diff --git a/features/enable_fips_pro.feature b/features/enable_fips_pro.feature
index 20e0cf5cbc..2b80598d3a 100644
--- a/features/enable_fips_pro.feature
+++ b/features/enable_fips_pro.feature
@@ -118,7 +118,7 @@ Feature: FIPS enablement in PRO cloud based machines
 | focal | FIPS | fips |https://esm.ubuntu.com/fips/ubuntu focal/main |
 | focal | FIPS Updates | fips-updates |https://esm.ubuntu.com/fips/ubuntu focal/main |
-
+ @wip
 @slow
 @series.bionic
 @series.focal
@@ -142,6 +142,10 @@ Feature: FIPS enablement in PRO cloud based machines
 When I run `pro enable --assume-yes` with sudo
 Then stdout matches regexp:
 """
+ This will downgrade the kernel from X to new_version.
+ Warning: Downgrading the kernel may cause hardware failures. Please ensure the
+ hardware is compatible with the new kernel version before proceeding.
+ Are you sure? (y/N)
 Updating package lists
 Installing packages
 enabled
diff --git a/uaclient/entitlements/fips.py b/uaclient/entitlements/fips.py
index 80cda9f849..3818462024 100644
--- a/uaclient/entitlements/fips.py
+++ b/uaclient/entitlements/fips.py
@@ -1,7 +1,10 @@
 import logging
 import os
+import re
 from itertools import groupby
-from typing import List, Optional, Tuple # noqa: F401
+from typing import Callable, List, Optional, Tuple, Union # noqa: F401
+
+import pkg_resources
 from uaclient import apt, event_logger, exceptions, messages, system, util
 from uaclient.clouds.identity import NoCloudTypeReason, get_cloud_type
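Review bot: The expected output added under `Then stdout matches regexp:` contains the literal placeholders `X` and `new_version`, which the real prompt (formatted from `{current_version}`/`{new_version}`) will never print, so this step cannot pass as written even though the scenario is now tagged `@wip`. Because the block is a regexp, the `?` and the parentheses in `Are you sure? (y/N)` are metacharacters rather than literal text; something like `This will downgrade the kernel from .+ to .+\.` and `Are you sure\? \(y/N\)` would match the actual prompt. The page rendering also appears to have dropped angle-bracketed tokens (the `Installing packages` / `enabled` context lines look like they lost a `<…>` placeholder), so the exact context text should be checked against the file rather than this view.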
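Review bot: `import pkg_resources` introduces a new runtime dependency on setuptools for a path that runs during `pro enable`; `pkg_resources` is deprecated upstream, and its `parse_version` applies PEP 440 semantics rather than Debian version ordering, so Ubuntu kernel strings carrying a `-ABI.upload` suffix may compare differently than dpkg would or, on newer setuptools, fail to parse. Comparing with dpkg/apt semantics instead (for example `apt_pkg.version_compare`, or a project wrapper around it if one exists) would avoid both problems; if `pkg_resources` is kept, the dependency has to be declared in packaging. The widened `typing` import adds `Callable` and `Union` under `# noqa: F401`, and nothing in this diff uses them, so unless they are referenced elsewhere in the file the `noqa` is now hiding dead imports.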
@@ -167,6 +170,31 @@ def install_packages(
 :param cleanup_on_failure: Cleanup apt files if apt install fails.
 :param verbose: If true, print messages to stdout
 """
+
+ # Prior to installing packages, check if the kernel is being downgraded
+ # and if so verify that the user wants to continue
+ our_kernel_version_str = (
+ system.get_kernel_info().proc_version_signature_version
+ )
+ fips_kernel_policy = apt.get_apt_cache_policy_for_package("linux-fips")
+ m = re.search(
+ r"Candidate: (?P\d+\.\d+\.\d+)", fips_kernel_policy
+ )
+ LOG.warning(f"Checking kernel versions: {our_kernel_version_str}")
+ if m is not None:
+ fips_kernel_version_str = m.group("kernel_version")
+ our_version = pkg_resources.parse_version(fips_kernel_version_str)
+ fips_version = pkg_resources.parse_version(our_kernel_version_str)
+ if fips_version < our_version:
+ if not util.prompt_for_confirmation(
+ msg=messages.PROMPT_KERNEL_DOWNGRADE.format(
+ current_version=our_kernel_version_str,
+ new_version=fips_kernel_version_str,
+ ),
+ assume_yes=self.assume_yes,
+ ):
+ return
+
 if verbose:
 event.info(
 messages.INSTALLING_SERVICE_PACKAGES.format(title=self.title)
diff --git a/uaclient/entitlements/tests/test_fips.py b/uaclient/entitlements/tests/test_fips.py
index d27d5a78b3..6f9347d91a 100644
--- a/uaclient/entitlements/tests/test_fips.py
+++ b/uaclient/entitlements/tests/test_fips.py
@@ -405,6 +405,12 @@ def test_enable_configures_apt_sources_and_auth_files(
 retry_sleeps=apt.APT_RETRIES,
 override_env_vars=None,
 ),
+ mock.call(
+ ["apt-cache", "policy", "linux-fips"],
+ capture=True,
+ retry_sleeps=apt.APT_RETRIES,
+ override_env_vars=None,
+ ),
 ]
 subp_calls += install_cmd
@@ -1104,7 +1110,6 @@ def test_install_packages_dont_fail_if_conditional_pkgs_not_installed(
 fips_entitlement_factory,
 event,
 ):
-
 conditional_pkgs = ["b", "c"]
 m_installed_pkgs.return_value = conditional_pkgs
 packages = ["a"]
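Review bot: The two `parse_version` assignments are crossed: `our_version` is built from `fips_kernel_version_str` and `fips_version` from `our_kernel_version_str`, so `if fips_version < our_version:` prompts when the candidate FIPS kernel is newer than the running one and stays silent on an actual downgrade, the opposite of the comment above it and of the `current_version`/`new_version` arguments handed to the prompt; swap them to `our_version = pkg_resources.parse_version(our_kernel_version_str)` and `fips_version = pkg_resources.parse_version(fips_kernel_version_str)`. `LOG.warning(f"Checking kernel versions: ...")` reads as a leftover debug statement and would emit a warning-level line on every FIPS enable; make it `LOG.debug("Checking kernel versions: %s", our_kernel_version_str)` or drop it. When the user declines, the bare `return` leaves `install_packages` returning normally, so presumably the enable flow continues to configure apt sources and report the service as enabled without the FIPS kernel installed; raising the exception the enable path already uses for an aborted prompt, if one exists, would keep the reported status honest. The named group in `(?P…)` looks stripped by the page rendering — `m.group("kernel_version")` requires `(?P<kernel_version>…)` in the file, which should be confirmed. `install_packages` begins before this hunk and continues after it.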
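Review bot: The only test change for the new downgrade check is the extra `mock.call(["apt-cache", "policy", "linux-fips"], ...)` expectation in `test_enable_configures_apt_sources_and_auth_files`, which pins the subprocess call but never exercises the version comparison or the prompt. A test that mocks `system.get_kernel_info` and `apt.get_apt_cache_policy_for_package` with a `Candidate:` older than the running kernel and asserts that `util.prompt_for_confirmation` is called (and not called when the candidate is newer or absent) would have caught the inverted comparison in `install_packages`. The second hunk in this file only removes a blank line.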
diff --git a/uaclient/messages/__init__.py b/uaclient/messages/__init__.py
index 0c0f553989..c57b3b8520 100644
--- a/uaclient/messages/__init__.py
+++ b/uaclient/messages/__init__.py
@@ -1295,6 +1295,16 @@ class TxtColor:
 )
 + PROMPT_YES_NO
 )
+PROMPT_KERNEL_DOWNGRADE = (
+ t.gettext(
+ """\
+This will downgrade the kernel from {current_version} to {new_version}.
+Warning: Downgrading the kernel may cause hardware failures. Please ensure the
+ hardware is compatible with the new kernel version before proceeding.
+"""
+ + PROMPT_YES_NO
+ )
+)
 FIPS_SYSTEM_REBOOT_REQUIRED = t.gettext(
 "FIPS support requires system reboot to complete configuration."
 )
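Review bot: The continuation line of `PROMPT_KERNEL_DOWNGRADE` starts with a space (`+ hardware is compatible…`) while the other lines of the triple-quoted string start at column 0, so the rendered prompt carries a stray indent in the middle of its second sentence. The wording "may cause hardware failures" also overstates what a downgrade does — the risk is that the older kernel lacks drivers or support for some hardware, not that hardware breaks. Suggested lines: `Warning: the older kernel may lack support for some hardware. Please ensure` / `the hardware is compatible with the new kernel version before proceeding.`. Since the string goes through `t.gettext`, the wording is best settled before translators pick it up.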