Description: As part of the "Supporting VMs with VNC console on a FIPS enabled hypervisor" RFE (https://bugzilla.redhat.com/show_bug.cgi?id=1595536) we need to add fips=1 to the kernel command line manually. It would be nice to have an option to modify it via webadmin -> host kernel tab, like the other parameters we can currently modify (enabling IOMMU, nested virtualization etc.).
Note that we'll also need `dracut-fips` included as a package, and `dracut -f` to be executed after this is changed. Martin/Sandro - Do you want separate bugs for these?
(In reply to Ryan Barry from comment #1)
> Note that we'll also need `dracut-fips` included as a package, and `dracut -f` to be executed after this is changed.
>
> Martin/Sandro -
>
> Do you want separate bugs for these?

So dracut-fips should be added as a dependency to the ovirt-host package for 4.3, so we should probably have a bug mentioning this. If you want to execute 'dracut -f', then it needs to be added to the host-deploy ansible role (create a subrole for that), but I think it can be handled within this bug, as the host-deploy role is part of engine. And AFAIK host kernel parameters are maintained by virt team ...
(In reply to Martin Perina from comment #2)
> (In reply to Ryan Barry from comment #1)
> And AFAIK host kernel parameters are maintained by virt team ...

They are. Just flipped it to get info :) I'll open the other bugs
Re-targeting to 4.3.1 since it is missing a patch, an acked blocker flag, or both
Reassigned: After adding fips=1 to the kernel command line, reinstalling and rebooting the host, the host boot halts with the following screen output:

dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
System halted.

Verification builds:
ovirt-engine-4.3.1.2-0.0.master.20190220155021.git90ab3d9.el7
vdsm-4.30.9-22.git86feae5.el7.x86_64
libvirt-client-4.5.0-10.el7_6.4.x86_64
qemu-kvm-ev-2.12.0-18.el7_6.3.1.x86_64
dracut-fips-033-554.el7.x86_64

Verification scenario:
1. Browse WebAdmin -> Compute -> Hosts -> edit host -> Kernel tab -> check "FIPS Mode" checkbox -> click "OK" button.
2. Following the edit host -> kernel tab comment: Move host to maintenance and reinstall it. Reboot host.

After the host is rebooted, the boot hangs with the "System halted" message.

Comment: The same issue is observed when running the "dracut -f" command after host reinstall and rebooting the host.
Is dracut-fips installed?
Hah! This error is a confirmation that the change actually worked! :) I encountered that problem on some hosts and it's kinda unrelated. Grub seems to be baffled by fips mode for some reason and needs to be explicitly told where the boot partition is in the form of "boot=/dev/sda1" after "fips=1". Adding this is troublesome because:
1. We don't allow spaces in the kernel line, and we'd need to add "fips=1 boot=/dev/sda1" –– but is the space ban in the UI only?
2. Do we have any information on which partition is the starting one? Maybe we could add a text box on the form for the boot partition and prepopulate it with '/dev/sda1'. The text box would be active only when the Fips mode checkbox is checked.
Ideas?
(In reply to Ryan Barry from comment #6)
> Is dracut-fips installed?

Yes, look at my comment #5, version section: dracut-fips-033-554.el7.x86_64
Note that this includes fips=1 only. Adding the correct boot= stanza will come as part of a separate bug
I don't understand what the situation was before this bug and what the situation is after this bug fix. Please fill in the blanks: Before this update... With this update... I need to see: Cause: Consequence: Fix: Result:
Before this update FIPS could only be enabled manually on the host. This caused problems, because oVirt/RHV was not aware of FIPS and did not use appropriate options with qemu.

With this update:
1. Fips can be turned on from the oVirt UI.
2. oVirt uses qemu with FIPS-compatible arguments.

I need to see a FIPS Mode checkbox in the Host's Kernel options dialog. See screenshot here: https://imgur.com/a/7V8qrTG

Cause: this is a new functionality required to fully support FIPS-enabled hosts.
Consequence: if FIPS is enabled manually, VMs can be started, but some functionality does not work (e.g. VNC console).
Fix: add FIPS mode checkbox; make oVirt aware of FIPS mode on host.
Result: see above "With this update".
Tomasz, Please make sure that the doc text is accurate now.
This is not precise: "when starting the host, so the host did not start properly." It should rather read something like "when starting VMs, so the VMs were not fully operable."
Verified with:
- ovirt-engine-4.4.0-0.33.master.el8ev.noarch
- vdsm-4.40.13-1.el8ev.x86_64
- Host with RHEL 8.2

Verification steps:
1. Move a non-FIPS active host into maintenance mode
2. Under 'Edit > Kernel' press the Reset button and select 'FIPS mode'
3. 'fips=1 boot=UUID=<boot_partition_UUID>' will be added to the 'Kernel command line'
4. Reinstall and restart the host

Result:
- The host is up and running as a FIPS host (verified by 'sysctl crypto.fips_enabled' and on the engine-UI)
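The failure mode from comment #5 (fips=1 present but no boot= stanza, so dracut's integrity check halts the host) and the check in the verification steps above can be scripted as a pre-reboot sanity check. This is an added example, not code from the bug report or from oVirt; it assumes a RHEL-style host where the boot filesystem is mounted on /boot and `findmnt`, `rpm` and /proc/sys/crypto/fips_enabled are available, and it uses constructed sample command lines for the offline part.

```shell
#!/bin/sh
# Added example, not oVirt code: sanity checks for the FIPS kernel-line change.

# Classify a kernel command line with respect to FIPS mode.
# Prints: no-fips | fips-without-boot | fips-ok
# "fips-without-boot" is the state that produced
# "dracut: FATAL: FIPS integrity test failed" in the bug.
fips_cmdline_state() {
    has_fips=0; has_boot=0
    for arg in $1; do          # unquoted on purpose: split on spaces
        case "$arg" in
            fips=1) has_fips=1 ;;
            boot=*) has_boot=1 ;;
        esac
    done
    if [ "$has_fips" -eq 0 ]; then echo no-fips
    elif [ "$has_boot" -eq 0 ]; then echo fips-without-boot
    else echo fips-ok
    fi
}

# Build the stanza oVirt 4.4 adds, from the UUID of the /boot filesystem.
fips_stanza_for_uuid() {
    echo "fips=1 boot=UUID=$1"
}

# Live check on the running host (assumed layout: boot filesystem on /boot).
check_running_host() {
    [ -r /proc/cmdline ] || { echo "not a Linux host, skipping live check"; return 0; }
    state=$(fips_cmdline_state "$(cat /proc/cmdline)")
    enabled=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    rpm -q dracut-fips >/dev/null 2>&1 && pkg=installed || pkg=missing
    uuid=$(findmnt -n -o UUID /boot 2>/dev/null || echo unknown)
    echo "cmdline: $state; crypto.fips_enabled=$enabled; dracut-fips: $pkg"
    echo "expected stanza for this host: $(fips_stanza_for_uuid "$uuid")"
}

# Constructed sample command lines (not captured from a real host).
BROKEN='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet fips=1'
FIXED='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro quiet fips=1 boot=UUID=1234-ABCD'
echo "sample 1: $(fips_cmdline_state "$BROKEN")"   # fips-without-boot
echo "sample 2: $(fips_cmdline_state "$FIXED")"    # fips-ok
check_running_host
```

Run it on the host after the engine has updated the kernel line but before the reboot; "fips-without-boot" means the reboot will halt in dracut as in comment #5.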
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.