FIPS 140-2 Enablement doesn't create fips_enabled File

Asked by Joe Schmeling

Executed the following command:
sudo ua enable fips-updates

Rebooted

Ran: sudo cat /proc/sys/crypto/fips_enabled
Results: /proc/sys/crypto/fips_enabled: No such file or directory

Results of: sudo ua status

SERVICE       ENTITLED  STATUS    DESCRIPTION
esm-infra     yes       enabled   Expanded Security Maintenance for Infrastructure
fips-updates  yes       enabled   NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
usg           yes       disabled  Security compliance and audit tools

Question information

Language: English
Status: Answered
For: Ubuntu

Bernard Stafford (bernard010) said :
#1
Joe Schmeling (schjo06) said :
#2

Those are the instructions I followed.

Not sure if it's related:

If I run dpkg --list | grep linux-image I see 5 fips linux images.

Running uname -r returns 5.15.0-53-generic

Thanks

Bernard Stafford (bernard010) said :
#3

ua status --all

Then reboot to put the system into FIPS mode.
Look for the entry /proc/sys/crypto/fips_enabled.
Finally, let’s check that FIPS is enabled by checking the /proc/sys/crypto/fips_enabled file and ensure it is set to “1”. If it is set to “0”, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed. If it is not set to “1” when you check then the FIPS kernel may not have loaded. In this case try rebooting and check it again.
Do you have a 1 or a 0?
Check your status after reboot again.

Joe Schmeling (schjo06) said :
#4

Same result:
sudo cat /proc/sys/crypto/fips_enabled
cat: /proc/sys/crypto/fips_enabled: No such file or directory

So I ran: dmesg | grep fips

which returned:

[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-53-generic root=UUID=55c6a5a0-1b2d-4aca-9299-11183226c34d ro audit=1 quiet splash fips=1 vt.handoff=7
[ 0.057900] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.15.0-53-generic root=UUID=55c6a5a0-1b2d-4aca-9299-11183226c34d ro audit=1 quiet splash fips=1 vt.handoff=7
[ 0.058025] Unknown kernel command line parameters "splash BOOT_IMAGE=/boot/vmlinuz-5.15.0-53-generic fips=1", will be passed to user space.
[ 6.357855] fips=1

"Unknown kernel command line parameters" doesn't seem like a good thing in this case.

Thanks!

Bernard Stafford (bernard010) said :
#5

https://askubuntu.com/questions/33416/how-do-i-disable-the-boot-splash-screen-and-only-show-kernel-and-boot-text-inst

https://wiki.ubuntu.com/Kernel/KernelBootParameters
  * That is just the Ubuntu logo on the screen during startup.
  Mine is detailed text during startup.

Redo the: sudo ua enable fips-updates
Reboot and check again

Joe Schmeling (schjo06) said :
#6

Sort of on the right track now based on your links. I managed to boot into fips mode and cat /proc/crypto/fips_enabled now returns 1

So I think my next step is to make the fips image the default image to boot into.

Thanks for the help!
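
A check for the mismatch this thread ran into (fips=1 on the kernel command line while a -generic kernel is running), as an added example that is not part of the original posts or of Canonical's tooling. The function name fips_diagnose, its arguments and its exit codes are hypothetical, and it assumes FIPS kernel release strings contain "fips", as the linux-image listing mentioned in the thread suggests.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from Canonical).
# fips_diagnose RELEASE CMDLINE FLAGFILE
#   RELEASE  : output of `uname -r`
#   CMDLINE  : contents of /proc/cmdline
#   FLAGFILE : normally /proc/sys/crypto/fips_enabled
# Exit codes: 0 FIPS mode on, 1 flag present but not 1,
#             2 flag missing on a non-FIPS kernel, 3 flag missing on a FIPS kernel.
fips_diagnose() {
    release=$1 cmdline=$2 flagfile=$3

    # Was FIPS mode requested at boot? Match fips=1 as a whole word.
    case " $cmdline " in
        *" fips=1 "*) requested=yes ;;
        *)            requested=no ;;
    esac

    # Assumption: FIPS kernel releases contain "fips" in their name.
    case "$release" in
        *fips*) kernel=fips ;;
        *)      kernel=other ;;
    esac

    if [ -r "$flagfile" ]; then
        value=$(cat "$flagfile")
        if [ "$value" = 1 ]; then
            echo "OK: kernel $release is running in FIPS mode"
            return 0
        fi
        echo "FAIL: fips_enabled=$value on $release (fips=1 requested: $requested)"
        return 1
    fi

    if [ "$kernel" = other ]; then
        echo "FAIL: fips_enabled missing; booted non-FIPS kernel $release (fips=1 requested: $requested)"
        return 2
    fi
    echo "FAIL: fips_enabled missing on $release although its name looks like a FIPS kernel"
    return 3
}

# Values from the thread (command line abbreviated from the dmesg output in #4);
# the flag file path is a constructed, nonexistent path standing in for the missing file.
fips_diagnose "5.15.0-53-generic" \
    "BOOT_IMAGE=/boot/vmlinuz-5.15.0-53-generic ro audit=1 quiet splash fips=1 vt.handoff=7" \
    /nonexistent/fips_enabled || echo "exit status $?"

# On a live system:
#   fips_diagnose "$(uname -r)" "$(cat /proc/cmdline)" /proc/sys/crypto/fips_enabled
```

Exit status 2 with "fips=1 requested: yes" is the state reported in #2 and #4: the boot entry carries fips=1 but the kernel that loaded is not a FIPS kernel.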

Bernard Stafford (bernard010) said :
#7
