
Bug 1712325

Summary: [RFE] Auto-detect FIPS mode on host
Product: [oVirt] vdsm
Reporter: Liran Rotenberg <lrotenbe>
Component: General
Assignee: Tomasz Barański <tbaransk>
Status: CLOSED CURRENTRELEASE
QA Contact: Beni Pelled <bpelled>
Severity: medium
Priority: unspecified
Version: 4.30.15
CC: ahadas, bugs, mavital, michal.skrivanek, rbarry, tbaransk
Target Milestone: ovirt-4.4.1
Flags: rbarry: ovirt-4.4?
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rhv-4.4.0-29
Doc Type: If docs needed, set a value
Last Closed: 2020-07-08 08:26:00 UTC
Type: Bug
oVirt Team: Virt
Bug Blocks: 1712481, 1919809

Description Liran Rotenberg 2019-05-21 10:51:36 UTC
Description of problem:
In case FIPS is enabled on the host:
$ printf '%s\n' "$(cat /proc/cmdline)" | grep -o 'fips=1'
will result in: fips=1

Version-Release number of selected component (if applicable):
vdsm-4.30.15-1.el7ev.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Instructions in BZ 1595536 (https://bugzilla.redhat.com/show_bug.cgi?id=1595536#c16)
2. Try to verify it without enabling FIPS mode in the engine.

Actual results:
VDSM doesn't recognize that the host is set with FIPS. According to the steps, the VM won't run.

Expected results:
VDSM will recognize if the host is in FIPS mode, regardless of the engine settings. The VM will start and run.

Additional info:
This is related to BZ 1595536 and BZ 1695567.

Comment 1 Ryan Barry 2019-05-21 11:24:35 UTC
Note that /proc/cmdline isn't a reliable way to see whether or not a host is in FIPS-enforcing mode, since it's possible that it will not load (because dracut-fips is not installed, root= is not specified, or other)

Checking for FIPS in dmesg is, though, or /proc/sys/crypto/fips_enabled, which is a simple boolean we can report through vdsDynamic easily enough

Comment 2 Michal Skrivanek 2019-05-22 11:01:09 UTC
But the point is, I guess, that it should be reported in caps like any other capability. Currently we only have the kernel's param which is... not exactly that
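The distinction drawn in comments 1 and 2 (the kernel's fips_enabled boolean is authoritative, the fips=1 cmdline argument only shows what was requested), as an added example that is not part of vdsm or of this bug's patch; the capability key names and the constructed sample files are assumptions:

```python
"""Detect host FIPS mode from the kernel's own boolean, not from /proc/cmdline."""
import os
import tempfile

FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"
CMDLINE = "/proc/cmdline"


def read_fips_enabled(path=FIPS_SYSCTL):
    """True if the kernel reports FIPS enforcement; a missing file counts as off."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except FileNotFoundError:
        return False


def cmdline_requests_fips(path=CMDLINE):
    """True if fips=1 is a whole argument on the kernel cmdline (requested, not enforced)."""
    try:
        with open(path) as f:
            args = f.read().split()
    except FileNotFoundError:
        return False
    return "fips=1" in args  # whole-token match avoids e.g. a 'nofips=1' false hit


def fips_capability(fips_path=FIPS_SYSCTL, cmdline_path=CMDLINE):
    """Capability dict a host agent could report (key names are hypothetical)."""
    enabled = read_fips_enabled(fips_path)
    requested = cmdline_requests_fips(cmdline_path)
    return {
        "fipsEnabled": enabled,
        "fipsRequestedOnCmdline": requested,
        # requested but never enforced is exactly the case comment 1 warns about
        "fipsMismatch": requested and not enabled,
    }


def demo(fips_text="0\n", cmdline_text="BOOT_IMAGE=/vmlinuz root=/dev/sda2 fips=1 ro\n"):
    """Run fips_capability over constructed sample files instead of the live /proc."""
    with tempfile.TemporaryDirectory() as d:
        fips = os.path.join(d, "fips_enabled")
        cmdline = os.path.join(d, "cmdline")
        with open(fips, "w") as f:
            f.write(fips_text)
        with open(cmdline, "w") as f:
            f.write(cmdline_text)
        return fips_capability(fips, cmdline)
```

The default demo() input models the failure comment 1 describes: fips=1 on the cmdline but the kernel never entered FIPS mode, so fipsMismatch is True.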

Comment 3 Tomasz Barański 2019-08-06 10:45:04 UTC
What should happen, when the engine learns that a host has FIPS enabled? Should it automatically turn the kernel flag on?

Comment 4 Ryan Barry 2019-08-06 10:57:32 UTC
Just to appropriately flag the host in engine. Let's not worry about touching the cmdline.

In order for the host to be in FIPS mode, the karg must be set anyway. This bug is for the reverse -- to let engine know whether it's *really* in FIPS mode or not, no matter what engine thinks the cmdline is.

Comment 6 Beni Pelled 2020-04-22 15:33:40 UTC
Verified with:
- Red Hat Enterprise Linux 8.2 (Ootpa)
- RHV 4.4.0-0.32.master.el8ev
- libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
- vdsm-4.40.13-1.el8ev.x86_64

Verification steps:
1. Enable FIPS on a host
2. Connect the host to the engine (without specifying fips under kernel tab)
3. Run VM on the new host

Result:
- The host is successfully added to the engine and FIPS is enabled as shown under 'Hosts > <new_host> > General > FIPS mode enabled' and '<new_host> > Edit > Kernel > Current kernel CMD line'
- VM runs successfully

Comment 7 Sandro Bonazzola 2020-07-08 08:26:00 UTC
This bugzilla is included in oVirt 4.4.1 release, published on July 8th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.