FIPS for Ubuntu
Canonical has certified several of Ubuntu’s cryptographic modules at Level 1 for Ubuntu 16.04 and 18.04. Some modules for Ubuntu 20.04 have been certified, but some are still undergoing the NIST certification process.
Until the OpenSSL and Strongswan packages for Ubuntu 20.04 make it through the NIST certification process, the ua enable fips[-updates] installation is unavailable for Ubuntu 20.04.
20.04 Architectures Certified
20.04 Platform Models Certified
- Supermicro SYS-1019P-WTR
20.04 Modules Certified
- Kernel Crypto API - NIST Kernel Crypto Security Policy (#3928)
- OpenSSL - NIST OpenSSL Security Policy (#3966)
- OpenSSH Client - OpenSSH now uses OpenSSL for cryptography.
- OpenSSH Server - OpenSSH now uses OpenSSL for cryptography.
- Strongswan - Pending.
- AWS Kernel Crypto API - Pending.
- Azure Kernel Crypto API - Pending.
- GCP Kernel Crypto API - Pending.
- IBM-GT Kernel Crypto API - Pending.
- Libgcrypt - NIST Libgcrypt Security Policy (#3902)
18.04 Architectures Certified
18.04 Platform Models Certified
- Supermicro SYS-5018R-WR
- IBM z/VM running on IBM z/14
18.04 Modules Certified
- Kernel Crypto API - NIST Kernel Crypto Security Policy (#3647)
- OpenSSL - NIST OpenSSL Security Policy (#3980)
- OpenSSH Client - NIST OpenSSH Client Security Policy (#3633)
- OpenSSH Server - NIST OpenSSH Server Security Policy (#3632)
- Strongswan - NIST Strongswan Security Policy (#3648)
- AWS Kernel Crypto API - NIST AWS Kernel Crypto Security Policy (#3664)
- Azure Kernel Crypto API - NIST Azure Kernel Crypto Security Policy (#3683)
- GCP Kernel Crypto API - NIST GCP Kernel Crypto Security Policy (#3954)
- IBM-GT Kernel Crypto API - Pending.
- Libgcrypt - NIST Libgcrypt Security Policy (#3748)
16.04 Architectures Certified
16.04 Platform Models Certified
- IBM Power System S822L (PowerNV 8247-22L)
- IBM Power System S822LC (PowerNV 8001-22C)
- IBM Power System S822LC (PowerNV 8335-GTB)
- Supermicro SYS-5018R-WR
- IBM z13 (running on LPAR)
16.04 Modules Certified
- Kernel Crypto API - NIST Kernel Crypto Security Policy (#3724)
- OpenSSL - NIST OpenSSL Security Policy (#3725)
- OpenSSH Client - NIST OpenSSH Client Security Policy (#2907)
- OpenSSH Server - NIST OpenSSH Server Security Policy (#2906)
- Strongswan - NIST Strongswan Security Policy (#2978)
Our approach in certifications
Each FIPS 140-2 certificate is valid for 5 years. However, vulnerabilities happen, and it is our intention to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative streams for obtaining the validated packages: the ‘fips-updates’ stream, which installs the certified packages together with regular security fixes that we intend to include in the next recertification, and the ‘fips’ stream, which installs only the certified cryptographic packages.
We recommend always installing vulnerability fixes on your system by enabling the ‘fips-updates’ stream, which includes them. The packages from the ‘fips-updates’ option are updated with high and critical security fixes during the whole product lifecycle, including the Extended Security Maintenance phase.
The following instructions enable the ‘fips-updates’ repository; to get the FIPS validated packages without security updates you can run these alternative commands.
Enable FIPS with the Ubuntu-Advantage tool
FIPS configuration can be enabled automatically via the Ubuntu Advantage Tool (also known as the “UA tool” or “UA client”) on bare metal, virtual, and cloud environments. Version 27.0 or higher of the UA tool is required to use this method. If the UA tool is already installed, it can report its own version (ua version).
apt can be used to install the latest version.
sudo apt update && sudo apt install ubuntu-advantage-tools
Access to the FIPS repositories is controlled by a token associated with an Ubuntu Advantage subscription.
Obtain the UA Token
This step is not necessary on Ubuntu Pro images.
Log in at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.
Under the “Your paid subscriptions” header, click on the down-arrow in the “machines” column for the row of your subscription. This may already be expanded.
Find your token within the provided attach command, which has the form sudo ua attach <TOKEN>. Save this token to complete the process below.
- Attach the system to the Ubuntu Advantage service.
sudo ua attach <TOKEN>
- Enable FIPS including security updates.
sudo ua enable fips-updates
- Verify that the system is attached to UA and has FIPS enabled.
sudo ua status
- Please proceed to the reboot section.
The ua client will install the necessary packages for FIPS mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into FIPS mode. The reboot will boot into the FIPS-supported kernel and create the /proc/sys/crypto/fips_enabled entry, which tells the FIPS certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, FIPS mode is not yet enabled.
To verify that FIPS is enabled after the reboot, check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed. You can also verify that FIPS has been properly enabled with the ua status command.
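The post-reboot check described above, written out as a small POSIX shell script. This is an added example, not part of Canonical's UA tooling: fips_state classifies /proc/sys/crypto/fips_enabled exactly as the text does (1, 0, or missing), and stream_enabled reports whether a chosen stream shows as enabled in a ua status listing passed in as text. The SERVICE/ENTITLED/STATUS column layout of that listing is an assumption, and the sample line in the comments is constructed.

```shell
#!/bin/sh
# fips-check.sh: added example, not part of Canonical's UA tooling.
# Classifies /proc/sys/crypto/fips_enabled as the page describes:
#   1       -> FIPS mode active
#   0       -> FIPS kernel booted, but the modules will not run in FIPS mode
#   missing -> FIPS kernel not installed (or the system was not rebooted into it)
# The path is a parameter so the function can be exercised on test files.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -e "$f" ]; then
        echo "no-fips-kernel"; return 2
    fi
    case "$(cat "$f" 2>/dev/null)" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 3 ;;
    esac
}

# Check whether a given stream ("fips" or "fips-updates") shows as enabled in
# a 'ua status' listing passed in as text. Assumption: the listing is a table
# whose first column is SERVICE and third column is STATUS, e.g. (constructed):
#   fips-updates  yes  enabled  NIST-certified core packages with security updates
stream_enabled() {
    printf '%s\n' "$2" | awk -v s="$1" '$1 == s && $3 == "enabled" { found = 1 }
                                        END { exit found ? 0 : 1 }'
}

# Human-readable summary. Written to be errexit-safe so other scripts can
# source this file; the exit code is the fips_state code (0 = FIPS active).
report() {
    rc=0
    state=$(fips_state "$1") || rc=$?
    echo "fips_enabled: $state"
    if [ "$rc" -ne 0 ]; then
        echo "FIPS mode is NOT active: check 'sudo ua status' and reboot into the FIPS kernel." >&2
    fi
    return "$rc"
}

# Run the live check only when executed directly as fips-check.sh.
case "$0" in
    *fips-check.sh) report "$@" ;;
esac
```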
FIPS and livepatching
The Livepatch service is enabled by default while attaching the system to the Ubuntu Advantage service. Livepatch and FIPS are not compatible, so it will be necessary to disable Livepatch when prompted.
Enabling strict FIPS
We recommend enabling the ‘fips-updates’ option, which includes security fixes. However, we also provide the option to install the validated packages that are only updated on revalidation.
After using the UA tool to attach your token, enable FIPS mode in the UA tool as shown below.
sudo ua enable fips
It is now necessary to reboot the system to run the updated kernel.
Announcement Mailing List
A mailing list is used to announce patches and news related to the FIPS packages and certifications. To request to join the mailing list, please send “join” in the email body to email@example.com. Announcements will be sent to the email address firstname.lastname@example.org from an “@canonical.com” email address.
Ubuntu Pro FIPS Systems
Please review the specific section for Ubuntu Pro FIPS systems rather than following the instructions on this page.
Ubuntu FIPS in Containers
Please review the specific section for Ubuntu FIPS in Containers rather than following the instructions on this page.