Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement

> But would it be correct? In order to have the advertised behavior of > "enable FIPS compliance just with procfs, no need to do anything in > QEMU" you need to disable VNC password authentication; so while > fips_set_state is an abomination, fips_get_state should remain. There's no need for fips_get_state. Once you build QEMU with libgcrypt, when VNC requests a DES cipher handle, gcrypt will return an error as that algorithm is forbidden in FIPS mode.

This is the primary reason for outsourcing all crypto to a separate library and ignoring the impls in QEMU. Claiming QEMU is FIPS compliant without using libgcrypt is a bit of joke since we don't do any self-tests of ciphers, hence this deprecation notice is warning people that libgcrypt is going to be mandatory if you care about FIPS.