Bug 817067 - QEMU should disable VNC password auth when in FIPS 140-2 mode
QEMU should disable VNC password auth when in FIPS 140-2 mode
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm (Show other bugs)
7.0
All Linux
high Severity medium
: rc
: ---
Assigned To: Paul Moore
Virtualization Bugs
:
Depends On: 805676 817066 854384
Blocks: BaseOS-FIPS-Tracker
  Show dependency treegraph
 
Reported: 2012-04-27 11:05 EDT by Paul Moore
Modified: 2014-06-17 23:15 EDT (History)
12 users (show)

See Also:
Fixed In Version: qemu-kvm-1.5.3-6.el7
Doc Type: Bug Fix
Doc Text:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode" and the "-enable-fips" option is given to QEMU.
Story Points: ---
Clone Of: 817066
Environment:
Last Closed: 2014-06-13 06:55:11 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Paul Moore 2012-04-27 11:05:02 EDT
+++ This bug was initially created as a clone of Bug #817066 +++

Description of problem:
Unable to start KVM guests when running kernel in FIPS mode.

Version-Release number of selected component (if applicable):
RHEL 5.8 and previous.

How reproducible:
1. Install RHEL 5 up to 5.8
2. Follow steps in
https://access.redhat.com/knowledge/articles/38655

# cat /proc/sys/crypto/fips_enabled
1

3. # virsh create /etc/libvirt/qemu/fipstest1.xml 
error: Failed to create domain from /etc/libvirt/qemu/fipstest1.xml
error: internal error Process exited while reading console log output: libgcrypt DES cipher initialization error

--- Additional comment from pmoore@redhat.com on 2012-04-25 09:46:55 EDT ---

Beyond disabling VNC password authentication and emitting a syslog message about operating in "FIPS mode", QEMU will exit if configured to run as a password authenticated VNC server.  If QEMU is configured to run as an unauthenticated VNC server then it will continue to run as expected.
Comment 1 Bill Nottingham 2012-04-30 12:59:17 EDT
Just reading this - when running in secure FIPS-140 mode, we should make qemu/VNC less secure?
Comment 2 Paul Moore 2012-04-30 13:27:36 EDT
It is well established that VNC's password based authentication has a number of security faults; think of this change not as making qemu/VNC less secure, but rather as limiting/removing functionality which could lend a false sense of security to users.

It should also be noted that this doesn't affect the default qemu/libvirt/vnc behavior.  If started via libvirt, qemu's VNC server binds itself to localhost and doesn't use password authentication; it requires users to login to the host system before they can acces the VNC server.
Comment 3 Steve Grubb 2012-04-30 22:31:22 EDT
Paul, I think Bill is expressing the same concern that I mentioned on the original bz. Right now, if you select a DES based authentication, the application is aborted. It fails safely. My understanding of the fix is that it will now fail open. Meaning that instead of securely denying access, it now allows any access. My thoughts were that it should print a meaningful error message and exit. Under no circumstance should it fail such that there is no protection when protection was intended.
Comment 4 Steve Grubb 2012-04-30 22:36:55 EDT
bz 578629 also depends on this.
Comment 5 Paul Moore 2012-05-01 09:01:22 EDT
(In reply to comment #3)
> Paul, I think Bill is expressing the same concern that I mentioned on the
> original bz. Right now, if you select a DES based authentication, the
> application is aborted. It fails safely. My understanding of the fix is that it
> will now fail open. Meaning that instead of securely denying access, it now
> allows any access. My thoughts were that it should print a meaningful error
> message and exit. Under no circumstance should it fail such that there is no
> protection when protection was intended.

Steve, I believe your understanding is incorrect.  As explained in BZ 805676, comment 33:

 "... beyond disabling VNC password authentication and emitting a syslog
  message about operating in 'FIPS mode', QEMU will exit if configured to
  run as a password authenticated VNC server.  If QEMU is configured to run
  as an unauthenticated VNC server then it will continue to run as expected."

With the proposed patches qemu continues to fail safely, and not fail open.  Perhaps what is confusing you is that the proposed patches only cause qemu to fail when VNC password authentication is requested?  Or am I missing something?
Comment 6 Steve Grubb 2012-05-01 09:32:03 EDT
Maybe what is confusing is that VNC is considered unauthenticated and yet requires a DES based password. As long as we fail closed when it must, we are OK.
Comment 7 Paul Moore 2012-05-01 10:52:48 EDT
(In reply to comment #6)
> Maybe what is confusing is that VNC is considered unauthenticated and yet
> requires a DES based password.

I don't understand this statement.

> As long as we fail closed when it must, we are OK.

The proposed patch causes qemu to fail when the user requests DES based password authentication and the system is operating in FIPS mode.  I believe this is the right thing to do, and should satisfy your requirements.
Comment 8 Paul Moore 2012-05-22 17:39:26 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".
Comment 9 Paul Moore 2012-08-10 17:12:04 EDT
A fix for this has been accepted upstream; see commit 0f66998ff6d5d2133b9b08471a44e13b11119e50.
Comment 10 Paul Moore 2012-08-10 17:12:04 EDT
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode".+We should add a note to the release notes indicating that VNC password authentication is disabled when the system is operating in "FIPS mode" and the "-enable-fips" option is given to QEMU.
Comment 12 Paul Moore 2013-09-26 17:22:57 EDT
This fix was pulled in as part of the QEMU 1.5-stable releases.  It is present in qemu-kvm-1.5.3-6.el7 and possibly earlier releases as well.
Comment 17 mazhang 2013-11-26 06:37:34 EST
Reproduce this bug with qemu-kvm-1.5.3-3.el7.x86_64.

