Bug 2089301

Summary: Windows 11 can't run on clusters in FIPS mode
Product: Container Native Virtualization (CNV)
Reporter: vsibirsk
Component: Virtualization
Assignee: Jed Lejosne <jlejosne>
Status: CLOSED ERRATA
QA Contact: Kedar Bidarkar <kbidarka>
Severity: high
Docs Contact:
Priority: high
Version: 4.11.0
CC: acardace, apinnick, aspauldi, dholler, fdeutsch, jlejosne, marcandre.lureau, mtessun, qizhu, sgott, ycui
Target Milestone: ---
Keywords: TestOnly
Target Release: 4.14.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Windows 11 virtual machines now boot on clusters running in FIPS mode. (BZ#2089301)
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-08 14:05:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 2090219, 2097939, 2097947
Bug Blocks:
Attachments: vm and dv yamls (Flags: none)

Description vsibirsk 2022-05-23 11:41:29 UTC
Created attachment 1882372 [details]
vm and dv yamls

Description of problem:
Even with tpm: {} in VM spec, Windows 11 installer still gives error "This PC can't run Windows 11"

Version-Release number of selected component (if applicable):
cnv 4.11

How reproducible:

Steps to Reproduce:
(VM and DV yamls attached)
1. Create VM with the attached DV with the Windows installer ISO as CD-ROM
2. Start VM and go through the Windows installer process

Actual results:
Windows installer will be at minimum sys req verifier

Expected results:
Windows OS is installed

Additional info:
Installer fails specifically on TPM device validation: if this check is disabled in the installer registry, the installation continues without issues.
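For reference, a minimal KubeVirt VirtualMachine spec carrying the device and firmware settings the Windows 11 installer checks (UEFI with Secure Boot, which KubeVirt only allows with SMM enabled, plus an emulated TPM 2.0 via `tpm: {}`). This is an added illustration, not the reporter's attached yaml; the VM name and the DataVolume names are placeholders, and the SATA buses are chosen so the installer sees both disks without virtio drivers:

```yaml
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: win11                  # placeholder name
spec:
  running: false
  template:
    spec:
      domain:
        cpu:
          cores: 2
        memory:
          guest: 8Gi
        firmware:
          bootloader:
            efi:
              secureBoot: true   # Windows 11 requires UEFI boot with Secure Boot
        features:
          smm:
            enabled: true        # KubeVirt requires SMM when secureBoot is true
        devices:
          tpm: {}                # emulated TPM 2.0, backed by swtpm inside virt-launcher
          disks:
            - name: rootdisk
              bootOrder: 1
              disk:
                bus: sata
            - name: installer
              bootOrder: 2
              cdrom:
                bus: sata
      volumes:
        - name: rootdisk
          dataVolume:
            name: win11-root     # placeholder: empty DataVolume for the system disk
        - name: installer
          dataVolume:
            name: win11-iso      # placeholder: DataVolume imported from the installer ISO
```

With this spec the installer's TPM check exercises swtpm; on a FIPS-enabled node the check still fails with the swtpm build discussed in this bug, so the spec alone does not work around the problem.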

Comment 1 Jed Lejosne 2022-05-23 13:23:05 UTC
This is very odd, I'll deploy a 4.11 cluster and try to reproduce.

Comment 2 Jed Lejosne 2022-05-23 15:09:49 UTC
I wasn't able to reproduce this issue, using the latest 4.11 nightlies of OCP and CNV.
Any chance I could get access to your cluster?
Thank you.

Comment 3 Jed Lejosne 2022-05-23 19:23:15 UTC
Thank you @vsibirsk for giving me access to your cluster.

I was able to find the error in the swtpm logs:

libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 230
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 00 

The last 3 bytes indicate a partial self test command (TPM2_SelfTest(fullTest=NO)).
After that, the TPM chip is non-functional.
This is the code for the portion of the test that fails:

The issue unfortunately does not reproduce in upstream KubeVirt, making it really hard to debug.
It might be a missing component in virt-launcher, like a library, or something preventing the test, like maybe crypto-policies?

I will keep searching.
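To make the logged command bytes readable, here is a small decoder for the TPM 2.0 command header, added here as an example and not code from the bug report or from swtpm/libtpms. The constants come from the TPM 2.0 Library specification (Part 2, Structures); the failure-mode response at the bottom is constructed for illustration, not taken from the log:

```python
"""Decode the TPM 2.0 command swtpm logged when it entered failure mode."""
import struct

# TPM 2.0 constants (TPM Library spec, Part 2).
TPM_ST_NO_SESSIONS = 0x8001   # command carries no authorization sessions
TPM_ST_SESSIONS = 0x8002      # command carries an authorization area
TPM_CC_SelfTest = 0x00000143
TPM_CC_GetTestResult = 0x0000017C
TPM_RC_SUCCESS = 0x00000000
TPM_RC_FAILURE = 0x00000101   # returned for most commands once the TPM is in failure mode

TAG_NAMES = {TPM_ST_NO_SESSIONS: "TPM_ST_NO_SESSIONS", TPM_ST_SESSIONS: "TPM_ST_SESSIONS"}
CC_NAMES = {TPM_CC_SelfTest: "TPM2_SelfTest", TPM_CC_GetTestResult: "TPM2_GetTestResult"}

# Every command and response starts with a 10-byte big-endian header:
#   UINT16 tag | UINT32 commandSize | UINT32 commandCode (or responseCode)
HEADER = struct.Struct(">HII")


def parse_command(raw: bytes) -> dict:
    """Split a raw command buffer into header fields; decode SelfTest's parameter."""
    if len(raw) < HEADER.size:
        raise ValueError("command shorter than the 10-byte header")
    tag, size, cc = HEADER.unpack_from(raw)
    if size != len(raw):
        raise ValueError(f"commandSize {size} does not match buffer length {len(raw)}")
    params = raw[HEADER.size:]
    info = {
        "tag": TAG_NAMES.get(tag, f"0x{tag:04x}"),
        "commandSize": size,
        "commandCode": cc,
        "command": CC_NAMES.get(cc, f"0x{cc:08x}"),
        "params": params,
    }
    if cc == TPM_CC_SelfTest:
        # TPM2_SelfTest has a single parameter: TPMI_YES_NO fullTest (1 byte).
        if len(params) != 1:
            raise ValueError("TPM2_SelfTest takes exactly one parameter byte")
        info["fullTest"] = params[0] != 0
    return info


def build_selftest(full_test: bool) -> bytes:
    """Encode TPM2_SelfTest; fullTest=NO requests the partial (untested-only) test."""
    body = struct.pack(">B", 1 if full_test else 0)
    return HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size + len(body), TPM_CC_SelfTest) + body


def parse_response(raw: bytes) -> dict:
    """Decode a response header: tag | responseSize | responseCode."""
    if len(raw) < HEADER.size:
        raise ValueError("response shorter than the 10-byte header")
    tag, size, rc = HEADER.unpack_from(raw)
    if size != len(raw):
        raise ValueError(f"responseSize {size} does not match buffer length {len(raw)}")
    return {
        "tag": TAG_NAMES.get(tag, f"0x{tag:04x}"),
        "responseCode": rc,
        "failure_mode": rc == TPM_RC_FAILURE,
    }


# The exact bytes quoted from the swtpm log in this bug.
LOGGED_COMMAND = bytes.fromhex("80010000000b0000014300")

# Constructed (not from the log): the header-only response a TPM in failure mode
# returns to a command it refuses to process.
FAILURE_RESPONSE = HEADER.pack(TPM_ST_NO_SESSIONS, HEADER.size, TPM_RC_FAILURE)

if __name__ == "__main__":
    for key, value in parse_command(LOGGED_COMMAND).items():
        print(f"{key}: {value}")
    print(parse_response(FAILURE_RESPONSE))
```

Decoding the logged buffer gives tag TPM_ST_NO_SESSIONS, commandSize 11, commandCode 0x143 (TPM2_SelfTest) and a trailing parameter byte of 0x00, i.e. fullTest=NO. Per the TPM 2.0 spec, once the TPM has entered failure mode it answers only TPM2_GetTestResult and TPM2_GetCapability; every other command, including the Windows installer's probes, gets TPM_RC_FAILURE, which is why the guest reports the TPM as unusable even though the device is present.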

Comment 4 Martin Tessun 2022-05-24 08:21:57 UTC
Hi Jed,

short question: As the issue only reproduces downstream, can you also check that plain RHEL is working (same VM setup but on RHEL, not RHCOS/OCP Virt)?
Just to ensure it really is KubeVirt related and not a generic RHEL issue.


Comment 5 Jed Lejosne 2022-05-24 15:35:16 UTC
Thanks Martin for the great suggestion!
I just created a session-mode VM in RHEL 8.6 with EFI and emulated TPM-TIS 2.0. There is no error in the swtpm logs and the VM is able to access the chip.
So the good news is that the issue is CNV(/RHCOS?) related, the bad news is that I have no idea what could be causing it...
My best lead was crypto-policies, but RHEL 8 has them, and even when switched to the stricter "FUTURE" system-wide policy swtpm still works fine.

Comment 6 Jed Lejosne 2022-05-24 19:02:14 UTC
We found the source of the issue.
The cluster used by the reporter was FIPS-enabled, and swtpm is not compatible with FIPS.

Comment 7 sgott 2022-05-27 13:36:22 UTC
Deferring this to 4.12 because the layered product fix isn't ready yet.

Comment 15 Kedar Bidarkar 2022-11-09 13:33:44 UTC
We are blocked on an external dependency (swtpm) and hence deferring it to 4.13.

Comment 18 Jed Lejosne 2023-06-05 14:01:39 UTC
The swtpm version in KubeVirt 1.0 should include the necessary fixes. Moving to ON_QA.

Comment 19 vsibirsk 2023-07-17 08:17:42 UTC
Tested on
Openshift version: 4.14.0-ec.3
CNV version: 4.14.0
HCO image: brew.registry.redhat.io/rh-osbs/iib:531794

Tested with Windows 11 and Windows 2k22 with tpm: {} in VM spec
Create, start, migrate VM all work OK
TPM check passes during OS install

Comment 23 errata-xmlrpc 2023-11-08 14:05:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.