On Tue, Oct 20, 2020 at 17:48:59 +0100, Daniel Berrange wrote:
> Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If
> FIPS compliance is required, QEMU must be built with libcrypt which will
> unconditionally enforce it.
>
> Thus there is no need for libvirt to pass -enable-fips to modern QEMU.
> Unfortunately there was never any way to probe for -enable-fips in the
> first instance, it was enabled by libvirt based on version number
> originally, and then later unconditionally enabled when libvirt dropped
> support for older QEMU. Similarly we now use a version number check to
> decide when to stop passing -enable-fips.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> src/qemu/qemu_capabilities.c | 8 ++++++++
> src/qemu/qemu_capabilities.h | 1 +
> src/qemu/qemu_command.c | 12 +++++++++++-
> src/qemu/qemu_command.h | 2 +-
> src/qemu/qemu_driver.c | 2 +-
> src/qemu/qemu_process.c | 2 +-
> 6 files changed, 23 insertions(+), 4 deletions(-)

[...]

> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index 44c45589f0..2976879fa3 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -581,6 +581,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
> /* 380 */
> QEMU_CAPS_USB_HOST_HOSTDEVICE, /* -device usb-host.hostdevice */
> QEMU_CAPS_VIRTIO_BALLOON_FREE_PAGE_REPORTING, /*virtio balloon free-page-reporting */
> + QEMU_CAPS_FIPS_IMPLIED, /* -enable-fips is no longer required, delegate to gcrypt */
>

Another option would be to re-start using QEMU_CAPS_ENABLE_FIPS which is
currently used for questionable testing in qemuxml2argvtest.

Consider this a

Reviewed-by: Peter Krempa <pkrempa@xxxxxxxxxx>

but I'll try looking at qemuxml2argvtest and its usage of
QEMU_CAPS_ENABLE_FIPS in a moment to see whether it can be improved and
alternatively even test this change.
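Review bot: the new enum entry's comment says "delegate to gcrypt" while the commit message says FIPS is enforced when QEMU is "built with libcrypt"; the two should name the same library, since libcrypt and libgcrypt are different things, e.g. `QEMU_CAPS_FIPS_IMPLIED, /* -enable-fips is no longer required, delegate to libgcrypt */`. Since the commit message states the flag cannot be probed and is derived purely from a version number check, the comment on the enum entry would also benefit from saying so, as every other entry in this enum block documents a probeable QEMU feature and a reader will otherwise look for a corresponding QMP query.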
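The decision the patch describes, passing -enable-fips only when the host is in FIPS mode and the QEMU binary predates 5.2.0, written out as a small self-contained C example. This is added illustration, not libvirt's or QEMU's code: the function names (qemu_version_encode, host_fips_enabled, qemu_needs_enable_fips, qemu_build_fips_args) are hypothetical, the major*1000000 + minor*1000 + micro version encoding and the /proc/sys/crypto/fips_enabled host check mirror how libvirt represents QEMU versions and detects host FIPS mode, and the 5.2.0 threshold is the one stated in the commit message. Sample inputs are constructed inline so it runs offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode "major.minor.micro" as major * 1000000 + minor * 1000 + micro
 * (the same integer form libvirt uses for QEMU versions; assumption made
 * for this example). Returns 0 on a malformed string. */
unsigned long qemu_version_encode(const char *str)
{
    unsigned int major, minor, micro;
    if (!str || sscanf(str, "%u.%u.%u", &major, &minor, &micro) != 3)
        return 0;
    return major * 1000000UL + minor * 1000UL + micro;
}

/* From QEMU 5.2.0 on, -enable-fips is deprecated and FIPS enforcement is
 * left to the crypto library QEMU was built against. */
#define QEMU_VERSION_FIPS_IMPLIED 5002000UL

/* Interpret the contents of /proc/sys/crypto/fips_enabled: "1\n" when the
 * host kernel runs in FIPS mode, anything else (or no file) means off. */
bool host_fips_enabled(const char *fips_enabled_contents)
{
    return fips_enabled_contents && fips_enabled_contents[0] == '1';
}

/* -enable-fips cannot be probed via QMP, so the version number is the only
 * signal. Pass the flag only for FIPS hosts running a pre-5.2.0 QEMU; an
 * unparseable version (0) is treated conservatively as "do not pass". */
bool qemu_needs_enable_fips(unsigned long qemu_version, bool host_fips)
{
    return host_fips &&
           qemu_version != 0 &&
           qemu_version < QEMU_VERSION_FIPS_IMPLIED;
}

/* Build the argv fragment; returns the number of entries written. */
size_t qemu_build_fips_args(const char *qemu_version_str,
                            const char *fips_enabled_contents,
                            const char *argv[], size_t argv_max)
{
    size_t n = 0;
    if (argv_max < 1)
        return 0;
    argv[n++] = "qemu-system-x86_64";
    if (n < argv_max &&
        qemu_needs_enable_fips(qemu_version_encode(qemu_version_str),
                               host_fips_enabled(fips_enabled_contents)))
        argv[n++] = "-enable-fips";
    return n;
}

int main(void)
{
    /* Constructed sample inputs; nothing here is read from a real host. */
    const char *cases[][2] = {
        { "4.2.0", "1\n" },   /* old QEMU, FIPS host: flag needed      */
        { "5.2.0", "1\n" },   /* new QEMU, FIPS host: flag implied     */
        { "5.1.0", "0\n" },   /* old QEMU, non-FIPS host: flag omitted */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        const char *argv[4];
        size_t n = qemu_build_fips_args(cases[i][0], cases[i][1], argv, 4);
        printf("qemu %s, fips_enabled=%c ->", cases[i][0], cases[i][1][0]);
        for (size_t j = 0; j < n; j++)
            printf(" %s", argv[j]);
        printf("\n");
    }
    return 0;
}
```

The conservative handling of an unparseable version matters: on a FIPS host the safer failure mode is to rely on the library-side enforcement a modern QEMU provides rather than to pass a flag a 5.2.0+ binary will warn about, and a management layer that guesses wrong in the other direction silently loses the FIPS guarantee on old binaries, so a real implementation should log or reject an unknown version rather than only defaulting.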