Errors or typos? Topics missing? Hard to read? Let us know.
This guide walks you through the steps to deploy an Ubuntu machine with a FIPS-compliant kernel. The FIPS kernel comes with all Ubuntu Pro subscriptions for Ubuntu 22.04 LTS. There is also a tutorial on how to get access to the Ubuntu FIPS-compliant kernel.
Install FIPS kernel
The kernel FIPS kernel isn’t directly integrated into MAAS. Instead, cloud-init is used to first deploy a generic kernel. Then cloud-init installs the FIPS kernel and reboots the machine to enable it. Be aware that after MAAS marks the machine as DEPLOYED, there will be a delay while cloud-init completes and the machine reboots.
Sequence of events
- Machine deploys with Ubuntu 22.04 LTS and a generic kernel.
- Machine reboots.
- Bootloader instructed to boot from disk.
- Host requests MAAS for configuration.
- MAAS sends cloud-init config to host.
- Cloud-init activates Ubuntu Pro.
- Ubuntu Pro agent installs the FIPS kernel.
- Another reboot enables the new kernel.
- System is ready for use.
What you’ll need
- Valid Ubuntu Pro token (find yours at Ubuntu Pro Dashboard^^*^^).
- MAAS 3.2 or later with Ubuntu 22.04 LTS images.
- A host compatible with Ubuntu FIPS-compliant kernel.
- Internet connection.
Offline installation of the kernel FIPS-compliant kernel is not supported currently.
Deploy FIPS kernel
Perform these steps in the MAAS UI:
-
Enlist and commission the host: Do this as you normally would.
-
Initiate deployment: Select the host and click
Deploy
. -
Choose OS and release: Opt for
Ubuntu
andUbuntu 22.04 LTS "Jammy Jellyfish"
. -
Configure cloud-init: Select
Cloud-init user-data
and use the following templates. Replace<ubuntu_pro_token>
with your valid token.cloud-init
>= 24.1
#cloud-config
ubuntu_pro:
token: <ubuntu_pro_token>
enable:
- fips-updates
2. `cloud-init` < 24.1
#cloud-config
package_update: true
package_upgrade: true
runcmd:
- pro attach <ubuntu_pro_token>
- yes | pro enable fips-updates
- Start deployment: Click
Start deployment for machine
.
Verify deployment
After deployment, execute these commands on the host to confirm RT kernel activation:
-
Run
cat /proc/sys/crypto/fips_enabled
on the machine. A return value of 1 indicates FIPS mode is active. -
Check the output of
sudo pro status
to confirm thatfips-preview
andfips-updates
are enabled.
Your machine should now be up and running with a FIPS-compliant kernel.
Last updated 4 months ago.