FIPS for Ubuntu

Certification information

Canonical has certified several of Ubuntu’s cryptographic modules at Level 1 for Ubuntu 16.04 and 18.04. Some modules for Ubuntu 20.04 have been certified, but some are still undergoing the NIST certification process.

Until the OpenSSL and Strongswan packages for Ubuntu 20.04 make it through the NIST certification process, the ua enable fips[-updates] installation is unavailable for Ubuntu 20.04.

20.04 Architectures Certified

  • amd64

20.04 Platform Models Certified

  • Supermicro SYS-1019P-WTR

20.04 Modules Certified

  • Kernel Crypto API - NIST Kernel Crypto Security Policy (#3928)
  • OpenSSL - Pending.
  • OpenSSH Client - OpenSSH now uses OpenSSL for cryptography.
  • OpenSSH Server - OpenSSH now uses OpenSSL for cryptography.
  • Strongswan - Pending.
  • AWS Kernel Crypto API - Pending.
  • Azure Kernel Crypto API - Pending.
  • GCP Kernel Crypto API - Pending.
  • IBM-GT Kernel Crypto API - Pending.
  • Libgcrypt - NIST Libgcrypt Security Policy (#3902)

18.04 Architectures Certified

  • amd64
  • s390x

18.04 Platform Models Certified

  • Supermicro SYS-5018R-WR
  • IBM z/VM running on IBM z/14

18.04 Modules Certified

16.04 Architectures Certified

  • amd64
  • ppc64el
  • s390x

16.04 Platform Models Certified

  • IBM Power System S822L (PowerNV 8247-22L)
  • IBM Power System S822LC (PowerNV 8001-22C)
  • IBM Power System S822LC (PowerNV 8335-GTB)
  • Supermicro SYS-5018R-WR
  • IBM z13 (running on LPAR)

16.04 Modules Certified

Announcement Mailing List

A mailing list is used to announce patches and news related to the FIPS packages and certifications. To request to join the mailing list, please send "join" in the email body to ubuntu-certs-announce-request@lists.canonical.com. Announcements will be sent to the email address ubuntu-certs-announce@lists.canonical.com from an "@canonical.com" email address.

Ubuntu Pro FIPS Systems

Please review the specific section for Ubuntu Pro FIPS systems rather than following the instructions in this page.

Ubuntu FIPS in Docker Containers

Please review the specific section for Ubuntu FIPS in Docker Containers rather than following the instructions in this page.

Ubuntu-Advantage Tool Installation

FIPS configuration can be enabled automatically via the Ubuntu Advantage Tool (also known as the "UA tool" or "UA client") on bare-metal, virtual, and cloud systems. Version 27.0 or higher of the UA tool is required to use this method. If the UA tool is already installed, it can report its version:

ua version

If necessary, apt can be used to install the latest version.

sudo apt update && sudo apt install ubuntu-advantage-tools

Access to the FIPS repositories is controlled by a token associated with an Ubuntu Advantage subscription.

Ubuntu PRO FIPS images for AWS and Azure already have an attached Ubuntu Advantage token with FIPS active, so launching a PRO FIPS image requires no further action. See this page for more information.

Ubuntu PRO images for AWS, Azure, and GCP already have an attached token, so step #1 in "Setting up the FIPS repository with the UA tool" can be skipped.

Obtaining UA Token

  1. Login at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.
  2. Under the "Your paid subscriptions" header, click on the down-arrow in the "machines" column for the row of your subscription. This may already be expanded.
  3. Find your token from within the provided attach command in the format of sudo ua attach <TOKEN>. Save this token to complete the process below.

Setting up the FIPS packages with the UA tool

  1. Attach the system to the Ubuntu Advantage service.

    sudo ua attach <TOKEN>

  2. Enable the FIPS configuration.

    sudo ua enable fips

  3. Verify that the system is attached to UA and has FIPS enabled.

    sudo ua status

  4. Please proceed to the reboot section.

The Livepatch service is enabled by default when the system is attached to the Ubuntu Advantage service. Livepatch and FIPS are not compatible, so Livepatch must be disabled when prompted.

The uncertified FIPS-Updates packages may also be enabled by running an additional command.

Reboot

Once the bootloader has been updated (by the installation of ubuntu-fips), the system is ready to be rebooted. You MUST reboot to put the system into FIPS mode: the reboot boots the FIPS-supported kernel, which creates the /proc/sys/crypto/fips_enabled entry that tells the FIPS-certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, the certified modules will NOT run in FIPS mode.

To verify that FIPS is enabled after the reboot:

Check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed.
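The check above, written as a small POSIX shell script so it can be run after every reboot or from a configuration audit (an added example, not part of Canonical's documentation). The function names and the optional path argument are assumptions made so the logic can be exercised against constructed files; on a real system the default path /proc/sys/crypto/fips_enabled is used.

```shell
#!/bin/sh
# check_fips.sh - added example: verify that the system booted in FIPS mode.
# Decision logic follows the Ubuntu FIPS page:
#   fips_enabled = 1 -> FIPS mode active
#   fips_enabled = 0 -> FIPS modules will NOT run in FIPS mode
#   file missing     -> the FIPS kernel is not installed

# fips_state [FILE] -> prints one of: enabled | disabled | missing | unknown
# FILE defaults to /proc/sys/crypto/fips_enabled; the argument is an
# assumption added here so the function can be tested against sample files.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -e "$f" ]; then
        echo missing
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f" 2>/dev/null)
    case "$v" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unknown;  return 3 ;;   # unexpected content, e.g. a read error
    esac
}

# report_fips [FILE] -> human-readable verdict plus the running kernel
report_fips() {
    state=$(fips_state "$1")
    case "$state" in
        enabled)  echo "FIPS mode: enabled (kernel $(uname -r))" ;;
        disabled) echo "FIPS mode: DISABLED - certified modules will not run in FIPS mode; reboot into the FIPS kernel" ;;
        missing)  echo "FIPS mode: fips_enabled is missing - FIPS kernel not installed (sudo ua enable fips, then reboot)" ;;
        *)        echo "FIPS mode: unexpected value in ${1:-/proc/sys/crypto/fips_enabled}" ;;
    esac
}

# Run the report only when executed directly (sh check_fips.sh), not when sourced.
case "$0" in
    *check_fips.sh) report_fips ;;
esac
```

The exit status of fips_state (0 enabled, 1 disabled, 2 missing, 3 unknown) lets the function be used directly as a gate in provisioning or CI checks.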

Updates to FIPS

NOTE: The FIPS-Updates packages are not FIPS Certified

Canonical makes updates to FIPS certified modules available in a separate PPA under ubuntu-advantage. The updated modules are NOT FIPS certified. The updates include bug fixes, CVE fixes and/or enhancements applied on top of the certified FIPS code.

After enabling FIPS with the UA tool as described earlier on this page, simply enable the FIPS-Updates component in the UA tool to use the FIPS-Updates packages on the system.

sudo ua enable fips-updates

It is now necessary to reboot the system to run the updated kernel.

© 2018 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.