[Bug 1719671] Re: [SRU][xenial] include recent version containing fips and livepatch

Eric Desrochers eric.desrochers at canonical.com
Wed Oct 18 20:45:30 UTC 2017


** Tags added: livepatch

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1719671

Title:
  [SRU][xenial] include recent version containing fips and livepatch

Status in ubuntu-advantage-tools package in Ubuntu:
  Fix Released
Status in ubuntu-advantage-tools source package in Xenial:
  New
Status in ubuntu-advantage-tools source package in Zesty:
  New

Bug description:
  [IMPACT]
  Most recent version of ubuntu-advantage-tool on github includes fips and livepatch enablement. The fips enablement will allow customers to easily install and configure Canonical's FIPS certified modules on xenial, whereas livepatch allows customers to patch the kernel without a reboot.

  This SRU will cover both new features.

  Note: FIPS certified modules and livepatch are only available for
  xenial. On other releases the tool will not install and configure fips
  or livepatch.

  [FIPS DESCRIPTION]
  When "ubuntu-advantage enable-fips <token>" is issued from commandline,

   - configure the private PPA where the FIPS modules are located
   - install the FIPS modules from this PPA to the local machine from where the script is run
   - configure the bootloader to enable fips

  Upon successful completion of these steps, the customer then gets a message stating to reboot
  the machine to complete the fips enablement process.

  Without the script, customers must perform the steps manually.

  [LIVEPATCH DESCRIPTION]
  TBW

  [FIX]

  Add enable-fips to advantage script. See debdiff below.

  [TEST]
  A test package is available: and it was tested by me on S390, PPC64EL and AMD64 architectures.

  [REGRESSION POTENTIAL]
  The patch adds new features to ubuntu-advantage-tool in Xenial to enable fips and livepatch. Current functionality was not altered.

  [FIPS TESTCASES]
  These testcases assume you have installed ubuntu-advantage-tools with the proposed changes.

  XENIAL

  1. Collect status before enabling fips

  type on commandline,
      ubuntu-advantage status

  expect,
      livepatch: disabled

      esm: disabled (not available)

      fips: disabled

  2. Enable fips
  Note: This will require a token or credentials to fips Private PPA, in
  the form xxx:xxx

  type on commandline,
      sudo ubuntu-advantage enable-fips xxx:xxx

  expect,
      [sudo] password for ubuntu:
      Running apt-get update... OK
      Ubuntu FIPS PPA repository enabled.
      Installing FIPS packages (this may take a while)... OK
      Configuring FIPS...
      Updating grub to enable fips... OK
      Successfully configured FIPS. PLEASE REBOOT to complete FIPS enablement.

  type on commandline,
      sudo reboot

  3. Log back into system after reboot

  type on commandline,
      ubuntu-advantage status

  expect,
      livepatch: disabled

      esm: disabled (not available)

      fips: enabled

  4. verify fips kernel "4.4.0-1002-fips" has been installed

  type on commandline,
      uname -a

  expect,
      Linux xenialguest 4.4.0-1002-fips #2-Ubuntu SMP Thu Apr 27 19:37:46 UTC  2017 x86_64 x86_64 x86_64 GNU/Linux

  ZESTY
  (Note that FIPS is not supported on zesty.)

  1. Collect status before enabling fips

  type on commandline,
      ubuntu-advantage status

  expect,
      livepatch: disabled (not available)

      esm: disabled (not available)

      fips: disabled (not available)

  2. Ensure that fips cannot be enabled on Zesty.
  Note: This will require a token or credentials to fips Private PPA, in
  the form xxx:xxx

  type on commandline,
      sudo ubuntu-advantage enable-fips xxx:xxx

  expect,
      Sorry, but Canonical FIPS 140-2 Modules is not supported on zesty

  3. Check that kernel is not fips kernel (4.4.0-1002-fips)

  type on commandline,
      uname -a

  expect:
      Linux ubuntu-zesty 4.10.0-19-generic #21-Ubuntu SMP Thu Apr 6 17:04:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/1719671/+subscriptions
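
The status and kernel checks from the XENIAL and ZESTY test cases above, as an added shell example that is not part of the bug report or of ubuntu-advantage-tools. The function names service_state and check_fips are hypothetical, the sample status text is constructed from the expected output in the test cases, and the rule that a FIPS kernel release ends in "-fips" is an assumption drawn from the 4.4.0-1002-fips example.

```shell
#!/bin/sh
# Added example: cross-check "ubuntu-advantage status" against the running kernel.
# service_state and check_fips are hypothetical helper names.
# On a real host: check_fips "$(ubuntu-advantage status)" "$(uname -r)"

# Sample status text, constructed from the expected output in the test cases.
XENIAL_AFTER='livepatch: disabled
esm: disabled (not available)
fips: enabled'
ZESTY='livepatch: disabled (not available)
esm: disabled (not available)
fips: disabled (not available)'

# Print the state word reported for one service, or "missing".
service_state() {  # $1 = status text, $2 = service name
    printf '%s\n' "$1" | awk -v svc="$2" '
        { sub(/^[ \t]+/, "") }                      # tolerate indented output
        index($0, svc ":") == 1 { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Return 0 when the reported fips state and the kernel release agree.
check_fips() {  # $1 = status text, $2 = kernel release (uname -r)
    state=$(service_state "$1" fips)
    # Assumption: a FIPS kernel release ends in "-fips" (e.g. 4.4.0-1002-fips).
    case "$2" in
        *-fips) kernel=fips ;;
        *)      kernel=other ;;
    esac
    case "$state/$kernel" in
        enabled/fips)   echo "OK: fips enabled, kernel $2"; return 0 ;;
        disabled/other) echo "OK: fips disabled, kernel $2"; return 0 ;;
        enabled/other)  echo "FAIL: status enabled, but $2 is not a -fips kernel"; return 1 ;;
        disabled/fips)  echo "FAIL: -fips kernel $2 running, but status disabled"; return 1 ;;
        *)              echo "FAIL: no usable fips line in status output"; return 1 ;;
    esac
}

# Demo on the constructed samples (both print OK).
check_fips "$XENIAL_AFTER" "4.4.0-1002-fips"
check_fips "$ZESTY" "4.10.0-19-generic"
```

A non-zero return covers the two mismatches the test cases are meant to catch: status reporting fips enabled while a non-FIPS kernel is running, and the reverse.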