Bug 817066 - QEMU should disable VNC password auth when in FIPS 140-2 mode
Summary: QEMU should disable VNC password auth when in FIPS 140-2 mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.5
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: ---
Assignee: Paul Moore
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 805676 854384
Blocks: BaseOS-FIPS-Tracker 817067
TreeView+ depends on / blocked
 
Reported: 2012-04-27 15:02 UTC by Paul Moore
Modified: 2013-11-21 05:45 UTC (History)
12 users (show)

Fixed In Version: qemu-kvm-0.12.1.2-2.361.el6
Doc Type: Bug Fix
Doc Text:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".
Clone Of: 805676
: 817067 (view as bug list)
Environment:
Last Closed: 2013-11-21 05:45:29 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1553 0 normal SHIPPED_LIVE Important: qemu-kvm security, bug fix, and enhancement update 2013-11-20 21:40:29 UTC

Description Paul Moore 2012-04-27 15:02:25 UTC
+++ This bug was initially created as a clone of Bug #805676 +++

Description of problem:
Unable to start KVM guests when running kernel in FIPS mode.

Version-Release number of selected component (if applicable):
RHEL 5.8 and previous.

How reproducible:
1. Install RHEL 5 up to 5.8
2. Follow steps in
https://access.redhat.com/knowledge/articles/38655

# cat /proc/sys/crypto/fips_enabled
1

3. # virsh create /etc/libvirt/qemu/fipstest1.xml 
error: Failed to create domain from /etc/libvirt/qemu/fipstest1.xml
error: internal error Process exited while reading console log output: libgcrypt DES cipher initialization error

--- Additional comment from pmoore@redhat.com on 2012-04-25 09:46:55 EDT ---

Beyond disabling VNC password authentication and emitting a syslog message about operating in "FIPS mode", QEMU will exit if configured to run as a password authenticated VNC server.  If QEMU is configured to run as an unauthenticated VNC server then it will continue to run as expected.

Comment 3 Ademar Reis 2012-04-30 18:40:49 UTC
We're late in the RHEL6.3 process and this is not critical, so I'm moving this to 6.4. If the patch is simple and necessary for the certification, feel free to add rhel-6.3.0? back, we can add it to 6.3 in a later snapshot (even via z-stream).

Comment 4 Paul Moore 2012-05-22 21:39:50 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".

Comment 6 Paul Moore 2012-07-31 15:14:41 UTC
With no progress yet upstream, I'm moving this to RHEL6.5.

Comment 7 Paul Moore 2012-08-10 21:07:50 UTC
A fix for this has been accepted upstream and a backport for RHEL6 has been posted for internal review.

Comment 19 mazhang 2013-06-25 05:15:15 UTC
Verify this bug on

host:
qemu-kvm-0.12.1.2-2.376.el6.x86_64
kernel-2.6.32-358.el6.x86_64

steps:
1. setup fips with the following steps
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line
  c. reboot guest
  d. # cat /proc/sys/crypto/fips_enabled
     1

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password'

Comment 20 mazhang 2013-06-25 05:26:37 UTC
reproduce this bug on

host:
qemu-kvm-0.12.1.2-2.356.el6.x86_64
kernel-2.6.32-358.el6.x86_64

steps:
1. setup fips with the following steps
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line
  c. reboot guest
  d. # cat /proc/sys/crypto/fips_enabled
     1

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu will boot up guest without error.

Comment 24 mazhang 2013-11-05 07:37:16 UTC
Verify steps should be:
1. setup fips with the following steps on HOST
  a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r)
  b. Add “fips=1” to grub kernel boot line

2. boot guest with:
/usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password

Result:
qemu prompt:
VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative
Failed to start VNC server on ':0,password

Comment 26 errata-xmlrpc 2013-11-21 05:45:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html


Note You need to log in before you can comment on or make changes to this bug.