Bug 1760938

Summary: Integrate FIPS compliancy changes for libtpms
Product: Red Hat Enterprise Linux Advanced Virtualization
Reporter: John Ferlan <jferlan>
Component: libtpms
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Qinghua Cheng <qcheng>
Severity: high
Priority: high
Version: 8.1
CC: coli, ddepaula, jinzhao, juzhang, knoel, marcandre.lureau, mtessun, yanqzhan
Target Milestone: rc
Keywords: FutureFeature
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libtpms-0.7.0-1.20191018gitdc116933b7.module+el8.2.0+4673+ff4b3b61
Doc Type: If docs needed, set a value
Last Closed: 2020-05-05 09:50:34 UTC
Type: Feature Request

Description John Ferlan 2019-10-11 18:48:49 UTC
Description of problem:

The current libtpms for RHEL AV 8.1 is not FIPS compliant. In order to undergo a FIPS review, changes from upstream:

https://github.com/stefanberger/libtpms/issues/51

will need to be backported/integrated.

Comment 1 Marc-Andre Lureau 2019-10-30 21:33:39 UTC
I updated the dist-git libtpms package to 0.7.0-1.20191018gitdc116933b7, which has all the FIPS-required changes known so far.

Danilo, is it part of the RHEL AV 8.1.1 module already?

Comment 2 Danilo de Paula 2019-11-15 14:20:50 UTC
curl -s "https://mbs.engineering.redhat.com/module-build-service/1/module-builds/?name=virt&stream=8.1&state=5&base_module_br_stream=el8.1.1" | grep libtpms
"nvr": "libtpms-0.7.0-1.20191018gitdc116933b7.module+el8.1.1+4465+eb77c0ac"

So yes

And, for the record, 8.2 as well:
libtpms-0.7.0-1.20191018gitdc116933b7.module+el8.2.0+4673+ff4b3b61

Comment 3 Marc-Andre Lureau 2019-11-16 10:33:50 UTC
Danilo, you will take care of adding to errata and moving to MODIFIED?

Comment 4 Marc-Andre Lureau 2019-11-16 10:34:16 UTC
rather ONQA

Comment 6 Danilo de Paula 2019-12-06 13:28:26 UTC
BZ already part of the errata, cleaning the request.

Comment 8 Qinghua Cheng 2020-02-03 13:21:15 UTC
Hi Marc-Andre,

To my understanding of this bug, it is a change to crypto functions in
libtpms. Are there any suggested tests or use cases that I can use
to verify this bug?

Or is executing vTPM function tests OK to verify it?

Thanks,
Qinghua Cheng

Comment 9 Marc-Andre Lureau 2020-02-07 23:42:54 UTC
Nothing special can be tested; some internal crypto functions have been replaced with OpenSSL, and it's an ongoing effort (see upstream bug https://github.com/stefanberger/libtpms/issues/51).

Comment 11 Qinghua Cheng 2020-03-11 09:24:08 UTC
Libvirt QE and QEMU QE tested on Linux and Windows guests. No regression bugs found. Changing the status to verified.

Linux test is PASS, results:
https://libvirt-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/libvirt-RHEL-8.2-runtest-x86_64-function-tpm_emulator/4/testReport/

Windows guest test result is PASS.

Comment 13 errata-xmlrpc 2020-05-05 09:50:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2017