Bug 2089301 - Windows 11 can't run on clusters in FIPS mode
Summary: Windows 11 can't run on clusters in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Virtualization
Version: 4.11.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.14.0
Assignee: Jed Lejosne
QA Contact: Kedar Bidarkar
URL:
Whiteboard:
Depends On: 2090219 2097939 2097947
Blocks:
Reported: 2022-05-23 11:41 UTC by vsibirsk
Modified: 2023-12-06 02:03 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Windows 11 virtual machines now boot on clusters running in FIPS mode. (BZ#2089301)
Clone Of:
Environment:
Last Closed: 2023-11-08 14:05:03 UTC
Target Upstream Version:
Embargoed:


Attachments
vm and dv yamls (1.74 KB, application/zip), 2022-05-23 11:41 UTC, vsibirsk


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | CLOUDBLD-11261 | 0 | None | None | None | 2022-10-11 20:25:58 UTC
Red Hat Issue Tracker | CNV-18526 | 0 | None | None | None | 2022-11-09 13:48:38 UTC
Red Hat Product Errata | RHSA-2023:6817 | 0 | None | None | None | 2023-11-08 14:05:28 UTC

Description vsibirsk 2022-05-23 11:41:29 UTC
Created attachment 1882372
vm and dv yamls

Description of problem:
Even with tpm: {} in the VM spec, the Windows 11 installer still gives the error "This PC can't run Windows 11".

Version-Release number of selected component (if applicable):
cnv 4.11

How reproducible:
100%

Steps to Reproduce:
(VM and DV yamls attached)
1. Create a VM with the attached DV containing the Windows installer ISO as a CD-ROM
2. Start the VM and go through the Windows installer process

Actual results:
The Windows installer stops at the minimum system requirements check.

Expected results:
Windows OS is installed

Additional info:
The installer fails specifically on TPM device validation: if this check is disabled in the installer registry, the installation continues without issues.

Comment 1 Jed Lejosne 2022-05-23 13:23:05 UTC
This is very odd, I'll deploy a 4.11 cluster and try to reproduce.
Thanks!

Comment 2 Jed Lejosne 2022-05-23 15:09:49 UTC
I wasn't able to reproduce this issue, using the latest 4.11 nightlies of OCP and CNV.
Any chance I could get access to your cluster?
Thank you.

Comment 3 Jed Lejosne 2022-05-23 19:23:15 UTC
Thank you @vsibirsk for giving me access to your cluster.

I was able to find the error in the swtpm logs:

libtpms/tpm2: Entering failure mode; code: 6, location: TestSymmetricAlgorithm line 230
libtpms/tpm2: TPM2_Process: Entered failure mode through command:
80 01 00 00 00 0b 00 00 01 43 00 

The last 3 bytes indicate a partial self test command (TPM2_SelfTest(fullTest=NO)).
After that, the TPM chip is non-functional.
This is the code for portion of the test that fails:
https://github.com/stefanberger/libtpms/blob/721f6c2e3319dbd65ac420350de878f5660a38d4/src/tpm2/AlgorithmTests.c#L285

The issue unfortunately does not reproduce in upstream KubeVirt, making it really hard to debug.
It might be a missing component in virt-launcher, like a library, or something preventing the test, like maybe crypto-policies?

I will keep searching.
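
To make the command bytes quoted above concrete, the following is an added example (not part of this bug report, swtpm or libtpms) that decodes a raw TPM 2.0 command header in Python and confirms that the trailing bytes are TPM2_SelfTest with fullTest=NO. The constant names and the build_selftest helper are my own; the tag, size and command-code layout and the 0x143 command code come from the TPM 2.0 Library specification.

```python
import struct

# TPM 2.0 constants (TPM Library Specification, Part 2: Structures)
TPM_ST_NO_SESSIONS = 0x8001   # command carries no authorization sessions
TPM_ST_SESSIONS = 0x8002      # command carries one or more sessions
TPM_CC_SELFTEST = 0x00000143  # TPM2_SelfTest command code
HEADER_LEN = 10               # tag (2) + commandSize (4) + commandCode (4)

# The exact command bytes swtpm logged in Comment 3 of this bug (copied from the page).
SWTPM_FAILING_COMMAND = bytes.fromhex("80 01 00 00 00 0b 00 00 01 43 00")


def parse_tpm2_command(buf: bytes) -> dict:
    """Decode a raw TPM 2.0 command; for TPM2_SelfTest also decode fullTest."""
    if len(buf) < HEADER_LEN:
        raise ValueError("buffer shorter than a TPM2 command header")
    tag, size, code = struct.unpack(">HII", buf[:HEADER_LEN])  # all fields big-endian
    if tag not in (TPM_ST_NO_SESSIONS, TPM_ST_SESSIONS):
        raise ValueError(f"unexpected tag 0x{tag:04x}")
    if size != len(buf):
        # commandSize covers the whole command, header included
        raise ValueError(f"commandSize {size} != buffer length {len(buf)}")
    cmd = {"tag": tag, "size": size, "code": code, "params": buf[HEADER_LEN:]}
    if code == TPM_CC_SELFTEST:
        # TPM2_SelfTest has exactly one parameter: fullTest (TPMI_YES_NO, 1 byte)
        if len(cmd["params"]) != 1:
            raise ValueError("TPM2_SelfTest expects a single fullTest byte")
        cmd["name"] = "TPM2_SelfTest"
        cmd["full_test"] = cmd["params"][0] != 0
    return cmd


def build_selftest(full_test: bool) -> bytes:
    """Encode a TPM2_SelfTest command; the inverse of parse_tpm2_command."""
    params = bytes([1 if full_test else 0])
    size = HEADER_LEN + len(params)
    return struct.pack(">HII", TPM_ST_NO_SESSIONS, size, TPM_CC_SELFTEST) + params


if __name__ == "__main__":
    decoded = parse_tpm2_command(SWTPM_FAILING_COMMAND)
    print(decoded["name"], "fullTest=YES" if decoded["full_test"] else "fullTest=NO")
```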

Comment 4 Martin Tessun 2022-05-24 08:21:57 UTC
Hi Jed,

Short question: as the issue only reproduces downstream, can you also check that plain RHEL is working (same VM setup, but on RHEL rather than RHCOS/OCP Virt)?
Just to ensure it really is KubeVirt related and not a generic RHEL issue.

Thanks!
Martin

Comment 5 Jed Lejosne 2022-05-24 15:35:16 UTC
Thanks Martin for the great suggestion!
I just created a session-mode VM in RHEL 8.6 with EFI and emulated TPM-TIS 2.0. There is no error in the swtpm logs and the VM is able to access the chip.
So the good news is that the issue is CNV(/RHCOS?) related, the bad news is that I have no idea what could be causing it...
My best lead was crypto-policies, but RHEL 8 has them, and even when switched to the stricter "FUTURE" system-wide policy swtpm still works fine.

Comment 6 Jed Lejosne 2022-05-24 19:02:14 UTC
We found the source of the issue.
The cluster used by the reporter was FIPS-enabled, and swtpm is not compatible with FIPS.

Comment 7 sgott 2022-05-27 13:36:22 UTC
Deferring this to 4.12 because the layered product fix isn't ready yet.

Comment 15 Kedar Bidarkar 2022-11-09 13:33:44 UTC
We are blocked on an external dependency (swtpm) and hence deferring it to 4.13.

Comment 18 Jed Lejosne 2023-06-05 14:01:39 UTC
The swtpm version in KubeVirt 1.0 should include the necessary fixes. Moving to ON_QA.

Comment 19 vsibirsk 2023-07-17 08:17:42 UTC
Tested on
Openshift version: 4.14.0-ec.3
CNV version: 4.14.0
HCO image: brew.registry.redhat.io/rh-osbs/iib:531794

Tested with Windows 11 and Windows 2k22 with tpm: {} in the VM spec.
Create, start, migrate VM all work OK.
The TPM check passes during OS install.

Comment 23 errata-xmlrpc 2023-11-08 14:05:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.14.0 Images security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6817
