Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement

Wednesday, 21 October 2020

On Tue, Oct 20, 2020 at 07:22:03PM +0200, Paolo Bonzini wrote:
...
 On 20/10/20 18:22, Daniel P. Berrangé wrote:
 > @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
 >          break;
 >  #if defined(CONFIG_LINUX)
 >      case QEMU_OPTION_enablefips:
 > +        warn_report("-enable-fips is deprecated, please build QEMU with
"
 > +                    "the `libgcrypt` library as the cryptography provider
"
 > +                    "to enable FIPS compliance");
 >          fips_set_state(true);
 >          break;
 >  #endif

 Should you also remove fips_set_state(true) and make fips_get_state()
 return the contents of /proc/sys/crypto/fips_enabled, so that VNC
 password authentication is disabled? 
I did think about doing that, but decided that since my intention is
to delete all trace of fips_get_state / fips_set_state at the end of
the deprecation period, that it'd be saner just to leave the semantics
unchanged during the deprecation period.

Deprecation notices shouldn't really be associated with changes in
functionality at time they are introduced.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement