Re: [libvirt] [PATCH] qemu: always ask for -enable-fips
On 12/13/2013 09:26 AM, Daniel P. Berrange wrote:
> Could libvirt look at /proc/sys/crypto/fips_enabled itself, and
pass
> -enable-fips unconditionally (always: this means rejecting QEMUs that do
> not support FIPS mode if you're in FIPS mode) if it is enabled?
QEMU already looks at the /proc file itself - the -enable-fips option
is just enabling that bit of checking code.
But the point is that if libvirt looks at the file as its decision to
pass '-enable-fips', then we have the following situations:
old qemu (no -enable-fips, but also no checking of /proc), FIPS mode
off: libvirt does not pass -enable-fips, and qemu still boots (good, no
regression for people who don't care about fips)
old qemu, FIPS mode on: libvirt passes -enable-fips, and qemu fails to
boot for unrecognized option (good, since that version of qemu violates
FIPS)
old qemu, file not present: libvirt does not pass -enable-fips, qemu
still boots (good, no regression for people on non-Linux)
modern qemu (1.2 to present), FIPS mode off or file not present: libvirt
does not pass -enable-fips, and qemu still boots (good, no regression
for people who don't care about fips)
modern qemu, FIPS mode on: libvirt passes -enable-fips, qemu boots and
obeys fips (good, passes certification)
future qemu (adding an ability to probe for binary commands): libvirt
could be changed to take advantage of this, or stick to its existing
behavior, but the end result is the same that qemu will always be booted
in a FIPS-compliant mode when it matters
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 621 bytes)