Bug
Resolution: Unresolved
rhel-10.1
rhel-virt-core
What were you trying to do that didn't work?
Without "encryption_key" in server.info and client.info, the VM cannot start with native TLS encryption on chardev TCP transports
(the "encryption_key" was removed in https://gitlab.com/redhat/rhel/src/libvirt/-/merge_requests/282/diffs)
Please provide the package NVR for which the bug is seen:
libvirt-11.5.0-4.el10.x86_64
gnutls-3.8.10-2.el10.x86_64
qemu-kvm-10.0.0-12.el10.x86_64
How reproducible:
100%
Steps to reproduce
1. Refer to https://libvirt.org/kbase/tlscerts.html to set up the Certificate Authority (CA):
# mkdir cert; cd cert
# certtool --generate-privkey > cakey.pem
# cat ca.info
cn = ca.redhat.com
ca
cert_signing_key
# certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem
# certtool -i --infile cacert.pem | grep Algorithm
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (3072 bits)
Signature Algorithm: RSA-SHA256
2. Generate the server certificate without "encryption_key":
# mkdir server ; cd server
# certtool --generate-privkey > serverkey.pem
# cp ~/cert/cakey.pem ./
# cp ~/cert/cacert.pem ./
# cat server.info
organization = Red Hat
state = London
country = GB
cn = kvm-08-guest32.lab.eng.rdu2.dc.redhat.com
dns_name = kvm-08-guest32.lab.eng.rdu2.dc.redhat.com
ip_address = 127.0.0.1
dns_name = localhost
tls_www_server
signing_key
# certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template server.info --outfile servercert.pem
# certtool -i --infile servercert.pem | grep Algorithm
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (3072 bits)
Signature Algorithm: RSA-SHA256
3. Generate the client certificate:
# mkdir /etc/pki/libvirt-chardev/
# cp ~/cert/cacert.pem /etc/pki/libvirt-chardev/
# cp ~/cert/cakey.pem /etc/pki/libvirt-chardev/
# cd /etc/pki/libvirt-chardev/
# cat client.info
country = GB
state = London
locality = London
organization = Red Hat
cn = qemu
tls_www_client
signing_key
# certtool --generate-privkey > clientkey.pem
# certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template client.info --outfile clientcert.pem
# mv clientcert.pem client-cert.pem
# mv clientkey.pem client-key.pem
# mv cacert.pem ca-cert.pem
# certtool -i --infile client-cert.pem | grep Algorithm
Subject Public Key Algorithm: RSA
Algorithm Security Level: High (3072 bits)
Signature Algorithm: RSA-SHA256
4. Run gnutls-serv as the server, and qemu as the client:
# cd ~/server
# gnutls-serv --echo --x509cafile cacert.pem --x509keyfile serverkey.pem --x509certfile servercert.pem
In another terminal:
# virsh dumpxml rhel --xpath //serial
<serial type="tcp">
  <source mode="connect" host="127.0.0.1" service="5556" tls="yes"/>
  <protocol type="raw"/>
  <target type="isa-serial" port="0">
    <model name="isa-serial"/>
  </target>
</serial>
# virsh start rhel
error: Failed to start domain 'rhel'
error: internal error: process exited while connecting to monitor: 2025-08-25T15:11:39.103696Z qemu-kvm: Certificate /etc/pki/libvirt-chardev/client-cert.pem usage does not permit key encipherment
5. When "encryption_key" is added to server.info and client.info, the VM starts successfully and console output appears on the gnutls-serv side, but errors like the following are generated continuously:
grub> [2Jcmd: 59 bytes command: grub> [01;01H 127 bytes command: grub> [8;056;240t0bytes command: grub> [2Jcmd: 127 bytes command: \redhat\shimx64.efi: loading Boot0003 "redhat" from HD(1,GPT,0542D2EF-5761-4385-BB77-60AFC11DE6DC,0 grub> ed cmd: 59 bytes command: error: ../../grub-core/script/function.c:119:can't find command `[01'. t\shimx64.efi starting Boot0003 "redhat" from HD(1,GPT,0542D2EF-5761-4385-BB77-60AFC11DE6DC,0x800,0 error: ../../grub-core/script/function.c:119:can't find command `[01'. error: ../../grub-core/script/function.c:119:can't find command `BdsDxe:'. error:[m./../grub-core/script/function.c:119:can't find command `01HBdsDxe:'. error:[30m../grub-core/script/function.c:119:can't find command `BdsDxe:'. grub> [40mmd: 42 bytes command: ction.c:119:can't find command `01HBdsDxe:'. grub> [2Jcmd: 76 bytes command: grub> [01;01H 76 bytes command: grub> [0mcmd: 59 bytes command: grub> [37mmd: 127 bytes command: grub> [40mmd: 59 bytes command: grub> [02;72HGRUB version 2.12d: grub> ed cmd: 76 bytes command: error: ../../grub-core/script/function.c:119:can't find command `[02'. error: ../../grub-core/script/function.c:119:can't find command `[02'.
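To see why a certificate generated from a template with only signing_key trips a "does not permit key encipherment" check, the following added example (not code from the bug report, libvirt, QEMU or GnuTLS) decodes the X.509 KeyUsage bit string and checks it against what a TLS key exchange actually needs. The three DER samples are constructed to match what certtool's signing_key, encryption_key and cert_signing_key keywords produce; the rsa-kx/tls13 mapping is a simplified model of the RFC 5280 key-usage rules, not QEMU's actual check.

```python
"""Decode an X.509 KeyUsage BIT STRING and check it against a TLS key exchange.

Added example; the DER samples are constructed, not taken from real certificates.
"""

# RFC 5280 section 4.2.1.3: KeyUsage bit positions, bit 0 is the MSB of byte 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Constructed DER BIT STRINGs for the three certtool template flavours used above.
SAMPLES = {
    "signing_key only (client.info / server.info as filed)": bytes.fromhex("03020780"),
    "signing_key + encryption_key (the workaround)":          bytes.fromhex("030205a0"),
    "ca + cert_signing_key (ca.info)":                        bytes.fromhex("03020106"),
}


def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING (tag 0x03) into a set of KeyUsage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported (long-form) length")
    unused, bits = der[2], der[3:]
    total_bits = len(bits) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, offset = divmod(i, 8)
        if bits[byte] & (0x80 >> offset):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def usage_problem(usages: set, key_exchange: str):
    """Return None if KeyUsage permits the exchange, else the missing usage.

    'rsa-kx' is TLS 1.2 RSA key transport (premaster secret encrypted to the
    certificate key, so keyEncipherment is required); 'tls13' and 'ecdhe' use
    an ephemeral exchange, so the certificate key only ever signs.
    """
    needed = {"rsa-kx": "keyEncipherment", "tls13": "digitalSignature",
              "ecdhe": "digitalSignature"}[key_exchange]
    return None if needed in usages else f"certificate usage does not permit {needed}"


if __name__ == "__main__":
    for name, der in SAMPLES.items():
        usages = decode_key_usage(der)
        print(f"{name}: {sorted(usages)}")
        for kx in ("rsa-kx", "tls13"):
            print(f"  {kx}: {usage_problem(usages, kx) or 'ok'}")
```

Only the rsa-kx row needs keyEncipherment; a signature-only key usage (which is all an ML-DSA key can ever carry) is sufficient for a TLS 1.3 handshake.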
Expected results
With TLS 1.3, the VM should start successfully without "encryption_key"
Actual results
For the default algorithm (RSA) without "encryption_key" in server.info and client.info, the VM cannot start; with "encryption_key", the VM can start and connect, but error prompts appear continuously on the server side.
When using "--key-type=mldsa65", the VM always fails to start with the same error message as below, regardless of whether encryption_key is present:
"qemu-kvm: Certificate /etc/pki/libvirt-chardev/client-cert.pem usage does not permit key encipherment"
relates to: RHEL-100711 Can't secure Libvirt with TLS 1.3 ML-DSA certificates (Release Pending)