Score:1

Ubuntu FIPS broke package manager


I enabled Ubuntu FIPS, and suddenly I am not able to install anything. Here is a sample of the error output. This happens with any package I try to install.

```
laptop@my-laptop:~$ sudo apt install -f gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
gcc is already the newest version (4:9.3.0-1ubuntu2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
Processing triggers for initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-91-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-91-generic with 1.
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
Processing triggers for linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
/etc/kernel/postinst.d/dkms:
 * dkms: running auto installation service for kernel 5.4.0-1007-fips
   ...done.
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.4.0-1007-fips
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-1007-fips with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-5.4.0-1007-fips (--configure):
 installed linux-image-5.4.0-1007-fips package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 initramfs-tools
 linux-image-5.4.0-1007-fips
E: Sub-process /usr/bin/dpkg returned an error code (1)
```

I am using Ubuntu 20.04 LTS; I upgraded with `do-release-upgrade`.

```
laptop@my-laptop:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal
laptop@my-laptop:~$ sudo apt update
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 https://packages.microsoft.com/repos/edge stable InRelease
Hit:4 https://packages.microsoft.com/repos/ms-teams stable InRelease
Hit:5 https://deb.nodesource.com/node_15.x focal InRelease
Get:6 https://packages.microsoft.com/repos/code stable InRelease [10,4 kB]
Hit:7 https://packages.cloud.google.com/apt cloud-sdk InRelease
Hit:8 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease
Hit:9 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu focal InRelease
Hit:10 http://ppa.launchpad.net/linuxuprising/apps/ubuntu focal InRelease
Hit:11 https://repo.nordvpn.com/deb/nordvpn/debian stable InRelease
Hit:12 http://ppa.launchpad.net/shevchuk/dnscrypt-proxy/ubuntu focal InRelease
Hit:13 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
Get:14 https://esm.ubuntu.com/cis/ubuntu focal InRelease [3138 B]
Get:15 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease [7426 B]
Hit:16 https://packages.cloud.google.com/apt kubernetes-xenial InRelease
Hit:17 https://download.sublimetext.com apt/stable/ InRelease
Get:18 https://packages.microsoft.com/repos/code stable/main amd64 Packages [64,0 kB]
Get:19 https://packages.microsoft.com/repos/code stable/main armhf Packages [64,9 kB]
Get:20 https://packages.microsoft.com/repos/code stable/main arm64 Packages [64,9 kB]
Hit:21 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/focal pgadmin4 InRelease
Fetched 215 kB in 7s (30,1 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
laptop@my-laptop:~$ dpkg -L libgcrypt20 | grep .so.20.2.5
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5
laptop@my-laptop:~$
```

I tried to disable FIPS, but the issue remains the same.

```
laptop@my-laptop:~$ ua status --all
SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis           yes       enabled   Center for Internet Security Audit Tools
esm-apps      no        —         UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
ros           no        —         Security Updates for the Robot Operating System
ros-updates   no        —         All Updates for the Robot Operating System

Enable services with: ua enable <service>
```

Adding more information as per @Someone's request:

```
laptop@my-laptop:~$ sudo chmod +x /usr/share/initramfs-tools/hooks/fips-libgcrypt
laptop@my-laptop:~$ sudo apt -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
Processing triggers for initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-91-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-91-generic with 1.
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
Processing triggers for linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
/etc/kernel/postinst.d/dkms:
 * dkms: running auto installation service for kernel 5.4.0-1007-fips
   ...done.
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.4.0-1007-fips
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-1007-fips with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-5.4.0-1007-fips (--configure):
 installed linux-image-5.4.0-1007-fips package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 initramfs-tools
 linux-image-5.4.0-1007-fips
E: Sub-process /usr/bin/dpkg returned an error code (1)
laptop@my-laptop:~$
```

And here are the libgcrypt versions on my Ubuntu:

```
laptop@my-laptop:~$ ls -a /usr/lib/x86_64-linux-gnu/ | grep libgcrypt
libgcrypt.so.20
libgcrypt.so.20.2.5
laptop@my-laptop:~$
```

I am not sure what I am doing wrong here. Thanks in advance for your help.

Someone avatar
Welcome to Ask Ubuntu! Please [edit] to include the output of `sudo apt -f install` and `lsb_release -a` followed by `sudo apt update`
Someone avatar
Was your system first Bionic? Did you upgrade it via `do-release-upgrade`? Please [edit] to include `dpkg -L libgcrypt20 | grep .so.20.2.5`
neninho avatar
Hello @Someone, yes, my system was initially Bionic, and I upgraded it to Focal about 2 years ago. I edited the question to include the commands requested. Thanks.
Someone avatar
@neninho OK! Can you run `chmod +x /usr/share/initramfs-tools/hooks/fips-libgcrypt` followed by `sudo apt -f install` and report back?
neninho avatar
Hi @Someone, thanks for your help so far. The problem is still the same. I edited the question to include them, as I can't do it in the comments.
Someone avatar
Thanks for the outputs! I would also appreciate the output of `ls -a /usr/lib/x86_64-linux-gnu/ | grep libgcrypt`
neninho avatar
Done, included the results here and in the question itself. Thanks again.
```
laptop@my-laptop:~$ ls -a /usr/lib/x86_64-linux-gnu/ | grep libgcrypt
libgcrypt.so.20
libgcrypt.so.20.2.5
```
Score:0

Finally, I was able to make it work; unfortunately, some manual steps were required. First I removed the Ubuntu FIPS kernel (I used UKUU for that); next I removed the FIPS stuff:

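```
# Collect the names of all installed FIPS kernel packages
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
# Left unquoted on purpose so each package name becomes its own argument
sudo apt-get remove $FIPS_KERNELS
sudo reboot
```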

After that I deleted all the kernel entries I wasn't using from `/boot`, and finally deleted all the FIPS entries from:

```
sudo su
# Run rm only if the cd succeeded
cd /usr/share/initramfs-tools/hooks/ && rm -rf fips*
```

I am not sure if all the steps were required, but it worked for me.
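
A read-only check for the state shown in the question, added here as an example (not code from the original post or from Ubuntu): it reports whether the `fips-libgcrypt` hook is present without the HMAC file it tries to copy, lists leftover `fips*` hooks, and lists packages dpkg has not finished configuring. The function names and the `ROOT` variable are assumptions of this example; the paths are the ones in the error output above.

```shell
#!/bin/sh
# Added example: read-only, nothing is removed or reconfigured.

# HMAC file expected beside a library: /dir/libX.so.N -> /dir/.libX.so.N.hmac
hmac_path() {
    printf '%s/.%s.hmac\n' "$(dirname "$1")" "$(basename "$1")"
}

# Print the fips* initramfs hooks under root $1 ("" means the live system).
fips_hooks() {
    for h in "$1"/usr/share/initramfs-tools/hooks/fips*; do
        if [ -e "$h" ]; then printf '%s\n' "$h"; fi
    done
}

# stdin: "package want flag state" lines, as printed by
# dpkg-query -W -f='${Package} ${Status}\n'. Prints packages that should be
# installed but are not fully configured.
unconfigured() {
    awk '$2 == "install" && $4 != "installed" { print $1 }'
}

# Prints "hmac-missing" when the fips-libgcrypt hook exists under root $1 but
# the HMAC file it copies does not; prints "ok" otherwise.
check_libgcrypt() {
    hook="$1/usr/share/initramfs-tools/hooks/fips-libgcrypt"
    hmac=$(hmac_path "$1/usr/lib/x86_64-linux-gnu/libgcrypt.so.20")
    if [ -e "$hook" ] && [ ! -e "$hmac" ]; then
        echo hmac-missing
    else
        echo ok
    fi
}

# Report for the live system, or for a copy of it when ROOT is set (assumed
# variable name).
ROOT=${ROOT:-}
echo "fips-libgcrypt hook vs HMAC file: $(check_libgcrypt "$ROOT")"
fips_hooks "$ROOT" | sed 's/^/leftover hook: /'
if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Package} ${Status}\n' | unconfigured |
        sed 's/^/not fully configured: /'
    # Name the package, if any, that ships each leftover hook.
    fips_hooks "$ROOT" | while read -r h; do dpkg -S "$h" 2>/dev/null || true; done
fi
```

When `dpkg -S` names an owning package for a leftover hook, removing that package keeps dpkg's database consistent with what is on disk.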
