Ubuntu FIPS broke the package manager

I enabled Ubuntu FIPS and suddenly I can't install anything. Here is a sample of the error output. It happens with every package I try to install.

laptop@my-laptop:~$ sudo apt install -f gcc
Reading package lists... Done
Building dependency tree       
Reading state information... Done
gcc is already the newest version (4:9.3.0-1ubuntu2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Setting up initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
Processing triggers for initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-91-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-91-generic with 1.
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
Processing triggers for linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
/etc/kernel/postinst.d/dkms:
 * dkms: running auto installation service for kernel 5.4.0-1007-fips
   ...done.
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.4.0-1007-fips
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-1007-fips with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-5.4.0-1007-fips (--configure):
 installed linux-image-5.4.0-1007-fips package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 initramfs-tools
 linux-image-5.4.0-1007-fips
E: Sub-process /usr/bin/dpkg returned an error code (1)

I am using Ubuntu 20.04 LTS; I upgraded using do-release-upgrade.

laptop@my-laptop:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal
laptop@my-laptop:~$ sudo apt update 
Hit:1 http://dl.google.com/linux/chrome/deb stable InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease                                                                                                                               
Hit:3 https://packages.microsoft.com/repos/edge stable InRelease                                                                                                                                                  
Hit:4 https://packages.microsoft.com/repos/ms-teams stable InRelease                                                                                                                                              
Hit:5 https://deb.nodesource.com/node_15.x focal InRelease                                                                                                                                                        
Get:6 https://packages.microsoft.com/repos/code stable InRelease [10,4 kB]                                                                                                                                        
Hit:7 https://packages.cloud.google.com/apt cloud-sdk InRelease                                                                                                                                                   
Hit:8 http://ppa.launchpad.net/git-core/ppa/ubuntu focal InRelease                                                                                                                                                
Hit:9 http://ppa.launchpad.net/graphics-drivers/ppa/ubuntu focal InRelease                                                                                                                                        
Hit:10 http://ppa.launchpad.net/linuxuprising/apps/ubuntu focal InRelease                                                                                                                                         
Hit:11 https://repo.nordvpn.com/deb/nordvpn/debian stable InRelease                                                                                                                                               
Hit:12 http://ppa.launchpad.net/shevchuk/dnscrypt-proxy/ubuntu focal InRelease                                                                                                                                    
Hit:13 https://artifacts.elastic.co/packages/7.x/apt stable InRelease                                                                                                                                             
Get:14 https://esm.ubuntu.com/cis/ubuntu focal InRelease [3138 B]                                                                                                          
Get:15 https://esm.ubuntu.com/infra/ubuntu focal-infra-security InRelease [7426 B]                                                                                                 
Hit:16 https://packages.cloud.google.com/apt kubernetes-xenial InRelease                                                                             
Hit:17 https://download.sublimetext.com apt/stable/ InRelease                                
Get:18 https://packages.microsoft.com/repos/code stable/main amd64 Packages [64,0 kB]
Get:19 https://packages.microsoft.com/repos/code stable/main armhf Packages [64,9 kB]
Get:20 https://packages.microsoft.com/repos/code stable/main arm64 Packages [64,9 kB]          
Hit:21 https://ftp.postgresql.org/pub/pgadmin/pgadmin4/apt/focal pgadmin4 InRelease                                                                                                                               
Fetched 215 kB in 7s (30,1 kB/s)                                                                                                                                                                                  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
laptop@my-laptop:~$ dpkg -L libgcrypt20 | grep .so.20.2.5
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5
laptop@my-laptop:~$ 

I tried disabling FIPS, but the problem persists.

laptop@my-laptop:~$ ua status --all
SERVICE       ENTITLED  STATUS    DESCRIPTION
cc-eal        yes       n/a       Common Criteria EAL2 Provisioning Packages
cis           yes       enabled   Center for Internet Security Audit Tools
esm-apps      no        —         UA Apps: Extended Security Maintenance (ESM)
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
ros           no        —         Security Updates for the Robot Operating System
ros-updates   no        —         All Updates for the Robot Operating System

Enable services with: ua enable <service>

Adding more information as requested by @Someone:

laptop@my-laptop:~$ sudo chmod +x /usr/share/initramfs-tools/hooks/fips-libgcrypt
laptop@my-laptop:~$ sudo apt -f install
Reading package lists... Done
Building dependency tree       
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
Processing triggers for initramfs-tools (0.136ubuntu6.6) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-91-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-91-generic with 1.
dpkg: error processing package initramfs-tools (--configure):
 installed initramfs-tools package post-installation script subprocess returned error exit status 1
Processing triggers for linux-image-5.4.0-1007-fips (5.4.0-1007.8) ...
/etc/kernel/postinst.d/dkms:
 * dkms: running auto installation service for kernel 5.4.0-1007-fips
   ...done.
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.4.0-1007-fips
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
update-initramfs: failed for /boot/initrd.img-5.4.0-1007-fips with 1.
run-parts: /etc/kernel/postinst.d/initramfs-tools exited with return code 1
dpkg: error processing package linux-image-5.4.0-1007-fips (--configure):
 installed linux-image-5.4.0-1007-fips package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 initramfs-tools
 linux-image-5.4.0-1007-fips
E: Sub-process /usr/bin/dpkg returned an error code (1)
laptop@my-laptop:~$ 

Here is the libgcrypt version on my Ubuntu:

laptop@my-laptop:~$ ls -a /usr/lib/x86_64-linux-gnu/ | grep libgcrypt
libgcrypt.so.20
libgcrypt.so.20.2.5
laptop@my-laptop:~$ 

I'm not sure what I'm doing wrong here. Thanks in advance for your help.

Answer 1

In the end I got it working; unfortunately, it required some manual steps. First I removed the Ubuntu FIPS kernel (I used UKUU for this), then I removed the FIPS stuff:

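# Collect the names of all installed linux-*-fips packages
FIPS_KERNELS=$(dpkg-query -W -f='${Package}\n' | grep -E 'linux-.*-fips')
# Word splitting is intended here: one argument per package name
sudo apt-get remove $FIPS_KERNELS
sudo reboot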

After that I removed all the kernel entries I was not using from:

/boot

Finally I removed all the fips entries:

sudo su
cd /usr/share/initramfs-tools/hooks/
rm -rf fips*

I'm not sure whether all of the steps are needed, but it worked for me.
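
A triage helper for the failure shown in the question, as an added example that is not part of the original question or answer: it extracts the HMAC paths that update-initramfs reports as uncopyable from saved apt output, checks whether each HMAC file and its library exist, and lists any fips* initramfs hooks together with the package that owns them. The function names and the ROOT argument are hypothetical, and the mapping from `.libfoo.so.N.hmac` to `libfoo.so.N` is an assumption based on the file names shown above.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT arguments are hypothetical
# parameters, defaulting to /, so the checks can run against a test tree.

# Print the unique HMAC paths named in update-initramfs output on stdin.
missing_hmac_paths() {
    sed -n 's/^Failed to copy HMAC file "\(.*\)"\.$/\1/p' | sort -u
}

# Report whether an HMAC file and the library beside it exist under ROOT.
# Assumption: ".libfoo.so.N.hmac" is the checksum for "libfoo.so.N".
check_hmac() {
    hmac=$1; root=${2:-/}
    lib=$(dirname "$hmac")/$(basename "$hmac" .hmac | sed 's/^\.//')
    h=absent; l=absent
    [ -e "$root$hmac" ] && h=present
    [ -e "$root$lib" ] && l=present
    echo "hmac=$h lib=$l $hmac"
}

# List FIPS initramfs hooks under ROOT and, on the live system, the package
# that owns each one (empty owner means no installed package claims it).
list_fips_hooks() {
    root=${1:-/}
    for f in "$root"/usr/share/initramfs-tools/hooks/fips*; do
        [ -e "$f" ] || continue
        path=${f#"$root"}; owner=unknown
        [ "$root" = / ] && owner=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
        echo "hook=$path owner=$owner"
    done
}

# Usage: triage [ROOT] < saved-apt-output.log
triage() {
    root=${1:-/}
    missing_hmac_paths | while read -r p; do check_hmac "$p" "$root"; done
    list_fips_hooks "$root"
}
```

A result of `hmac=absent lib=present` alongside a remaining `hook=` line matches the state in the question: the library is installed, its HMAC file is not, and the hook that expects it is still present.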
