On Fri, Dec 13, 2013 at 15:15:59 +0000, Daniel Berrange wrote:
> On Fri, Dec 13, 2013 at 04:06:50PM +0100, Jiri Denemark wrote:
> > On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
> > > On 05.12.2013 22:54, Eric Blake wrote:
> > > > On a system that is enforcing FIPS, most libraries honor the
> > > > current mode by default. Qemu, on the other hand, refused to
> > > > honor FIPS mode unless you add the '-enable-fips' command
> > > > line option; worse, this option is not discoverable via QMP,
> > > > and is only present on binaries built for Linux. As far as
> > > > I can tell, unconditionally using the option when it is
> > > > available has no negative consequences (the option has no
> > > > change to qemu behavior except when FIPS is enabled, at which
> > > > point it cripples insecure VNC passwords which is the one thing
> > > > that libvirt must not allow when FIPS is active).
> > > >
> > > > This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
> > >
> > > Sigh, oh boy, <your favorite swear-word>. ACK.
> >
> > Don't we want to wait for QEMU to decide what they should be doing with
> > -enable-fips to make it detectable? If we push this patch, we can't
> > basically move into detecting the option and enabling it only when
> > detected since that could cause regressions for older QEMU versions that
> > supported the option but did not advertise it. If we just wait for the
> > option to be detectable and enable it only when we detect its support in
> > QEMU, we won't enable it for all possible QEMU versions but we won't
> > regress in any way.
>
> QEMU already detects current FIPS enablement via the file
> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
> This is really stupid given that all the crypto libraries that
> QEMU uses unconditionally look at the proc file. So by having this
> flag QEMU is in the insane situation where if FIPS is enabled then
> part of QEMU will honour FIPS settings but other parts of QEMU will
> not honour it until you pass --enable-fips. Insanity. So having
> libvirt pass --enable-fips unconditionally fixes this insanity as
> much as possible. Better yet if QEMU were to just remove the
> pointless --enable-fips arg and just respect the fips_enabled
> sysctl flag by default.

Of course, I don't question this part. I just don't like the black magic we
use to decide whether we can use -enable-fips or not and if we go this black
route, we will have to stick with it even if QEMU provides a proper way of
detecting -enable-fips. We could only use the detection in case our black
magic decides the option is not supported.

Jirka

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
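The thread turns on two facts: the kernel publishes its FIPS state in /proc/sys/crypto/fips_enabled (which the crypto libraries consult directly), and plain VNC password auth is what libvirt must refuse while FIPS is enforced. The following C program is an added illustration of that host-side check and policy decision; it is not code from libvirt or QEMU, and the function names (fipsModeFromText, hostFipsEnabledAt, hostFipsEnabled, vncPasswordAllowed) are hypothetical. Only the sysctl path comes from the discussion above.

```c
#include <stdio.h>
#include <stdbool.h>

/* Sysctl the Linux kernel exposes; the crypto libraries read it directly. */
#define FIPS_SYSCTL_PATH "/proc/sys/crypto/fips_enabled"

/*
 * Interpret the text of the fips_enabled sysctl. The kernel writes a single
 * digit followed by a newline; exactly "1" means FIPS mode is enforced.
 * Anything else (NULL, empty, "0", trailing garbage) is treated as "not
 * enforced" so a malformed read never silently claims FIPS is on.
 */
static int fipsModeFromText(const char *text)
{
    if (text == NULL)
        return 0;
    while (*text == ' ' || *text == '\t')
        text++;
    return (text[0] == '1' && (text[1] == '\n' || text[1] == '\0')) ? 1 : 0;
}

/*
 * Read the sysctl at 'path' (parameterised so the logic can be exercised
 * against a constructed file). Returns 1 if FIPS is enforced, 0 if it is
 * not, and -1 if the file cannot be read (non-Linux host, or a kernel
 * without the crypto sysctl), so callers can tell "off" from "unknown".
 */
static int hostFipsEnabledAt(const char *path)
{
    char buf[16] = "";
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    if (fgets(buf, sizeof(buf), fp) == NULL)
        buf[0] = '\0';
    fclose(fp);
    return fipsModeFromText(buf);
}

/* Convenience wrapper for the real sysctl location. */
static int hostFipsEnabled(void)
{
    return hostFipsEnabledAt(FIPS_SYSCTL_PATH);
}

/*
 * Policy check from the first message in the thread: plain VNC password
 * auth must not be allowed while FIPS is enforced. "Unknown" (-1) is treated
 * like a host without the sysctl, i.e. allowed; a stricter deployment could
 * choose to fail closed here instead. (Illustrative, not libvirt's code.)
 */
static bool vncPasswordAllowed(int fipsState)
{
    return fipsState != 1;
}

int main(void)
{
    int state = hostFipsEnabled();
    printf("host FIPS mode: %s\n",
           state == 1 ? "enforced" : state == 0 ? "off" : "unknown (sysctl absent)");
    printf("VNC password auth permitted: %s\n",
           vncPasswordAllowed(state) ? "yes" : "no");
    return 0;
}
```

Run on a Linux host the program reports the live sysctl value; the three-way return of hostFipsEnabledAt is the part worth keeping, since a missing file and a "0" look identical to a naive boolean read but mean different things when deciding whether a -enable-fips flag is relevant at all.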