On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
> On 05.12.2013 22:54, Eric Blake wrote:
> > On a system that is enforcing FIPS, most libraries honor the
> > current mode by default. Qemu, on the other hand, refused to
> > honor FIPS mode unless you add the '-enable-fips' command
> > line option; worse, this option is not discoverable via QMP,
> > and is only present on binaries built for Linux. As far as
> > I can tell, unconditionally using the option when it is
> > available has no negative consequences (the option has no
> > change to qemu behavior except when FIPS is enabled, at which
> > point it cripples insecure VNC passwords which is the one thing
> > that libvirt must not allow when FIPS is active).
> >
> > This fixes
https://bugzilla.redhat.com/show_bug.cgi?id=1035474
>
> Sigh, oh boy, <your favorite swear-word>. ACK.
Don't we want to wait for QEMU to decide what they should be doing with
-enable-fips to make it detectable? If we push this patch, we can't
basically move into detecting the option and enabling it only when
detected since that could cause regressions for older QEMU version that
supported the option but did not advertise it. If we just wait for the
option to be detectable and enable it only when we detect its support in
QEMU, we won't enable it for all possible QEMU versions but we won't
regress in any way.
QEMU already detects current FIPs enablement via the file
/proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
This is really stupid given that all the crypto libraries that
QEMU uses unconditonally look at the proc file. So by having this
flag QEMU is in the insane situation where if FIPS is enabled then
part of QEMU will honour FIPS settings but other parts of QEMU will
not honour it until you pass --enable-fips. Insanity. So having
libvirt pass --enable-fips unconditionally fixes this insanity as
much as possible. Better yet if QEMU were to just remove the
pointless --enable-fips arg and just respect the fips_enabled
sysctl flag by default.
Regards,
Daniel
--
|: