feat: warn/confirm with user if enabling fips downgrades the kernel

This change adds a new message prompting the user to confirm if enabling
fips downgrades the kernel.

features/enable_fips_pro.feature

@@ -18,8 +18,12 @@ Feature: FIPS enablement in PRO cloud based machines
             fips-updates  +yes +disabled +FIPS compliant crypto packages with stable security updates
             """
             When I run `pro enable <fips-service> --assume-yes` with sudo
-            Then stdout contains substring:
+            Then stdout matches regexp:
                 """
+                This will downgrade the kernel from .+ to .+\.
+                Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+                         hardware is compatible with the new kernel version before proceeding.
+
                 Updating <fips-name> package lists
                 Installing <fips-name> packages
                 Updating standard Ubuntu package lists
@@ -75,8 +79,12 @@ Feature: FIPS enablement in PRO cloud based machines
             fips-updates  +yes +disabled +FIPS compliant crypto packages with stable security updates
             """
             When I run `pro enable <fips-service> --assume-yes` with sudo
-            Then stdout contains substring:
+            Then stdout matches regexp:
                 """
+                This will downgrade the kernel from .+ to .+\.
+                Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+                         hardware is compatible with the new kernel version before proceeding.
+
                 Updating <fips-name> package lists
                 Installing <fips-name> packages
                 Updating standard Ubuntu package lists
@@ -114,7 +122,6 @@ Feature: FIPS enablement in PRO cloud based machines
            | focal   | azure.pro    | FIPS         | fips         |https://esm.ubuntu.com/fips/ubuntu focal/main  |
            | focal   | azure.pro    | FIPS Updates | fips-updates |https://esm.ubuntu.com/fips/ubuntu focal/main  |
 
-
     @slow
     Scenario Outline: Attached enable of FIPS in an ubuntu GCP PRO vm
         Given a `<release>` `<machine_type>` machine with ubuntu-advantage-tools installed
@@ -133,13 +140,16 @@ Feature: FIPS enablement in PRO cloud based machines
             fips-updates  +yes +disabled +FIPS compliant crypto packages with stable security updates
             """
         When I run `pro enable <fips-service> --assume-yes` with sudo
-        Then stdout contains substring:
+        Then stdout matches regexp:
             """
-            Updating <fips-name> package lists
+            This will downgrade the kernel from .+ to .+\.
+            Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+                     hardware is compatible with the new kernel version before proceeding.
+
             Installing <fips-name> packages
             Updating standard Ubuntu package lists
             <fips-name> enabled
-            A reboot is required to complete install.
+            A reboot is required to complete install\.
             """
         When I run `pro status --all` with sudo
         Then stdout matches regexp:

types-requirements.txt

@@ -2,3 +2,4 @@ mypy
 types-PyYAML
 types-toml
 types-pycurl
+types-setuptools

uaclient/apt.py

@@ -246,6 +246,18 @@ def get_apt_cache_policy(
     )
 
 
+def get_apt_cache_policy_for_package(
+    package: str,
+    error_msg: Optional[str] = None,
+    override_env_vars: Optional[Dict[str, str]] = None,
+) -> str:
+    return run_apt_command(
+        cmd=["apt-cache", "policy", package],
+        error_msg=error_msg,
+        override_env_vars=override_env_vars,
+    )
+
+
 class PreserveAptCfg:
     def __init__(self, apt_func):
         self.apt_func = apt_func

uaclient/entitlements/fips.py

@@ -1,7 +1,10 @@
 import logging
 import os
+import re
 from itertools import groupby
-from typing import List, Optional, Tuple  # noqa: F401
+from typing import Callable, List, Optional, Tuple, Union  # noqa: F401
+
+import pkg_resources
 
 from uaclient import apt, event_logger, exceptions, messages, system, util
 from uaclient.clouds.identity import NoCloudTypeReason, get_cloud_type
@@ -167,6 +170,46 @@ def install_packages(
         :param cleanup_on_failure: Cleanup apt files if apt install fails.
         :param verbose: If true, print messages to stdout
         """
+
+        # Prior to installing packages, check if the kernel is being downgraded
+        # and if so verify that the user wants to continue
+        our_full_kernel_str = (
+            system.get_kernel_info().proc_version_signature_version
+        )
+        if our_full_kernel_str is None:
+            LOG.warning("Cannot gather kernel information")
+            return
+        our_m = re.search(
+            r"(?P<kernel_version>\d+\.\d+\.\d+)", our_full_kernel_str
+        )
+        fips_kernel_policy = apt.get_apt_cache_policy_for_package("linux-fips")
+        fips_m = re.search(
+            r"Candidate: (?P<kernel_version>\d+\.\d+\.\d+)", fips_kernel_policy
+        )
+        if fips_m is not None and our_m is not None:
+            our_kernel_version_str = our_m.group("kernel_version")
+            fips_kernel_version_str = fips_m.group("kernel_version")
+            our_version = pkg_resources.parse_version(our_kernel_version_str)
+            fips_version = pkg_resources.parse_version(fips_kernel_version_str)
+            if fips_version < our_version:
+                event.info(
+                    messages.KERNEL_DOWNGRADE_WARNING.format(
+                        current_version=our_kernel_version_str,
+                        new_version=fips_kernel_version_str,
+                    )
+                )
+                if not util.prompt_for_confirmation(
+                    msg=messages.PROMPT_YES_NO,
+                    assume_yes=self.assume_yes,
+                ):
+                    return
+        else:
+            LOG.warning(
+                "Cannot gather kernel information for {cur} and {fips}".format(
+                    cur=our_full_kernel_str, fips=fips_kernel_policy
+                )
+            )
+
         if verbose:
             event.info(
                 messages.INSTALLING_SERVICE_PACKAGES.format(title=self.title)

uaclient/entitlements/tests/test_fips.py

@@ -405,6 +405,12 @@ def test_enable_configures_apt_sources_and_auth_files(
                 retry_sleeps=apt.APT_RETRIES,
                 override_env_vars=None,
             ),
+            mock.call(
+                ["apt-cache", "policy", "linux-fips"],
+                capture=True,
+                retry_sleeps=apt.APT_RETRIES,
+                override_env_vars=None,
+            ),
         ]
         subp_calls += install_cmd
 
@@ -1104,7 +1110,6 @@ def test_install_packages_dont_fail_if_conditional_pkgs_not_installed(
         fips_entitlement_factory,
         event,
     ):
-
         conditional_pkgs = ["b", "c"]
         m_installed_pkgs.return_value = conditional_pkgs
         packages = ["a"]

uaclient/messages/__init__.py

@@ -1300,6 +1300,13 @@ class TxtColor:
     )
     + PROMPT_YES_NO
 )
+KERNEL_DOWNGRADE_WARNING = t.gettext(
+    """\
+This will downgrade the kernel from {current_version} to {new_version}.
+Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+         hardware is compatible with the new kernel version before proceeding.
+"""
+)
 FIPS_SYSTEM_REBOOT_REQUIRED = t.gettext(
     "FIPS support requires system reboot to complete configuration."
 )