Bug 1640192

Summary: [RFE] Add fips=1 option to webadmin host kernel configuration
Product: [oVirt] ovirt-engine
Reporter: meital avital <mavital>
Component: BLL.Virt
Assignee: Tomasz Barański <tbaransk>
Status: CLOSED CURRENTRELEASE
QA Contact: Beni Pelled <bpelled>
Severity: medium
Docs Contact:
Priority: unspecified
Version: future
CC: bpelled, bugs, mavital, mperina, rdlugyhe, sbonazzo, sgoodman, tbaransk
Target Milestone: ovirt-4.4.0
Keywords: EasyFix, FutureFeature
Target Release: ---
Flags: rbarry: ovirt-4.4?
mavital: testing_plan_complete?
rule-engine: planning_ack?
rule-engine: devel_ack+
mavital: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: rhv-4.4.0-29
Doc Type: Enhancement
Doc Text:
Before this update, you could enable FIPS on a host. But because the engine was not aware of FIPS, it did not use the appropriate options with qemu when starting virtual machines, so the virtual machines were not fully operable. With this update, you can enable FIPS for a host in the Administration Portal, and the engine uses qemu with FIPS-compatible arguments. To enable FIPS for a host, in the Edit Host window, select the Kernel tab and check the FIPS mode checkbox.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-05 06:10:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1692709
Bug Blocks: 1640357

Description meital avital 2018-10-17 14:10:52 UTC
Description:

As part of the "Supporting VMs with VNC console on a FIPS enabled hypervisor" RFE (https://bugzilla.redhat.com/show_bug.cgi?id=1595536),
we need to add fips=1 to the kernel command line manually.

It would be nice if we had an option to modify it via webadmin -> host kernel tab, like the other parameters we can currently modify (enabling IOMMU, nested virtualization etc.).

Comment 1 Ryan Barry 2018-10-17 14:15:09 UTC
Note that we'll also need `dracut-fips` included as a package, and `dracut -f` to be executed after this is changed.

Martin/Sandro -

Do you want separate bugs for these?

Comment 2 Martin Perina 2018-10-22 14:41:59 UTC
(In reply to Ryan Barry from comment #1)
> Note that we'll also need `dracut-fips` included as a package, and `dracut
> -f` to be executed after this is changed.
> 
> Martin/Sandro -
> 
> Do you want separate bugs for these?
So dracut-fips should be added as a dependency to ovirt-host package for 4.3, so we should probably have a bug mentioning this.

If you want to execute 'dracut -f', then it needs to be added to host-deploy ansible role (create a subrole for that), but I think it can be handled within this bug, as host-deploy role is part of engine.

And AFAIK host kernel parameters are maintained by virt team ...

Comment 3 Ryan Barry 2018-10-22 16:02:17 UTC
(In reply to Martin Perina from comment #2)
> (In reply to Ryan Barry from comment #1)
> And AFAIK host kernel parameters are maintained by virt team ...
They are. Just flipped it to get info :)

I'll open the other bugs

Comment 4 Ryan Barry 2019-01-21 14:53:55 UTC
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both

Comment 5 meital avital 2019-02-25 12:40:06 UTC
Reassigned:
After adding fips=1 to the kernel command line, reinstalling and rebooting the host, the host boot halts with the following screen output:
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
System halted.

Verification builds:
ovirt-engine-4.3.1.2-0.0.master.20190220155021.git90ab3d9.el7
vdsm-4.30.9-22.git86feae5.el7.x86_64
libvirt-client-4.5.0-10.el7_6.4.x86_64
qemu-kvm-ev-2.12.0-18.el7_6.3.1.x86_64
dracut-fips-033-554.el7.x86_64

Verification scenario:
1. Browse WebAdmin -> Compute -> Hosts -> edit host -> Kernel tab -> check "FIPS Mode" checkbox -> click "OK" button.
2. Following edit host -> kernel tab comment:
Move host to maintenance and reinstall it.
Reboot host.

After the host is rebooted, the boot hangs with the "System halted" message.

comment:
The same issue was observed when running the "dracut -f" command after host reinstall and rebooting the host.

Comment 6 Ryan Barry 2019-02-25 12:59:03 UTC
Is dracut-fips installed?

Comment 7 Tomasz Barański 2019-02-25 13:04:50 UTC
Hah!

This error is a confirmation that the change actually worked! :)

I encountered that problem on some hosts and it's kinda unrelated. Grub seems to be baffled by fips mode for some reason and needs to be explicitly told where the boot partition is in the form of "boot=/dev/sda1" after "fips=1". Adding this is troublesome because:
1. We don't allow spaces in the kernel line, and we'd need to add "fips=1 boot=/dev/sda1", but is the space ban in the UI only?
2. Do we have any information on which partition is the starting one?

Maybe we could add a text box on the form for the boot partition and prepopulate it with '/dev/sda1'. The text box would be active only when Fips mode checkbox is checked.

Ideas?

Comment 8 meital avital 2019-02-26 14:34:41 UTC
(In reply to Ryan Barry from comment #6)
> Is dracut-fips installed?

yes, look at my comment #5, versions section:
dracut-fips-033-554.el7.x86_64

Comment 11 Ryan Barry 2019-07-04 13:13:54 UTC
Note that this includes fips=1 only. Adding the correct boot= stanza will come as part of a separate bug

Comment 13 Steve Goodman 2020-04-27 15:40:11 UTC
I don't understand what the situation was before this bug and what the situation is after this bug fix.

Please fill in the blanks:


Before this update...

With this update...


I need to see:

Cause:

Consequence:

Fix:

Result:

Comment 14 Tomasz Barański 2020-04-28 08:50:11 UTC
Before this update, FIPS could only be enabled manually on the host. This caused problems, because oVirt/RHV was not aware of FIPS and did not use appropriate options with qemu.

With this update:
1. FIPS can be turned on from the oVirt UI.
2. oVirt uses qemu with FIPS-compatible arguments.


I need to see a FIPS Mode checkbox in Host's Kernel options dialog. See screenshot here: https://imgur.com/a/7V8qrTG

Cause: this is a new functionality required to fully support FIPS-enabled hosts.

Consequence: if FIPS is enabled manually, VMs can be started, but some functionality does not work (e.g. VNC console).

Fix: add FIPS mode checkbox; make oVirt aware of FIPS mode on host.

Result: see above "With this update".

Comment 15 Steve Goodman 2020-04-28 09:52:45 UTC
Tomasz,

Please make sure that the doc text is accurate now.

Comment 16 Tomasz Barański 2020-04-28 10:23:17 UTC
This is not precise: "when starting the host, so the host did not start properly."

It should rather read something like "when starting VMs, so the VMs were not fully operable."

Comment 17 Beni Pelled 2020-06-16 13:19:04 UTC
Verified with:
- ovirt-engine-4.4.0-0.33.master.el8ev.noarch
- vdsm-4.40.13-1.el8ev.x86_64
- Host with RHEL 8.2

Verification steps:
1. Move a non-FIPS active host into maintenance mode
2. Under 'Edit > Kernel' press the Reset button and select 'FIPS mode'
3. 'fips=1 boot=UUID=<boot_partition_UUID>' will be added to the 'Kernel command line'
4. Reinstall and restart the host

Result:
- The host is up and running as a FIPS host (verified by 'sysctl crypto.fips_enabled' and on the engine-UI)
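Added example (not oVirt engine or host-deploy code): a POSIX shell helper that builds the host kernel command line the way the verified feature does, appending `fips=1` together with `boot=UUID=<uuid>` as in comment 17, and that checks a command line for the incomplete state from comment 5 (`fips=1` without `boot=`, the combination comment 7 identified as halting the boot). The base command line and the boot partition UUID are constructed placeholders, not values from a real host.

```shell
#!/bin/sh
# Added example, not part of oVirt. Constructed sample inputs:
SAMPLE_CMDLINE="intel_iommu=on crashkernel=auto"
SAMPLE_BOOT_UUID="deadbeef-0000-4000-8000-000000000001"   # placeholder, not a real UUID

# fips_cmdline_add <cmdline> <boot-partition-uuid>
# Prints <cmdline> with "fips=1 boot=UUID=<uuid>" appended exactly once:
# any existing fips=/boot= words are dropped first, so re-running is idempotent.
# Rejects a malformed UUID so a typo cannot produce an unbootable host.
fips_cmdline_add() {
    cmdline=$1
    uuid=$2
    if ! printf '%s\n' "$uuid" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "invalid boot partition UUID: $uuid" >&2
        return 1
    fi
    # One word per line, filter out old fips=/boot= entries, rejoin with spaces.
    cleaned=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | grep -Ev '^(fips=|boot=)' | tr '\n' ' ')
    cleaned=${cleaned% }   # strip the trailing space left by tr
    printf '%s\n' "${cleaned:+$cleaned }fips=1 boot=UUID=$uuid"
}

# fips_cmdline_check <cmdline>
# Exit status: 0 = fips=1 and boot= both present (complete FIPS configuration),
#              1 = no fips=1 (FIPS not requested at all),
#              2 = fips=1 without boot= (the state that halted with
#                  "dracut: FATAL: FIPS integrity test failed" in comment 5).
fips_cmdline_check() {
    has_fips=0
    has_boot=0
    for word in $1; do
        case "$word" in
            fips=1) has_fips=1 ;;
            boot=*) has_boot=1 ;;
        esac
    done
    [ "$has_fips" -eq 1 ] || return 1
    [ "$has_boot" -eq 1 ] || return 2
    return 0
}

# Stand-alone demonstration on the constructed inputs.
new_cmdline=$(fips_cmdline_add "$SAMPLE_CMDLINE" "$SAMPLE_BOOT_UUID")
echo "resulting kernel command line: $new_cmdline"
if fips_cmdline_check "$new_cmdline"; then
    echo "command line is complete for a FIPS boot"
fi
```

After the host reboots, the page's own check still applies: `sysctl crypto.fips_enabled` should report 1, and dracut-fips must be installed before `dracut -f` is run.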

Comment 18 Sandro Bonazzola 2020-08-05 06:10:09 UTC
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be
resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.