Bug 1746518
| Summary: | Tangd cannot generate usable keys when FIPS is enabled | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Megan Towey <mtowey> |
| Component: | tang | Assignee: | Sergio Correia <scorreia> |
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | dapospis, jcall |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-02 12:44:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
(In reply to Megan Towey from comment #0)
[snip]
> [root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
> The advertisement contains the following signing keys:
>
> -3SF-7wQoXguTlv-EXeM3MGjeXs
>
> Do you wish to trust these keys? [ynYN] y
> [root@fips77server ~]# echo $?
> 1
> [root@fips77server ~]#

Hi Megan, could you please try the following:

# systemctl restart tangd-update.service

and then try again the clevis encrypt command?

Hey Sergio,
Looks like that succeeded:
[root@fips77server ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@fips77server ~]# systemctl restart tangd.socket
[root@fips77server ~]# ls /var/db/tang/
c2yj5LMHCEE_p03J4KWdviGnZBk.jwk ty6HKTRwTdKFsloOWso0hX9SxwY.jwk
[root@fips77server ~]# clevis encrypt tang '{"url":"192.168.100.152"}' < plain3.txt
The advertisement contains the following signing keys:
c2yj5LMHCEE_p03J4KWdviGnZBk
Do you wish to trust these keys? [ynYN] y
[root@fips77server ~]# echo $?
1
[root@fips77server ~]# systemctl restart tangd-update.service
[root@fips77server ~]# clevis encrypt tang '{"url":"192.168.100.152"}' < plain3.txt
The advertisement contains the following signing keys:
c2yj5LMHCEE_p03J4KWdviGnZBk
Do you wish to trust these keys? [ynYN] y
[elided]..M9-OapEUL0iaex4U.JrkbQb9l0MzvumIyuFXFn-xGdwYm.01s2xKUtOUMdMIoX6QDdfw
Also confirmed the same was the case when the clevis client was on a separate system.
Can you explain why restarting that service was necessary?
Glad to know it worked. This seems to be the bug described in https://github.com/latchset/tang/issues/23

The proper solution will probably involve moving the generation of keys into tang itself, as Nathaniel suggested in one of the comments.

As this is not FIPS-specific, I am closing this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1703445.

*** This bug has been marked as a duplicate of bug 1703445 ***
Description of problem:
When FIPS is enabled, tangd fails to generate usable keys. Any attempts to encrypt files or perform a LUKS bind with clevis will fail as a result.

Version-Release number of selected component (if applicable):
kernel-3.10.0-1062.el7.x86_64
tang-6-1.el7.x86_64
dracut-fips-aesni-033-564.el7.x86_64
fipscheck-1.4.1-6.el7.x86_64
dracut-fips-033-564.el7.x86_64
fipscheck-lib-1.4.1-6.el7.x86_64

How reproducible:
Every time you try to use keys generated by tang when FIPS is enabled.

Steps to Reproduce:
1. Enable FIPS
2. Install tang, generate keys
3. Attempt to use clevis to encrypt a file (either on localhost or on a separate system with clevis installed)

Actual results:
[root@fips77server ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@fips77server ~]# rm /var/db/tang/*
rm: remove regular file ‘/var/db/tang/cUAjXN-ka1NqKOBghS_9RW58ito.jwk’? y
rm: remove regular file ‘/var/db/tang/LcusJ-773Zf9JMcleBEWLsimvp8.jwk’? y
[root@fips77server ~]# systemctl restart tangd.socket
[root@fips77server ~]# ls /var/db/tang/
-3SF-7wQoXguTlv-EXeM3MGjeXs.jwk  n16ZY2jyfZ3X2WO2IFfoAvcHjRo.jwk
[root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
The advertisement contains the following signing keys:
-3SF-7wQoXguTlv-EXeM3MGjeXs
Do you wish to trust these keys? [ynYN] y
[root@fips77server ~]# echo $?
1
[root@fips77server ~]#

Expected results:
[root@fips77server ~]# clevis encrypt tang '{"url":"localhost"}' < plain3.txt
The advertisement contains the following signing keys:
GA7-x9s1HROERB0lDe2lticfN-8
Do you wish to trust these keys? [ynYN] y
[elided]..gvk_gwn7dNRKYFPj.6yLRi7C2fJFXs7JKKrZiA-6_Bn77.cW1AM8Gq1Ff4jh0jsGmZBQ
[root@fips77server ~]# echo $?
0

Additional info:
There is a workaround available, involving generating a key on a non-FIPS enabled system and moving it over to the FIPS enabled server, or disabling FIPS, generating keys, and re-enabling FIPS.
If any additional data is required, I can provide it. I have a few VMs set up for reproducing this issue.
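As an added diagnostic (not code from the tang project or from this report): tangd-update rebuilds the cached advertisement from the JWK files in /var/db/tang, so one defender-side check after keys have been regenerated is whether the advertisement a server hands out lists exactly the non-hidden keys on disk. The keys, directory and JWS wrapper below are constructed stand-ins, the JWS signature is deliberately not verified (clevis does that part), and thumbprints default to SHA-1 because tang 6 names its key files that way (newer tang uses SHA-256, selectable via the alg parameter).

```python
import base64, hashlib, json, os, tempfile

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def thumbprint(jwk: dict, alg: str = "sha1") -> str:
    """RFC 7638 thumbprint of an EC key; sha1 matches tang 6 file names, sha256 newer tang."""
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.new(alg, canon).digest())

def db_thumbprints(db_dir: str, alg: str = "sha1") -> set:
    """Keys that must be advertised: every *.jwk except dot-prefixed (rotated-out) ones."""
    thps = set()
    for name in os.listdir(db_dir):
        if name.endswith(".jwk") and not name.startswith("."):
            with open(os.path.join(db_dir, name)) as f:
                thps.add(thumbprint(json.load(f), alg))
    return thps

def adv_thumbprints(adv_json: str, alg: str = "sha1") -> set:
    """Keys in the advertisement's JWS payload (the signature is deliberately not verified here)."""
    payload = json.loads(adv_json)["payload"]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return {thumbprint(k, alg) for k in json.loads(base64.urlsafe_b64decode(payload))["keys"]}

def check_advertisement(adv_json: str, db_dir: str, alg: str = "sha1") -> tuple:
    """(advertised but missing on disk, on disk but not advertised); both empty means consistent."""
    adv, db = adv_thumbprints(adv_json, alg), db_thumbprints(db_dir, alg)
    return sorted(adv - db), sorted(db - adv)

def make_key(tag: str) -> dict:
    # Constructed placeholder: coordinates are shaped like P-521 points but are not real ones.
    return {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"],
            "x": b64url(tag.encode() * 22), "y": b64url(tag[::-1].encode() * 22)}

def make_adv(keys: list) -> str:
    # Constructed stand-in for the cached default.jws: payload is real, signature is not.
    payload = b64url(json.dumps({"keys": keys}).encode())
    return json.dumps({"payload": payload, "protected": "", "signature": "placeholder"})

def scenario() -> dict:
    """Keys regenerated on disk while the cached advertisement still lists the old key."""
    old_key, new_key = make_key("old"), make_key("new")
    db = tempfile.mkdtemp()
    with open(os.path.join(db, thumbprint(new_key) + ".jwk"), "w") as f:
        json.dump(new_key, f)
    return {"stale": check_advertisement(make_adv([old_key]), db),
            "fresh": check_advertisement(make_adv([new_key]), db),
            "old": thumbprint(old_key), "new": thumbprint(new_key)}
```

On a real server, feed it the JSON returned by GET /adv (or /var/cache/tang/default.jws) and the key directory; anything reported in either list after a key regeneration means the cache and the key set have drifted apart.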