
It took me a few days, but I was able to come up with one potential solution. On each of the hypervisors I modified /usr/libexec/vdsm/vm_libvirt_hook.py (vdsm) to include the following:
--- before: /usr/libexec/vdsm/vm_libvirt_hook.py.bak
+++ after: /usr/libexec/vdsm/vm_libvirt_hook.py
@@ -5,8 +5,23 @@
 import sys
 import xml.etree.ElementTree as ET
+import logging
 from vdsm.virt.vmdevices import storage
+from vdsm.common import commands
+
+
+# Read FIPS status using sysctl
+def _get_fips_enabled():
+    SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl", "crypto.fips_enabled"],
+
+    try:
+        output = commands.run(*SYSCTL_FIPS_COMMAND)
+        enabled = output.split(b'=')[1].strip()
+        return enabled == b'1'
+    except Exception as e:
+        logging.error("Could not read FIPS status with sysctl: %s", e)
+        return False
 # dynamic_ownership workaround (required for 4.2 incoming migrations)
@@ -34,6 +49,12 @@
         passwd = graphics.attrib['passwd']
         if len(passwd) > 8:
             graphics.set('passwd', passwd[:8])
+        # VNC console authentication requests fail when migrating VMs to a
+        # destination where FIPS is enforced. Let's remove the passwd attribute
+        # to make libvirt start qemu-kvm without "-vnc password=on".
+        fips = _get_fips_enabled()
+        if fips:
+            graphics.attrib.pop('passwd')
The _get_fips_enabled() function is a copy of _getFipsEnabled() from /usr/lib/python3.6/site-packages/vdsm/host/caps.py (vdsm-python). Perhaps a check can be added to libvirt directly to see if FIPS mode is enforced, and if so, skip the password=on [1] option for qemu. -- [1] https://github.com/libvirt/libvirt/blob/v8.0.0/src/qemu/qemu_command.c#L8295
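Review bot: The trailing comma in `SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl", "crypto.fips_enabled"],` makes the constant a one-element tuple wrapping the list, and the call only works because `commands.run(*SYSCTL_FIPS_COMMAND)` unpacks that tuple back into a single list argument; drop both so the intent is plain: `SYSCTL_FIPS_COMMAND = ["/usr/sbin/sysctl", "crypto.fips_enabled"]` and `output = commands.run(SYSCTL_FIPS_COMMAND)` (this assumes commands.run takes the argv list as its first positional argument, which the unpacked form already relies on). Spawning sysctl from a per-domain libvirt hook is also avoidable, since the kernel exposes the same flag as a file: `with open("/proc/sys/crypto/fips_enabled") as f: return f.read().strip() == "1"` inside the same try block removes the subprocess and the `split(b'=')` parsing, which presumes commands.run returns bytes. The broad `except Exception` falling back to False keeps the VNC password in place when the probe fails, which is the safer default, but on a FIPS host it silently reproduces the very migration failure this hook is meant to avoid, so the error log should say that the FIPS check is being treated as disabled.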
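Review bot: `graphics.attrib.pop('passwd')` removes VNC password authentication entirely on a FIPS destination rather than replacing it with something FIPS-compatible, so after migration the console is protected only by whatever else fronts it (TLS, SASL or network policy, none of which the hook checks); the new comment explains the libvirt side effect but not this consequence. Make the trade-off visible to operators at the point it happens, e.g. `logging.warning("FIPS enabled: dropping VNC passwd for this domain; console has no VNC-level authentication")` next to the pop, and extend the comment to state that the password is removed, not rewritten. The `fips` temporary can be folded into the condition as `if _get_fips_enabled():`. The enclosing function, which reads `graphics.attrib['passwd']` a few lines above, starts and ends outside the hunk.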