ua status incorrectly lists reboot required for pre-built FIPS cloud image

Bug #1972026 reported by Eric Cole
Affects: ubuntu-advantage-tools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[Impact]

This bug causes users to see an inaccurate message saying that a reboot is required when that is not true. It doesn't affect the operation of FIPS mode, but it is confusing.

The bug occurs because of a case we have in our postinst which checks for a certain condition where certain fips-related packages have an apt hold. In that scenario, we recommend a reboot where we remove the apt hold, using this method. This is from the original implementation of Pro FIPS images. The bug was introduced during a refactor of how we organize all of our strings in the package.

The fix is to remove the notice when it is no longer applicable. The updated version removes it on the suggested reboot, as well as on calls to `ua status`, if it is no longer applicable.

[Test Plan]

To Reproduce:
```
lxc launch ubuntu-daily:focal f-1972026 --vm
lxc exec f-1972026 -- ua attach $YOUR_TOKEN
lxc exec f-1972026 -- ua enable fips
lxc exec f-1972026 -- apt-mark hold openssl
lxc exec f-1972026 -- dpkg-reconfigure ubuntu-advantage-tools
lxc exec f-1972026 -- ua status
# see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- reboot
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
lxc exec f-1972026 -- apt-mark unhold openssl
lxc exec f-1972026 -- ua status
# still see "Reboot to FIPS kernel required"
```

To see that release 27.9 of ubuntu-advantage-tools fixes the problem, you can use the build in `ppa:ua-client/staging` for now (or once it is in -proposed, just enable proposed).

Continuing in the same VM from reproducing the bug:

```
lxc exec f-1972026 -- add-apt-repository ppa:ua-client/staging
lxc exec f-1972026 -- apt install ubuntu-advantage-tools
lxc exec f-1972026 -- ua status
# no longer see "Reboot to FIPS kernel required"
```

[Where problems could occur]

The fix is to call a function to remove the notice in a few places.

If we are removing the wrong notice, then this bug will continue to occur.

If we were overzealous in our calls to remove the notice, or missed a certain condition, we may now remove the notice when it is actually still pertinent.

By introducing new function calls in a couple of places that read/write files and parse JSON, we introduce the risk of failures during those function calls. This could potentially cause an error during `ua status`.

[Other Info]

In the future, we should evaluate if this message is still needed in this scenario at all. It may no longer be necessary in the current implementations of Pro FIPS.

[Original Description]

Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly lists "Reboot to FIPS kernel required"

Deploy a cloud FIPS image such as https://azuremarketplace.microsoft.com/en-us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips

After VM creation and booting perform:
----
>lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04

>ua status
SERVICE ENTITLED STATUS DESCRIPTION
esm-apps yes enabled UA Apps: Extended Security Maintenance (ESM)
esm-infra yes enabled UA Infra: Extended Security Maintenance (ESM)
fips yes enabled NIST-certified core packages
fips-updates yes disabled NIST-certified core packages with priority security updates
livepatch yes n/a Canonical Livepatch service
usg yes disabled Security compliance and audit tools

NOTICES
Reboot to FIPS kernel required

Enable services with: ua enable <service>

                Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
           Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
            Valid until: 9999-12-31 00:00:00+00:00
Technical support level: essential
----

----
>ua version
u27.7~20.04.1

>cat /etc/cloud/build.info
build_name: pro-fips-server
serial: 20220215.1

----

After reboot, perform the same "ua status" command and the same notice "Reboot to FIPS kernel required" is displayed. However, the FIPS kernel is loaded and UA shows it as enabled.

-------
>uname -a
Linux temp-test-01 5.4.0-1022-azure-fips #22+fips1-Ubuntu SMP Mon Dec 13 01:12:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
-------

Running apt shows no applicable updates available.

-------------
>apt-get update
Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
Get:5 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7484 B]
Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7432 B]
Hit:7 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
Hit:8 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
Hit:9 https://esm.ubuntu.com/fips/ubuntu focal InRelease
Fetched 14.9 kB in 6s (2357 B/s)
Reading package lists... Done
root@temp-test-01:~# apt list --upgradeable
Listing... Done
libgcrypt20-hmac/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
libgcrypt20/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 1.8.5-5ubuntu1.fips.1.1]
snapd/focal-updates 2.54.3+20.04.1ubuntu0.3 amd64 [upgradable from: 2.54.3+20.04.1ubuntu0.2]

------------

Expected results:
1) ua status should properly report that a FIPS kernel is active.
Is this a check that is failing?

2) lsb_release -rd should show that it is not just 20.04.4 LTS but 20.04.4 LTS FIPS
Is this appropriate? FIPS is an enhancement of the mainstream LTS deployment. The clearer it is that it is a FIPS installation the better, no matter how you go about querying the system information.

Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS kernel is required?
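The notice lifecycle from the [Impact] and [Test Plan] sections, modelled as an added example (this is not ubuntu-advantage-tools code): a postinst step records the notice when fips-related packages are on apt hold, the pre-27.9 `ua status` prints whatever is stored, and the fixed `ua status` re-evaluates first. The applicability rule, the package set and the notices file layout are assumptions; the JSON read also tolerates a missing or corrupt file, the failure mode named under [Where problems could occur].

```python
import json
import tempfile
from pathlib import Path

FIPS_REBOOT_NOTICE = "Reboot to FIPS kernel required"  # notice text from the page
# Constructed set; the page mentions a hold on openssl and fips builds of libgcrypt20.
FIPS_HOLD_PACKAGES = {"openssl", "libgcrypt20"}

def notice_applicable(held_packages, running_kernel):
    """Assumed rule: the notice is pertinent only while a fips-related package
    is still on apt hold and the running kernel is not a -fips build."""
    fips_held = bool(FIPS_HOLD_PACKAGES & set(held_packages))
    return fips_held and "-fips" not in running_kernel

def read_notices(path):
    """Notices are a JSON list on disk; a missing or corrupt file must not
    break `ua status`, so it is read as 'no notices'."""
    try:
        return json.loads(Path(path).read_text())
    except (OSError, ValueError):
        return []

def postinst(path, held_packages, running_kernel):
    """Package postinst: record the notice when the hold condition is seen."""
    notices = read_notices(path)
    if notice_applicable(held_packages, running_kernel) and FIPS_REBOOT_NOTICE not in notices:
        notices.append(FIPS_REBOOT_NOTICE)
    Path(path).write_text(json.dumps(notices))

def status_buggy(path, held_packages, running_kernel):
    """Pre-27.9 behaviour: show whatever is stored, never re-evaluate."""
    return read_notices(path)

def status_fixed(path, held_packages, running_kernel):
    """27.9 behaviour: drop the notice first if it no longer applies."""
    notices = read_notices(path)
    if FIPS_REBOOT_NOTICE in notices and not notice_applicable(held_packages, running_kernel):
        notices.remove(FIPS_REBOOT_NOTICE)
        Path(path).write_text(json.dumps(notices))  # persist so later reads stay clean
    return notices

def scenario():
    """Replay the page's reproduction: hold openssl, run postinst on a generic
    kernel, reboot into the fips kernel, then read status both ways."""
    with tempfile.TemporaryDirectory() as d:
        path, held = Path(d) / "notices.json", ["openssl"]
        postinst(path, held, "5.4.0-1022-azure")  # constructed non-fips kernel string
        before = status_fixed(path, held, "5.4.0-1022-azure")
        fips = "5.4.0-1022-azure-fips"  # kernel release from the page's uname output
        return {"before": before, "buggy": status_buggy(path, held, fips),
                "fixed": status_fixed(path, held, fips)}
```

`scenario()` returns the notice list before the reboot, then what the buggy and the fixed status would show after booting the FIPS kernel with openssl still held.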

Tags: focal
Lucas Albuquerque Medeiros de Moura (lamoura) wrote :

Hi Eric,

No, the problem here is that the FIPS message you are seeing:
Reboot to FIPS kernel required

is not being properly removed by our tool. We will fix this in a subsequent release of UA.
Note that this doesn't cause the lsb_release issue you mentioned at all. Additionally, the lsb_release command output is not related to ubuntu-advantage-tools at all.

Also, `lsb_release` sources the information from /etc/lsb-release, whose fields identify the OS distribution, and FIPS enablement is not a separate OS product. However, we can discuss this more if needed.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Confirmed
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-advantage-tools - 27.9~22.10.1

---------------
ubuntu-advantage-tools (27.9~22.10.1) kinetic; urgency=medium

  * d/rules
    - remove trusty specific code
    - remove ua-license-check.{timer,service,path}
    - install ubuntu-advantage.service
    - only on xenial: install ubuntu-advantage-cloud-id-shim.service
  * d/tools.preinst: remove old config field to avoid warnings in logs
  * d/tools.postinst
    - remove trusty specific code
    - print warnings if /etc/os-release doesn't have required fields
    - hardcode service list instead of exec-ing python3 for old migration
    - refactor python to avoid instantiating UAConfig extra times
    - refactor python to always use messages module for strings
    - rm the old marker file that triggered ua-license-check.path
    - remove unnecessary deb-systemd-helper check in ua-messaging cleanup
    - clean up old ua-license-check state
    - run new cloud-id-shim script
  * d/tools/postrm
    - clean up ubuntu-advantage-daemon log files
  * New upstream release 27.9 (LP: #1973099)
    - cli:
      + for json formatted output, include additional_info for some errors
      + new subcommand `ua refresh messages` to update motd and apt messages
    - daemon:
      + replace ua-license-check timer with ubuntu-advantage.service daemon
      + detects on-boot if pro license was added and runs auto-attach
      + only runs on gcp and does not continuously long-poll by default for now
    - enable:
      + fix error message on wrong service name when unattached
    - fips:
      + allow enabling generic fips kernel on azure by default
      + clean up fips reboot message (LP: #1972026)
    - fix:
      + handle errors during attach process
      + fix bug where enable or detach during a fix failed (LP: #1969809)
      + fix bug where attempting to fix some CVEs would never finish
    - performance:
      + remove unnecessary UAConfig object instantiation (also cleans up logs)
      + cache "apt-cache policy" output to avoid unnecessary subp calls
    - proxy:
      + apt_http(s)_proxy renamed to global_apt_http(s)_proxy
      + apt_http(s)_proxy config var names will still work
      + new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764)
      + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the
        same time
    - realtime: adjust warning to clarify that a manual revert is possible
    - refresh: a normal `ua refresh` will also update motd and apt messages
    - security-status: add counts of packages from each archive component
    - status: check if contract has updated and notify user to run "ua refresh"

 -- Grant Orndorff <email address hidden> Wed, 11 May 2022 13:04:46 -0400

Changed in ubuntu-advantage-tools (Ubuntu):
status: Confirmed → Fix Released