On 12/13/2013 09:26 AM, Daniel P. Berrange wrote: >> Could libvirt look at /proc/sys/crypto/fips_enabled itself, and pass >> -enable-fips unconditionally (always: this means rejecting QEMUs that do >> not support FIPS mode if you're in FIPS mode) if it is enabled? > > QEMU already looks at the /proc file itself - the -enable-fips option > is just enabling that bit of checking code. But the point is that if libvirt looks at the file as its decision to pass '-enable-fips', then we have the following situations: old qemu (no -enable-fips, but also no checking of /proc), FIPS mode off: libvirt does not pass -enable-fips, and qemu still boots (good, no regression for people who don't care about fips) old qemu, FIPS mode on: libvirt passes -enable-fips, and qemu fails to boot for unrecognized option (good, since that version of qemu violates FIPS) old qemu, file not present: libvirt does not pass -enable-fips, qemu still boots (good, no regression for people on non-Linux) modern qemu (1.2 to present), FIPS mode off or file not present: libvirt does not pass -enable-fips, and qemu still boots (good, no regression for people who don't care about fips) modern qemu, FIPS mode on: libvirt passes -enable-fips, qemu boots and obeys fips (good, passes certification) future qemu (adding an ability to probe for binary commands): libvirt could be changed to take advantage of this, or stick to its existing behavior, but the end result is the same that qemu will always be booted in a FIPS-compliant mode when it matters -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list