On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
On 05.12.2013 22:54, Eric Blake wrote:
> On a system that is enforcing FIPS, most libraries honor the
> current mode by default. Qemu, on the other hand, refused to
> honor FIPS mode unless you add the '-enable-fips' command
> line option; worse, this option is not discoverable via QMP,
> and is only present on binaries built for Linux. As far as
> I can tell, unconditionally using the option when it is
> available has no negative consequences (the option has no
> change to qemu behavior except when FIPS is enabled, at which
> point it cripples insecure VNC passwords which is the one thing
> that libvirt must not allow when FIPS is active).
>
> This fixes
https://bugzilla.redhat.com/show_bug.cgi?id=1035474
Sigh, oh boy, <your favorite swear-word>. ACK.
Don't we want to wait for QEMU to decide what they should be doing with
-enable-fips to make it detectable? If we push this patch, we can't
basically move into detecting the option and enabling it only when
detected since that could cause regressions for older QEMU version that
supported the option but did not advertise it. If we just wait for the
option to be detectable and enable it only when we detect its support in
QEMU, we won't enable it for all possible QEMU versions but we won't
regress in any way.
Jirka