Public bug reported:

[Impact]

On systems upgraded from Bionic to Focal, enabling FIPS via the ua tool will fail, due to the following error:

Setting up ubuntu-fips (1.2.1) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-84-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-84-generic with 1.
dpkg: error processing package ubuntu-fips (--configure):
 installed ubuntu-fips package post-installation script subprocess returned error exit status 1

This happens because we are trying to copy /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac which is actually placed at /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac.

This works normally because from Disco onward (which includes Focal), /lib is a symlink to /usr/lib, as per the UsrMerge scheme [1]:

[1] https://wiki.debian.org/UsrMerge

As per Dimitri's message to debian-devel [2]:

> Given that at the moment in Ubuntu we are choosing to not
> force-merge users on upgrade.

[2] https://lwn.net/ml/debian-devel/CANBHLUhCjuSKNu5CzoPcProi0BkUjtCQ9crLU1Q9-=WDm-L==a...@mail.gmail.com/

It seems we need to support both usrmerge and non-usrmerged systems. In which case, non-usrmerged systems will install libgcrypt.so.20.hmac to /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac.

This is not limited to libgcrypt, as the following files in /usr/share/initramfs-tools/hooks need changing to support both /lib and /usr/lib:

-rwxr-xr-x 1 root root 3171 Jul 30  2020 fips*
-rwxr-xr-x 1 root root  631 Jul  8  2020 fips-libgcrypt*
-rwxr-xr-x 1 root root  707 Sep 22  2020 fips-openssl*
-rwxr-xr-x 1 root root  553 Mar 17  2021 ubuntu-fips*

A workaround for the time being is to install the usrmerge package, and opt into usrmerged directories, and then enable FIPS.

[Testcase]

Start an 18.04.6 LTS system. Perform an upgrade to Focal with do-release-upgrade.

Note the directory structure has no symlinks on reboot:

$ ls -l /
total 112
drwxr-xr-x  23 root root  4096 Sep 21 04:34 ./
drwxr-xr-x  23 root root  4096 Sep 21 04:34 ../
drwxr-xr-x   2 root root 12288 Sep 21 04:03 bin/
drwxr-xr-x   4 root root  4096 Sep 21 04:03 boot/
drwxr-xr-x  19 root root  3940 Sep 21 04:34 dev/
drwxr-xr-x  98 root root 12288 Sep 21 04:34 etc/
drwxr-xr-x   3 root root  4096 Sep 21 03:18 home/
drwxr-xr-x  23 root root  4096 Sep 21 03:49 lib/
drwxr-xr-x   2 root root  4096 Sep 21 03:35 lib64/
drwx------   2 root root 16384 Aug 17 15:51 lost+found/
drwxr-xr-x   2 root root  4096 Aug 17 15:48 media/
drwxr-xr-x   2 root root  4096 Aug 17 15:48 mnt/
drwxr-xr-x   2 root root  4096 Aug 17 15:48 opt/
dr-xr-xr-x 223 root root     0 Sep 21 04:34 proc/
drwx------   4 root root  4096 Sep 21 03:47 root/
drwxr-xr-x  28 root root   840 Sep 21 04:35 run/
drwxr-xr-x   2 root root 12288 Sep 21 04:03 sbin/
drwxr-xr-x   6 root root  4096 Sep 21 03:47 snap/
drwxr-xr-x   2 root root  4096 Aug 17 15:48 srv/
dr-xr-xr-x  13 root root     0 Sep 21 04:34 sys/
drwxrwxrwt  11 root root  4096 Sep 21 04:35 tmp/
drwxr-xr-x  12 root root  4096 Sep 21 03:42 usr/
drwxr-xr-x  13 root root  4096 Aug 17 15:51 var/

Attempt to enable FIPS:

$ sudo ua attach <token>
$ sudo ua enable fips
Setting up ubuntu-fips (1.2.1) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-84-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-84-generic with 1.
dpkg: error processing package ubuntu-fips (--configure):
 installed ubuntu-fips package post-installation script subprocess returned error exit status 1

$ ls -l /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
ls: cannot access '/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac': No such file or directory
$ ls -l /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
-rw-r--r-- 1 root root 126 Jul  8  2020 /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac

[Where problems can occur]

We need to be compatible with both systems upgraded from bionic to focal, and also new focal installs, which means we need to be okay with usrmerged and non-usrmerged systems.

If we change the initramfs script to point to /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac it should be safe, since on usrmerged systems it will follow the symlink to /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac.

If a regression were to occur, it would affect users of FIPS, and if the system is not configured correctly, FIPS might not be able to be enabled, and the kernel may refuse to start if it detects a configuration is wrong. I am unsure if missing hmac files will trigger that kernel check though.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: High
         Status: New

** Tags: sts

** Changed in: ubuntu-advantage-tools (Ubuntu)
   Importance: Undecided => High

** Tags added: sts

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1944403

Title:
  FIPS cannot be enabled on non usrmerged 20.04 systems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1944403/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
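One way an initramfs hook can tolerate both layouts, shown as an added example that is not the ubuntu-fips package's own hook code: it tries /lib before /usr/lib, accepts only a regular file (so the symlinked /lib on usrmerged systems resolves naturally), and reports a missing HMAC file instead of copying a dangling path. The function names, the fake root directories and the HMAC file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Locate the HMAC file for a shared library on both usrmerged and
# non-usrmerged roots.  The hook in the report hard-codes /usr/lib/...;
# here every candidate directory is tried and only an existing regular
# file is accepted, so a bad layout is reported rather than half-copied.
# Usage: find_hmac_file <root> <multiarch-triplet> <library soname>
# Prints the first existing path on stdout; returns 1 if none exists.
find_hmac_file() {
    root="$1"; triplet="$2"; soname="$3"
    for dir in "$root/lib/$triplet" "$root/usr/lib/$triplet"; do
        candidate="$dir/.$soname.hmac"
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "Failed to locate HMAC file for $soname under $root" >&2
    return 1
}

# The layout check behind the report's `ls -l /`: merged roots have /lib as a symlink.
is_usrmerged() { [ -L "$1/lib" ]; }

# Copy the HMAC file into the initramfs tree at the same relative path,
# so the library's FIPS self-check finds it beside the library at boot.
copy_hmac_into() {
    root="$1"; destdir="$2"; triplet="$3"; soname="$4"
    src=$(find_hmac_file "$root" "$triplet" "$soname") || return 1
    rel=${src#"$root"}
    mkdir -p "$destdir$(dirname "$rel")"
    cp "$src" "$destdir$rel"
}

# Constructed demo: a fake non-usrmerged root where the HMAC file lives
# only under /lib, exactly the layout from the bug report.
demo_root=$(mktemp -d)
demo_dest=$(mktemp -d)
mkdir -p "$demo_root/lib/x86_64-linux-gnu" "$demo_root/usr/lib/x86_64-linux-gnu"
echo "constructed-hmac-contents" > "$demo_root/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac"
copy_hmac_into "$demo_root" "$demo_dest" x86_64-linux-gnu libgcrypt.so.20
is_usrmerged "$demo_root" || echo "non-usrmerged root: HMAC file taken from /lib"
```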