host:
[root@localhost home]# rpm -qa |grep qemu
ipxe-roms-qemu-20130517-1.gitc4bce43.el7.noarch
qemu-img-1.5.3-3.el7.x86_64
qemu-kvm-common-1.5.3-3.el7.x86_64
qemu-kvm-1.5.3-3.el7.x86_64
qemu-kvm-tools-1.5.3-3.el7.x86_64
kernel-3.10.0-54.el7.x86_64

steps:
1 enable FIPS mode.
#yum install dracut-fips
#rpm -qa |grep dracut
dracut-network-033-40.el7.x86_64
dracut-033-40.el7.x86_64
dracut-fips-033-40.el7.x86_64
dracut-config-rescue-033-40.el7.x86_64

#setting configuring "PRELINKING=no" in the /etc/sysconfig/prelink configuration file

#prelink -u -a
#dracut -f

add "fips=1" and boot partition in kernel command line
linux16 /vmlinuz-3.10.0-54.el7.x86_64 root=/dev/mapper/rhel_intel--5205--32--1-root ro rd.lvm.lv=rhel_intel-5205-32-1/swap console=tty0 vconsole.keymap=us reboot=pci console=ttyS0,115200 vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel_intel-5205-32-1/root biosdevname=0 crashkernel=256M LANG=en_US.UTF-8 fips=1 boot=/dev/sda1

2  boot guest with:
/usr/libexec/qemu-kvm -hda storage.qcow2 -monitor stdio -vnc :0,password

Result:
qemu will boot up guest without warning.

But failed verify this bug with qemu-kvm-1.5.3-19.el7.x86_64.
After update qemu-kvm package, executed "/usr/libexec/qemu-kvm -hda storage.qcow2 -monitor stdio -vnc :0,password", qemu-kvm process boot up,
not found the warning.
Comment 18 Paul Moore 2013-11-26 10:52:46 EST
Can you please confirm that the system was operating in FIPS mode by cat'ing the "fips_enabled" file in /proc?

 # cat /proc/sys/crypto/fips_enabled
Comment 19 mazhang 2013-11-26 21:01:53 EST
[root@intel-5205-32-1 ~]# cat /proc/sys/crypto/fips_enabled 
1
[root@intel-5205-32-1 ~]# cd /home/
[root@intel-5205-32-1 home]# /usr/libexec/qemu-kvm -hda storage.qcow2 -monitor stdio -vnc :0,password
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) q
[root@intel-5205-32-1 home]# rpm -qa |grep qemu
qemu-guest-agent-1.5.3-19.el7.x86_64
qemu-kvm-tools-1.5.3-19.el7.x86_64
ipxe-roms-qemu-20130517-1.gitc4bce43.el7.noarch
qemu-kvm-common-1.5.3-19.el7.x86_64
qemu-kvm-1.5.3-19.el7.x86_64
qemu-kvm-debuginfo-1.5.3-19.el7.x86_64
qemu-img-1.5.3-19.el7.x86_64
Comment 20 Paul Moore 2013-11-27 10:19:20 EST
My apologies, I should have noticed this sooner; please add "-enable-fips" to the QEMU command line.
Comment 21 mazhang 2013-11-27 21:11:28 EST
Thanks, Verify this bug with qemu-kvm-1.5.3-19.el7.x86_64

host:
qemu-kvm-1.5.3-19.el7.x86_64
kernel-3.10.0-54.el7.x86_64

Result:
# /usr/libexec/qemu-kvm -hda storage.qcow2 -monitor stdio -vnc :0,password --enable-fips
QEMU 1.5.3 monitor - type 'help' for more information
(qemu) qemu-kvm: Failed to start VNC server on `:0,password': VNC password auth disabled due to FIPS mode, consider using the VeNCrypt or SASL authentication methods as an alternative

1 This bug has been fixed.
2 Seems rhel6 not support "-enable-fips" flag, will you backport this flag to rhel6 ?
Comment 23 Paul Moore 2013-12-02 17:42:58 EST
(In reply to mazhang from comment #21)
> Seems rhel6 not support "-enable-fips" flag, will you backport this flag
> to rhel6 ?

QEMU/FIPS support for RHEL6 was addressed in BZ #817066.
Comment 24 mazhang 2013-12-03 00:39:15 EST
Hi Paul,

Sorry, make you misunderstanding, QEMU/FIPS support for RHEL6.
But I meant the flag "--enable-fips" in RHEL6.5 qemu-kvm command line.
As I tried, RHEL6.5 qemu-kvm did not support this flag, but RHEL7 did.
So support QEMU/FIPS without "--enable-fips" in RHEL6.5 command line was expected?

Btw, does this affect spice with password?

Thanks,
Mazhang.
Comment 25 Paul Moore 2013-12-03 08:31:47 EST
(In reply to mazhang from comment #24)
> Hi Paul,
> 
> Sorry, make you misunderstanding, QEMU/FIPS support for RHEL6.
> But I meant the flag "--enable-fips" in RHEL6.5 qemu-kvm command line.
> As I tried, RHEL6.5 qemu-kvm did not support this flag, but RHEL7 did.
> So support QEMU/FIPS without "--enable-fips" in RHEL6.5 command line was
> expected?

No, the "-enable-fips" option is only needed with RHEL7; the FIPS logic is enabled by default in RHEL6.

Sorry for the confusion.

> Btw, does this affect spice with password?

No, the "-enable-fips" only affects the VNC password at this time.
Comment 26 Ludek Smid 2014-06-13 06:55:11 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.