Users requiring FIPS support must build QEMU with either the libgcrypt or gnutls libraries as the crytography backend. Reviewed-by: Philippe Mathieu-Daudé <f4bug@xxxxxxxxx> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- docs/about/deprecated.rst | 12 ------------ docs/about/removed-features.rst | 11 +++++++++++ include/qemu/osdep.h | 3 --- os-posix.c | 8 -------- qemu-options.hx | 10 ---------- ui/vnc.c | 7 ------- util/osdep.c | 28 ---------------------------- 7 files changed, 11 insertions(+), 68 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index cf02ef6821..257cc15f82 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -67,18 +67,6 @@ and will cause a warning. The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on`` rather than ``delay=off``. -``--enable-fips`` (since 6.0) -''''''''''''''''''''''''''''' - -This option restricts usage of certain cryptographic algorithms when -the host is operating in FIPS mode. - -If FIPS compliance is required, QEMU should be built with the ``libgcrypt`` -library enabled as a cryptography provider. - -Neither the ``nettle`` library, or the built-in cryptography provider are -supported on FIPS enabled hosts. - ``-writeconfig`` (since 6.0) ''''''''''''''''''''''''''''' diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index 4b831ea291..a66f4b73b2 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine. The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which should be used instead. +``--enable-fips`` (removed in 7.1) +'''''''''''''''''''''''''''''''''' + +This option restricted usage of certain cryptographic algorithms when +the host is operating in FIPS mode. + +If FIPS compliance is required, QEMU should be built with the ``libgcrypt`` +or ``gnutls`` library enabled as a cryptography provider. + +Neither the ``nettle`` library, or the built-in cryptography provider are +supported on FIPS enabled hosts. QEMU Machine Protocol (QMP) commands ------------------------------------ diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h index baaa23c156..52d81c027b 100644 --- a/include/qemu/osdep.h +++ b/include/qemu/osdep.h @@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]); void qemu_set_cloexec(int fd); -void fips_set_state(bool requested); -bool fips_get_state(void); - /* Return a dynamically allocated directory path that is appropriate for storing * local state. * diff --git a/os-posix.c b/os-posix.c index faf6e6978b..1b746dba97 100644 --- a/os-posix.c +++ b/os-posix.c @@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg) case QEMU_OPTION_daemonize: daemonize = 1; break; -#if defined(CONFIG_LINUX) - case QEMU_OPTION_enablefips: - warn_report("-enable-fips is deprecated, please build QEMU with " - "the `libgcrypt` library as the cryptography provider " - "to enable FIPS compliance"); - fips_set_state(true); - break; -#endif default: return -1; } diff --git a/qemu-options.hx b/qemu-options.hx index 34e9b32a5c..1764eebfaf 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4673,16 +4673,6 @@ HXCOMM Internal use DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL) DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL) -#ifdef __linux__ -DEF("enable-fips", 0, QEMU_OPTION_enablefips, - "-enable-fips enable FIPS 140-2 compliance\n", - QEMU_ARCH_ALL) -#endif -SRST -``-enable-fips`` - Enable FIPS 140-2 compliance mode. -ERST - DEF("msg", HAS_ARG, QEMU_OPTION_msg, "-msg [timestamp[=on|off]][,guest-name=[on|off]]\n" " control error message format\n" diff --git a/ui/vnc.c b/ui/vnc.c index badf1d7664..1347e27b5b 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp) password = qemu_opt_get_bool(opts, "password", false); } if (password) { - if (fips_get_state()) { - error_setg(errp, - "VNC password auth disabled due to FIPS mode, " - "consider using the VeNCrypt or SASL authentication " - "methods as an alternative"); - goto fail; - } if (!qcrypto_cipher_supports( QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) { error_setg(errp, diff --git a/util/osdep.c b/util/osdep.c index c7aec36f22..60fcbbaebe 100644 --- a/util/osdep.c +++ b/util/osdep.c @@ -31,8 +31,6 @@ #include "qemu/hw-version.h" #include "monitor/monitor.h" -static bool fips_enabled = false; - static const char *hw_version = QEMU_HW_VERSION; int socket_set_cork(int fd, int v) @@ -514,32 +512,6 @@ const char *qemu_hw_version(void) return hw_version; } -void fips_set_state(bool requested) -{ -#ifdef __linux__ - if (requested) { - FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r"); - if (fds != NULL) { - fips_enabled = (fgetc(fds) == '1'); - fclose(fds); - } - } -#else - fips_enabled = false; -#endif /* __linux__ */ - -#ifdef _FIPS_DEBUG - fprintf(stderr, "FIPS mode %s (requested %s)\n", - (fips_enabled ? "enabled" : "disabled"), - (requested ? "enabled" : "disabled")); -#endif -} - -bool fips_get_state(void) -{ - return fips_enabled; -} - #ifdef _WIN32 static void socket_cleanup(void) { -- 2.35.1