** Description changed:

+ After some analysis, I found out that below LP
+ 
+ Bug #2049082 “FIPS kernels should default to fips mode” : Bugs : linux package : Ubuntu
+ https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2049082
+ 
+ With Noble, fips=0 should be specified in kernel parameter because
+ fips=1 is default value. so we may modify the parameter when detaching
+ pro. I may upload the patch(if possible) for that.
+ 
+ my idea is that ubuntu-fips metapkg add fips=0 when postrm.
+ 
+ 
+ ##
+ 
  Running 'pro detach' removes the FIPS package (ubuntu-fips, ubuntu-aws-fips, ubuntu-azure-fips, ubuntu-gcp-fips). The package's removal scripts unset 'fips=1' and 'bootdev' kernel boot parameters from grub configuration.

  On Noble (24.04), this causes the system to fail to boot because initramfs performs strict FIPS integrity checks. (with LVM setup)

  On Jammy (22.04), boot is not affected as initramfs does not enforce these checks strictly.

  In FIPSCommonEntitlement.remove_packages() is called unconditionally during disable/detach (via repo.py RepoEntitlement._perform_disable()). This method runs 'apt-get remove' on the FIPS package. The package's removal scripts modify grub configuration, removing critical kernel parameters needed for boot on Noble.

  == Steps to Reproduce ==

  1. Attach a Noble (24.04) machine to an Ubuntu Pro subscription
  2. pro enable fips
  3. Reboot (required for FIPS activation)
  4. pro detach
  5. Reboot
  6. stuck while boot because can't find bootdev

  == Expected Behavior ==

  The system should boot normally. The FIPS package and its grub configuration (fips=1, bootdev kernel parameters) should be preserved so that the kernel can boot successfully.

  == Actual Behavior ==

  The FIPS package is removed during detach, which triggers its removal scripts to unset fips=1 and bootdev from the kernel command line. On the next reboot, the Noble initramfs fails strict FIPS checks and the system does not boot.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2140749

Title:
  pro detach removes ubuntu-fips, breaking boot by unsetting fips=1 kernel parameter in Noble

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2140749/+subscriptions
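
A pre-reboot check for the state this report describes, as an added example that is not part of the bug report or of ubuntu-advantage-tools: it classifies a kernel command line by its `fips=` and `bootdev=` parameters. Assumptions: the function names and sample strings are constructed here, a FIPS kernel is recognised by "fips" in its release string, and a FIPS kernel with no `fips=0` and no `bootdev=` is the unbootable case from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): flag the command-line state described above.

# Constructed samples: command line while FIPS is enabled, and after the
# package removal scripts have unset fips=1 and bootdev.
SAMPLE_ENABLED='BOOT_IMAGE=/vmlinuz-EXAMPLE-fips root=/dev/mapper/vg-root ro fips=1 bootdev=UUID=CONSTRUCTED'
SAMPLE_DETACHED='BOOT_IMAGE=/vmlinuz-EXAMPLE-fips root=/dev/mapper/vg-root ro'

# Print the value of key $1 in command line $2. The last occurrence wins,
# matching how a repeated kernel parameter is normally resolved.
# The body is a subshell so that "set -f" (no globbing) does not leak out.
cmdline_param() (
    set -f
    key=$1
    val=
    for tok in $2; do
        case $tok in
            "$key"=*) val=${tok#*=} ;;
        esac
    done
    printf '%s' "$val"
)

# $1 = kernel command line, $2 = kernel release (as printed by uname -r).
# Prints one of: non-fips-kernel, fips-off, fips-on, at-risk.
# Returns 1 only for at-risk.
fips_boot_state() {
    fips=$(cmdline_param fips "$1")
    bootdev=$(cmdline_param bootdev "$1")
    case $2 in
        *fips*) ;;   # assumption: FIPS kernel releases contain "fips"
        *) echo "non-fips-kernel"; return 0 ;;
    esac
    if [ "$fips" = 0 ]; then
        echo "fips-off"; return 0
    fi
    # fips=1, or fips= absent: per LP #2049082 the Noble FIPS kernel
    # defaults to FIPS mode, so a missing bootdev is the failing case.
    if [ -n "$bootdev" ]; then
        echo "fips-on"; return 0
    fi
    echo "at-risk"; return 1
}

# Optional live check of the running system: sh this-file --live
if [ "${1:-}" = "--live" ]; then
    fips_boot_state "$(cat /proc/cmdline)" "$(uname -r)"
fi
```

`/proc/cmdline` reflects the current boot only; to judge the next boot after `pro detach`, pass the `linux` line arguments from the regenerated grub configuration to `fips_boot_state` instead.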
