Ubuntu Advantage: Disabling FIPS manually

Enabling FIPS using Ubuntu Advantage installs a FIPS-certified kernel as well as a number of cryptographic packages and pins those packages to ensure the system remains FIPS-compliant.

FIPS can be disabled on the system using ubuntu-advantage-tools version 26.0 or later with the following commands:

sudo ua disable fips
sudo reboot

This will disable FIPS compliance on the machine by unsetting the GRUB configuration, which deactivates “FIPS mode” for the related cryptographic modules. It will not remove the FIPS kernel. On most systems, the non-FIPS packages will be a higher version and will be auto-updated the next time you run an apt upgrade.

In some systems, especially cloud images such as on AWS and Azure, the machine will continue to boot into the linux-aws-fips or linux-azure-fips kernel respectively because the kernel version is higher than the default linux-azure or linux-aws kernel in those images.

If there is an alternative kernel available on the system to boot with, you can remove the FIPS-specific kernel:

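  • Confirm that your system has a non-FIPS kernel; if on the cloud, look for a cloud-optimized kernel, linux-aws or linux-azure.
  • Remove the FIPS kernel on the machine and reboot:
# Collect the names of all packages matching linux-*-fips
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
# $FIPS_KERNELS is left unquoted on purpose so each package name is a separate argument
sudo apt-get remove $FIPS_KERNELS
sudo reboot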
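
As an added example (not part of the original post or of ubuntu-advantage-tools), the two steps above can be combined into one check that lists FIPS kernel packages for removal only when an installed non-FIPS kernel image exists. The function names, the sample package versions and the use of dpkg-query's db:Status-Status field are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decide which FIPS kernel packages
# are safe to remove, from "package status" lines on stdin. On a real system:
#   dpkg-query -W -f='${Package} ${db:Status-Status}\n' | plan_fips_removal

plan_fips_removal() {
    inventory=$(cat)

    # A bootable fallback is a versioned, fully installed kernel image whose
    # name does not end in -fips (for example a -generic, -aws or -azure image).
    fallback=$(printf '%s\n' "$inventory" | awk '
        $2 == "installed" && $1 ~ /^linux-image-[0-9]/ && $1 !~ /-fips$/ { print $1 }')

    if [ -z "$fallback" ]; then
        echo "no non-FIPS kernel image installed; refusing to plan removal" >&2
        return 1
    fi

    # Same name pattern as the post (linux-.*-fips), restricted to packages
    # that are actually installed rather than left in config-files state.
    printf '%s\n' "$inventory" | awk '
        $2 == "installed" && $1 ~ /^linux-.*-fips/ { print $1 }'
}

# Constructed sample inventories (names modelled on those in this thread;
# the -aws and -1099 versions are made up for the example).
sample_with_fallback() {
    cat <<'EOF'
linux-image-4.15.0-1114-fips installed
linux-image-hmac-4.15.0-1114-fips installed
linux-modules-4.15.0-1114-fips installed
linux-image-5.4.0-1100-aws installed
linux-image-4.15.0-1099-fips config-files
openssl installed
EOF
}

sample_fips_only() {
    cat <<'EOF'
linux-image-4.15.0-1114-fips installed
linux-image-aws config-files
openssl installed
EOF
}

sample_with_fallback | plan_fips_removal
sample_fips_only | plan_fips_removal || echo "kept FIPS kernel: nothing else to boot"
```

The printed list can be passed to sudo apt-get remove; a non-zero return means the FIPS kernel is the only bootable one and should stay until another kernel is installed.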

We also need an apt upgrade in here for the other crypto packages to upgrade to their non-fips versions, correct?

I wonder if ppa-purge would help.

I don’t think it’s true about package versions being numerically higher on the non-fips content. We had someone accidentally enable fips-updates on our organization key for UA and the systems that picked up automatic updates installed all of the fips packages.

We had to go back and manually clean this up by booting into an old kernel and then running these commands:

apt remove linux-headers-fips linux-image-4.15.0-1114-fips linux-image-hmac-4.15.0-1114-fips linux-modules-4.15.0-1114-fips linux-modules-extra-4.15.0-1114-fips linux-fips-headers-4.15.0-1114 linux-headers-4.15.0-1114-fips

apt install openssh-client=1:7.6p1-4ubuntu0.7+esm2 openssh-server=1:7.6p1-4ubuntu0.7+esm2 openssh-sftp-server=1:7.6p1-4ubuntu0.7+esm2 openssl=1.1.1-1ubuntu2.1~18.04.23+esm1 kcapi-tools=1.0.3-2 libgcrypt20:amd64=1.8.1-4ubuntu1.3 libkcapi1:amd64=1.0.3-2 libssl1.1:amd64=1.1.1-1ubuntu2.1~18.04.23+esm1

dpkg --purge ubuntu-fips fips-initramfs linux-image-4.15.0-1114-fips linux-modules-4.15.0-1114-fips linux-modules-extra-4.15.0-1114-fips

It was a huge pain.