Ubuntu Pro UA fails to enable fips-updates on 20.04
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-advantage-tools (Ubuntu) | Fix Released | High | Lucas Albuquerque Medeiros de Moura | |
| Xenial | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Hirsute | Fix Released | Undecided | Unassigned | |
| Impish | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
This bug impacts users on AWS, trying to enable FIPS/FIPS updates on Focal images. There is a missing package, 'ubuntu-aws-fips', which causes the installation to fail.
This package is missing because, although Focal has a FIPS-certified kernel, the AWS-adapted kernel is not ready yet. In the future there will be a cloud-optimized version of the FIPS kernel, and then users will be able to install it.
With the applied fix, UA will show a message saying that the kernel is not available instead of showing an error. If the user really wants to install FIPS, there is a feature override ("allow_
[Test Case]
To reproduce
- Spin up an AWS instance using the Ubuntu 20.04 image.
- Attach a valid token
- Run `$ sudo ua enable fips` (or `fips-updates`)
To verify the fix:
1. Update to ubuntu-
2. Append the following to '/etc/ubuntu-
"""
features:
allow_
"""
and then run the command again. Verify that it installs a base FIPS kernel, without the -aws prefix.
[Regression Potential]
This change needs to make sure that we indeed prevent the installation of the non-existent package. If a corner case shows up, the user might end up with a wrong kernel. This is unlikely because we are using cloud-init tools, present in AWS, to detect the cloud instance and effectively block the install. If this detection fails, it means cloud-init has some problem, and then, on AWS, the instance will have more problems than this one.
We need to make sure to keep track of the certification progress for the cloud adapted FIPS package, so we can enable it in the future, when it becomes available.
[Original Description]
Using AWS AMI: ami-0193aa0a9df
Attempting to enable fips-updates with the ua command line tool fails with an error from apt: "Unable to locate package ubuntu-aws-fips."
Canonical has told me directly 20.04 is now FIPS 140-2 Level 1 certified.
Output:
ubuntu@
Description: Ubuntu 20.04.2 LTS
Release: 20.04
ubuntu@
27.2.2~20.04.1
ubuntu@
SERVICE ENTITLED STATUS DESCRIPTION
cc-eal yes n/a Common Criteria EAL2 Provisioning Packages
cis yes disabled Center for Internet Security Audit Tools
esm-apps yes disabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes disabled UA Infra: Extended Security Maintenance (ESM)
fips yes disabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes disabled Canonical Livepatch service
Enable services with: ua enable <service>
Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
ubuntu@
DEBUG: Executed with sys.argv: ['/usr/bin/ua', '--debug', 'enable', 'fips-updates']
This will install the FIPS core packages and will include priority updates
with security fixes.
Are you sure? (y/N) y
DEBUG: Writing file: /var/lib/
DEBUG: Writing file: /etc/apt/
DEBUG: Ran cmd: apt-cache policy, rc: 0 stderr: b''
DEBUG: Writing file: /etc/apt/
DEBUG: Writing file: /etc/apt/
DEBUG: Exporting GPG key /usr/share/
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
DEBUG: Reading file: /var/lib/
Installing FIPS Updates packages
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
Retrying 3 more times.
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
Retrying 2 more times.
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
Retrying 1 more times.
DEBUG: Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options:
DEBUG: Reading file: /etc/apt/
Updating package lists
DEBUG: Ran cmd: apt-get update, rc: 0 stderr: b''
Could not enable FIPS Updates.
DEBUG: Reading file: /var/lib/
DEBUG: Removing file: /var/lib/
Searching the AWS Marketplace, I see that for Ubuntu 18 there are:
- Ubuntu Pro FIPS 18.04 LTS (offered by Canonical Group Ltd)
- Ubuntu Pro 18.04 LTS (offered by Amazon Web Services)
But for Ubuntu 20.04, a "Pro FIPS" variety does not exist, only Ubuntu Pro 20.04 LTS.
This is confusing from a user perspective.
- Why are there two separate AMIs if Ubuntu Pro is supposed to include the fips modules enabled through UA in the first place?
- Why can `fips` or `fips-updates` not be enabled using the Ubuntu Pro 20.04 LTS image?
- Why is an Ubuntu Pro FIPS 20.04 LTS missing entirely?
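The failure in the output above is apt having no installable candidate for the cloud-specific FIPS metapackage. The script below is an added pre-flight check, not part of ubuntu-advantage-tools, that mirrors the detection described in [Regression Potential]: it maps the cloud-init `cloud-id` result to the metapackage UA would install and checks `apt-cache policy` for a candidate before anyone runs `ua enable fips`. The mapping for non-AWS clouds to a base `ubuntu-fips` package and the sample apt output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added pre-flight check (not the project's code): decide which FIPS metapackage
# UA would try to install on this cloud and confirm apt has an installable
# candidate, so the "Unable to locate package" failure is caught up front.

# Map a cloud-init cloud id (output of `cloud-id`) to the FIPS metapackage.
# Only the AWS name comes from the bug report; 'ubuntu-fips' as the base
# (non-cloud) metapackage is an assumption.
fips_pkg_for_cloud() {
    case "$1" in
        aws) echo "ubuntu-aws-fips" ;;
        *)   echo "ubuntu-fips" ;;
    esac
}

# Parse `apt-cache policy <pkg>` output. A package is installable only when a
# "Candidate:" line exists and is not "(none)"; an unknown package prints no
# such line at all. Returns 0 when installable.
candidate_available() {
    printf '%s\n' "$1" | awk '
        /^ *Candidate:/ { found = 1; if ($2 != "(none)") ok = 1 }
        END { if (found && ok) exit 0; exit 1 }'
}

# Combined check: report the package and return 0 only if it can be installed.
preflight() {
    cloud="$1"; policy="$2"
    pkg=$(fips_pkg_for_cloud "$cloud")
    if candidate_available "$policy"; then
        echo "$pkg: installable candidate found"
        return 0
    fi
    echo "$pkg: no installable candidate on cloud '$cloud'; ua enable fips would fail" >&2
    return 1
}

# Constructed sample apt-cache output: the situation from the report (package
# unknown to apt on a Focal AWS image) and a resolvable package with a made-up version.
MISSING_POLICY="N: Unable to locate package ubuntu-aws-fips"
PRESENT_POLICY="ubuntu-fips:
  Installed: (none)
  Candidate: 1.0.0
  Version table:
     1.0.0 500"

# On a real instance, run with --live to query cloud-init and apt directly.
if [ "${1:-}" = "--live" ]; then
    cloud=$(cloud-id 2>/dev/null || echo unknown)
    preflight "$cloud" "$(apt-cache policy "$(fips_pkg_for_cloud "$cloud")" 2>&1)"
fi
```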