Enabling FIPS with the pro tool

FIPS configuration can be enabled automatically via the Ubuntu Advantage tool after attaching your subscription. To install the tool, type the following commands.

sudo apt update
sudo apt install ubuntu-advantage-tools

Attach the subscription

NOTE: This step is not necessary in Ubuntu Pro images.

The FIPS packages are available on Ubuntu Pro or with an Ubuntu Advantage subscription. To attach your subscription, follow the steps in the official Ubuntu guide.

Enable FIPS

NOTE: Switching the system to the FIPS certified packages cannot be easily undone. We recommend using a test system for experimentation before trying this on a production system.

We recommend enabling the ‘fips-updates’ option, which receives security fixes promptly, before the packages are re-certified. However, we also provide the option to install only the validated packages, which are updated solely on re-validation.

Including timely security updates

  1. Enable FIPS including security updates.
    sudo pro enable fips-updates
  2. Verify that the system is attached to pro and has FIPS enabled.
    sudo pro status
  3. Please proceed to the reboot section.

Strictly with the certified packages

  1. Enable FIPS.
    sudo pro enable fips
  2. Verify that the system is attached to pro and has FIPS enabled.
    sudo pro status
  3. Please proceed to the reboot section.

Reboot

The pro client will install the necessary packages for FIPS mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into FIPS mode. The reboot will boot into the FIPS-supported kernel and create the /proc/sys/crypto/fips_enabled entry, which tells the FIPS certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, FIPS mode is not yet enabled.

To verify that FIPS is enabled after the reboot, check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed or was not the kernel that was booted. You can also verify that FIPS has been properly enabled with the pro status command.
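The post-reboot check above, written as a small POSIX shell function that distinguishes the three states the guide describes (entry missing, set to 0, set to 1). This is an added example, not part of the Ubuntu guide or the pro client; the file path is parameterised (an assumption of the example) so the check can be exercised against a constructed file as well as the real procfs entry.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): classify the FIPS state of a
# booted system from /proc/sys/crypto/fips_enabled.
# Assumption: the path is taken as an optional argument so the function can be
# tested against constructed files; with no argument it reads the real entry.

# Prints one of: enabled | disabled | no-fips-kernel | unknown
# Exit status: 0 only when FIPS mode is active.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -e "$f" ]; then
        # Entry absent: the FIPS kernel is not installed, or a non-FIPS kernel
        # was the one selected in GRUB at boot (the guide's "missing file" case).
        echo "no-fips-kernel"
        return 2
    fi
    case "$(cat "$f" 2>/dev/null)" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 3 ;;
    esac
}

# Human-readable wrapper; its non-zero exit status can gate a deployment step
# or a compliance scan so nothing proceeds on a system that is not in FIPS mode.
require_fips() {
    state=$(fips_state "$1")
    rc=$?
    case "$state" in
        enabled)        echo "FIPS mode active" ;;
        disabled)       echo "FIPS kernel booted but fips_enabled=0: re-run 'sudo pro enable fips' (or fips-updates) and reboot" ;;
        no-fips-kernel) echo "no /proc/sys/crypto/fips_enabled: boot the FIPS kernel (check the GRUB menu) after 'pro enable'" ;;
        *)              echo "unexpected content in ${1:-/proc/sys/crypto/fips_enabled}" ;;
    esac
    return $rc
}

# Run the check when the script is invoked with --check (constructed convention).
if [ "${1:-}" = "--check" ]; then
    require_fips
fi
```

Running `sh fips_check.sh --check` after the reboot prints the state and exits non-zero unless fips_enabled is 1, so it can be paired with `sudo pro status` for the verification step.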

FIPS and livepatching

The Livepatch service is enabled by default when attaching the system to the Ubuntu Advantage service. Livepatch is not compatible with the fips stream, so it will be disabled when fips is enabled. Livepatch is available on the fips-updates stream.


It would be good to explicitly state that a new and separate fips kernel is generated and that it will have to be explicitly selected in GRUB when booting. I spent a lot of time troubleshooting why /proc/sys/crypto didn’t even exist even though sudo ua status showed fips was enabled.

Hi, just to mention that since UA was renamed to Ubuntu Pro, the commands in this guide should all be changed from sudo ua <x> to sudo pro <x> instead.

Thank you @sally-makin, I updated all references to ua to pro!
