Score:1

Ubuntu 20.04 LTS Failed Remove FIPS Packages

I have an Ubuntu 20.04 Server with the FIPS kernel and packages enabled. The problem is that some of our applications need a specific version of openssl which is not compatible with the openssl provided by the FIPS packages.

Thus, I tried to remove the FIPS kernel and packages by running:

    sudo ua disable fips fips-updates

After that, I did the following to remove the FIPS kernel:

  1. Set the boot entry to use Ubuntu, with the Linux 5.4.0-100-generic kernel as the default kernel, in /etc/default/grub
  2. Reboot the server
  3. Confirm that the kernel is Linux 5.4.0-100-generic and not the FIPS kernel
  4. Remove the FIPS kernel with the official method: https://discourse.ubuntu.com/t/ubuntu-advantage-disabling-fips-manually/20738
  5. Reboot the server
  6. Now my server is on the Linux 5.4.0-100-generic kernel

But the problem is that I saw there are still some FIPS packages installed:

    $ sudo dpkg --list | grep fips
    ic  fips-initramfs-generic                0.0.15+generic1                            amd64        FIPS 140-2 kernel tests
    ii  libgcrypt20:amd64                     1.8.5-5ubuntu1.fips.1.5                    amd64        LGPL Crypto library - runtime library
    ii  libgcrypt20-hmac:amd64                1.8.5-5ubuntu1.fips.1.5                    amd64        FIPS HMAC integrity check files for libgcrypt20 library.
    ii  libssl1.1:amd64                       1.1.1f-1ubuntu2.fips.7.2                   amd64        Secure Sockets Layer toolkit - shared libraries
    ii  libssl1.1-hmac:amd64                  1.1.1f-1ubuntu2.fips.7.2                   amd64        Secure Sockets Layer toolkit - FIPS HMAC integrity check
    rc  linux-image-5.4.0-1037-fips           5.4.0-1037.43                              amd64        Signed kernel image fips
    rc  linux-modules-5.4.0-1037-fips         5.4.0-1037.43                              amd64        Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
    ic  linux-modules-extra-5.4.0-1037-fips   5.4.0-1037.43                              amd64        Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
    ii  openssh-client                        1:8.2p1-4ubuntu0.fips.0.2.1                amd64        secure shell (SSH) client, for secure access to remote machines
    ii  openssh-server                        1:8.2p1-4ubuntu0.fips.0.2.1                amd64        secure shell (SSH) server, for secure access from remote machines
    ii  openssh-sftp-server                   1:8.2p1-4ubuntu0.fips.0.2.1                amd64        secure shell (SSH) sftp server module, for SFTP access from remote machines
    ii  openssl                               1.1.1f-1ubuntu2.fips.7.2                   amd64        Secure Sockets Layer toolkit - cryptographic utility
    rc  ubuntu-fips                           1.2.4+updates1                             amd64        Install and configure linux-fips kernel and user space modules

Meanwhile, my UA status looks like this:

    $ sudo ua status
    SERVICE       ENTITLED  STATUS    DESCRIPTION
    cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
    cis           yes       disabled  Security compliance and audit tools
    esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
    fips          yes       n/a       NIST-certified core packages
    fips-updates  yes       disabled  NIST-certified core packages with priority security updates
    livepatch     yes       enabled   Canonical Livepatch service

    NOTICES
    FIPS kernel is running in a disabled state.
      To manually remove fips kernel: https://discourse.ubuntu.com/t/20738

    Enable services with: ua enable <service>

How can I remove all the FIPS packages and use the default ones that Ubuntu provides?

Thank you

Score:0

I have found a method to downgrade/uninstall the FIPS packages, described below:

  1. Check the FIPS packages installed on the server

    $ sudo dpkg --list | grep fips

  2. Then, check the available versions of each package from the Ubuntu repository

    $ sudo apt policy openssl libgcrypt20:amd64 libgcrypt20-hmac:amd64 libssl1.1:amd64 libssl1.1-hmac:amd64 openssh-client openssh-server openssh-sftp-server

    You will see the versions of the packages that are available.

  3. Reinstall the packages with a specific version:

    $ sudo apt install openssl=1.1.1f-1ubuntu2.10 libgcrypt20=1.8.5-5ubuntu1.1 libssl1.1=1.1.1f-1ubuntu2.10 openssh-client=1:8.2p1-4ubuntu0.4 openssh-server=1:8.2p1-4ubuntu0.4 openssh-sftp-server=1:8.2p1-4ubuntu0.4

  4. Make sure all packages are updated to the latest version:

    $ sudo apt update && sudo apt dist-upgrade -y

  5. Reboot

If my method above is unsafe or wrong, please reply or suggest a better solution.

Thank you
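
A way to triage the `dpkg --list | grep fips` output from this thread before picking versions, as an added example that is not part of either post. The function names are hypothetical, the sample rows are copied from the question's listing with a constructed header and one constructed `example-pkg` row, and the printed actions are suggestions that still need to be confirmed with `apt policy`.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Triage FIPS leftovers in
# `dpkg --list` text read from stdin; prints "<action> <package> <version>".
#   purge     - only config files remain (second state letter is c: rc, ic)
#   downgrade - installed, version carries a fips tag; confirm a non-FIPS
#               candidate exists with `apt policy` before pinning a version
#   remove    - installed package that is FIPS-only by name
classify_fips_packages() {
  awk '
    # Data rows start with a dpkg state such as ii, rc, ic; headers do not.
    $1 ~ /^[uirph][ncHUFWti]R?$/ && ($2 ~ /fips/ || $3 ~ /fips/) {
      if (substr($1, 2, 1) == "c") action = "purge"
      else if ($3 ~ /fips/)        action = "downgrade"
      else                         action = "remove"
      print action, $2, $3
    }'
}

# Build the `apt policy` query for the packages that need a downgrade.
policy_command() {
  classify_fips_packages |
    awk 'BEGIN { printf "apt policy" }
         $1 == "downgrade" { printf " %s", $2 }
         END { print "" }'
}

# Sample input: rows copied from the question, plus a constructed header
# and one constructed non-FIPS row (example-pkg) that must be ignored.
sample_dpkg_list() {
  cat <<'EOF'
||/ Name                         Version                      Architecture Description
+++-============================-============================-============-===========
ic  fips-initramfs-generic       0.0.15+generic1              amd64        FIPS 140-2 kernel tests
ii  libssl1.1:amd64              1.1.1f-1ubuntu2.fips.7.2     amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssh-server               1:8.2p1-4ubuntu0.fips.0.2.1  amd64        secure shell (SSH) server, for secure access from remote machines
rc  linux-image-5.4.0-1037-fips  5.4.0-1037.43                amd64        Signed kernel image fips
ii  example-pkg                  1.0-1                        amd64        constructed row without a FIPS build
EOF
}

sample_dpkg_list | classify_fips_packages
sample_dpkg_list | policy_command
```

On a real host, pipe `dpkg --list` into `classify_fips_packages` instead of the sample; rows marked `purge` correspond to the `rc`/`ic` entries that remain after the kernel removal described in the question.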
