Re: [libvirt] [PATCH] qemu: always ask for -enable-fips

Il 13/12/2013 16:15, Daniel P. Berrange ha scritto: > QEMU already detects current FIPs enablement via the file > /proc/sys/crypto/fips_enabled, but only if you use --enable-fips. > This is really stupid given that all the crypto libraries that > QEMU uses unconditonally look at the proc file. So by having this > flag QEMU is in the insane situation where if FIPS is enabled then > part of QEMU will honour FIPS settings but other parts of QEMU will > not honour it until you pass --enable-fips. Insanity. So having > libvirt pass --enable-fips unconditionally fixes this insanity as > much as possible. Better yet if QEMU were to just remove the > pointless --enable-fips arg and just respect the fips_enabled > sysctl flag by default. Could libvirt look at /proc/sys/crypto/fips_enabled itself, and pass -enable-fips unconditionally (always: this means rejecting QEMUs that do not support FIPS mode if you're in FIPS mode) if it is enabled?