Re: [libvirt] [PATCHV2] qemu: ask for -enable-fips when FIPS is required

On 12/13/13 19:51, Eric Blake wrote: > On a system that is enforcing FIPS, most libraries honor the > current mode by default. Qemu, on the other hand, refused to > honor FIPS mode unless you add the '-enable-fips' command > line option; worse, this option is not discoverable via QMP, > and is only present on binaries built for Linux. So, if we > detect FIPS mode, then we unconditionally ask for FIPS; either > qemu is new enough to have the option and then correctly > cripple insecure VNC passwords, or it is so old that we are > correctly avoiding a FIPS violation by preventing qemu from > starting. Meanwhile, if we don't detect FIPS mode, then > omitting the argument is safe whether the qemu has the option > (but it would do nothing because FIPS is disabled) or whether > qemu lacks the option (including in the case where we are not > running on Linux). >

> + if (virFileExists("/proc/sys/crypto/fips_enabled")) { > + char buf[sizeof("1\n")]; No need for the above buffer as virFileReadAll actually allocates the buffer itself.