FIPS for Ubuntu

Certification information

Canonical has certified several of Ubuntu’s cryptographic modules at Level 1 for Ubuntu 16.04, 18.04 and 20.04.

20.04 Architectures Certified

  • amd64

20.04 Platform Models Certified

  • Supermicro SYS-1019P-WTR

20.04 Modules Certified

18.04 Architectures Certified

  • amd64
  • s390x

18.04 Platform Models Certified

  • Supermicro SYS-5018R-WR
  • IBM z/VM running on IBM z/14

18.04 Modules Certified

16.04 Architectures Certified

  • amd64
  • ppc64el
  • s390x

16.04 Platform Models Certified

  • IBM Power System S822L (PowerNV 8247-22L)
  • IBM Power System S822LC (PowerNV 8001-22C)
  • IBM Power System S822LC (PowerNV 8335-GTB)
  • Supermicro SYS-5018R-WR
  • IBM z13 (running on LPAR)

16.04 Modules Certified

Our approach in certifications

Each FIPS 140-2 certificate is valid for 5 years. However, vulnerabilities happen, and it is our intention to publish fixed packages quickly, irrespective of their certification status. We therefore provide two alternative streams for obtaining the validated packages: the ‘fips-updates’ stream, which installs the certified packages together with regular security fixes that we intend to include in the next recertification, and the ‘fips’ stream, which installs only the certified cryptographic packages.

We recommend always installing vulnerability fixes on your system by enabling the ‘fips-updates’ stream that includes them. The packages from the ‘fips-updates’ option are updated to include high and critical security fixes during the whole product lifecycle, including the Extended Security Maintenance phase.

The following instructions enable the ‘fips-updates’ repository; to get the FIPS validated packages without security updates, run the alternative commands in the ‘Enabling strict FIPS’ section below instead.

Enable FIPS with the Ubuntu-Advantage tool

FIPS configuration can be enabled automatically via the Ubuntu Advantage tool (also known as the “UA tool” or “UA client”) on bare metal, virtual, and cloud environments. Version 27.0 or higher of the UA tool is required to use this method. If the UA tool is installed, it can report its version:

ua version

If necessary, apt can be used to install the latest version.

sudo apt update && sudo apt install ubuntu-advantage-tools

Access to the FIPS repositories is controlled by a token associated with an Ubuntu Advantage subscription.

Obtain the UA Token

This step is not necessary in Ubuntu PRO images.

  1. Log in at ubuntu.com/advantage using the Ubuntu One account tied to your UA-I subscription.

  2. Under the “Your paid subscriptions” header, click on the down-arrow in the “machines” column for the row of your subscription. This may already be expanded.

  3. Find your token from within the provided attach command in the format of sudo ua attach <TOKEN>. Save this token to complete the process below.

  4. Attach the system to the Ubuntu Advantage service.
    sudo ua attach <TOKEN>

Enable FIPS

  1. Enable FIPS including security updates.
    sudo ua enable fips-updates
  2. Verify that the system is attached to UA and has FIPS enabled.
    sudo ua status
  3. Please proceed to the reboot section.

Reboot

The ua client installs the necessary packages for FIPS mode, including the kernel and the bootloader. After this step you MUST reboot to put the system into FIPS mode. The reboot boots into the FIPS-supported kernel and creates the /proc/sys/crypto/fips_enabled entry, which tells the FIPS certified modules to run in FIPS mode. If you do not reboot after installing and configuring the bootloader, FIPS mode is not yet enabled.

To verify that FIPS is enabled after the reboot, check the /proc/sys/crypto/fips_enabled file and ensure it is set to 1. If it is set to 0, the FIPS modules will not run in FIPS mode. If the file is missing, the FIPS kernel is not installed. You can also verify that FIPS has been properly enabled with the ua status command.
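A post-reboot check that encodes the three outcomes described above (flag set to 1, flag set to 0, flag file missing), added here as an example and not part of Canonical's documentation or the UA client. The file path is a parameter so the logic can be exercised on constructed files; the cross-check assumes that ua status output contains the service names ‘fips’ / ‘fips-updates’.

```shell
#!/bin/sh
# fips-check.sh: report whether the running kernel is in FIPS mode.
# Added example, not Canonical's own tooling. Usage after the reboot:
#   . ./fips-check.sh && check_fips
# The file path is a parameter so the logic can also be exercised on
# constructed files; the real entry is /proc/sys/crypto/fips_enabled.

# fips_state [FILE]: print one word and return
#   0 enabled        FILE contains 1 (FIPS modules run in FIPS mode)
#   1 disabled       FILE exists but contains 0 (or anything else)
#   2 kernel-missing FILE absent: FIPS kernel not installed or not booted
fips_state() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$file" ]; then
        echo "kernel-missing"
        return 2
    fi
    value=""
    IFS= read -r value < "$file" || true   # tolerate a file without newline
    if [ "$value" = "1" ]; then
        echo "enabled"
        return 0
    fi
    echo "disabled"
    return 1
}

# check_fips [FILE]: human-readable verdict plus, when the UA client is
# installed, its own view of the FIPS services for cross-checking.
# Returns the same code as fips_state so it can gate a provisioning step.
check_fips() {
    rc=0
    fips_state "${1:-}" || rc=$?
    case $rc in
        0) echo "FIPS mode is active." ;;
        1) echo "FIPS kernel flag present but 0: FIPS mode is NOT active." ;;
        *) echo "No FIPS kernel flag: run 'sudo ua enable fips-updates' and reboot." ;;
    esac
    # Assumption: 'ua status' lists services by name, so the fips and
    # fips-updates rows can be picked out with grep (root shows full detail).
    if command -v ua >/dev/null 2>&1; then
        ua status 2>/dev/null | grep -i 'fips' || true
    fi
    return $rc
}
```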

FIPS and livepatching

The Livepatch service is enabled by default when attaching the system to the Ubuntu Advantage service. Livepatch and FIPS are not compatible, so it will be necessary to disable Livepatch when prompted.

Enabling strict FIPS

We recommend enabling the ‘fips-updates’ option that includes security fixes. However, we also provide the option to install the validated packages that are only updated on revalidation.

After using the UA tool to attach your token, enable FIPS mode in the UA tool as shown below.

sudo ua enable fips

It is now necessary to reboot the system to run the updated kernel.

More information

Announcement Mailing List

A mailing list is used to announce patches and news related to the FIPS packages and certifications. To request to join the mailing list, please send “join” in the email body to ubuntu-certs-announce-request@lists.canonical.com. Announcements will be sent to the email address ubuntu-certs-announce@lists.canonical.com from an “@canonical.com” email address.

Ubuntu Pro FIPS Systems

Please review the specific section for Ubuntu Pro FIPS systems rather than following the instructions in this page.

Ubuntu FIPS in Containers

Please review the specific section for Ubuntu FIPS in Containers rather than following the instructions in this page.
