Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 1624878 - Update v2v docs to describe support for SHA 2 certs required for converting Windows 7 and 2008 R2 guests
Update v2v docs to describe support for SHA 2 certs required for converting W...
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libguestfs (Show other bugs)
7.6
x86_64 Unspecified
high Severity high
: rc
: ---
Assigned To: Richard W.M. Jones
Virtualization Bugs
V2V
: Regression, ZStream
Depends On:
Blocks: 1632788
  Show dependency treegraph
 
Reported: 2018-09-03 09:24 EDT by Richard W.M. Jones
Modified: 2018-09-25 10:30 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1624313
: 1632788 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Richard W.M. Jones 2018-09-03 09:24:19 EDT
+++ This bug was initially created as a clone of Bug #1624313 +++

Description of problem:
Can't install virtio for network in win2008r2 and win7 guest after v2v conversion

Version-Release number of selected component (if applicable):
virt-v2v-1.38.2-11.el7.x86_64
libguestfs-1.38.2-11.el7.x86_64
libvirt-4.5.0-7.el7.x86_64
qemu-kvm-rhev-2.12.0-12.el7.x86_64
virtio-win-1.9.6-1.el7.noarch

How reproducible:
100%

--- Additional comment from Yan Vugenfirer on 2018-09-03 07:20:55 EDT ---

I think it relates to the fact that now MS is issuing only SHA2 certificates and the images might not be updated to the latest security updates.

For info here:
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2014/2949927 , 

Brief explanation:
1. Drivers for Win7 and Windows 2008R2 were signed with SHA1 signature. And those versions of Windows couldn't correctly parse SHA2 signatures.

2. MS decided that SHA1 is no longer secured and rolled out security updates. From this point drivers could be either SHA1 or SHA2 signed.

3. At some point, MS stopped issuing completely SHA1 certificates (https://support.microsoft.com/en-us/help/3123479/microsoft-security-advisory-deprecation-of-sha-1-hashing-algorithm-for)

4. Attaching signature details for Win7 x64 NetKVM driver

So the solution is to update the images to include SHA2 support.

--- Additional comment from Richard W.M. Jones on 2018-09-03 07:46:34 EDT ---

Does this mean we'll no longer be able to support Windows 7 & 2008R2?
Or did they issue updates to those versions of Windows to allow them
to support SHA2 certs?

In any case this will require some virt-v2v docs changes ...

--- Additional comment from Yan Vugenfirer on 2018-09-03 09:15:52 EDT ---

Updates are downloadable from https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929
Comment 4 Richard W.M. Jones 2018-09-03 13:38:10 EDT
Upstream in
741ef228cd8d17bd1a8a60a2cfa83c3937120ede

Note You need to log in before you can comment on or make changes to this bug.