
Enable FIPS in ubuntu (by quqi99)

Author: Zhang Hua   Published: 2025-09-08
Copyright notice: this article may be freely reposted; when reposting, please mark the original source, the author information and this copyright notice in hyperlink form
(http://blog.csdn.net/quqi99 )

FIPS is a set of cryptographic algorithms whose support is mandated by the US; it is applied in components such as the Linux Kernel (GA) Crypto API, GnuTLS, OpenSSL, libgcrypt and StrongSwan - https://ubuntu.com/security/fips

The command "pro enable fips" provides a static, certified, long-term stable FIPS environment; its core purpose is strict compliance, so it is almost never updated. "pro enable fips-updates" provides a FIPS environment that receives important security updates (such as CVE patches), striking a balance between compliance and security.

hua@mi:~$ sudo pro enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Configuring APT access to FIPS Updates
Updating FIPS Updates package lists
This will downgrade the kernel from 6.14.0 to 6.8.0-79.79+fips1.
Warning: Downgrading the kernel may cause hardware failures.  Please ensure the hardware is compatible with the new kernel version before proceeding.
Are you sure? (y/N) y
Updating standard Ubuntu package lists
Installing FIPS Updates packages
Installing openssh-client openssh-server openssh-sftp-server
FIPS Updates enabled
A reboot is required to complete install
hua@mi:~$ sudo reboot

After the reboot, wifi could not connect; that is expected, see https://documentation.ubuntu.com/security/docs/compliance/fips/how-to-enable-wifi/

hua@mi:~$ pro status --all
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
cc-eal           yes       n/a          Common Criteria EAL2 Provisioning Packages
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       disabled     Expanded Security Maintenance for Infrastructure
fips             yes       n/a          NIST-certified FIPS crypto packages
fips-preview     yes       n/a          Preview of FIPS crypto packages undergoing certification with NIST
fips-updates     yes       enabled      FIPS compliant crypto packages with stable security updates
landscape        yes       disabled     Management and administration tool for Ubuntu
livepatch        yes       enabled      Canonical Livepatch service
realtime-kernel  yes       disabled     Ubuntu kernel with PREEMPT_RT patches integrated
├ generic        yes       disabled     Generic version of the RT kernel (default)
├ intel-iotg     yes       n/a          RT kernel optimized for Intel IOTG platform
└ raspi          yes       n/a          24.04 Real-time kernel optimised for Raspberry Pi
ros              yes       n/a          Security Updates for the Robot Operating System
ros-updates      yes       n/a          All Updates for the Robot Operating System
usg              yes       disabled     Security compliance and audit tools
hua@mi:~$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.8.0-79-fips root=UUID=85f2a693-835c-4a5f-9b97-3950c33b6127 ro intel_iommu=on btusb.enable_autosuspend=n usbcore.autosuspend=-1 mitigations=off nohpet nokaslr fips=1
hua@mi:~$ cat /proc/sys/crypto/fips_enabled 
1
hua@mi:~$ dpkg -l |grep fips
ii  fips-initramfs                                   0.0.30                                     amd64        FIPS 140-3 kernel tests
ii  linux-fips                                       6.8.0-79.79+fips1                          amd64        Complete FIPS 140-3 Linux kernel and headers
ii  linux-fips-headers-6.8.0-79                      6.8.0-79.79+fips1                          all          Header files related to Linux kernel version 6.8.0
ii  linux-fips-tools-6.8.0-79                        6.8.0-79.79+fips1                          amd64        Linux kernel version specific tools for version 6.8.0-79
ii  linux-headers-6.8.0-79-fips                      6.8.0-79.79+fips1                          amd64        Linux kernel headers for version 6.8.0 on 64 bit x86 SMP
ii  linux-headers-fips                               6.8.0-79.79+fips1                          amd64        FIPS 140-3 Linux kernel headers
ii  linux-image-6.8.0-79-fips                        6.8.0-79.79+fips1                          amd64        Signed kernel image fips
ii  linux-image-fips                                 6.8.0-79.79+fips1                          amd64        FIPS 140-3 Linux kernel image
ii  linux-image-hmac-6.8.0-79-fips                   6.8.0-79.79+fips1                          amd64        HMAC file for linux kernel image 6.8.0-79-fips
ii  linux-modules-6.8.0-79-fips                      6.8.0-79.79+fips1                          amd64        Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii  linux-modules-extra-6.8.0-79-fips                6.8.0-79.79+fips1                          amd64        Linux kernel extra modules for version 6.8.0 on 64 bit x86 SMP
ii  linux-tools-6.8.0-79-fips                        6.8.0-79.79+fips1                          amd64        Linux kernel version specific tools for version 6.8.0-79
ii  openssl-fips-module-3:amd64                      3.0.13-0ubuntu3+Fips1                      amd64        Secure Sockets Layer toolkit - FIPS module
rc  ubuntu-fips                                      1.4.0~rc10+updates1                        amd64        Install and configure linux-fips kernel and user space modules
ii  ubuntu-fips-userspace                            1.4.0~rc10+updates1                        amd64        Install FIPS user space modules

Trying an algorithm that FIPS disables, such as md5, reports an error:

hua@mi:~$ openssl md5 /bin/ls
Error setting digest
4067E657997D0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:386:Global default library context, Algorithm (MD5 : 100), Properties ()
4067E657997D0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:../crypto/evp/digest.c:254:

After disabling it and rebooting, wifi still did not work; that is because the system still booted into the fips kernel by default. Select the non-fips kernel at boot, and once inside it remove the fips kernel.

hua@mi:~$ sudo pro disable fips-updates
This will disable the FIPS Updates entitlement but the FIPS Updates packages will remain installed.
Are you sure? (y/N) y
Removing APT access to FIPS Updates
Updating package lists
A reboot is required to complete disable operation.
hua@mi:~$ cat /proc/cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.8.0-79-fips root=UUID=85f2a693-835c-4a5f-9b97-3950c33b6127 ro intel_iommu=on btusb.enable_autosuspend=n usbcore.autosuspend=-1 mitigations=off nohpet nokaslr
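The two checks above (`/proc/cmdline` plus `/proc/sys/crypto/fips_enabled` after enabling, and the cmdline that still names the fips kernel but has lost `fips=1` after disabling) can be combined into one small classifier. This is an added example, not part of the original post or of the pro client; the function and state names are my own, and the sample command lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify a host's FIPS state from the kernel command line and
# the fips_enabled sysctl. Four outcomes are distinguished:
#   enforced      fips kernel booted, fips=1 present, sysctl reports 1
#   kernel-only   fips kernel booted but fips=1 absent (the post-disable state above)
#   non-fips      a non-fips kernel is running with no fips flag
#   inconsistent  cmdline flag and sysctl disagree; investigate before trusting either
#
# classify_fips CMDLINE FIPS_ENABLED  -> prints one of the words above
classify_fips() {
    cmdline=$1
    enabled=${2:-0}

    # Kernel image path is the BOOT_IMAGE= entry; Ubuntu FIPS images end in "-fips".
    kernel=$(printf '%s\n' "$cmdline" | sed -n 's/^BOOT_IMAGE=\([^ ]*\).*/\1/p')
    case "$kernel" in
        *-fips) fips_kernel=1 ;;
        *)      fips_kernel=0 ;;
    esac

    # fips=1 must be a whole token on the command line, hence the padding spaces.
    case " $cmdline " in
        *" fips=1 "*) has_flag=1 ;;
        *)            has_flag=0 ;;
    esac

    if [ "$has_flag" -ne "$enabled" ]; then
        echo inconsistent
    elif [ "$enabled" -eq 1 ] && [ "$fips_kernel" -eq 1 ]; then
        echo enforced
    elif [ "$fips_kernel" -eq 1 ]; then
        echo kernel-only
    else
        echo non-fips
    fi
}

# live_fips_state reads the running system (Linux only); on a host where the
# sysctl does not exist it treats FIPS as disabled.
live_fips_state() {
    enabled=0
    [ -r /proc/sys/crypto/fips_enabled ] && enabled=$(cat /proc/sys/crypto/fips_enabled)
    classify_fips "$(cat /proc/cmdline 2>/dev/null)" "$enabled"
}
```

Run `live_fips_state` on the host; the session after `pro disable fips-updates` above classifies as kernel-only, which is the cue to boot the non-fips kernel and remove the fips packages.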

Searching online turns up statements that ubuntu 22.04 already supports fips ( https://ubuntu.com/blog/fips-140-3-for-ubuntu-22-04lts ), but no official documentation on whether ubuntu 24.04 supports it. I asked, and got the following reply:

yes, fips-updates is available now, and pretty much good to go, as broken as it is
fips was retired, as all packages are now expected to get updates and not set in stone forever
so use fips-updates as normal

But the two official pages I found both say it is not ready yet:
1, https://ubuntu.com/security/certifications/docs/2404
2, https://ubuntu.com/security/security-standards

I asked further and got the following reply, which amounts to saying it is still not ready:

It's not actually certified yet, it's still under review
it's expected to pass
But the plain fips won't come back, it will just be fips-updates

