Bug 2089301

| Summary: | Windows 11 can't run on clusters in FIPS mode | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | vsibirsk |
| Component: | Virtualization | Assignee: | Jed Lejosne <jlejosne> |
| Status: | VERIFIED --- | QA Contact: | Kedar Bidarkar <kbidarka> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.11.0 | CC: | acardace, apinnick, dholler, fdeutsch, jlejosne, marcandre.lureau, mtessun, qizhu, sgott, ycui |
| Target Milestone: | --- | Keywords: | TestOnly |
| Target Release: | 4.14.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Known Issue |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2097939, 2090219, 2097947 | | |
| Bug Blocks: | | | |
| Attachments: | | | |

Doc Text:

Windows 11 virtual machines do not boot on clusters running in [FIPS mode](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#con_federal-information-processing-standard-fips_assembly_installing-the-system-in-fips-mode). Windows 11 requires a TPM (trusted platform module) device by default. However, the `swtpm` (software TPM emulator) package is incompatible with FIPS.
This is very odd, I'll deploy a 4.11 cluster and try to reproduce. Thanks!

I wasn't able to reproduce this issue, using the latest 4.11 nightlies of OCP and CNV. Any chance I could get access to your cluster? Thank you.

Thank you @vsibirsk for giving me access to your cluster. I was able to find the error in the swtpm logs:

```
libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 230
libtpms/tpm2: TPM2_Process: Entered failure mode through command: 80 01 00 00 00 0b 00 00 01 43 00
```

The last 3 bytes indicate a partial self test command (TPM2_SelfTest(fullTest=NO)). After that, the TPM chip is non-functional. This is the code for the portion of the test that fails: https://github.com/stefanberger/libtpms/blob/721f6c2e3319dbd65ac420350de878f5660a38d4/src/tpm2/AlgorithmTests.c#L285

The issue unfortunately does not reproduce in upstream KubeVirt, making it really hard to debug. It might be a missing component in virt-launcher, like a library, or something preventing the test, like maybe crypto-policies? I will keep searching.

Hi Jed, short question: As the issue does only reproduce downstream, can you also check that plain RHEL is working (same VM setup but on RHEL, not RHCOS/OCP Virt)? Just to ensure it really is KubeVirt related and not a generic RHEL issue. Thanks! Martin

Thanks Martin for the great suggestion! I just created a session-mode VM in RHEL 8.6 with EFI and emulated TPM-TIS 2.0. There is no error in the swtpm logs and the VM is able to access the chip. So the good news is that the issue is CNV(/RHCOS?) related, the bad news is that I have no idea what could be causing it... My best lead was crypto-policies, but RHEL 8 has them, and even when switched to the stricter "FUTURE" system-wide policy swtpm still works fine.

We found the source of the issue. The cluster used by the reporter was FIPS-enabled, and swtpm is not compatible with FIPS.

Deferring this to 4.12 because the layered product fix isn't ready yet.
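The swtpm lines quoted above are the only evidence the thread has, so it is worth being able to read them without guessing. The following Python is an added example for this bug page, not code from CNV, KubeVirt, swtpm or libtpms: it scans swtpm/libtpms log text for "Entering failure mode" events and decodes the hex dump of the offending command using the TPM 2.0 command header layout (2-byte tag, 4-byte size, 4-byte command code, then parameters) and the TPM_ST_* and TPM_CC_* values from the TPM 2.0 Library specification. The log text embedded in the block is copied from the comment above; the command-code table covers only a handful of codes and is my own selection.

```python
"""Decode the TPM 2.0 command that libtpms reported when entering failure
mode.  Added example for bug 2089301; not part of CNV, KubeVirt or swtpm."""

import re
import struct

# Values from the TPM 2.0 Library specification, Part 2 (Structures).
TPM_ST_NAMES = {0x8001: "TPM_ST_NO_SESSIONS", 0x8002: "TPM_ST_SESSIONS"}
TPM_CC_NAMES = {
    0x00000142: "TPM2_IncrementalSelfTest",
    0x00000143: "TPM2_SelfTest",
    0x00000144: "TPM2_Startup",
    0x00000145: "TPM2_Shutdown",
}

# Log lines copied from the comment above (swtpm output on the FIPS cluster).
SWTPM_LOG = """\
libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 230
libtpms/tpm2: TPM2_Process: Entered failure mode through command: 80 01 00 00 00 0b 00 00 01 43 00
"""

FAILURE_RE = re.compile(r"Entering failure mode; code: (\d+), location: (.+)$")
COMMAND_RE = re.compile(r"through command: ((?:[0-9a-fA-F]{2}\s*)+)$")


def decode_tpm_command(hex_bytes):
    """Decode a TPM 2.0 command blob: a 10-byte header (tag, commandSize,
    commandCode, all big-endian) followed by the parameter area."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) < 10:
        raise ValueError("command shorter than the 10-byte TPM2 header")
    tag, size, code = struct.unpack(">HII", raw[:10])
    result = {
        "tag": TPM_ST_NAMES.get(tag, hex(tag)),
        "declared_size": size,      # commandSize field
        "actual_size": len(raw),    # bytes actually present in the log
        "command_code": code,
        "command": TPM_CC_NAMES.get(code, "unknown"),
        "parameters": raw[10:].hex(),
    }
    # TPM2_SelfTest carries a single TPMI_YES_NO parameter, fullTest:
    # 0 asks for a partial self test, non-zero for a full one.
    if code == 0x143 and len(raw) >= 11:
        result["fullTest"] = "YES" if raw[10] else "NO"
    return result


def parse_swtpm_log(text):
    """Return a list of failure-mode events, each with the libtpms failure
    code and location and, when logged, the decoded triggering command."""
    events = []
    current = None
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            current = {"code": int(m.group(1)), "location": m.group(2).strip()}
            events.append(current)
            continue
        m = COMMAND_RE.search(line)
        if m and current is not None:
            current["command"] = decode_tpm_command(m.group(1))
    return events


if __name__ == "__main__":
    for event in parse_swtpm_log(SWTPM_LOG):
        print(event)
```

Run against the quoted log this yields one event with code 6 at `TestSymmetricAlgorithm line 230`, triggered by a `TPM_ST_NO_SESSIONS` command of declared size 11 whose command code is `TPM2_SelfTest` with `fullTest=NO`, which is exactly the reading given in the comment. The declared and actual sizes are both reported so that a truncated dump is obvious rather than silently misdecoded. When a guest's TPM stops responding on a node, the companion check is whether that node runs in FIPS mode, which the kernel exposes as the value `1` in `/proc/sys/crypto/fips_enabled`.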
We are blocked on an external dependency (swtpm) and hence deferring it to 4.13.

The swtpm version in KubeVirt 1.0 should include the necessary fixes. Moving to ON_QA.

Tested on
Openshift version: 4.14.0-ec.3
CNV version: 4.14.0
HCO image: brew.registry.redhat.io/rh-osbs/iib:531794
Tested with Windows11 and Windows2k22 with tpm: {} in VM spec
Create, start, migrate VM all work OK
TPM check passes during OS install
Created attachment 1882372 [details] vm and dv yamls

Description of problem:
Even with tpm: {} in VM spec, Windows 11 installer still gives error "This PC can't run Windows 11"

Version-Release number of selected component (if applicable):
cnv 4.11

How reproducible:
100%

Steps to Reproduce: (VM and DV yamls attached)
1. Create VM with attached dv with windows installer iso as cd-rom
2. Start VM and go through windows installer process

Actual results:
Windows installer will be at minimum sys req verifier

Expected results:
Windows OS is installed

Additional info:
Installer fails specifically on TPM device validation, since if this check is disabled in installer registry, the installation continues without issues