We are not detecting the presence of FIPS from QEMU, but from procfs and that means it's not QEMU capability. It was decided that we will pass this flag to QEMU even if it's not supported by old QEMU binaries. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431 Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> --- Note: The original bug is that we are not detecting whether libvirtd binary has been updated, we detect that only for QEMU binary. So you could update libvirt without updating QEMU and new capabilities that could already exists in QEMU, but was recently implemented in libvirt wasn't enabled. I'll post a patch to fix this bug. src/qemu/qemu_capabilities.c | 24 ------------------------ src/qemu/qemu_command.c | 25 +++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 26 deletions(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index 9246813..5c3778d 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -3215,30 +3215,6 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps, config.data.nix.path = monpath; config.data.nix.listen = false; - /* Qemu 1.2 and later have a binary flag -enable-fips that must be - * used for VNC auth to obey FIPS settings; but the flag only - * exists on Linux, and with no way to probe for it via QMP. Our - * solution: if FIPS mode is required, then unconditionally use - * the flag, regardless of qemu version, for the following matrix: - * - * old QEMU new QEMU - * FIPS enabled doesn't start VNC auth disabled - * FIPS disabled/missing VNC auth enabled VNC auth enabled - * - * Setting the flag here instead of in virQEMUCapsInitQMPMonitor - * or virQEMUCapsInitHelp also allows the testsuite to be - * independent of FIPS setting. - */ - if (virFileExists("/proc/sys/crypto/fips_enabled")) { - char *buf = NULL; - - if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) - goto cleanup; - if (STREQ(buf, "1\n")) - virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS); - VIR_FREE(buf); - } - VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps); /* diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index f2e6e5a..3532518 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -7656,8 +7656,29 @@ qemuBuildCommandLine(virConnectPtr conn, if (!standalone) virCommandAddArg(cmd, "-S"); /* freeze CPU */ - if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) - virCommandAddArg(cmd, "-enable-fips"); + /* Qemu 1.2 and later have a binary flag -enable-fips that must be + * used for VNC auth to obey FIPS settings; but the flag only + * exists on Linux, and with no way to probe for it via QMP. Our + * solution: if FIPS mode is required, then unconditionally use + * the flag, regardless of qemu version, for the following matrix: + * + * old QEMU new QEMU + * FIPS enabled doesn't start VNC auth disabled + * FIPS disabled/missing VNC auth enabled VNC auth enabled + * + * Setting the flag here instead of in virQEMUCapsInitQMPMonitor + * or virQEMUCapsInitHelp also allows the testsuite to be + * independent of FIPS setting. + */ + if (virFileExists("/proc/sys/crypto/fips_enabled")) { + char *buf = NULL; + + if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) + goto error; + if (STREQ(buf, "1\n")) + virCommandAddArg(cmd, "-enable-fips"); + VIR_FREE(buf); + } if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0) goto error; -- 1.8.5.5 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list