Ubuntu FIPS 140-2 Modules FAQ

Can I use livepatch to update or patch Ubuntu’s FIPS kernel?

No, livepatch does not support patching the FIPs kernel. They should not be enabled on the same system.

Are the FIPS modules a drop in replacement?

Yes, the FIPS 140-2 certified modules should be a drop in replacement.

However, note that FIPS 140-2 does not allow particular algorithms, thus they will not be available in FIPS mode. Applications trying to access these algorithms from FIPS crypto modules such as libcrypto or kernel cryptoapi, may experience segfaults or other unknown behaviours. Please consult the Security Policy for the various FIPS modules to see what is and isn’t allowed.

Can I use openvpn on my FIPS 140-2 enabled system?

Openvpn prior to version 2.4 uses MD5 for its internal hash algorithm and for the TLS PRF. FIPS 140-2 permits MD5 for PRF. However, openvpn must convey to FIPS openssl module that MD5 is ok for PRF, and currently it doesn’t.

Canonical has provided a fix such that openvpn conveys to FIPS openssl module to use MD5 for PRF since current FIPS 140-2 allows this. The openvpn package on xenial must be updated to 2.3.10-1ubuntu2.2 to acquire this fix.

How do I get debug packages for FIPS?

Add debug line,

deb https://username:password@private-ppa.launchpad.net/ubuntu-advantage/fips-updates/ubuntu xenial main/debug #Personal access of to FIPS Updates

Install package you are trying to debug, for example: openssl-dbgsym,

sudo apt install openssl-dbgsym

For additional info, see https://wiki.ubuntu.com/Debug%20Symbol%20Packages

How do I get the source?

Make sure you have a source entry,

deb https://username:password@private-ppa.launchpad.net/ubuntu-advantage/fips-updates/ubuntu xenial main #Personal access of to FIPS Updates

deb-src https://username:password@private-ppa.launchpad.net/ubuntu-advantage/fips-updates/ubuntu xenial main #Personal access of to FIPS Updates

then run,

sudo apt update && sudo apt install dpkg-dev

Let’s say you want to get the source of the openssl package:

apt-get source openssl

How do I see a changelog?

For the FIPS packages the changelogs are installed locally. For example, the libssl1.0.0 (openssl) package changelog is installed in /usr/share/doc/libss1.0.0 directory.

What applications are known to work?

NOTE: This does not mean we have reviewed them for FIPS compliance.

What applications are known to not work?

  • OpenVPN prior to version 2.3.10-1ubuntu2.2 on xenial crashes. Update to 2.3.10-1ubuntu2.2 or later to acquire a fix.

What applications are known to not be FIPS Compliant?

These may work, but also won’t get the benefits from FIPS packages

  • Firefox
  • Cups
  • Wget
  • Full disk encryption

Is FIPS applicable to both desktop and server?

Yes, with some caveats.

  • We have not certified any specific desktop hardware
  • Some applications do not use the system openssl so they will not get any benefits from a FIPS openssl (Firefox is the most obvious example)
  • Other items in the desktop may use cryptography that has not been FIPS evaluated.

Can I use full disk encryption on a FIPS-enabled system?

Yes, but updates to libgcrypt and cryptsetup are needed to successfully use full disk encryption on a FIPS-enabled xenial system.

  • cryptsetup version 2:1.6.6-5ubuntu2.1 or later
  • libgcrypt version 1.6.5-2ubuntu0.4 or later

How do I tell if FIPS is enabled on my system?

cat /proc/sys/crypto/fips_enabled

If the content is a 1, then FIPS is enabled on the local system. Any FIPS modules will run in FIPS-mode on the system.

If the content is a 0, then FIPS is not enabled on the local system. Any FIPS modules on the system will not run in FIPS-mode.

How can I tell if FIPS packages are installed on my system?

dpkg -l | grep fips

How do you come up with the FIPS versions? Do they include CVEs?

The Ubuntu FIPS packages are forks of those in the Ubuntu archives with FIPS changes on top. Ubuntu CVE tracker https://people.canonical.com/~ubuntu-security/cve/ shows the CVEs addressed by release for an archive source package. By using the base version of a FIPS package, the CVEs addressed in a FIPS package can be deduced.

  • FIPS kernel

    Look into the changelog file, "/usr/share/doc/linux-headers-$(uname -r)/changelog.Debian.gz", and find the archive package version used to fork. It will be in square brackets.

    linux-fips (4.4.0-1005.5) xenial; urgency=medium
    
    * CVE-2017-5715 (Spectre v2 retpoline)
    - [Config] disable retpoline checks for first upload
    
    [ Ubuntu: 4.4.0-116.140 ]
    

    All CVEs fixed in 4.4.0-116.140 or earlier are available in the FIPS version.

    The cve status by releases for the Ubuntu kernel package is at, https://people.canonical.com/~ubuntu-security/cve/pkg/linux.html

  • FIPS userspace modules

    FIPS userspace modules are versioned, *.fips.x.y, here x is the ubuntu version of the debian package, from which the fork occurred. The y indicates the number of iterations of the FIPS package.

    For example, openssl, 1.0.2g-1ubuntu4.fips.4.15.1 is a fork of 1.0.2g-1ubuntu4.15. The fips package has only one iteration which is the set of fips patches applied after the fork from the archive. All CVEs fixed in 1.0.2g-1ubuntu4.15 or earlier will be available in the FIPS version.

    You can check the ubuntu-cve-tracker to see all the cves tracked against OpenSSL, https://people.canonical.com/~ubuntu-security/cve/pkg/openssl.html

    You can also search on the status of a single CVE on this page, https://people.canonical.com/~ubuntu-security/cve/