Announcing FIPS 140-3 for Ubuntu Core22
Henry Coggill
on 17 February 2026
Tags: FIPS, FIPS certification, FIPS for IoT, Ubuntu Core, Ubuntu Pro
With the release of the FIPS 140-3 certified cryptographic modules for Ubuntu 22.04 LTS, Canonical is building on its long tradition of enabling customers to deploy Ubuntu in the US Federal marketplace. FIPS 140-3 is a NIST standard that describes how to use cryptography securely, which includes a rigorous certification process to ensure that the implementation is correct. The Ubuntu 22.04 LTS crypto libraries have been through this process and are now available to use with an Ubuntu Pro subscription.
As part of this certification process, we have also included Ubuntu Core as a fully certified Operating Environment for the first time, starting with Ubuntu Core 22, and will continue to support Ubuntu Core with future FIPS certifications. In this article, we’ll explore what Ubuntu Core is, and how to use it with FIPS.
FIPS is available with an Ubuntu Pro subscription, along with enhanced security patching for up to 10 years across the Ubuntu software ecosystem, kernel Livepatch, the Landscape asset management tool and more. Ubuntu Pro is free for personal use on up to 5 machines, with individual pricing for device manufacturers.
What is Ubuntu Core?
Ubuntu Core is a minimal, containerized, and immutable version of Ubuntu designed for IoT, embedded devices, and appliances, built using snap packages. Snaps are Linux app packages that are self-contained, rigorously secure, and dependency-free.
At the heart of Ubuntu Core is a robust security model: every snap package is confined using strict sandboxing with digital signatures, and is fully transactional, enabling system rollback, self-healing, and updates with zero-touch deployment. The OS itself is immutable and read-only, and updates are delivered atomically, reducing operational risk and downtime. Ubuntu Core’s security features, such as secure boot, full disk encryption, and measured boot capabilities, enable device makers to easily deploy a hardware-rooted chain of trust and ensure system integrity from power-on to runtime.
Once developers have built and validated their snap application in their preferred environment, they create their production Ubuntu Core image that includes only the necessary snaps they need for their targeted application. Their production Ubuntu Core image can then be deployed to devices, reducing provisioning time in the manufacturing line while increasing assurance of reproducibility, confinement, and long-term support through up to 15 years of security maintenance. Ubuntu Core is designed for the full lifecycle of a device and integrates seamlessly with fleet management and automation tools, supporting scalable deployment and maintenance across a wide range of mission-critical use cases.
Ubuntu Core is gaining significant traction across the IoT and Industrial sectors, with deployments in manufacturing, home automation, agriculture, retail supply chain, robotics, and digital signage.
How to build snaps for Ubuntu Core
Canonical has put together a comprehensive toolchain called snapcraft for building snaps in a clear and consistent way. Snapcraft requires a simple YAML file declaration that describes how to build a snap, and it includes numerous plugins for common build environments such as C/C++, Python, Golang, CMake, and many more.
Snaps are intended to be completely standalone apps that don’t require a litany of dependencies to be installed on the system. There is, however, a common set of system libraries that are bundled together in the “base” snap that is available to all other snaps on the system – this base snap is built from the corresponding Ubuntu LTS distribution, and is called core22 (the number reflects the Ubuntu LTS version, so core22 is built from Ubuntu 22.04 LTS).
What is a FIPS-enabled snap?
As part of the FIPS certification process for Ubuntu 22.04, we have also included the userspace cryptographic libraries within the core22 base snap (OpenSSL, libgcrypt, GnuTLS). The version of this core22 snap with the FIPS libraries is available from the snap store within the fips-updates/stable channel. You can see which channels are available for a particular snap using the snap info <snap> command, e.g. snap info core22.
Just as with classic Ubuntu 22.04 LTS FIPS, these modules require a FIPS kernel to be installed in order to provide a FIPS-validated source of entropy (random numbers). The FIPS kernel sets a dedicated flag in the proc filesystem to indicate that it’s running in FIPS mode, and the crypto modules detect this and thus run in FIPS mode as well:
$ cat /proc/sys/crypto/fips_enabled
1
This means that any application which links against the FIPS modules, such as OpenSSL, can directly use the FIPS-validated crypto algorithms without needing to undergo any modification, or additional NIST certification.
It is important to note that the core22 base includes OpenSSL, libgcrypt & GnuTLS, so when building a snap you should make sure you use these libraries and don’t include extra copies in the staging steps, as the snap would then not be able to function in FIPS mode.
An example snap build
We’ve created an example snap that shows the OpenSSL crypto providers that are installed. By default, OpenSSL uses its regular “base” provider, but in FIPS mode it also has a dedicated “fips” provider. Check out the code from GitHub:
$ git clone https://github.com/henrycoggillcnc/fipstestsnap.git
This application is built against OpenSSL – see the CMakeLists.txt directive:
target_link_libraries(server PUBLIC microhttpd crypto)
The snapcraft definition includes the OpenSSL development libraries, but does not stage the OpenSSL runtime libraries, as these are provided within the core22 base snap:
parts:
  server:
    source: .
    plugin: cmake
    build-packages:
      - libmicrohttpd-dev
      - libssl-dev
    stage-packages:
      - libmicrohttpd12
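The rule above (use the crypto libraries from the core22 base and do not stage extra copies) can be checked on a built snap before it ships. The script below is an added example, not part of the original post or the fipstestsnap repository; the function names and the unpacked-directory argument are assumptions, and the snap is assumed to have been unpacked first with unsquashfs.

```shell
#!/bin/sh
# Added example: audit an unpacked snap for crypto libraries that the
# core22 base already provides (OpenSSL, libgcrypt, GnuTLS).
# Assumed preparation: unsquashfs -d ./unpacked testsnap_1_amd64.snap

# List every bundled shared object of the libraries named in the article.
find_bundled_crypto() {
    find "$1" \( -type f -o -type l \) \
        \( -name 'libssl.so*' -o -name 'libcrypto.so*' \
           -o -name 'libgcrypt.so*' -o -name 'libgnutls.so*' \) \
        -print | sort
}

# Return 0 when the tree carries no private crypto copies, 1 otherwise.
audit_snap_tree() {
    hits=$(find_bundled_crypto "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/bundled crypto library: /' >&2
        return 1
    fi
    return 0
}

# Report the kernel FIPS flag: the file's content, or "absent" when the
# running kernel does not expose it. The path argument is optional and
# exists so the function can be exercised against a constructed file.
kernel_fips_flag() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$flag_file" ]; then
        cat "$flag_file"
    else
        echo absent
    fi
}

# Stand-alone use: sh audit.sh ./unpacked
if [ "$#" -ge 1 ]; then
    echo "kernel fips_enabled: $(kernel_fips_flag)"
    if audit_snap_tree "$1"; then
        echo "OK: no bundled crypto libraries under $1"
    else
        echo "FAIL: remove the libraries above from stage-packages" >&2
        exit 1
    fi
fi
```

The check only sees shared objects by file name; crypto code that is statically linked into a binary is not detected by it.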
Testing on classic Ubuntu in FIPS mode
Snaps can run on classic Ubuntu or Ubuntu Core (as well as many other Linux environments), and it is simplest to develop and test them on classic Ubuntu systems. In order for snaps to become available in the public snapstore they need to be reviewed by Canonical’s security team. You can also build and install snaps locally though:
$ sudo snap install --dangerous --jailmode testsnap_1_amd64.snap
The --dangerous flag tells snapd to not check the signature and security assertions for the snap. These are normally enabled through the snapstore publishing process. The --jailmode flag tells snapd to still enforce the snap’s security confinement (--dangerous also disables security confinement). Again, this is needed for testing purposes only.
For FIPS mode, the system requires both the kernel and userspace libraries to be FIPS enabled. Canonical provides the necessary packages with an Ubuntu Pro subscription, and you can install them using the Pro client, turning the system into FIPS mode:
$ sudo pro enable fips-updates
Our example test snap will run on non-FIPS and FIPS systems, and it lists the OpenSSL providers that are loaded. By default it shows the “base” provider, but on FIPS-enabled systems it also shows the “fips” provider.
Another easy method to test applications on FIPS systems is to use multipass. Launch an Ubuntu 22.04 instance, enable FIPS, install the core22 FIPS base, install the example test snap, and check the results.
$ multipass launch jammy -n jammyfips -c 2 -m 2g -d 15g
$ multipass shell jammyfips
$ sudo pro attach <pro token>
$ sudo pro enable fips-updates
$ sudo reboot
$ multipass transfer testsnap_1_amd64.snap jammyfips:
$ multipass shell jammyfips
$ sudo snap install core22 --channel fips-updates/stable
$ sudo snap install --dangerous --jailmode testsnap_1_amd64.snap
Ubuntu Core with FIPS
To build an Ubuntu Core image, you begin by defining a model assertion, which is a signed JSON document that specifies the structure of the image – including the base system, kernel, gadget, and application snaps – along with device identity and security policies. This model declares which snaps are included and how they interact. Using the ubuntu-image tool, the image is then assembled based on this model, pulling the declared snaps from the Snap Store or a specified source. The result is a reproducible, signed image that is ready for secure deployment to devices.
An Ubuntu Core image is built up from 4 key snaps:
- Gadget snap – this defines the layout of the system and includes hardware configuration
- Kernel snap – the Ubuntu Linux kernel
- Snapd – the runtime engine for snaps and Ubuntu Core
- Base snap – core libraries and components that provide basic Linux functionality
In order to have a fully FIPS-enabled version of Ubuntu Core, all the snaps need to be built in FIPS mode, apart from the gadget snap which doesn’t contain cryptographic functionality. Canonical has built these FIPS-enabled snaps and they are now available through your Ubuntu Pro subscription.
Something to bear in mind for IoT systems is whether a custom kernel is required. The FIPS-enabled kernel that we take through the lengthy FIPS validation process is based on the stock Ubuntu kernel version that is published with each new LTS release. This means that if the stock kernel supports the hardware platform, then the FIPS kernel will too; however, if the stock kernel does not support the hardware platform, then the FIPS kernel will not support it either.
Canonical’s IoT professional services team is on hand to guide customers through this journey, providing support, customizations, hardware enablement, and access to specialized builds such as these FIPS snaps.
By engaging with our IoT team, you can get your own Dedicated Snap Store in order to control the publishing and availability of your custom snap applications, manage accounts and device authentication.
Conclusion
Ubuntu Core is an exciting new approach to Linux security, combining the latest developments in immutability, strict confinement, and application delivery, and customers from all across the IoT world are discovering these benefits. We’re pleased to extend Canonical’s FIPS compliance capabilities to the Ubuntu Core ecosystem and enable even more usage of Core in regulated environments. Please get in touch to learn more about Ubuntu Core, FIPS 140, and how our IoT professional services team can help you get up and running in this exciting new world of secure and minimal Linux systems.