[Bug 1719671] Re: [SRU][xenial] include recent version containing fips
Joy Latten
joy.latten at canonical.com
Tue Oct 17 20:38:23 UTC 2017
** Description changed:
[IMPACT]
Most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial
Note: FIPS certified modules are only available for xenial. On other
releases the tool will not install and configure fips.
when "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips
Upon successful completion of these steps, the customer then gets a message stating to reboot
the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.
[FIX]
Add enable-fips to advantage script. See debdiff below.
[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.
[REGRESSION POTENTIAL]
The patch adds a new features to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.
+
+ [FIPS TESTCASES]
+ These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
+
+ XENIAL
+
+ 1. Collect status before enabling fips
+
+ type on commandline,
+ ubuntu-advantage status
+
+ expect,
+ livepatch: disabled
+
+ esm: disabled (not available)
+
+ fips: disabled
+
+ 2. Enable fips
+ Note: This will require a token or credentials to fips Private PPA, in
+ the form xxx:xxx
+
+ type on commandline,
+ sudo ubuntu-advantage enable-fips xxx:xxx
+
+ expect,
+ [sudo] password for ubuntu:
+ Running apt-get update... OK
+ Ubuntu FIPS PPA repository enabled.
+ Installing FIPS packages (this may take a while)... OK
+ Configuring FIPS...
+ Updating grub to enable fips... OK
+ Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
+
+ type on commandline,
+ sudo reboot
+
+ 3. Log back into system after reboot
+
+ type on commandline,
+ ubuntu-advantage status
+
+ expect,
+ livepatch: disabled
+
+ esm: disabled (not available)
+
+ fips: enabled
+
+
+ 4. verify fips kernel "4.4.0-1002-fips" has been installed
+
+ type on commandline,
+ uname -a
+
+ expect,
+ Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+
+
+ ZESTY
+ (Note that FIPS is not supported on zesty.)
+
+ 1. Collect status before enabling fips
+
+ type on commandline,
+ ubuntu-advantage status
+
+ expect,
+ livepatch: disabled (not available)
+
+ esm: disabled (not available)
+
+ fips: disabled (not available)
+
+ 2. Ensure that fips cannot be enabled on Zesty.
+ Note: This will require a token or credentials to fips Private PPA, in
+ the form xxx:xxx
+
+ type on commandline,
+ sudo ubuntu-advantage enable-fips xxx:xxx
+
+ expect,
+ Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
+
+ 3. Check that kernel is not fips kernel (4.4.0-1002-fips)
+
+ type on commandline,
+ uname -a
+
+ expect:
+ Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
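Review bot: XENIAL step 4 only confirms that the running kernel is named 4.4.0-1002-fips in the uname -a output; none of the added test cases checks that the kernel is actually operating in FIPS mode after the "Updating grub to enable fips" step. Suggest adding a post-reboot step that reads /proc/sys/crypto/fips_enabled (expect 1) and inspects /proc/cmdline for the fips setting the grub update wrote. Separately, step 2 in both the XENIAL and ZESTY cases passes the PPA credentials as a command-line argument (sudo ubuntu-advantage enable-fips xxx:xxx), which leaves them in shell history and visible in the process list while the command runs; the test plan should say to use a disposable token.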
--
https://bugs.launchpad.net/bugs/1719671
Title:
[SRU][xenial] include recent version containing fips
Status in ubuntu-advantage-tools package in Ubuntu:
Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
New
Status in ubuntu-advantage-tools source package in Zesty:
New
Bug description:
[IMPACT]
The most recent version of ubuntu-advantage-tool on github includes fips enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial.

Note: FIPS certified modules are only available for xenial. On other releases the tool will not install and configure fips.

When "ubuntu-advantage enable-fips <token>" is issued from commandline,
- configure the private PPA where the FIPS modules are located
- install the FIPS modules from this PPA to the local machine from where the script is run
- configure the bootloader to enable fips

Upon successful completion of these steps, the customer then gets a message stating to reboot the machine to complete the fips enablement process.
Without the script, customers must perform the steps manually.

[FIX]
Add enable-fips to advantage script. See debdiff below.

[TEST]
A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.

[REGRESSION POTENTIAL]
The patch adds a new feature to ubuntu-advantage-tool in Xenial to enable fips. Current functionality was not altered.

[FIPS TESTCASES]
These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.
XENIAL
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: disabled
2. Enable fips
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
[sudo] password for ubuntu:
Running apt-get update... OK
Ubuntu FIPS PPA repository enabled.
Installing FIPS packages (this may take a while)... OK
Configuring FIPS...
Updating grub to enable fips... OK
Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.
type on commandline,
sudo reboot
3. Log back into system after reboot
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled
esm: disabled (not available)
fips: enabled
4. verify fips kernel "4.4.0-1002-fips" has been installed
type on commandline,
uname -a
expect,
Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ZESTY
(Note that FIPS is not supported on zesty.)
1. Collect status before enabling fips
type on commandline,
ubuntu-advantage status
expect,
livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)
2. Ensure that fips cannot be enabled on Zesty.
Note: This will require a token or credentials to fips Private PPA, in
the form xxx:xxx
type on commandline,
sudo ubuntu-advantage enable-fips xxx:xxx
expect,
Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty
3. Check that kernel is not fips kernel (4.4.0-1002-fips)
type on commandline,
uname -a
expect:
Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
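
The checks in the test cases above can be scripted; the following is an added example, not part of the bug report or of ubuntu-advantage-tools. The function names are hypothetical, the sample text is constructed from the "expect" output above, and treating any mismatch between the reported fips state and the running kernel as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example: check captured command output against the FIPS test cases.

# Constructed sample input, copied from the "expect" text of the test cases.
XENIAL_STATUS='livepatch: disabled
esm: disabled (not available)
fips: enabled'
XENIAL_UNAME='Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux'
ZESTY_STATUS='livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)'
ZESTY_UNAME='Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux'

# fips_state STATUS_TEXT: print the text after "fips:" in status output.
fips_state() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*fips:[[:space:]]*//p' | head -n 1
}

# kernel_release UNAME_TEXT: print the third field of `uname -a` output.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# verify_fips STATUS_TEXT UNAME_TEXT: print PASS or FAIL with a reason.
# PASS means the reported state and the running kernel agree, as in
# XENIAL steps 3-4 (enabled + "-fips" kernel) and ZESTY steps 1 and 3.
# Assumption of this example: any disagreement is reported as FAIL.
verify_fips() {
    state=$(fips_state "$1")
    release=$(kernel_release "$2")
    case "$release" in *-fips) on_fips_kernel=yes ;; *) on_fips_kernel=no ;; esac
    case "$state:$on_fips_kernel" in
        enabled:yes)   echo "PASS: fips enabled on kernel $release" ;;
        disabled*:no)  echo "PASS: fips $state on kernel $release" ;;
        enabled:no)    echo "FAIL: status says enabled but kernel $release is not a fips kernel" ;;
        disabled*:yes) echo "FAIL: fips kernel $release is running but status says $state" ;;
        *)             echo "FAIL: no usable fips line in status output" ;;
    esac
}

verify_fips "$XENIAL_STATUS" "$XENIAL_UNAME"
verify_fips "$ZESTY_STATUS" "$ZESTY_UNAME"
# On a live system: verify_fips "$(ubuntu-advantage status)" "$(uname -a)"
```
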