Ubuntu Advantage: Disabling FIPS manually

Server
#1

Enabling FIPS using Ubuntu Advantage installs a FIPS-certified kernel as well as a number of cryptographic packages and pins those packages to ensure the system remains FIPS-compliant.

FIPS can be disabled on the system using ubuntu-advantage-tools version 26.0 or later with the following commands:

sudo ua disable fips
sudo reboot

This will disable FIPS compliance on the machine by unsetting GRUB configuration which will deactivate “FIPS mode” for related cryptographic modules. It will not remove the FIPS kernel.

In some cloud images, AWS and Azure, the machine will continue to boot into the linux-aws-fips or linux-azure-fips kernel respectively because the kernel version is higher than the default linux-azure or linux-aws kernel in those images.

If desired, the inactive cloud-optimized FIPS kernel can be removed:

  • Confirm that your cloud-optimized kernel linux-aws or linux-azure is installed and bootable on that system
  • Remove the cloud-optimized fips kernel on the machine and reboot
CLOUD_OPTIMIZED_FIPS=`dpkg-query -W -f='${Package}\n'| egrep (linux-azure-fips|linux-aws-fips)`
sudo apt-get remove $CLOUD_OPTIMIZED_FIPS
sudo reboot
#2

We also need an apt upgrade in here for the other crypto packages to upgrade to their non-fips versions correct?

#3

I wonder if ppa-purge would help.

#4

@chad.smith @rick_h I am thinking about modifying this text to not directly refer to clouds, since this problem can also happen on desktop machines. My idea is to be generic enough on how we handle it.

My proposal is to modify the later paragraphs into:

In some systems, the machine will continue to boot into the FIPS kernel
because the kernel version is higher than the default kernel in those images.

If desired, the inactive FIPS kernel can be removed:

  • Confirm that you have another kernel installed and bootable on that system
  • Remove the FIPS kernel on the machine and reboot
 FIPS_KERNEL_PKGS=`dpkg-query -W -f='${Package}\n'| egrep linux-.*-fips`
 sudo apt-get remove $FIPS_KERNEL_PKGS
 sudo reboot