On Tue, Oct 20, 2020 at 17:48:59 +0100, Daniel Berrange wrote:
Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If
FIPS compliance is required, QEMU must be built with libcrypt which will
unconditionally enforce it.
Thus there is no need for libvirt to pass -enable-fips to modern QEMU.
Unfortunately there was never any way to probe for -enable-fips in the
first instance, it was enabled by libvirt based on version number
originally, and then later unconditionally enabled when libvirt dropped
support for older QEMU. Similarly we now use a version number check to
decide when to stop passing -enable-fips.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 8 ++++++++
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 12 +++++++++++-
src/qemu/qemu_command.h | 2 +-
src/qemu/qemu_driver.c | 2 +-
src/qemu/qemu_process.c | 2 +-
6 files changed, 23 insertions(+), 4 deletions(-)
[...]
diff --git a/src/qemu/qemu_capabilities.h
b/src/qemu/qemu_capabilities.h
index 44c45589f0..2976879fa3 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -581,6 +581,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check
*/
/* 380 */
QEMU_CAPS_USB_HOST_HOSTDEVICE, /* -device usb-host.hostdevice */
QEMU_CAPS_VIRTIO_BALLOON_FREE_PAGE_REPORTING, /*virtio balloon free-page-reporting
*/
+ QEMU_CAPS_FIPS_IMPLIED, /* -enable-fips is no longer required, delegate to gcrypt
*/
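Review bot: the comment on the new QEMU_CAPS_FIPS_IMPLIED entry says "delegate to gcrypt" while the commit message says QEMU must be built with libcrypt; the two should name the same library, because this enum comment is what a later reader will rely on to know which crypto backend is expected to enforce FIPS mode. It would also help to state in the comment that this flag is derived from a QEMU version check (>= 5.2.0) rather than probed, since the commit message explains there has never been a way to probe for -enable-fips; otherwise the next person to touch the capabilities code may go looking for a QMP-based detection that does not exist.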
Another option would be to re-start using QEMU_CAPS_ENABLE_FIPS which is
currently used for questionable testing in qemuxml2argvtest.
Consider this a
Reviewed-by: Peter Krempa <pkrempa(a)redhat.com>
but I'll try looking at qemuxml2argvtest and its usage of
QEMU_CAPS_ENABLE_FIPS in a moment to see whether it can be improved and
alternatively even test this change.