Red Hat Bugzilla – Bug 817066
QEMU should disable VNC password auth when in FIPS 140-2 mode
Last modified: 2013-11-21 00:45:29 EST
+++ This bug was initially created as a clone of Bug #805676 +++ Description of problem: Unable to start KVM guests when running kernel in FIPS mode. Version-Release number of selected component (if applicable): RHEL 5.8 and previous. How reproducible: 1. Install RHEL 5 up to 5.8 2. Follow steps in https://access.redhat.com/knowledge/articles/38655 # cat /proc/sys/crypto/fips_enabled 1 3. # virsh create /etc/libvirt/qemu/fipstest1.xml error: Failed to create domain from /etc/libvirt/qemu/fipstest1.xml error: internal error Process exited while reading console log output: libgcrypt DES cipher initialization error --- Additional comment from pmoore@redhat.com on 2012-04-25 09:46:55 EDT --- Beyond disabling VNC password authentication and emitting a syslog message about operating in "FIPS mode", QEMU will exit if configured to run as a password authenticated VNC server. If QEMU is configured to run as an unauthenticated VNC server then it will continue to run as expected.
We're late in the RHEL6.3 process and this is not critical, so I'm moving this to 6.4. If the patch is simple and necessary for the certification, feel free to add rhel-6.3.0? back, we can add it to 6.3 in a later snapshot (even via z-stream).
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".
With no progress yet upstream, I'm moving this to RHEL6.5.
A fix for this has been accepted upstream and a backport for RHEL6 has been posted for internal review.
Verify this bug on host: qemu-kvm-0.12.1.2-2.376.el6.x86_64 kernel-2.6.32-358.el6.x86_64 steps: 1. setup fips with the following steps a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r) b. Add “fips=1” to grub kernel boot line c. reboot guest d. # cat /proc/sys/crypto/fips_enabled 1 2. boot guest with: /usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password Result: qemu prompt: VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative Failed to start VNC server on ':0,password'
reproduce this bug on host: qemu-kvm-0.12.1.2-2.356.el6.x86_64 kernel-2.6.32-358.el6.x86_64 steps: 1. setup fips with the following steps a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r) b. Add “fips=1” to grub kernel boot line c. reboot guest d. # cat /proc/sys/crypto/fips_enabled 1 2. boot guest with: /usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password Result: qemu will boot up guest without error.
Verify steps should be: 1. setup fips with the following steps on HOST a. mkinitrd --with-fips -f /boot/initrd-$(uname -r).img $(uname -r) b. Add “fips=1” to grub kernel boot line 2. boot guest with: /usr/libexec/qemu-kvm -hda test.qcow2 -monitor stdio -vnc :0,password Result: qemu prompt: VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative Failed to start VNC server on ':0,password
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-1553.html