Bug 817066 - QEMU should disable VNC password auth when in FIPS 140-2 mode
QEMU should disable VNC password auth when in FIPS 140-2 mode
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm (Show other bugs)
6.5
All Linux
high Severity medium
: rc
: ---
Assigned To: Paul Moore
Virtualization Bugs
:
Depends On: 805676 854384
Blocks: BaseOS-FIPS-Tracker 817067
  Show dependency treegraph
 
Reported: 2012-04-27 11:02 EDT by Paul Moore
Modified: 2013-11-21 00:45 EST (History)
12 users (show)

See Also:
Fixed In Version: qemu-kvm-0.12.1.2-2.361.el6
Doc Type: Bug Fix
Doc Text:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".
Story Points: ---
Clone Of: 805676
: 817067 (view as bug list)
Environment:
Last Closed: 2013-11-21 00:45:29 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Moore 2012-04-27 11:02:25 EDT
+++ This bug was initially created as a clone of Bug #805676 +++

Description of problem:
Unable to start KVM guests when running kernel in FIPS mode.

Version-Release number of selected component (if applicable):
RHEL 5.8 and previous.

How reproducible:
1. Install RHEL 5 up to 5.8
2. Follow steps in
https://access.redhat.com/knowledge/articles/38655

# cat /proc/sys/crypto/fips_enabled
1

3. # virsh create /etc/libvirt/qemu/fipstest1.xml 
error: Failed to create domain from /etc/libvirt/qemu/fipstest1.xml
error: internal error Process exited while reading console log output: libgcrypt DES cipher initialization error

--- Additional comment from pmoore@redhat.com on 2012-04-25 09:46:55 EDT ---

Beyond disabling VNC password authentication and emitting a syslog message about operating in "FIPS mode", QEMU will exit if configured to run as a password authenticated VNC server.  If QEMU is configured to run as an unauthenticated VNC server then it will continue to run as expected.
Comment 3 Ademar Reis 2012-04-30 14:40:49 EDT
We're late in the RHEL6.3 process and this is not critical, so I'm moving this to 6.4. If the patch is simple and necessary for the certification, feel free to add rhel-6.3.0? back, we can add it to 6.3 in a later snapshot (even via z-stream).
Comment 4 Paul Moore 2012-05-22 17:39:50 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".
Comment 6 Paul Moore 2012-07-31 11:14:41 EDT
With no progress yet upstream, I'm moving this to RHEL6.5.
Comment 7 Paul Moore 2012-08-10 17:07:50 EDT
A fix for this has been accepted upstream and a backport for RHEL6 has been posted for internal review.
Comment 19 mazhang 2013-06-25 01:15:15 EDT
Verify this bug on

host:
qemu-kvm-0.12.1.2-2.376.el6.x86_64
kernel-2.6.32-358.el6.x86_64

steps:
1. setup fips with the following steps
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line
  c. reboot guest
  d. # cat /proc/sys/crypto/fips_enabled
     1

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password'
Comment 20 mazhang 2013-06-25 01:26:37 EDT
reproduce this bug on

host:
qemu-kvm-0.12.1.2-2.356.el6.x86_64
kernel-2.6.32-358.el6.x86_64

steps:
1. setup fips with the following steps
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line
  c. reboot guest
  d. # cat /proc/sys/crypto/fips_enabled
     1

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu will boot up guest without error.
Comment 24 mazhang 2013-11-05 02:37:16 EST
Verify steps should be:
1. setup fips with the following steps on HOST
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password
Comment 26 errata-xmlrpc 2013-11-21 00:45:29 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html

Note You need to log in before you can comment on or make changes to this bug.