On 13/12/2013 17:26, Daniel P. Berrange wrote:
> On Fri, Dec 13, 2013 at 05:22:30PM +0100, Paolo Bonzini wrote:
>> On 13/12/2013 16:15, Daniel P. Berrange wrote:
>>> QEMU already detects current FIPS enablement via the file
>>> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
>>> This is really stupid given that all the crypto libraries that
>>> QEMU uses unconditionally look at the proc file. So by having this
>>> flag QEMU is in the insane situation where if FIPS is enabled then
>>> part of QEMU will honour FIPS settings but other parts of QEMU will
>>> not honour it until you pass --enable-fips. Insanity. So having
>>> libvirt pass --enable-fips unconditionally fixes this insanity as
>>> much as possible. Better yet if QEMU were to just remove the
>>> pointless --enable-fips arg and just respect the fips_enabled
>>> sysctl flag by default.
>>
>> Could libvirt look at /proc/sys/crypto/fips_enabled itself, and pass
>> -enable-fips unconditionally (always: this means rejecting QEMUs that do
>> not support FIPS mode if you're in FIPS mode) if it is enabled?
>
> QEMU already looks at the /proc file itself - the -enable-fips option
> is just enabling that bit of checking code.

Yes, but we cannot always pass -enable-fips because that would
completely break old QEMU that doesn't have the option.

If libvirt checks the /proc file too, we have:

                  old QEMU            new QEMU
FIPS enabled      doesn't start       VNC auth disabled
FIPS disabled     VNC auth enabled    VNC auth enabled

It also has the side effect of passing the option only on Linux, without
the ugly #ifdef.

Paolo
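
The decision table in the message above, written out as an added example that is not part of the original thread and is not libvirt's code. The function names and the `qemu_has_enable_fips` flag are hypothetical; the flag is assumed to come from probing the QEMU binary.

```c
#include <stdio.h>
#include <stdbool.h>

/* The three distinct outcomes in the table. */
enum fips_decision {
    LAUNCH_PLAIN,        /* FIPS off: start QEMU without the option */
    LAUNCH_ENABLE_FIPS,  /* FIPS on, QEMU knows -enable-fips: pass it */
    REFUSE_TO_START      /* FIPS on, QEMU too old: do not start the guest */
};

/* True only if the file exists and its first character is '1'.
 * A missing file (non-Linux host, or a kernel without the sysctl) counts
 * as "FIPS disabled", so the check needs no #ifdef. */
bool host_fips_enabled(const char *path)
{
    FILE *fp = fopen(path, "r");
    int c;

    if (!fp)
        return false;
    c = fgetc(fp);
    fclose(fp);
    return c == '1';
}

/* qemu_has_enable_fips: hypothetical capability flag (assumption). */
enum fips_decision decide_fips(const char *path, bool qemu_has_enable_fips)
{
    if (!host_fips_enabled(path))
        return LAUNCH_PLAIN;
    return qemu_has_enable_fips ? LAUNCH_ENABLE_FIPS : REFUSE_TO_START;
}

int main(void)
{
    static const char *names[] = { "launch without the option",
                                   "launch with -enable-fips",
                                   "refuse to start" };
    const char *path = "/proc/sys/crypto/fips_enabled";

    printf("old QEMU: %s\n", names[decide_fips(path, false)]);
    printf("new QEMU: %s\n", names[decide_fips(path, true)]);
    return 0;
}
```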