Bug 1035474

Summary: libvirt should pass "-enable-fips" to QEMU
Product: Red Hat Enterprise Linux 7 Reporter: Paul Moore <pmoore>
Component: libvirtAssignee: Eric Blake <eblake>
Status: CLOSED CURRENTRELEASE QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: acathrow, ajia, berrange, codong, dyuan, eblake, juzhang, mazhang, mjenner, mzhan, rjones, zpeng
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libvirt-1.1.1-18.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1135431 (view as bug list) Environment:
Last Closed: 2014-06-13 09:44:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1135431    

Description Paul Moore 2013-11-27 21:18:21 UTC 
Description of problem:
When we added FIPS-140 detection logic to QEMU, upstream wanted it off by default so the FIPS logic is only enabled when the "-enable-fips" option is passed to QEMU.  While upstream may want to disable FIPS by default, in RHEL we should ensure that the FIPS detection logic is enabled by default.

The related QEMU FIPS bugzilla/feature-request for RHEL7 is BZ #817067.
Comment 2 Daniel Berrangé 2013-11-28 10:21:46 UTC 
This flag in QEMU is utterly retarded and should not exist. If the host is running in FIPS mode (as indicated by the kernel) then QEMU should use FIPS mode unconditionally to match what the crypto libraries are already doing. If the host isn't FIPS mode then it should not do anything. This flag is a solution in search of a purpose.
Comment 3 Paul Moore 2013-12-02 22:38:49 UTC 
(In reply to Daniel Berrange from comment #2)
> This flag in QEMU is utterly retarded and should not exist. If the host is
> running in FIPS mode (as indicated by the kernel) then QEMU should use FIPS
> mode unconditionally to match what the crypto libraries are already doing.
> If the host isn't FIPS mode then it should not do anything. This flag is a
> solution in search of a purpose.

I agree that the flag is ridiculous, but upstream made it a requirement on accepting the FIPS detection code.  On the virt-devel list, we are currently discussing the possibility of making the "-enable-fips" option default to "on", but that would diverge from upstream.
Comment 4 Eric Blake 2013-12-05 21:11:01 UTC 
Does qemu even provide a way to query whether the command line option exists or not?  Without a QMP query method, the only way to find out is to try qemu with it, and on failure fall back to avoiding it, which is painful if the option ever gets removed in future versions.  I agree that libvirt should always supply the option for older qemu, though.
Comment 5 Paul Moore 2013-12-05 21:19:14 UTC 
(In reply to Eric Blake from comment #4)
> Does qemu even provide a way to query whether the command line option exists
> or not?

To the best of my knowledge, no.

> Without a QMP query method, the only way to find out is to try qemu
> with it, and on failure fall back to avoiding it, which is painful if the
> option ever gets removed in future versions.  I agree that libvirt should
> always supply the option for older qemu, though.

Considering that upstream was very insistent that the command line option be added, I find it very doubtful that it would be removed in the future.
Comment 6 Eric Blake 2013-12-05 21:56:53 UTC 
Upstream proposed patch:
https://www.redhat.com/archives/libvir-list/2013-December/msg00353.html
Comment 7 Eric Blake 2013-12-13 23:54:38 UTC 
Upstream v2:
https://www.redhat.com/archives/libvir-list/2013-December/msg00833.html
Comment 8 Eric Blake 2013-12-18 15:23:57 UTC 
Option 1 in POST:
http://post-office.corp.redhat.com/archives/rhvirt-patches/2013-December/msg00812.html

although it may be worth waiting for option 2, which backports vircapabilitestest, for comparison.
Comment 10 Eric Blake 2013-12-19 02:54:46 UTC 
Option 2 turned out to be rather invasive; I'd rather skip the qemucapabilitiestest in the option 1 backport than introduce the additional risk of 20+ patches to enhance the testsuite.
Comment 12 CongDong 2014-01-09 05:48:13 UTC 
Can reproduce with:
libvirt-1.1.1-17.el7.x86_64

Steps:

1. Prepare a guest using vnc and with a password.

2. Enable FIPS mode.
#yum install dracut-fips
#rpm -qa |grep dracut
dracut-network-033-40.el7.x86_64
dracut-033-40.el7.x86_64
dracut-fips-033-40.el7.x86_64
dracut-config-rescue-033-40.el7.x86_64
#setting configuring "PRELINKING=no" in the /etc/sysconfig/prelink configuration file
#prelink -u -a
#dracut -f

add "fips=1" and boot partition in kernel command line

linux16 /vmlinuz-3.10.0-54.el7.x86_64 root=/dev/mapper/rhel_intel--5205--32--1-root ro rd.lvm.lv=rhel_intel-5205-32-1/swap console=tty0 vconsole.keymap=us reboot=pci console=ttyS0,115200 vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel_intel-5205-32-1/root biosdevname=0 crashkernel=256M LANG=en_US.UTF-8 fips=1 boot=/dev/sda1

reboot host

3. Check fips:
# cat /proc/sys/crypto/fips_enabled
1

4. Try to start the guest.
# virsh start $vm

5. Check the qemu cmdline
# ps -ef | grep $vm

Result:
The guest start successfully, and there is no "-enable-fips" in qemu cmdline.


Verify with:
libvirt-1.1.1-18.el7.x86_64

Steps:
As the steps above.

Result:
1.
The guest cannot start, get error:
error: Failed to start domain rhel6u5
error: internal error: early end of file from monitor: possible problem:
qemu-kvm: Failed to start VNC server on `unix:/var/lib/libvirt/qemu/rhel6u5.vnc,password': VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
2.If delete the vnc-passwd,and try to start the guest , the guest can start successfully.
And can find "-enable-fips" in qemu cmdline like:
qemu      4128     1 28 11:46 ?        00:00:18 /usr/libexec/qemu-kvm -name rhel6u5 -S -enable-fips -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 2,sockets=2,cores=1,threads=1 -uuid 6c58ee29-3c2c-431e-93b2-403409566272 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/rhel6u5.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/rhel6u5.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=23,id=hostnet0,vhost=on,vhostfd=24 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:e1:59:9e,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -vnc unix:/var/lib/libvirt/qemu/rhel6u5.vnc -vga cirrus -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7
3.
The guest can start if disable fips mode and there is no "-enable-fips" in qemu cmdline.

As the result, set VERIFIED.
Comment 13 Ludek Smid 2014-06-13 09:44:51 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.