Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement

On 21/10/20 12:17, Daniel P. Berrangé wrote:
>> But would it be correct?  In order to have the advertised behavior of
>> "enable FIPS compliance just with procfs, no need to do anything in
>> QEMU" you need to disable VNC password authentication; so while
>> fips_set_state is an abomination, fips_get_state should remain.
> There's no need for fips_get_state. Once you build QEMU with
> libgcrypt, when VNC requests a DES cipher handle, gcrypt will
> return an error as that algorithm is forbidden in FIPS mode.

Oh, I thought we were still using our own code for the modified DES but
it _is_ actually using gcrypt or nettle if available.  Sorry for the noise.

> This is the primary reason for outsourcing all crypto to a
> separate library and ignoring the impls in QEMU.
> 
> Claiming QEMU is FIPS compliant without using libgcrypt is a
> bit of a joke since we don't do any self-tests of ciphers, hence
> this deprecation notice is warning people that libgcrypt is
> going to be mandatory if you care about FIPS.

Yes, agreed.

Paolo