Rather than re-query all the time we can cache the state of FIPS of the host as it will not change during the runtime of the guest. Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and also populate 'hostFips' in qemuxml2argvtest.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/qemu/qemu_command.c | 14 ++------------
 src/qemu/qemu_conf.h | 1 +
 src/qemu/qemu_driver.c | 9 +++++++++
 tests/qemuxml2argvtest.c | 5 ++++-
 4 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index d3b3603fbe..3e9db271b1 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1787,21 +1787,11 @@ bool
 qemuCheckFips(virDomainObj *vm)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
- virQEMUCaps *qemuCaps = priv->qemuCaps;
- if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
 return false;
- if (virFileExists("/proc/sys/crypto/fips_enabled")) {
- g_autofree char *buf = NULL;
-
- if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
- return false;
- if (STREQ(buf, "1\n"))
- return true;
- }
-
- return false;
+ return priv->driver->hostFips;
 }
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index c71a666aea..5e752d075e 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -251,6 +251,7 @@ struct _virQEMUDriver {
 /* Immutable values */
 bool privileged;
 char *embeddedRoot;
+ bool hostFips; /* FIPS mode is enabled on the host */
 /* Immutable pointers. Caller must provide locking */
 virStateInhibitCallback inhibitCallback;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 4f6b295859..96ca67dfca 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
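Review bot: qemuCheckFips has no header comment, and after this hunk its answer depends on two inputs kept in different places: the QEMU_CAPS_ENABLE_FIPS capability tested on the new `if` line, and `priv->driver->hostFips`, which is filled in exactly once in qemuStateInitialize (the qemu_driver.c hunk of this patch). I would add above the `bool` return-type line, which sits in the hunk header rather than the hunk: `/* Return true if qemu must be started with '-enable-fips': the binary supports the flag and the host was in FIPS mode when the driver initialized. */`. It is also worth stating in that comment that the cached value is only as good as the one-time probe, so anything that builds a virQEMUDriver without going through qemuStateInitialize (the test harness in this patch does) must set hostFips itself or FIPS will silently read as disabled.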
@@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged,
 if (qemuMigrationDstErrorInit(qemu_driver) < 0)
 goto error;
+ /* qemu-5.1 and older requires use of '-enable-fips' flag when the host
+ * is in FIPS mode. We store whether FIPS is enabled */
+ if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+ g_autofree char *buf = NULL;
+
+ if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
+ qemu_driver->hostFips = STREQ(buf, "1\n");
+ }
+
 if (privileged) {
 g_autofree char *channeldir = NULL;
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 8d0d4acca9..385448b57a 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
 unsigned int flags)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
- bool enableFips = !!(flags & FLAG_FIPS_HOST);
+ bool enableFips;
 size_t i;
+ drv->hostFips = flags & FLAG_FIPS_HOST;
+ enableFips = drv->hostFips;
+
 if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
 VIR_QEMU_PROCESS_START_COLD) < 0)
 return NULL;
--
2.35.3
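Review bot: The new `> 0` test on virFileReadAll leaves hostFips false whenever /proc/sys/crypto/fips_enabled exists but cannot be read, so a host that is in FIPS mode would then start every guest without '-enable-fips' for the lifetime of the driver; the removed per-call code in qemuCheckFips failed the same way, so this is not a regression, but the one-time probe makes a failed read worth surfacing. I would give the read an explicit failure branch, e.g. `else VIR_WARN("cannot read host FIPS state, assuming FIPS is disabled");` after the `qemu_driver->hostFips = STREQ(buf, "1\n");` line, and if virFileReadAll reports a libvirt error on failure (as I would expect) note that it is left pending while initialization continues. The comment could also carry the caching rationale the commit message gives, e.g. `/* The host FIPS state cannot change at runtime, so probe it once here and cache it in hostFips for qemuCheckFips. */`. qemuStateInitialize starts and ends outside the hunk.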
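Review bot: `drv->hostFips = flags & FLAG_FIPS_HOST;` stores an unsigned bitmask into a bool; the conversion yields 0/1 so the result is correct, but the removed line used an explicit `!!`, and the new code also splits enableFips into an uninitialized declaration followed by a later assignment for no gain. I would keep the original initializer and derive the driver flag from it: `bool enableFips = !!(flags & FLAG_FIPS_HOST);` at the declaration, then `drv->hostFips = enableFips;` after `size_t i;`. Since the test driver is shared across cases, it is good that this helper sets hostFips unconditionally on every call; a comment saying so, `/* hostFips is normally probed by qemuStateInitialize; the test sets it per case */`, would save the next reader a lookup. testCompareXMLToArgvCreateArgs starts before the hunk and its use of enableFips continues after it.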