add ubuntu 24.04 fips example

mauromorales · mauromorales · commit 6fd0c8a50b94 · 2025-08-07T14:31:44.000+02:00
Signed-off-by: Mauro Morales &lt;mauro.morales@spectrocloud.com&gt;
diff --git a/examples/builds/ubuntu-24.04-fips/Dockerfile b/examples/builds/ubuntu-24.04-fips/Dockerfile
@@ -0,0 +1,30 @@
+FROM quay.io/kairos/kairos-init:v0.5.8 AS kairos-init
+
+FROM ubuntu:24.04
+ARG VERSION=v0.0.1
+
+RUN --mount=type=bind,from=kairos-init,src=/kairos-init,dst=/kairos-init \
+    /kairos-init -l debug -s install --version "${VERSION}"
+# Remove default kernel that Kairos-init installs
+RUN apt-get remove -y linux-base linux-image-generic-hwe-24.04 && apt-get autoremove -y
+## THIS comes from the Ubuntu documentation: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/tutorials/create_a_fips_docker_image.html
+## I've just added "linux-image-fips" in the package list
+## If you want to use secureboot with fips, you need to install the shim-signed package
+## from the Ubuntu PRO repos as its signed with adifferent key
+RUN --mount=type=secret,id=pro-attach-config \
+    apt-get update \
+    && apt-get install --no-install-recommends -y ubuntu-advantage-tools ca-certificates \
+    && pro attach --attach-config /run/secrets/pro-attach-config \
+    && apt-get upgrade -y \
+    && apt-get install -y strongswan openssh-client openssh-server linux-image-fips shim-signed \
+    && pro detach --assume-yes
+
+# Copy the custom dracut modules.fips that includes 2 missing modules
+COPY modules.fips /tmp/modules.fips
+RUN kernel=$(ls /lib/modules | head -n1) && mv /tmp/modules.fips /lib/modules/${kernel}/modules.fips
+
+RUN --mount=type=bind,from=kairos-init,src=/kairos-init,dst=/kairos-init \
+    /kairos-init -l debug -s init --version "${VERSION}"
+
+# Symlink kernel HMAC
+RUN kernel=$(ls /boot/vmlinuz-* | head -n1) && ln -sf ."${kernel#/boot/}".hmac /boot/.vmlinuz.hmac
diff --git a/examples/builds/ubuntu-24.04-fips/README.md b/examples/builds/ubuntu-24.04-fips/README.md
@@ -0,0 +1,35 @@
+# Kairos Ubuntu jammy fips
+
+- Edit `pro-attach-config.yaml` with your token
+- run `bash build.sh`
+- start the ISO with qemu `bash run.sh`
+
+The system is not enabling FIPS by default in kernel space. 
+
+To Install with `fips` you need a cloud-config file similar to this one adding `fips=1` to the boot options:
+
+```yaml
+#cloud-config
+
+install:
+  # ...
+  # Set grub options
+  grub_options:
+    # additional Kernel option cmdline to apply
+    extra_cmdline: "fips=1"
+```
+
+Notes:
+- The modules.fips file is needed as Ubuntu has an older version of dracut which is missing 2 modules in the initramfs.
+- The LiveCD is not running in fips mode, you can enable it by appending `fips=1` to the kernel command line in the boot menu.
+
+## Verify FIPS is enabled
+
+After install, you can verify that fips is enabled by running:
+
+```bash
+kairos@localhost:~$ cat /proc/sys/crypto/fips_enabled
+1
+kairos@localhost:~$ uname -r
+5.15.0-140-fips
+```
diff --git a/examples/builds/ubuntu-24.04-fips/build.sh b/examples/builds/ubuntu-24.04-fips/build.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -ex
+
+# Build the container image
+docker build --secret id=pro-attach-config,src=pro-attach-config.yaml -t ubuntu-24.04-fips .
+
+# Build ISO from that container
+docker run --rm -ti \
+-v "$PWD"/build:/tmp/auroraboot \
+-v /var/run/docker.sock:/var/run/docker.sock \
+quay.io/kairos/auroraboot:v0.5.0 \
+--set container_image=docker://ubuntu-24.04-fips \
+--set "disable_http_server=true" \
+--set "disable_netboot=true" \
+--set "state_dir=/tmp/auroraboot"
diff --git a/examples/builds/ubuntu-24.04-fips/modules.fips b/examples/builds/ubuntu-24.04-fips/modules.fips
@@ -0,0 +1 @@
+ecc ecdh sha1 sha224 sha256 sha384 sha512 sha3-224 sha3-256 sha3-384 sha3-512 crc32c crct10dif ghash cipher_null des3_ede aes cfb ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts deflate lzo zlib ansi_cprng aead cryptomgr tcrypt crypto_user
diff --git a/examples/builds/ubuntu-24.04-fips/pro-attach-config.yaml b/examples/builds/ubuntu-24.04-fips/pro-attach-config.yaml
@@ -0,0 +1,3 @@
+token: <YOUR_TOKEN> 
+enable_services:
+  - fips-updates
diff --git a/examples/builds/ubuntu-24.04-fips/run.sh b/examples/builds/ubuntu-24.04-fips/run.sh
@@ -0,0 +1,9 @@
+qemu-img create -f qcow2 disk.img 40g
+
+qemu-system-x86_64 -m 8096 -smp cores=2 -nographic -cpu host -enable-kvm \
+-serial mon:stdio -rtc base=utc,clock=rt \
+-chardev socket,path=qga.sock,server,nowait,id=qga0 \
+-device virtio-serial \
+-device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 \
+-drive if=virtio,media=disk,file=disk.img \
+-drive if=ide,media=cdrom,file=build/kairos.iso

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ecc ecdh sha1 sha224 sha256 sha384 sha512 sha3-224 sha3-256 sha3-384 sha3-512 crc32c crct10dif ghash cipher_null des3_ede aes cfb ecb cbc ctr xts gcm ccm authenc hmac cmac ofb cts deflate lzo zlib ansi_cprng aead cryptomgr tcrypt crypto_user`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+token: <YOUR_TOKEN>`
	`2`	`+enable_services:`
	`3`	`+ - fips-updates`