[draft] feat: warn/confirm with user if enabling fips downgrades the kernel

features/enable_fips_pro.feature

@@ -118,7 +118,7 @@ Feature: FIPS enablement in PRO cloud based machines
            | focal   | FIPS         | fips         |https://esm.ubuntu.com/fips/ubuntu focal/main  |
            | focal   | FIPS Updates | fips-updates |https://esm.ubuntu.com/fips/ubuntu focal/main  |
 
-
+    @wip
     @slow
     @series.bionic
     @series.focal
@@ -142,6 +142,10 @@ Feature: FIPS enablement in PRO cloud based machines
         When I run `pro enable <fips-service> --assume-yes` with sudo
         Then stdout matches regexp:
             """
+            This will downgrade the kernel from X to new_version.
+            Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+            hardware is compatible with the new kernel version before proceeding.
+            Are you sure? (y/N)
             Updating <fips-name> package lists
             Installing <fips-name> packages
             <fips-name> enabled

uaclient/entitlements/fips.py

@@ -1,7 +1,10 @@
 import logging
 import os
+import re
 from itertools import groupby
-from typing import List, Optional, Tuple  # noqa: F401
+from typing import Callable, List, Optional, Tuple, Union  # noqa: F401
+
+import pkg_resources
 
 from uaclient import apt, event_logger, exceptions, messages, system, util
 from uaclient.clouds.identity import NoCloudTypeReason, get_cloud_type
@@ -167,6 +170,31 @@ def install_packages(
         :param cleanup_on_failure: Cleanup apt files if apt install fails.
         :param verbose: If true, print messages to stdout
         """
+
+        # Prior to installing packages, check if the kernel is being downgraded
+        # and if so verify that the user wants to continue
+        our_kernel_version_str = (
+            system.get_kernel_info().proc_version_signature_version
+        )
+        fips_kernel_policy = apt.get_apt_cache_policy_for_package("linux-fips")
+        m = re.search(
+            r"Candidate: (?P<kernel_version>\d+\.\d+\.\d+)", fips_kernel_policy
+        )
+        LOG.warning(f"Checking kernel versions: {our_kernel_version_str}")
+        if m is not None:
+            fips_kernel_version_str = m.group("kernel_version")
+            our_version = pkg_resources.parse_version(fips_kernel_version_str)
+            fips_version = pkg_resources.parse_version(our_kernel_version_str)
+            if fips_version < our_version:
+                if not util.prompt_for_confirmation(
+                    msg=messages.PROMPT_KERNEL_DOWNGRADE.format(
+                        current_version=our_kernel_version_str,
+                        new_version=fips_kernel_version_str,
+                    ),
+                    assume_yes=self.assume_yes,
+                ):
+                    return
+
         if verbose:
             event.info(
                 messages.INSTALLING_SERVICE_PACKAGES.format(title=self.title)

uaclient/entitlements/tests/test_fips.py

@@ -405,6 +405,12 @@ def test_enable_configures_apt_sources_and_auth_files(
                 retry_sleeps=apt.APT_RETRIES,
                 override_env_vars=None,
             ),
+            mock.call(
+                ["apt-cache", "policy", "linux-fips"],
+                capture=True,
+                retry_sleeps=apt.APT_RETRIES,
+                override_env_vars=None,
+            ),
         ]
         subp_calls += install_cmd
 
@@ -1104,7 +1110,6 @@ def test_install_packages_dont_fail_if_conditional_pkgs_not_installed(
         fips_entitlement_factory,
         event,
     ):
-
         conditional_pkgs = ["b", "c"]
         m_installed_pkgs.return_value = conditional_pkgs
         packages = ["a"]

uaclient/messages/__init__.py

@@ -1295,6 +1295,16 @@ class TxtColor:
     )
     + PROMPT_YES_NO
 )
+PROMPT_KERNEL_DOWNGRADE = (
+    t.gettext(
+    """\
+This will downgrade the kernel from {current_version} to {new_version}.
+Warning: Downgrading the kernel may cause hardware failures.  Please ensure the
+         hardware is compatible with the new kernel version before proceeding.
+"""
+    + PROMPT_YES_NO
+    )
+)
 FIPS_SYSTEM_REBOOT_REQUIRED = t.gettext(
     "FIPS support requires system reboot to complete configuration."
 )