Bug 1135431 - libvirt should pass "-enable-fips" to QEMU
Summary: libvirt should pass "-enable-fips" to QEMU
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Pavel Hrdina
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1035474
Blocks:
Reported: 2014-08-29 09:53 UTC by Luyao Huang
Modified: 2015-03-05 07:43 UTC (History)

Fixed In Version: libvirt-1.2.8-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1035474
Environment:
Last Closed: 2015-03-05 07:43:36 UTC
Target Upstream Version:
Embargoed:


Links:
System: Red Hat Product Errata
ID: RHSA-2015:0323
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: libvirt security, bug fix, and enhancement update
Last Updated: 2015-03-05 12:10:54 UTC

Comment 1 Luyao Huang 2014-08-29 09:59:36 UTC
I have found this problem with libvirt-1.2.7-2.el7.x86_64 and found that libvirt-1.1.29 didn't have this problem, so this seems to be a regression bug.
Bug 1035474 is closed, so I am cloning a bug for RHEL 7.1.

Comment 3 Jiri Denemark 2014-08-29 11:55:32 UTC
When cloning a bug, please try to think about what you are doing and remove everything which is not relevant to the new bug. Not to mention that in this specific case the bug description does not contain anything that we could start with. However, instead of closing this bug and requiring a new one to be created, let's just add the relevant info to this bug (since I suspect this is not a bug anyway).

So, could you tell us the exact steps you did and what was the result that makes you think this bug is back?

Comment 4 Luyao Huang 2014-08-30 02:47:23 UTC
(In reply to Jiri Denemark from comment #3)
> When cloning a bug, please try to think about what you are doing and remove
> everything which is not relevant to the new bug. Not to mention that in this
> specific case the bug description does not contain anything that we could
> start with.
Thanks for your advice.

> However, instead of closing this bug and requiring a new one to
> be created, let's just add the relevant info to this bug (since I suspect
> this is not a bug anyway).
> 
> So, could you tell us the exact steps you did and what was the result that
> makes you think this bug is back?

I just do the same thing with Bug 1035474 comment 12.

Steps (today is not a workday; I will provide the version and other information from my machine next Monday):

1. Prepare a guest using vnc and with a password.

2. Enable FIPS mode.
#yum install dracut-fips
#rpm -qa |grep dracut
dracut-network-033-40.el7.x86_64
dracut-033-40.el7.x86_64    
dracut-fips-033-40.el7.x86_64
dracut-config-rescue-033-40.el7.x86_64
# set "PRELINKING=no" in the /etc/sysconfig/prelink configuration file
#prelink -u -a
#dracut -f

# reboot 

Add "fips=1" and the boot partition (on my machine /dev/sda2) to the kernel command line in grub2:

linux16 /vmlinuz-3.10.0-54.el7.x86_64 root=/dev/mapper/rhel_intel--5205--32--1-root ro rd.lvm.lv=rhel_intel-5205-32-1/swap console=tty0 vconsole.keymap=us reboot=pci console=ttyS0,115200 vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel_intel-5205-32-1/root biosdevname=0 crashkernel=256M LANG=en_US.UTF-8 fips=1 boot=/dev/sda2

3. Check fips:
# cat /proc/sys/crypto/fips_enabled
1

4. Check the libvirt version
# rpm -q libvirt
libvirt-1.2.7-2.el7.x86_64

5. # virsh dumpxml test6

The guest has a VNC password.

6. # virsh start test6
Domain test6 started

7. Check the qemu command line: there is no "-enable-fips"
# ps -ef|grep test6

8. # virt-manager

Should need the VNC password to log in to the guest.

9. # virsh destroy test6
Domain test6 destroyed

10. Remove the VNC password and repeat steps 6 and 7; there is still no "-enable-fips".

And to make sure it is a regression, downgrade to the RHEL 7.0 release version:

11. # rpm -q libvirt

libvirt-1.1.1-29.el7.x86_64

12. # service libvirtd restart

13. # virsh dumpxml test6

The guest has a VNC password.

14. # virsh start test6
error: Failed to start domain test6
error: internal error: early end of file from monitor: possible problem:
qemu-kvm: Failed to start VNC server on `unix:/var/lib/libvirt/qemu/test6.vnc,password': VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative


15. Remove the VNC password and start the guest

# virsh start test6 
Domain test6 started

16. Check the qemu command line; "-enable-fips" can be found
# ps -ef|grep test6

Comment 5 Luyao Huang 2014-09-01 06:45:08 UTC
Something that may be useful:
# cat /proc/sys/crypto/fips_enabled 
1

(gdb) p virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)
$1 = false
(gdb) p *qemuCaps
$3 = {
  object = {
    u = {
      dummy_align1 = 7700611098, 
      dummy_align2 = 0x1cafe001a, 
      s = {
        magic = 3405643802, 
        refs = 1
      }
    }, 
    klass = 0x7f9a081a6f80
  }, 
  usedQMP = true, 
  binary = 0x0, 
  ctime = 0, 
  flags = 0x7f9a04007400, 
  version = 2001000, 
  kvmVersion = 0, 
  arch = VIR_ARCH_X86_64, 
  ncpuDefinitions = 26, 
  cpuDefinitions = 0x7f9a04002240, 
  nmachineTypes = 8, 
  machineTypes = 0x7f9a0400f920, 
  machineAliases = 0x7f9a040070d0, 
  machineMaxCpus = 0x7f9a04009030
}

# ps aux|grep test2
qemu     11816 25.0  3.6 3628720 257112 ?      Sl   14:33   0:13 /usr/libexec/qemu-kvm -name test2 -S -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 2,maxcpus=4,sockets=4,cores=1,threads=1 -uuid 2264db2c-57c2-412e-9f6b-398b57e6a448 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/test2.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/test2.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,fd=26,id=hostnet0,vhost=on,vhostfd=23 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=52:54:00:06:5a:5a,bus=pci.0,addr=0x3 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0,password -k en-us -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on

These messages were obtained from a guest with a VNC password. I found that if I downgrade libvirt to 1.1.1-29, this issue disappears, and then after updating to 1.2.7-2 the issue also disappears (very strange). So I prepared a machine on which libvirt had not been installed before to do this test (install 1.2.7-2 and follow comment 4), and also found this issue.

Comment 6 Pavel Hrdina 2014-09-19 07:22:59 UTC
Fixed upstream

commit da7799d879fd037849f820667b9b610bf94b6262
Author: Pavel Hrdina <phrdina>
Date:   Thu Sep 18 17:38:32 2014 +0200

    Move the FIPS detection from capabilities
    
    We are not detecting the presence of FIPS from QEMU, but from procfs and
    that means it's not QEMU capability. It was decided that we will pass
    this flag to QEMU even if it's not supported by old QEMU binaries.
    
    This patch also reverts changes done by commit a21cfb0f to
    qemucapabilitestest and implements a new test case in qemuxml2argvtest.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431
    
    Signed-off-by: Pavel Hrdina <phrdina>

Comment 9 Luyao Huang 2014-10-08 03:59:39 UTC
Verify this bug with libvirt-1.2.8-4.el7.x86_64

Steps:

1. # cat /proc/sys/crypto/fips_enabled
1

2. # rpm -q libvirt
libvirt-1.2.8-4.el7.x86_64

3. # virsh dumpxml --security-info raw |grep gra
    <graphics type='vnc' port='-1' autoport='yes' passwd='123456'/>


4. # virsh dumpxml raw |grep gra ^C


5. # virsh start raw
error: Failed to start domain raw
error: internal error: early end of file from monitor: possible problem:
2014-10-08T03:41:11.161447Z qemu-kvm: Failed to start VNC server on `127.0.0.1:0,password': VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative

6. Remove the password
# virsh edit raw
Domain raw XML configuration edited.

7. # virsh start raw
Domain raw started

8. -enable-fips can be found
# ps aux|grep raw
qemu      4214  117  0.4 1672272 34548 ?       Sl   11:41   0:04 /usr/libexec/qemu-kvm -name raw -S -enable-fips -machine pc-i440fx-rhel7.0.0,accel=kvm,usb=off -m 1024 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid c92efd79-1808-43c0-8aef-f31257f54421 -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/raw.monitor,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x5 -drive file=/var/lib/libvirt/images/raw.img,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x6,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -chardev pty,id=charserial0 -device isa-serial,chardev=charserial0,id=serial0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device usb-tablet,id=input0 -vnc 127.0.0.1:0 -device qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,bus=pci.0,addr=0x2 -device intel-hda,id=sound0,bus=pci.0,addr=0x4 -device hda-duplex,id=sound0-codec0,bus=sound0.0,cad=0 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x7 -msg timestamp=on
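As an added example, not from the bug report or from libvirt itself, the following POSIX shell audit automates the checks done by hand in comments 4 and 9: it reads the host FIPS state from /proc/sys/crypto/fips_enabled (the procfs source the upstream fix relies on instead of a QEMU capability) and flags any running qemu-kvm process that lacks -enable-fips or still asks for VNC password auth, which QEMU refuses in FIPS mode. The two sample command lines are constructed, abbreviated from the ps output in comments 5 and 9.

```shell
# Added example (not libvirt code): audit QEMU processes for the two conditions
# this bug is about. The FIPS flag is read from procfs, as the upstream fix
# does; with FIPS on, each QEMU process should carry -enable-fips, and a
# "-vnc ...,password" display cannot start because QEMU rejects it in FIPS mode.

# Print 1 if FIPS is enabled, else 0. The path is a parameter so the check can
# be exercised against a sample file instead of the real procfs entry.
fips_state() {
    path=${1:-/proc/sys/crypto/fips_enabled}
    if [ -r "$path" ] && [ "$(tr -d '[:space:]' < "$path")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# classify_cmdline FIPS ARG... : prints "ok" or a space-separated list of
# findings (missing-enable-fips, vnc-password) for one QEMU command line.
classify_cmdline() {
    fips=$1; shift
    has_fips=0; vnc_pw=0; prev=""
    for arg in "$@"; do
        [ "$arg" = "-enable-fips" ] && has_fips=1
        # Only the display spec right after -vnc (e.g. "127.0.0.1:0,password")
        # is inspected, so a ",password" elsewhere on the line does not count.
        if [ "$prev" = "-vnc" ]; then
            case ",$arg," in *,password,*) vnc_pw=1 ;; esac
        fi
        prev=$arg
    done
    findings=""
    if [ "$fips" = 1 ]; then
        [ "$has_fips" = 1 ] || findings="missing-enable-fips"
        [ "$vnc_pw" = 0 ] || findings="${findings:+$findings }vnc-password"
    fi
    echo "${findings:-ok}"
}

# Walk the live process table and report one line per QEMU process.
audit_running_qemu() {
    fips=$(fips_state)
    ps -eo pid=,args= | while read -r pid args; do
        case "$args" in *qemu-kvm*|*qemu-system-*) ;; *) continue ;; esac
        echo "$pid $(classify_cmdline "$fips" $args)"
    done
}

# Constructed samples, abbreviated from the ps output in comments 5 and 9.
SAMPLE_BROKEN='/usr/libexec/qemu-kvm -name test2 -S -machine pc-i440fx-rhel7.0.0,accel=kvm -vnc 127.0.0.1:0,password -k en-us'
SAMPLE_FIXED='/usr/libexec/qemu-kvm -name raw -S -enable-fips -machine pc-i440fx-rhel7.0.0,accel=kvm -vnc 127.0.0.1:0'
echo "broken: $(classify_cmdline 1 $SAMPLE_BROKEN)"   # missing-enable-fips vnc-password
echo "fixed:  $(classify_cmdline 1 $SAMPLE_FIXED)"    # ok
```

Run audit_running_qemu on a FIPS host to get one line per QEMU process; any output other than "ok" after the PID is a process that either predates the libvirt fix or still carries a VNC password in its domain XML.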

Comment 11 errata-xmlrpc 2015-03-05 07:43:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0323.html

