On 12/13/2013 09:22 AM, Paolo Bonzini wrote: > Il 13/12/2013 16:15, Daniel P. Berrange ha scritto: >> QEMU already detects current FIPs enablement via the file >> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips. >> This is really stupid given that all the crypto libraries that >> QEMU uses unconditonally look at the proc file. So by having this >> flag QEMU is in the insane situation where if FIPS is enabled then >> part of QEMU will honour FIPS settings but other parts of QEMU will >> not honour it until you pass --enable-fips. Insanity. So having >> libvirt pass --enable-fips unconditionally fixes this insanity as >> much as possible. Better yet if QEMU were to just remove the >> pointless --enable-fips arg and just respect the fips_enabled >> sysctl flag by default. > > Could libvirt look at /proc/sys/crypto/fips_enabled itself, and pass > -enable-fips unconditionally (always: this means rejecting QEMUs that do > not support FIPS mode if you're in FIPS mode) if it is enabled? A little less blatant than hard-coding the solution in libvirt to trying the flag if compiled for Linux. I can do a v2 patch along those lines, for comparison, if desired. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list