Bug 1339526

Summary: [RFE] RHEV-H-NG should support to enable FIPS mode
Product: [oVirt] ovirt-node Reporter: Ying Cui <ycui>
Component: RFEsAssignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED NEXTRELEASE QA Contact: cshao <cshao>
Severity: high Docs Contact:
Priority: medium    
Version: 4.0CC: bugs, cshao, fdeutsch, huzhao, leiwang, mkalinin, rbarry, weiwang, yaniwang, ycui
Target Milestone: ovirt-4.0.2Keywords: FutureFeature
Target Release: 4.0Flags: fdeutsch: ovirt-4.1?
rule-engine: planning_ack?
fdeutsch: devel_ack+
ycui: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: redhat-release-virtualization-host-4.0-0.16.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-23 11:12:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ying Cui 2016-05-25 09:07:06 UTC 
Description of problem:
Vintage RHEV-H supports to enable FIPS mode as default, filling this RFE to ensure the RHEV-H NEXT also supports FIPS mode. The specific customers (typically government related) using FIPS are important.

In current RHEV-H NG build(rhev-hypervisor7-ng-3.6-20160518.0), at least it does not include dracut-fips package, can not enable FIPS in NGN as default.
Comment 1 Yaniv Kaul 2016-05-30 11:26:31 UTC 
Fabian - beyond the missing package, what is needed?
Comment 2 Fabian Deutsch 2016-05-30 13:41:07 UTC 
It's unclear - We need to investigate what the recommended procedure is on RHEL - then we can see what is needed on NGN.

Let me note that afaik FIPS is for a while now not working on vintage RHEV-H.
Comment 3 Ryan Barry 2016-07-07 12:40:56 UTC 
We need simply "dracut-fips" and a kernel argument:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html
Comment 4 Ryan Barry 2016-07-07 14:47:50 UTC 
I would suggest that we include dracut-fips, and allow users to enable fips themselves, if desired.
Comment 5 cshao 2016-07-13 09:09:23 UTC 
Test version:
redhat-virtualization-host-4.0-20160708.0 
imgbased-0.7.2-0.1.el7ev.noarch
redhat-release-virtualization-host-4.0-0.13.el7.x86_64
cockpit-0.108-1.el7.x86_64


# rpm -qa | grep fips
dracut-fips-033-360.el7_2.1.x86_64
fipscheck-lib-1.4.1-5.el7.x86_64
fipscheck-1.4.1-5.el7.x86_64

RHVH include FIPS package now, so the bug is fixed, change bug status to VERIFIED.
Comment 6 Ying Cui 2016-07-13 12:12:00 UTC 
To safe verify this bug, also need to check installation RHVH when fips is enable. Move back to ON_QA.
Comment 7 cshao 2016-07-14 11:29:12 UTC 
(In reply to Ying Cui from comment #6)
> To safe verify this bug, also need to check installation RHVH when fips is
> enable. Move back to ON_QA.

Update some test scenario about fips=1,
1. Append fips=1 cmd, 
2. Anaconda install RHVH.
3. Login RHVH with root.
4. Login RHVH with nonroot.
5. Check grub.cfg

Test result:
1. Anaconda interactive install RHVH - pass
2. Login RHVH with root - pass
3. Login RHVH with nonroot - pass
4. Fips=1 is appear on grub.cfg

So the bug is fixed, change bug status to VERIFIED.