Enable FIPS in ubuntu (by quqi99)

发布于:2025-09-09 ⋅ 阅读:(19) ⋅ 点赞:(0)

作者:张华 发表于:2025-09-08
版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明
(http://blog.csdn.net/quqi99 )

FIPS是一些US强制要求支持的一些加密算法, 会用在Linux Kernel (GA) Crypto API, GnUTLS, OpenSSL, libgcrypt, StrongSwan等组件上 - https://ubuntu.com/security/fips

命令"pro enable fips"提供的是一个静态的,经过认证的,长期稳定的FIPS环境, 它的核心是保持严格的合规性,因此几乎不更新. 而"pro enable fips-updates"提供的是一个能接收重要安全更新(如CVE补丁)的FIPS环境, 它在合规性和安全性之间取得了平衡.

hua@mi:~$ sudo pro enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Configuring APT access to FIPS Updates
Updating FIPS Updates package lists
This will downgrade the kernel from 6.14.0 to 6.8.0-79.79+fips1.
Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
         hardware is compatible with the new kernel version before proceeding.

Are you sure? (y/N) y
Updating standard Ubuntu package lists
Installing FIPS Updates packages
Installing openssh-client openssh-server openssh-sftp-server
FIPS Updates enabled
A reboot is required to complete install

hua@mi:~$ sudo reboot

重启后, 发现无法连接wifi, 那是正常的, https://documentation.ubuntu.com/security/docs/compliance/fips/how-to-enable-wifi/

hua@mi:~$ pro status --all
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
cc-eal           yes       n/a          Common Criteria EAL2 Provisioning Packages
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       disabled     Expanded Security Maintenance for Infrastructure
fips             yes       n/a          NIST-certified FIPS crypto packages
fips-preview     yes       n/a          Preview of FIPS crypto packages undergoing certification with NIST
fips-updates     yes       enabled      FIPS compliant crypto packages with stable security updates
landscape        yes       disabled     Management and administration tool for Ubuntu
livepatch        yes       enabled      Canonical Livepatch service
realtime-kernel  yes       disabled     Ubuntu kernel with PREEMPT_RT patches integrated
├ generic        yes       disabled     Generic version of the RT kernel (default)
├ intel-iotg     yes       n/a          RT kernel optimized for Intel IOTG platform
└ raspi          yes       n/a          24.04 Real-time kernel optimised for Raspberry Pi
ros              yes       n/a          Security Updates for the Robot Operating System
ros-updates      yes       n/a          All Updates for the Robot Operating System
usg              yes       disabled     Security compliance and audit tools

hua@mi:~$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.8.0-79-fips root=UUID=85f2a693-835c-4a5f-9b97-3950c33b6127 ro intel_iommu=on btusb.enable_autosuspend=n usbcore.autosuspend=-1 mitigations=off nohpet nokaslr fips=1
hua@mi:~$ cat /proc/sys/crypto/fips_enabled 
1

 hua@mi:~$ dpkg -l |grep fips
ii  fips-initramfs                                   0.0.30                                     amd64        FIPS 140-3 kernel tests
ii  linux-fips                                       6.8.0-79.79+fips1                          amd64        Complete FIPS 140-3 Linux kernel and headers
ii  linux-fips-headers-6.8.0-79                      6.8.0-79.79+fips1                          all          Header files related to Linux kernel version 6.8.0
ii  linux-fips-tools-6.8.0-79                        6.8.0-79.79+fips1                          amd64        Linux kernel version specific tools for version 6.8.0-79
ii  linux-headers-6.8.0-79-fips                      6.8.0-79.79+fips1                          amd64        Linux kernel headers for version 6.8.0 on 64 bit x86 SMP
ii  linux-headers-fips                               6.8.0-79.79+fips1                          amd64        FIPS 140-3 Linux kernel headers
ii  linux-image-6.8.0-79-fips                        6.8.0-79.79+fips1                          amd64        Signed kernel image fips
ii  linux-image-fips                                 6.8.0-79.79+fips1                          amd64        FIPS 140-3 Linux kernel image
ii  linux-image-hmac-6.8.0-79-fips                   6.8.0-79.79+fips1                          amd64        HMAC file for linux kernel image 6.8.0-79-fips
ii  linux-modules-6.8.0-79-fips                      6.8.0-79.79+fips1                          amd64        Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii  linux-modules-extra-6.8.0-79-fips                6.8.0-79.79+fips1                          amd64        Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii  linux-tools-6.8.0-79-fips                        6.8.0-79.79+fips1                          amd64        Linux kernel version specific tools for version 6.8.0-79
ii  openssl-fips-module-3:amd64                      3.0.13-0ubuntu3+Fips1                      amd64        Secure Sockets Layer toolkit - FIPS module
rc  ubuntu-fips                                      1.4.0~rc10+updates1                        amd64        Install and configure linux-fips kernel and user space modules
ii  ubuntu-fips-userspace                            1.4.0~rc10+updates1                        amd64        Install FIPS user space modules

尝试FIPS禁用算法如md5会报错:

hua@mi:~$ openssl md5 /bin/ls
Error setting digest
4067E657997D0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (MD5 : 100), Properties ()
4067E657997D0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:254:

禁用它重启wifi还是不行, 那是因为默认进入了fips内核, 选一下non-fips内核进去之后删除fips内核即可.

hua@mi:~$ sudo pro disable fips-updates
This will disable the FIPS Updates entitlement but the FIPS Updates packages will remain installed.
Are you sure? (y/N) y
Removing APT access to FIPS Updates
Updating package lists
A reboot is required to complete disable operation.

hua@mi:~$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.8.0-79-fips root=UUID=85f2a693-835c-4a5f-9b97-3950c33b6127 ro intel_iommu=on btusb.enable_autosuspend=n usbcore.autosuspend=-1 mitigations=off nohpet nokaslr

在网上能搜到说ubuntu 22.04已经支持了fips ( https://ubuntu.com/blog/fips-140-3-for-ubuntu-22-04lts ), 但搜不到ubuntu 24.04是否支持的官方文档. 问了一下, 得到了下列答复:

yes, fips-updates is available now, and pretty much good to go, as broken as it is
fips was retired, as all packages are now expected to get updates and not set in stone forevr
so use fips-updates as normal

但我搜了两个官方网页都说还没ready:
1, https://ubuntu.com/security/certifications/docs/2404
2, https://ubuntu.com/security/security-standards

继续问, 获得下列回复, 等于说还是没有ready嘛:

Its not actually certified yet, its still under review
its expected to pass
But the plain fips wont come back, it will just be fips-updates

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布