Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionRichard W.M. Jones
2018-09-03 13:24:19 UTC
+++ This bug was initially created as a clone of Bug #1624313 +++
Description of problem:
Can't install virtio for network in win2008r2 and win7 guest after v2v conversion
Version-Release number of selected component (if applicable):
virt-v2v-1.38.2-11.el7.x86_64
libguestfs-1.38.2-11.el7.x86_64
libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-12.el7.x86_64
virtio-win-1.9.6-1.el7.noarch
How reproducible:
100%
--- Additional comment from Yan Vugenfirer on 2018-09-03 07:20:55 EDT ---
I think it relates to the fact that now MS is issuing only SHA2 certificates and the images might not be updated to the latest security updates.
For info here:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2949927 ,
Brief explanation:
1. Drivers for Win7 and Windows 2008R2 were signed with SHA1 signature. And those versions of Windows couldn't correctly parse SHA2 signatures.
2. MS decided that SHA1 is no longer secured and rolled out security updates. From this point drivers could be either SHA1 or SHA2 signed.
3. At some point, MS stopped issuing completely SHA1 certificates (https://support.microsoft.com/en-us/help/3123479/microsoft-security-advisory-deprecation-of-sha-1-hashing-algorithm-for)
4. Attaching signature details for Win7 x64 NetKVM driver
So the solution is to update the images to include SHA2 support.
--- Additional comment from Richard W.M. Jones on 2018-09-03 07:46:34 EDT ---
Does this mean we'll no longer be able to support Windows 7 & 2008R2?
Or did they issue updates to those versions of Windows to allow them
to support SHA2 certs?
In any case this will require some virt-v2v docs changes ...
--- Additional comment from Yan Vugenfirer on 2018-09-03 09:15:52 EDT ---
Updates are downloadable from https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
Comment 3Richard W.M. Jones
2018-09-03 13:32:29 UTC
Verify bug with builds:
libguestfs-1.40.2-1.el7.x86_64
virt-v2v-1.40.2-1.el7.x86_64
Steps:
1.Install latest virt-v2v on RHEL7.7 server.
2.Open virt-v2v manual paper and search info with keyword "SHA-2"
# man virt-v2v|grep "SHA-2" -A 5
Support for SHA-2 certificates in Windows 7 and Windows Server 2008 R2
Later versions of the Windows virtio drivers are signed using SHA-2 certificates (instead of
SHA-1). The original shipping Windows 7 and Windows Server 2008 R2 did not understand SHA-2
certificates and so the Windows virtio drivers will not install properly.
To fix this you must apply SHA-2 Code Signing Support from:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929 before
converting the guest.
For further information see: https://bugzilla.redhat.com/show_bug.cgi?id=1624878
Result:
V2V man page has updated the description about "support for SHA-2 certs required for converting Windows 7 and 2008 R2 guests"
Verify bug with builds:
virt-v2v-1.40.2-2.el7.x86_64
libguestfs-1.40.2-2.el7.x86_64
Steps:
1.Install latest virt-v2v on RHEL7.7 server.
2.Open virt-v2v manual paper and search info with keyword "SHA-2"
# man virt-v2v|grep "SHA-2" -A 5
Support for SHA-2 certificates in Windows 7 and Windows Server 2008 R2
Later versions of the Windows virtio drivers are signed using SHA-2 certificates (instead of
SHA-1). The original shipping Windows 7 and Windows Server 2008 R2 did not understand SHA-2
certificates and so the Windows virtio drivers will not install properly.
To fix this you must apply SHA-2 Code Signing Support from:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929 before
converting the guest.
For further information see: https://bugzilla.redhat.com/show_bug.cgi?id=1624878
Result:
V2V man page has updated the description about "support for SHA-2 certs required for converting Windows 7 and 2008 R2 guests",so change the bug from ON_QA to VERIFIED
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2019:2096