[Bug 1978890] Re: Post-Install enablement of OEM-enabled devices will overwrite FIPs
Kyler Hornor
1978890 at bugs.launchpad.net
Fri Jun 17 15:56:17 UTC 2022
** Attachment added: "screenshot of "Software Updater" gui with the "Improved Hardware Support" oem metapackage present."
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1978890/+attachment/5597996/+files/oem.png
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1978890
Title:
Post-Install enablement of OEM-enabled devices will overwrite FIPs
Status in update-manager package in Ubuntu:
New
Bug description:
[Summary]
A feature was added to allow for post-install enablement for oem-enabled devices via update manager:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1908050
While this works great for some situations, it can lead to users
unexpectedly installing the oem meta package + associated kernel,
overwriting an existing fips installation, as the "Improved hardware
support" bundle may not be noticed when operating update-manager.
[Expected Behavior]
For non linux-generic running installs, the post-install oem enablement functionality should not trigger, nor should it add the additional repositories to the client's sources.list.d.
[Observed Behavior]
sources.list.d is updated and "Improved hardware support" is allowed as an option in update-manager, which leads to clients unexpectedly losing compliance in fips environments.
[Replication Steps]
(Using Dell Inc. Precision 7920 Tower/060K5C)
1. Install from current focal ISO
2. Attach a ua subscription
3. Enable the fips-updates service
4. Reboot the system, log in to the desktop and wait for a while. The notification will pop up and it will show "Improved hardware support" on the certified machines that have the OEM metapackage support.
5. Click through the update-manager prompt and install the oem packages
6. Reboot and check fips status
As the oem kernel is 5.14, it will be chosen over the fips 5.4 by
default. unattended-upgrades will eventually remove the fips kernel as
well, given enough time.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1978890/+subscriptions
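A check for step 6 above, as an added example that is not part of the original bug report: it classifies the running kernel and shows why a 5.14 oem kernel is picked over a 5.4 fips kernel when the highest version wins. The "-fips" and "-oem" release suffixes, the function names and the sample release strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: FIPS kernel releases
# end in "-fips" and OEM kernel releases end in "-oem".

# kernel_flavour RELEASE -> prints fips, oem or other
kernel_flavour() {
    case "$1" in
        *-fips) echo fips ;;
        *-oem)  echo oem ;;
        *)      echo other ;;
    esac
}

# fips_state RELEASE FIPS_ENABLED -> prints a one-word verdict.
# FIPS_ENABLED is the content of /proc/sys/crypto/fips_enabled (1 or 0).
fips_state() {
    flavour=$(kernel_flavour "$1")
    if [ "$flavour" = fips ] && [ "$2" = 1 ]; then
        echo fips-active
    elif [ "$flavour" = oem ]; then
        echo oem-kernel-running
    else
        echo fips-inactive
    fi
}

# newest_kernel: reads kernel releases on stdin, prints the highest version.
# Simplified stand-in for the default boot choice described in the report.
newest_kernel() {
    sort -V | tail -n 1
}

# Live check on the current host; a missing fips_enabled file counts as 0.
release=$(uname -r)
enabled=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
echo "running kernel: $release"
echo "fips_enabled:   $enabled"
echo "verdict:        $(fips_state "$release" "$enabled")"

# Constructed sample of installed kernels after step 5.
echo "would boot:     $(printf '%s\n' 5.4.0-1026-fips 5.14.0-1042-oem | newest_kernel)"
```

A verdict of oem-kernel-running after the reboot corresponds to the observed behavior in the report.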