[PATCHv3] qemu: ask for -enable-fips when FIPS is required

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On a system that is enforcing FIPS, most libraries honor the
current mode by default.  Qemu, on the other hand, refused to
honor FIPS mode unless you add the '-enable-fips' command
line option; worse, this option is not discoverable via QMP,
and is only present on binaries built for Linux.  So, if we
detect FIPS mode, then we unconditionally ask for FIPS; either
qemu is new enough to have the option and then correctly
cripple insecure VNC passwords, or it is so old that we are
correctly avoiding a FIPS violation by preventing qemu from
starting.  Meanwhile, if we don't detect FIPS mode, then
omitting the argument is safe whether the qemu has the option
(but it would do nothing because FIPS is disabled) or whether
qemu lacks the option (including in the case where we are not
running on Linux).

The testsuite was a bit interesting: we don't want our test
to depend on whether it is being run in FIPS mode, so I had
to tweak things to set the capability bit outside of our
normal interaction with capability parsing.

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474

* src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally
set capability according to detection of FIPS mode.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
* tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set
capability to test expected output.
* tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
* tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.

Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
---

v3: use virFileReadAll correctly

 src/qemu/qemu_capabilities.c                 | 27 ++++++++++++++++++++++++++-
 src/qemu/qemu_capabilities.h                 |  1 +
 src/qemu/qemu_command.c                      |  2 ++
 tests/qemucapabilitiesdata/caps_1.2.2-1.caps |  1 +
 tests/qemucapabilitiesdata/caps_1.6.0-1.caps |  1 +
 tests/qemucapabilitiestest.c                 | 20 +++++++++++++++-----
 6 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 5e9c65e..4f64f87 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -245,7 +245,8 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
               "kvm-pit-lost-tick-policy",

               "boot-strict", /* 160 */
-              "pvpanic", /* 161 */
+              "pvpanic",
+              "enable-fips",
     );

 struct _virQEMUCaps {
@@ -2630,6 +2631,30 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
     config.data.nix.path = monpath;
     config.data.nix.listen = false;

+    /* Qemu 1.2 and later have a binary flag -enable-fips that must be
+     * used for VNC auth to obey FIPS settings; but the flag only
+     * exists on Linux, and with no way to probe for it via QMP.  Our
+     * solution: if FIPS mode is required, then unconditionally use
+     * the flag, regardless of qemu version, for the following matrix:
+     *
+     *                          old QEMU            new QEMU
+     * FIPS enabled             doesn't start       VNC auth disabled
+     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
+     *
+     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
+     * or virQEMUCapsInitHelp also allows the testsuite to be
+     * independent of FIPS setting.
+     */
+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+        char *buf = NULL;
+
+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
+            goto cleanup;
+        if (STREQ(buf, "1\n"))
+            virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
+        VIR_FREE(buf);
+    }
+
     VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);

     /*
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index bbf4972..efb3f43 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -200,6 +200,7 @@ enum virQEMUCapsFlags {
     QEMU_CAPS_KVM_PIT_TICK_POLICY = 159, /* kvm-pit.lost_tick_policy */
     QEMU_CAPS_BOOT_STRICT        = 160, /* -boot strict */
     QEMU_CAPS_DEVICE_PANIC       = 161, /* -device pvpanic */
+    QEMU_CAPS_ENABLE_FIPS        = 162, /* -enable-fips */

     QEMU_CAPS_LAST,                   /* this must always be the last item */
 };
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index a80559e..d723dc8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7747,6 +7747,8 @@ qemuBuildCommandLine(virConnectPtr conn,
         }
     }
     virCommandAddArg(cmd, "-S"); /* freeze CPU */
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+        virCommandAddArg(cmd, "-enable-fips");

     if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)
         goto error;
diff --git a/tests/qemucapabilitiesdata/caps_1.2.2-1.caps b/tests/qemucapabilitiesdata/caps_1.2.2-1.caps
index 73a561d..c3ae814 100644
--- a/tests/qemucapabilitiesdata/caps_1.2.2-1.caps
+++ b/tests/qemucapabilitiesdata/caps_1.2.2-1.caps
@@ -112,4 +112,5 @@
     <flag name='usb-storage'/>
     <flag name='usb-storage.removable'/>
     <flag name='kvm-pit-lost-tick-policy'/>
+    <flag name='enable-fips'/>
   </qemuCaps>
diff --git a/tests/qemucapabilitiesdata/caps_1.6.0-1.caps b/tests/qemucapabilitiesdata/caps_1.6.0-1.caps
index c7ce591..2d50cf9 100644
--- a/tests/qemucapabilitiesdata/caps_1.6.0-1.caps
+++ b/tests/qemucapabilitiesdata/caps_1.6.0-1.caps
@@ -138,4 +138,5 @@
     <flag name='boot-strict'/>
     <flag name='pvpanic'/>
     <flag name='reboot-timeout'/>
+    <flag name='enable-fips'/>
   </qemuCaps>
diff --git a/tests/qemucapabilitiestest.c b/tests/qemucapabilitiestest.c
index d912171..3b34f78 100644
--- a/tests/qemucapabilitiestest.c
+++ b/tests/qemucapabilitiestest.c
@@ -31,6 +31,7 @@ typedef testQemuData *testQemuDataPtr;
 struct _testQemuData {
     virDomainXMLOptionPtr xmlopt;
     const char *base;
+    bool fips;
 };

 static qemuMonitorTestPtr
@@ -192,6 +193,12 @@ testQemuCaps(const void *opaque)
                                   qemuMonitorTestGetMonitor(mon)) < 0)
         goto cleanup;

+    /* So that our test does not depend on the contents of /proc, we
+     * hoisted the setting of ENABLE_FIPS to virQEMUCapsInitQMP.  But
+     * we do want to test the effect of that flag.  */
+    if (data->fips)
+        virQEMUCapsSet(capsComputed, QEMU_CAPS_ENABLE_FIPS);
+
     if (testQemuCapsCompare(capsProvided, capsComputed) < 0)
         goto cleanup;

@@ -227,16 +234,19 @@ mymain(void)

     data.xmlopt = xmlopt;

-#define DO_TEST(name) \
-    data.base = name; \
-    if (virtTestRun(name, testQemuCaps, &data) < 0) \
+#define DO_TEST_FULL(name, use_fips)                 \
+    data.base = name;                                \
+    data.fips = use_fips;                            \
+    if (virtTestRun(name, testQemuCaps, &data) < 0)  \
         ret = -1

-    DO_TEST("caps_1.2.2-1");
+#define DO_TEST(name) DO_TEST_FULL(name, false)
+
+    DO_TEST_FULL("caps_1.2.2-1", true);
     DO_TEST("caps_1.3.1-1");
     DO_TEST("caps_1.4.2-1");
     DO_TEST("caps_1.5.3-1");
-    DO_TEST("caps_1.6.0-1");
+    DO_TEST_FULL("caps_1.6.0-1", true);
     DO_TEST("caps_1.6.50-1");

     virObjectUnref(xmlopt);
-- 
1.8.4.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]