canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

Bug: enable fips-preview on raspberry pi fails - `pro` should not allow enabling any fips variant on a raspberry pi #3336

Open bryopsida opened 5 days ago

bryopsida commented 5 days ago

Description of the bug

When attempting to enable the fips-preview service on a Raspberry Pi 4, via `sudo pro enable fips-preview`, it fails.

Expected behavior

The fips installation should succeed and correctly configure the fips kernel to be used on next boot with fips mode enabled.

Current behavior

`sudo pro enable fips-preview` fails with an apt error.

To Reproduce

1) Install Ubuntu Server 22.04.5 64-bit using rpi-imager onto an SD card for a Raspberry Pi
2) Attach a pro subscription
3) Run `sudo pro enable fips-preview`

This will fail with the error message

```
Unexpected APT error.
Failed running command 'apt-get install --assume-yes --allow-downgrades -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" ubuntu-fips' [exit(100)]. Message: E: Sub-process /usr/bin/dpkg returned an error code (1)

See /var/log/ubuntu-advantage.log
Could not enable FIPS Preview.
```

System information:

Additional context

The apt install fails because `/boot/grub` does not exist.

If I run `mkdir /boot/grub` and then `pro enable fips-preview` it completes, but it does not correctly set up the kernel to be booted. The reason is that it has placed the kernel at `/boot/` instead of `/boot/firmware`.

If I do the following from the boot directory it sets up booting the kernel

```
sudo cp ./initrd.img ./firmware/
sudo cp ./vmlinuz ./firmware/
```

After doing the following and rebooting it correctly uses the kernel.

```
$ uname -s -r -v -i -p
Linux 5.15.0-73-fips #80+fips1-Ubuntu SMP Thu Jun 1 21:01:51 UTC 2023 aarch64 aarch64
```

The next issue is fips mode is not enabled.

```
$ cat /proc/sys/crypto/fips_enabled
0
$ fips-mode-setup --check 
Installation of FIPS modules is not completed.
FIPS mode is disabled.
```

To try and remedy this I add `fips=1` to `/boot/firmware/cmdline.txt`

After doing this last step the system does not boot, which I suspect is because fips=0 isn't recognized as something valid when getting passed through the boot sequence https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#boot-sequence.

orndorffgrant commented 4 days ago

Hello @bryopsida

Unfortunately, fips is not supported on Raspberry Pis. The fips kernel is based on the generic kernel and is missing various raspi patches.

I'll leave this issue open, but re-title it to represent that pro should not allow you to try to enable fips on a raspberry pi, since it will not work.

bryopsida commented 3 days ago

FWIW it was able to boot and have network access with the fips kernel. It wasn't until I tried to set fips=1 in cmdline.txt that it failed to boot.
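
A read-only check for the states described in this thread, added here as an example (not ubuntu-pro-client code): it flags Raspberry Pi hardware first, then separates "FIPS kernel booted" from "FIPS mode actually on". The function names, verdict strings and the constructed sample tree are assumptions; the `/proc` paths are the standard Linux ones.

```python
# Added example (not ubuntu-pro-client code): classify a host's FIPS state.
import os
import tempfile
from pathlib import Path

def read_text(root, rel):
    """Return the text of root/rel, or '' when the file is absent."""
    try:
        # Device-tree strings are NUL-terminated, so strip NULs too.
        return (Path(root) / rel).read_text(errors="replace").strip("\x00\n ")
    except OSError:
        return ""

def fips_state(root="/", kernel_release=None):
    """Report platform and FIPS indicators found under `root`."""
    release = kernel_release if kernel_release is not None else os.uname().release
    state = {
        "raspberry_pi": "Raspberry Pi" in read_text(root, "proc/device-tree/model"),
        "fips_kernel": "fips" in release,
        "fips_cmdline": "fips=1" in read_text(root, "proc/cmdline").split(),
        "fips_enabled": read_text(root, "proc/sys/crypto/fips_enabled") == "1",
    }
    if state["raspberry_pi"]:
        # Per the maintainer's reply, FIPS is not supported on this platform.
        state["verdict"] = "unsupported-platform"
    elif state["fips_kernel"] and state["fips_enabled"]:
        state["verdict"] = "fips-active"
    elif state["fips_kernel"]:
        # The state reported above: FIPS kernel booted, fips_enabled is 0.
        state["verdict"] = "fips-kernel-without-fips-mode"
    else:
        state["verdict"] = "fips-inactive"
    return state

def make_sample_root(model, fips_enabled="0", cmdline="console=tty1 root=LABEL=writable"):
    """Build a constructed /proc-like tree in a temp dir for offline runs."""
    root = Path(tempfile.mkdtemp())
    files = {"proc/cmdline": cmdline + "\n",
             "proc/sys/crypto/fips_enabled": fips_enabled + "\n"}
    if model:
        files["proc/device-tree/model"] = model + "\x00"
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root

if __name__ == "__main__":
    pi = make_sample_root("Raspberry Pi 4 Model B Rev 1.4")  # constructed model string
    print(fips_state(pi, kernel_release="5.15.0-73-fips"))
```

Calling `fips_state()` with no arguments reads the live `/proc` of the host it runs on.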