ubuntu_kvm_smoke_test fail with FIPS kernel (dsa keys not allowed)

Bug #2057867 reported by Po-Hsu Lin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
ubuntu-kernel-tests | New | Undecided | Unassigned |

Bug Description

After enabling the fips-dev PPA and using the user-space tools there, the ubuntu_kvm_smoke_test starts failing with:
 + uvt-kvm create bjf-test release=bionic arch=s390x
 DSA keys are not allowed in FIPS mode

Take a closer look inside /usr/lib/python2.7/dist-packages/uvtool/libvirt/kvm.py, which calls uvtool.ssh.generate_ssh_host_keys() from /usr/lib/python2.7/dist-packages/uvtool/ssh.py.

In ssh.py, you will find that it tries to generate 4 different key types, including "dsa":

KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
...
def generate_ssh_host_keys():
    cloud_init_result = {}
    known_hosts_result = []
    tmp_dir = tempfile.mkdtemp(prefix='uvt-kvm.sshtmp')
    try:
        for key_type in KEY_TYPES:
            private_path = os.path.join(tmp_dir, key_type)
            _keygen(key_type, private_path)

Po-Hsu Lin (cypressyew)
summary: - ubuntu_kvm_smoke_test fail with B-FIPS kernel (dsa keys not allowed)
+ ubuntu_kvm_smoke_test fail with FIPS kernel (dsa keys not allowed)
tags: added: jammy sru-20240429
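
One way a host-key loop like the one quoted in the description could tolerate a FIPS-mode refusal, as an added example that is not uvtool's own code or a proposed patch. The names fips_enabled, ssh_keygen and generate_host_keys are hypothetical, and skipping a refused key type only when the kernel reports FIPS mode is an assumed policy.

```python
import os
import shutil
import subprocess
import tempfile

KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']   # list quoted in the report
FIPS_FLAG = '/proc/sys/crypto/fips_enabled'      # kernel FIPS indicator file


def fips_enabled(flag_path=FIPS_FLAG):
    """True when the kernel reports FIPS mode ('1' in the flag file)."""
    try:
        with open(flag_path) as f:
            return f.read().strip() == '1'
    except OSError:
        return False    # flag file absent: treat as non-FIPS


def ssh_keygen(key_type, private_path):
    """Create one passphrase-less key pair with the ssh-keygen CLI."""
    subprocess.run(
        ['ssh-keygen', '-q', '-t', key_type, '-N', '', '-f', private_path],
        check=True, capture_output=True, text=True)


def generate_host_keys(key_types=KEY_TYPES, keygen=ssh_keygen, fips=None):
    """Return ({type: (private, public)}, [key types skipped under FIPS])."""
    fips = fips_enabled() if fips is None else fips
    keys, skipped = {}, []
    tmp_dir = tempfile.mkdtemp(prefix='hostkeys.')
    try:
        for key_type in key_types:
            private_path = os.path.join(tmp_dir, key_type)
            try:
                keygen(key_type, private_path)
            except subprocess.CalledProcessError:
                if not fips:
                    raise           # outside FIPS mode a refusal is a real error
                skipped.append(key_type)   # assumed policy: skip and report
                continue
            with open(private_path) as priv, open(private_path + '.pub') as pub:
                keys[key_type] = (priv.read(), pub.read())
    finally:
        shutil.rmtree(tmp_dir)      # do not leave private keys in the temp dir
    if not keys:
        raise RuntimeError('no host key type could be generated')
    return keys, skipped
```

The returned skipped list lets the caller log which key types were dropped instead of aborting the whole VM creation.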