[PATCH v2 1/8] softmmu: remove deprecated --enable-fips option

Users requiring FIPS support must build QEMU with either the libgcrypt or gnutls libraries as the crytography backend. Reviewed-by: Philippe Mathieu-Daudé <f4bug(a)amsat.org&gt; Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com&gt; --- docs/about/deprecated.rst | 12 ------------ docs/about/removed-features.rst | 11 +++++++++++ include/qemu/osdep.h | 3 --- os-posix.c | 8 -------- qemu-options.hx | 10 ---------- ui/vnc.c | 7 ------- util/osdep.c | 28 ---------------------------- 7 files changed, 11 insertions(+), 68 deletions(-) diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst index 26d00812ba..a458dd453c 100644 --- a/docs/about/deprecated.rst +++ b/docs/about/deprecated.rst @@ -67,18 +67,6 @@ and will cause a warning. The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on`` rather than ``delay=off``. -``--enable-fips`` (since 6.0) -''''''''''''''''''''''''''''' - -This option restricts usage of certain cryptographic algorithms when -the host is operating in FIPS mode. - -If FIPS compliance is required, QEMU should be built with the ``libgcrypt`` -library enabled as a cryptography provider. - -Neither the ``nettle`` library, or the built-in cryptography provider are -supported on FIPS enabled hosts. - ``-writeconfig`` (since 6.0) ''''''''''''''''''''''''''''' diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst index cb0575fd49..6ca66f658d 100644 --- a/docs/about/removed-features.rst +++ b/docs/about/removed-features.rst @@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine. The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which should be used instead. +``--enable-fips`` (removed in 7.0) +'''''''''''''''''''''''''''''''''' + +This option restricted usage of certain cryptographic algorithms when +the host is operating in FIPS mode. + +If FIPS compliance is required, QEMU should be built with the ``libgcrypt`` +or ``gnutls`` library enabled as a cryptography provider. + +Neither the ``nettle`` library, or the built-in cryptography provider are +supported on FIPS enabled hosts. QEMU Machine Protocol (QMP) commands ------------------------------------ diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h index 7bcce3bceb..66e70e24ff 100644 --- a/include/qemu/osdep.h +++ b/include/qemu/osdep.h @@ -534,9 +534,6 @@ static inline void qemu_timersub(const struct timeval *val1, void qemu_set_cloexec(int fd); -void fips_set_state(bool requested); -bool fips_get_state(void); - /* Return a dynamically allocated pathname denoting a file or directory that is * appropriate for storing local state. * diff --git a/os-posix.c b/os-posix.c index ae6c9f2a5e..7cd662098e 100644 --- a/os-posix.c +++ b/os-posix.c @@ -151,14 +151,6 @@ int os_parse_cmd_args(int index, const char *optarg) case QEMU_OPTION_daemonize: daemonize = 1; break; -#if defined(CONFIG_LINUX) - case QEMU_OPTION_enablefips: - warn_report("-enable-fips is deprecated, please build QEMU with " - "the `libgcrypt` library as the cryptography provider " - "to enable FIPS compliance"); - fips_set_state(true); - break; -#endif default: return -1; } diff --git a/qemu-options.hx b/qemu-options.hx index 094a6c1d7c..cb0c58904b 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4655,16 +4655,6 @@ HXCOMM Internal use DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL) DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL) -#ifdef __linux__ -DEF("enable-fips", 0, QEMU_OPTION_enablefips, - "-enable-fips enable FIPS 140-2 compliance\n", - QEMU_ARCH_ALL) -#endif -SRST -``-enable-fips`` - Enable FIPS 140-2 compliance mode. -ERST - DEF("msg", HAS_ARG, QEMU_OPTION_msg, "-msg [timestamp[=on|off]][,guest-name=[on|off]]\n" " control error message format\n" diff --git a/ui/vnc.c b/ui/vnc.c index 3ccd33dedc..82b28aec95 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -4051,13 +4051,6 @@ void vnc_display_open(const char *id, Error **errp) password = qemu_opt_get_bool(opts, "password", false); } if (password) { - if (fips_get_state()) { - error_setg(errp, - "VNC password auth disabled due to FIPS mode, " - "consider using the VeNCrypt or SASL authentication " - "methods as an alternative"); - goto fail; - } if (!qcrypto_cipher_supports( QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) { error_setg(errp, diff --git a/util/osdep.c b/util/osdep.c index 723cdcb004..456df9e81a 100644 --- a/util/osdep.c +++ b/util/osdep.c @@ -43,8 +43,6 @@ extern int madvise(char *, size_t, int); #include "qemu/hw-version.h" #include "monitor/monitor.h" -static bool fips_enabled = false; - static const char *hw_version = QEMU_HW_VERSION; int socket_set_cork(int fd, int v) @@ -526,32 +524,6 @@ const char *qemu_hw_version(void) return hw_version; } -void fips_set_state(bool requested) -{ -#ifdef __linux__ - if (requested) { - FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r"); - if (fds != NULL) { - fips_enabled = (fgetc(fds) == '1'); - fclose(fds); - } - } -#else - fips_enabled = false; -#endif /* __linux__ */ - -#ifdef _FIPS_DEBUG - fprintf(stderr, "FIPS mode %s (requested %s)\n", - (fips_enabled ? "enabled" : "disabled"), - (requested ? "enabled" : "disabled")); -#endif -} - -bool fips_get_state(void) -{ - return fips_enabled; -} - #ifdef _WIN32 static void socket_cleanup(void) { -- 2.34.1