Public bug reported:
Hello! In doing some testing, it was discovered that, upon enabling
fips-updates on an AWS instance in their US Gov't cloud, it will install the
generic FIPS packages rather than the AWS-specific debs:
---
ubuntu@ip-172-31-20-210:~$ cat /run/cloud-init/cloud-id
aws-gov
ubuntu@ip-172-31-20-210:~$ sudo pro enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
The "generic" variant of fips-updates is based on the "generic" Ubuntu
kernel but this machine is running the "aws" kernel.
The "aws" kernel may have significant hardware support
differences from "generic" fips-updates.
Warning: Installing generic fips-updates may result in lost hardware support
and may prevent the system from booting.
---
Continuing on will indeed just give generic FIPS packages:
---
ubuntu@ip-172-31-20-210:~$ dpkg -l|grep fips
ii fips-initramfs 0.0.30
amd64 FIPS 140-3 kernel tests
ii linux-fips 6.8.0-106.106+fips1
amd64 Complete FIPS 140-3 Linux kernel and headers
ii linux-fips-headers-6.8.0-106 6.8.0-106.106+fips1
all Header files related to Linux kernel version 6.8.0
ii linux-fips-tools-6.8.0-106 6.8.0-106.106+fips1
amd64 Linux kernel version specific tools for version 6.8.0-106
ii linux-headers-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 Linux kernel headers for version 6.8.0 on 64 bit x86 SMP
ii linux-headers-fips 6.8.0-106.106+fips1
amd64 FIPS 140-3 Linux kernel headers
ii linux-image-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 Signed kernel image fips
ii linux-image-fips 6.8.0-106.106+fips1
amd64 FIPS 140-3 Linux kernel image
ii linux-image-hmac-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 HMAC file for linux kernel image 6.8.0-106-fips
ii linux-modules-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii linux-modules-extra-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii linux-tools-6.8.0-106-fips 6.8.0-106.106+fips1
amd64 Linux kernel version specific tools for version 6.8.0-106
ii openssl-fips-module-3:amd64 3.0.13-0ubuntu3.6+Fips1
amd64 Secure Sockets Layer toolkit - FIPS module
ii ubuntu-fips 1.4.0~rc12+updates0
amd64 Install and configure linux-fips kernel and user space modules
ii ubuntu-fips-userspace 1.4.0~rc12+updates0
amd64 Install FIPS user space modules
---
In internal discussions it was discovered that the contracts server is
only aware of the "aws" cloud, and indeed on a normal AWS instance this
behavior is not seen. I'm opening this LP pursuant that discussion to
explore reconfiguring the Pro client to present an "aws-gov" instance as
simply "aws" to the contracts server so the correct deb's are queued up
for installation.
Thank you!
** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2144693
Title:
Ubuntu Pro Client does not install AWS FIPS bits on aws-gov cloud
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2144693/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
