canonical-ubuntu-qa team mailing list archive

Thread
Date

[Bug 2057867] Re: ubuntu_kvm_smoke_test fail with B-FIPS kernel (dsa keys not allowed)

To: canonical-ubuntu-qa@xxxxxxxxxxxxxxxxxxx
From: Po-Hsu Lin <2057867@xxxxxxxxxxxxxxxxxx>
Date: Thu, 14 Mar 2024 03:42:34 -0000
Reply-to: Bug 2057867 <2057867@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

We will need to backport fix for https://bugs.launchpad.net/bugs/1936473 to uvtool on bionic.
https://code.launchpad.net/~paelzer/uvtool/+git/uvtool/+merge/405796

-- 
You received this bug notification because you are a member of Canonical
Platform QA Team, which is subscribed to ubuntu-kernel-tests.
https://bugs.launchpad.net/bugs/2057867

Title:
  ubuntu_kvm_smoke_test fail with B-FIPS kernel (dsa keys not allowed)

Status in ubuntu-kernel-tests:
  New

Bug description:
  After enabling the fips-dev ppa and using user-space tool there. The ubuntu_kvm_smoke_test starts failing with:
   + uvt-kvm create bjf-test release=bionic arch=s390x
   DSA keys are not allowed in FIPS mode

  Take a closer look inside /usr/lib/python2.7/dist-
  packages/uvtool/libvirt/kvm.py, which calls
  uvtool.ssh.generate_ssh_host_keys() from /usr/lib/python2.7/dist-
  packages/uvtool/ssh.py

  From ssh.py, you will find it will try to generate 4 different key
  types, includes "dsa":

  KEY_TYPES = ['rsa', 'dsa', 'ecdsa', 'ed25519']
  ...
  def generate_ssh_host_keys():
      cloud_init_result = {}
      known_hosts_result = []
      tmp_dir = tempfile.mkdtemp(prefix='uvt-kvm.sshtmp')
      try:
          for key_type in KEY_TYPES:
              private_path = os.path.join(tmp_dir, key_type)
              _keygen(key_type, private_path)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2057867/+subscriptions

References

[Bug 2057867] [NEW] ubuntu_kvm_smoke_test fail with B-FIPS kernel (dsa keys not allowed)
From: Po-Hsu Lin, 2024-03-14