** Description changed:

+ [Impact]
+ 
+ This bug causes users to see an inaccurate message saying that a reboot
+ is required when that is not true. It doesn't affect the operation of
+ FIPS mode, but it is confusing.
+ 
+ The bug occurs because of a case we have in our postinst which checks
+ for a certain condition where certain fips-related packages have an apt
+ hold. In that scenario, we recommend a reboot where we remove the apt
+ hold, using this method. This is from the original implementation of Pro
+ FIPS images. The bug was introduced during a refactor of how we organize
+ all of our strings in the package.
+ 
+ The fix is to remove the notice when it is no longer applicable. The
+ updated version removes it on the suggested reboot, as well on calls to
+ `ua status`, if it is not longer applicable.
+ 
+ [Test Plan]
+ 
+ To Reproduce:
+ ```
+ lxc launch ubuntu-daily:focal f-1972026 --vm
+ lxc exec f-1972026 -- ua attach $YOUR_TOKEN
+ lxc exec f-1972026 -- ua enable fips
+ lxc exec f-1972026 -- apt-mark hold openssl
+ lxc exec f-1972026 -- dpkg-reconfigure ubuntu-advantage-tools
+ lxc exec f-1972026 -- ua status
+ # see "Reboot to FIPS kernel required"
+ lxc exec f-1972026 -- reboot
+ lxc exec f-1972026 -- ua status
+ # still see "Reboot to FIPS kernel required"
+ lxc exec f-1972026 -- apt-mark unhold openssl
+ lxc exec f-1972026 -- ua status
+ # still see "Reboot to FIPS kernel required"
+ ```
+ 
+ 
+ To see that release 27.9 of ubuntu-advantage-tools fixes the problem, you can 
use the build in `ppa:ua-client/staging` for now (or once it is in -proposed, 
just enable proposed).
+ 
+ Continuing in the same VM from reproducing the bug:
+ 
+ ```
+ lxc exec f-1972026 -- add-apt-repository ppa:ua-client/staging
+ lxc exec f-1972026 -- apt install ubuntu-advantage-tools
+ lxc exec f-1972026 -- ua status
+ # no longer see "Reboot to FIPS kernel required"
+ ```
+ 
+ [Where problems could occur]
+ 
+ The fix is to call a function to remove the notice in a few places.
+ 
+ If we are removing the wrong notice, then this bug will continue to
+ occur.
+ 
+ If we were overzealous in our calls to remove the notice, or missed a
+ certain condition, we may now remove the notice when it is actually
+ still pertinent.
+ 
+ By introducing new function calls in a couple places that read/write
+ files and parse json, we introduce the risk of failures during those
+ function calls. This could potentially cause an error during `ua
+ status`.
+ 
+ [Other Info]
+ 
+ In the future, we should evaluate if this message is still needed in this 
scenario at all. It may no longer be necessary in the current implementations 
of Pro FIPS.
+  
+ [Original Description]
+ 
  Checking UA status on new Ubuntu 20.04 FIPS cloud image incorrectly
  lists "Reboot to FIPS kernel required"
  
  Deploy a cloud FIPS image such as
  https://azuremarketplace.microsoft.com/en-
  us/marketplace/apps/canonical.0001-com-ubuntu-pro-focal-fips
  
  After VM creation and booting perform:
  ----
  >lsb_release -rd
  Description:    Ubuntu 20.04.4 LTS
  Release:        20.04
  
  >ua status
  SERVICE       ENTITLED  STATUS    DESCRIPTION
  esm-apps      yes       enabled   UA Apps: Extended Security Maintenance (ESM)
  esm-infra     yes       enabled   UA Infra: Extended Security Maintenance 
(ESM)
  fips          yes       enabled   NIST-certified core packages
  fips-updates  yes       disabled  NIST-certified core packages with priority 
security updates
  livepatch     yes       n/a       Canonical Livepatch service
  usg           yes       disabled  Security compliance and audit tools
  
  NOTICES
  Reboot to FIPS kernel required
  
  Enable services with: ua enable <service>
  
-                 Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
-            Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
-             Valid until: 9999-12-31 00:00:00+00:00
+                 Account: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
+            Subscription: 61acb9fc-62f4-4ff7-b760-xxxxxxxxxxxx
+             Valid until: 9999-12-31 00:00:00+00:00
  Technical support level: essential
  ----
  
  ----
  >ua version
  u27.7~20.04.1
  
  >cat /etc/cloud/build.info
  build_name: pro-fips-server
  serial: 20220215.1
  
  ----
  
  After reboot, perform the same "ua status" command and the same notice
  "Reboot to FIPS kernel required" is displayed.  However, FIPS kernel is
  loaded and UA shows enabled.
  
  -------
  >uname -a
  Linux temp-test-01 5.4.0-1022-azure-fips #22+fips1-Ubuntu SMP Mon Dec 13 
01:12:55 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  -------
  
  Running apt shows no applicable updates available.
  
  -------------
  >apt-get update
  Hit:1 http://azure.archive.ubuntu.com/ubuntu focal InRelease
  Hit:2 http://azure.archive.ubuntu.com/ubuntu focal-updates InRelease
  Hit:3 http://azure.archive.ubuntu.com/ubuntu focal-backports InRelease
  Hit:4 http://azure.archive.ubuntu.com/ubuntu focal-security InRelease
  Get:5 https://esm.ubuntu.com/apps/ubuntu focal-apps-security InRelease [7484 
B]
  Get:6 https://esm.ubuntu.com/apps/ubuntu focal-apps-updates InRelease [7432 B]
  Hit:7 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease
  Hit:8 https://esm.ubuntu.com/infra/ubuntu focal-infra-updates InRelease
  Hit:9 https://esm.ubuntu.com/fips/ubuntu focal InRelease
  Fetched 14.9 kB in 6s (2357 B/s)
  Reading package lists... Done
  root@temp-test-01:~# apt list --upgradeable
  Listing... Done
  libgcrypt20-hmac/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 
1.8.5-5ubuntu1.fips.1.1]
  libgcrypt20/focal 1.8.5-5ubuntu1.fips.1.4 amd64 [upgradable from: 
1.8.5-5ubuntu1.fips.1.1]
  snapd/focal-updates 2.54.3+20.04.1ubuntu0.3 amd64 [upgradable from: 
2.54.3+20.04.1ubuntu0.2]
  
  ------------
  
- 
  Expected results:
  1) ua status should properly report that a FIPS kernel is active.
  Is this a check that is failing?
  
  2) lsb_release -rd   should show that it is not just 20.04.4 LTS but 20.04.4 
LTS FIPS
  Is this appropriate?  FIPS is an enhancement of the mainstream LTS 
deployment.  The more clear that it is a FIPS installation the better, no 
matter how you go about querying the system information.
  
  Is #1 seeing the results of #2 and thus reporting that a reboot to FIPS
  kernel is required?
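
Review bot: the verification half of [Test Plan] only checks the `ua status` path, run after `apt-mark unhold openssl` has already been done in the same VM. [Impact] says the updated version also removes the notice on the suggested reboot, and [Where problems could occur] names the risk of removing the notice while it is still pertinent, but neither path has a step. Suggest adding a run that installs the fixed package while the hold is still set, records what `ua status` shows before and after `reboot`, and states the expected result for each, so an overzealous removal would be caught. It would also help to say what a tester should see if the new read/write or JSON parsing calls fail during `ua status`, since that failure mode is listed as a risk.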

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1972026

Title:
  ua status incorrectly lists reboot required for pre-built FIPS cloud
  image
