On 05.12.2013 22:54, Eric Blake wrote:
> On a system that is enforcing FIPS, most libraries honor the
> current mode by default. Qemu, on the other hand, refused to
> honor FIPS mode unless you add the '-enable-fips' command
> line option; worse, this option is not discoverable via QMP,
> and is only present on binaries built for Linux. As far as
> I can tell, unconditionally using the option when it is
> available has no negative consequences (the option has no
> change to qemu behavior except when FIPS is enabled, at which
> point it cripples insecure VNC passwords which is the one thing
> that libvirt must not allow when FIPS is active).
>
> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
>
> * src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
> * src/qemu/qemu_capabilities.c (virQEMUCapsInitQMPBasic):
> Conditionally set capability.
> * src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
> * tests/qemucapabilitiestest.c (testQemuCaps): Unconditionally set
> capability.
> * tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
> * tests/qemucapabilitiesdata/caps_1.3.1-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.4.2-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.5.3-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.6.50-1.caps: Likewise.
>
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> ---
>  src/qemu/qemu_capabilities.c                  | 7 +++++++
>  src/qemu/qemu_capabilities.h                  | 1 +
>  src/qemu/qemu_command.c                       | 2 ++
>  tests/qemucapabilitiesdata/caps_1.2.2-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.3.1-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.4.2-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.5.3-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.6.0-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.6.50-1.caps | 1 +
>  tests/qemucapabilitiestest.c                  | 6 ++++++
>  10 files changed, 22 insertions(+)

Sigh, oh boy, <your favorite swear-word>. ACK.

Michal