configuration (fips=1, bootdev kernel parameters) should be preserved
so that the kernel can boot successfully.

== Actual Behavior ==
The FIPS package is removed during detach, which triggers its removal
scripts to unset fips=1 and bootdev from the kernel command line.
On the next reboot, the Noble initramfs fails strict FIPS checks and
the system does not boot.

** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2140749
Title:
pro detach removes ubuntu-fips, breaking boot by unsetting fips=1
kernel parameter in Noble
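A pre-reboot check for the situation in this report, as an added example that is not part of the bug report or of ubuntu-advantage-tools: it compares the running kernel's command line with the `linux` lines in a generated grub.cfg and lists the menu entries where `fips` or `bootdev` will be missing or changed at next boot. The sample command line, grub.cfg text, image names and UUID are constructed, and the function names are hypothetical.

```python
import re

# Parameters the report says the FIPS package's removal scripts unset.
WATCHED = ("fips", "bootdev")

# Constructed samples (not from the report): the running kernel's command line
# and the grub.cfg generated after 'pro detach'. Paths and UUID are made up.
RUNNING = "BOOT_IMAGE=/vmlinuz-EXAMPLE root=/dev/mapper/vg0-root ro fips=1 bootdev=UUID=1111-2222"
GRUB_AFTER_DETACH = """
menuentry 'Ubuntu' --class ubuntu {
    linux /vmlinuz-EXAMPLE root=/dev/mapper/vg0-root ro
    initrd /initrd.img-EXAMPLE
}
"""

def parse_cmdline(cmdline):
    """Return {name: value} for the watched parameters on a kernel command line."""
    found = {}
    for token in cmdline.split():
        name, _, value = token.partition("=")
        if name in WATCHED:
            found[name] = value
    return found

def grub_entries(grub_cfg):
    """Yield (menu entry title, kernel arguments) for each linux line in grub.cfg text."""
    title = None
    for raw in grub_cfg.splitlines():
        line = raw.strip()
        entry = re.match(r"menuentry\s+(['\"])(.*?)\1", line)
        if entry:
            title = entry.group(2)
        elif title is not None and re.match(r"linux(efi|16)?\s", line):
            parts = line.split(None, 2)  # command, kernel image, arguments
            yield title, (parts[2] if len(parts) > 2 else "")

def dropped_parameters(running_cmdline, grub_cfg):
    """Map each menu entry to watched parameters set now but absent or changed at next boot."""
    current = parse_cmdline(running_cmdline)
    report = {}
    for title, args in grub_entries(grub_cfg):
        upcoming = parse_cmdline(args)
        lost = sorted(n for n, v in current.items() if upcoming.get(n) != v)
        if lost:
            report[title] = lost
    return report

if __name__ == "__main__":
    # On a real host, pass the contents of /proc/cmdline and /boot/grub/grub.cfg instead.
    for title, lost in dropped_parameters(RUNNING, GRUB_AFTER_DETACH).items():
        print(f"{title}: next boot drops {', '.join(lost)}")
```

Run between steps 4 and 5 of the reproduction, a non-empty result means the next boot's kernel command line no longer carries the parameters the current boot has.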