FIPS for Ubuntu

Certification information

Canonical has certified several of Ubuntu’s cryptographic modules at Level 1 for Ubuntu 16.04 and 18.04.

16.04 Architectures Certified

  • amd64
  • ppc64el
  • s390x

16.04 Platform Models Certified

  • IBM Power System S822L (PowerNV 8247-22L)
  • IBM Power System S822LC (PowerNV 8001-22C)
  • IBM Power System S822LC (PowerNV 8335-GTB)
  • Supermicro SYS-5018R-WR
  • IBM z13 (running on LPAR)

16.04 Modules Certified

18.04 Architectures Certified

  • amd64
  • s390x

18.04 Platform Models Certified

  • Supermicro SYS-5018R-WR
  • IBM z/VM running on IBM z/14

18.04 Modules Certified

Obtaining FIPS from Canonical and Finding Access Password

Canonical’s FIPS 140-2 Certified Modules are available to customers who have purchased qualifying Ubuntu Advantage products. The modules are available as packages in a private Launchpad PPA. Each package in the PPA is signed with a unique PGP key to ensure authenticity.

  1. Determine your Launchpad username by going to launchpad.net/~
  2. Request access to the FIPS PPA by logging in to support.canonical.com and following the instructions on the Contact Us tab to create a new case.
  3. It may take up to 48 hours, but you will be notified once your access has been granted.
  4. Click this link to view your Private PPA subscriptions
  5. Under Archive locate the FIPS (ppa:ubuntu-advantage/fips) line and click View on the right
  6. Select the appropriate option in the "Choose your Ubuntu version" drop-down menu next to "Display sources.list entries for:" before proceeding to the 'deb' line.
  7. Locate the line starting with deb https://<your-launchpad-id>:<PPA-password>@, where <your-launchpad-id>:<PPA-password> represent your personal Launchpad username and the encoded password created for this PPA.
  8. Select and copy the PPA password. Your Launchpad ID and the specific PPA password will be used in future steps.

There is currently one manual method for installing the FIPS 140-2 Certified Modules on Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Manual Installation

Setting up the FIPS repository

  1. Add the unique PPA PGP key to the system. If your system is able to access the internet but this command fails, try replacing the keyserver parameter with "hkp://keyserver.ubuntu.com:80".

    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A166877412DAC26E73CEBF3FF6C280178D13028C

  2. Create the file /etc/apt/auth.conf.d/fips-ppa.conf with credentials to access the private PPA. The contents of the file should appear similar to the following lines. Use your Launchpad ID and personal PPA password acquired previously in this file.

    machine private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu login <Launchpad ID> password <PPA password>

  3. Restrict the permissions on the newly created file, which contains your PPA password.

    sudo chmod 0600 /etc/apt/auth.conf.d/fips-ppa.conf

  4. Add the FIPS PPA repository to the system that the FIPS 140-2 Certified Modules will be installed on. The following command is a single line. Replace "<VERSION>" with either "bionic" or "xenial" to match your system's Ubuntu version.

    sudo add-apt-repository -u 'deb https://private-ppa.launchpad.net/ubuntu-advantage/fips/ubuntu <VERSION> main'

  5. To avoid FIPS packages being overwritten by non-FIPS versions in the Ubuntu repositories, pin the FIPS PPA packages on the system. Add the following lines to /etc/apt/preferences.d/ubuntu-fips, replacing "<VERSION>" appropriately ("bionic" or "xenial").

    Package: *
    Pin: release o=LP-PPA-ubuntu-advantage-fips, n=<VERSION>
    Pin-Priority: 1001

  6. Now that a new repository and signing key have been added, apt's cache needs to be updated.

    sudo apt update

Install the packages

Install the certified modules along with the corresponding HMAC packages. Please note, if you do not install the separate HMAC packages, the modules will fail to be configured in FIPS mode. The HMAC packages contain a hash for each module. This hash allows the module to perform the FIPS 140-2 requirement of integrity checking at startup. If a module fails to check its integrity, it will not run in FIPS mode.

The following command should be run to install FIPS packages to an Ubuntu 16.04 LTS system:

    sudo apt install openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssl libssl1.0.0 libssl1.0.0-hmac fips-initramfs linux-fips strongswan strongswan-hmac

For Ubuntu 18.04 LTS, use the following command to install FIPS packages:

    sudo apt install openssh-client openssh-client-hmac openssh-server openssh-server-hmac openssl libssl1.1 libssl1.1-hmac fips-initramfs linux-fips

Note for both 16.04 and 18.04: The linux-fips package includes the Kernel Crypto API HMAC package.

Configure FIPS mode

Upon successful installation of the certified modules and HMAC packages, the system needs to be configured to instruct the modules to run in FIPS mode.

  • If the system has a separate boot partition, proceed to Separate boot partition.
  • If the system does not have a separate boot partition, proceed to either Configure ppc64el and amd64 architectures or Configure s390x architecture sections.

Separate boot partition

View /etc/fstab and find the entry containing “/boot” and the associated UUID. Note the UUID as it will be needed later.

An example /etc/fstab, with the “/boot” entry highlighted:

    # /etc/fstab: static file system information.
    #
    # Use 'blkid' to print the universally unique identifier for a
    # device; this may be used with UUID= as a more robust way to name devices
    # that works even if disks are added and removed. See fstab(5).
    #
    # <file system> <mount point> <type> <options> <dump> <pass>
    # / was on /dev/vda3 during installation
    UUID=3eabf0c6-f4a2-4212-8b3e-7918bbcabfcf / ext4 errors=remount-ro 0 1
    # /boot was on /dev/vda1 during installation
    UUID=96e8fdc4-c03b-4a34-b5ee-1e5a1cac9e8c /boot ext2 defaults 0 2
    # swap was on /dev/vda5 during installation
    UUID=a0de8f81-5750-4ade-8a8b-64b6441cddf0 none swap sw 0

Depending on the system’s architecture, proceed to either of the following sections:

  • Configure ppc64el and amd64 architectures
  • Configure s390x architecture

Configure ppc64el and amd64 architectures

Configure the GRUB bootloader to use FIPS by default.

  1. Create the directory /etc/default/grub.d, if it does not already exist.

    sudo mkdir -p /etc/default/grub.d

  2. Switch to the directory.

    cd /etc/default/grub.d

  3. Create and edit a file named “99-fips.cfg”.

    sudo nano 99-fips.cfg

  4. Depending on your configuration, you will choose one of the options below to place in “99-fips.cfg”.

    a. Without a separate boot partition.

    GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1"

    b. With a separate boot partition, place the boot UUID that was noted earlier in the highlighted section.

    GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT fips=1 bootdev=UUID=Insert boot UUID"

  5. Update the GRUB bootloader with the new configuration.

    sudo update-grub

  6. Proceed to the Reboot section.

Configure s390x architecture

Configure the Zipl bootloader to use FIPS by default.

  1. Edit /etc/zipl.conf, and add “fips=1”. Example:

    [ubuntu]
    target = /boot
    image = /boot/vmlinuz
    ramdisk = /boot/initrd.img
    parameters = root=UUID=dfd315ca-c76c-4a76-9e3f-462cb919c572 crashkernel=196M fips=1

  2. If the system has a separate boot partition, the boot UUID must be added to the “parameters” line for the FIPS kernel.

    [ubuntu]
    target = /boot
    image = /boot/vmlinuz
    ramdisk = /boot/initrd.img
    parameters = root=UUID=dfd315ca-c76c-4a76-9e3f-462cb919c572 crashkernel=196M fips=1 bootdev=UUID=Insert Boot UUID

  3. Update Zipl. This updates the bootloader with the new configuration.

    sudo zipl

  4. Proceed to the Reboot section.

Auto-boot GRUB to FIPS kernel

On systems with non-FIPS kernels, the non-FIPS kernels tend to be versioned newer, thus GRUB boots to the non-FIPS kernels automatically. On kernels coming from the FIPS PPA (rather than the FIPS-Updates PPA), this can be resolved by changing the GRUB configuration in /etc/default/grub according to the following:

  • On Xenial, change the line starting with "GRUB_DEFAULT" to GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux 4.4.0-1002-fips"
  • On Bionic, change the line starting with "GRUB_DEFAULT" to GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux 4.15.0-1011-fips"

Remember to run sudo update-grub for these changes to take effect!

Reboot

Upon successfully updating the bootloader, the system is now ready to be rebooted. You MUST reboot to put the system into FIPS mode. The reboot will boot into the FIPS-supported kernel and create the /proc/sys/crypto/fips_enabled entry which tells the FIPS certified modules to run in FIPS mode. If you fail to reboot after installing and configuring the bootloader, the certified modules will NOT run in FIPS mode.

To verify that FIPS is enabled after the reboot:

Check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode.
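
The check above, extended into a script as an added example (not Canonical's own tooling): besides fips_enabled, it compares the running kernel release, the fips=1 parameter and, for a separate /boot, the bootdev UUID against /etc/fstab. The function names are hypothetical, and the "-fips" release suffix is assumed from the GRUB entries on this page.

```sh
#!/bin/sh
# Added example: post-reboot consistency check for the FIPS boot setup.
# Arguments default to the live system; pass other paths to check sample files.

# Print the UUID of a separate /boot entry in an fstab file (empty if none).
# Matching on UUID= in field 1 also skips "# /boot was on ..." comment lines.
boot_uuid_from_fstab() {
    awk '$2 == "/boot" && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1; exit }' "$1"
}

# Print the value of kernel parameter $2 from the command-line file $1.
cmdline_param() {
    tr ' ' '\n' < "$1" |
        awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# Return 0 only if the kernel reports FIPS mode and the boot settings agree.
check_fips_boot() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    cmdline_file=${2:-/proc/cmdline}
    fstab_file=${3:-/etc/fstab}
    release=${4:-$(uname -r)}
    rc=0

    # Assumption: FIPS kernel releases end in "-fips", as in the GRUB entries above.
    case "$release" in
        *-fips) ;;
        *) echo "FAIL: running kernel $release is not a -fips kernel" >&2; rc=1 ;;
    esac
    if [ "$(cat "$flag_file" 2>/dev/null)" != "1" ]; then
        echo "FAIL: $flag_file is missing or not 1" >&2; rc=1
    fi
    if [ "$(cmdline_param "$cmdline_file" fips)" != "1" ]; then
        echo "FAIL: fips=1 is not on the kernel command line" >&2; rc=1
    fi
    # With a separate /boot, bootdev= must name the same UUID as /etc/fstab.
    want=$(boot_uuid_from_fstab "$fstab_file")
    if [ -n "$want" ]; then
        got=$(cmdline_param "$cmdline_file" bootdev)
        if [ "$got" != "UUID=$want" ]; then
            echo "FAIL: bootdev=$got does not match /boot UUID=$want" >&2; rc=1
        fi
    fi
    return "$rc"
}
```

After the reboot, source the file and run check_fips_boot with no arguments; a non-zero exit status means the system did not come up in the configuration described on this page.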

© 2018 Canonical Ltd. Ubuntu and Canonical are registered trademarks of Canonical Ltd.