On Wed, Oct 21, 2020 at 11:51:10AM +0200, Paolo Bonzini wrote: > On 21/10/20 10:38, Daniel P. Berrangé wrote: > > On Tue, Oct 20, 2020 at 07:22:03PM +0200, Paolo Bonzini wrote: > >> On 20/10/20 18:22, Daniel P. Berrangé wrote: > >>> @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg) > >>> break; > >>> #if defined(CONFIG_LINUX) > >>> case QEMU_OPTION_enablefips: > >>> + warn_report("-enable-fips is deprecated, please build QEMU with " > >>> + "the `libgcrypt` library as the cryptography provider " > >>> + "to enable FIPS compliance"); > >>> fips_set_state(true); > >>> break; > >>> #endif > >> > >> Should you also remove fips_set_state(true) and make fips_get_state() > >> return the contents of /proc/sys/crypto/fips_enabled, so that VNC > >> password authentication is disabled? > > > > I did think about doing that, but decided that since my intention is > > to delete all trace of fips_get_state / fips_set_state at the end of > > the deprecation period, that it'd be saner just to leave the semantics > > unchanged during the deprecation period. > > But would it be correct? In order to have the advertised behavior of > "enable FIPS compliance just with procfs, no need to do anything in > QEMU" you need to disable VNC password authentication; so while > fips_set_state is an abomination, fips_get_state should remain. There's no need for fips_get_state. Once you build QEMU with libgcrypt, when VNC requests a DES cipher handle, gcrypt will return an error as that algorithm is forbidden in FIPS mode. This is the primary reason for outsourcing all crypto to a separate library and ignoring the impls in QEMU. Claiming QEMU is FIPS compliant without using libgcrypt is a bit of joke since we don't do any self-tests of ciphers, hence this deprecation notice is warning people that libgcrypt is going to be mandatory if you care about FIPS. > > Deprecation notices shouldn't really be associated with changes in > > functionality at time they are introduced. > > I think you can consider it a bugfix since no one sets fips_enabled > without knowing what they're doing. I just would rather not change semantics of something that we are intending to remove Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|