On 21/10/20 12:17, Daniel P. Berrangé wrote:
But would it be correct? In order to have the advertised behavior of "enable FIPS compliance just with procfs, no need to do anything in QEMU" you need to disable VNC password authentication; so while fips_set_state is an abomination, fips_get_state should remain. There's no need for fips_get_state. Once you build QEMU with libgcrypt, when VNC requests a DES cipher handle, gcrypt will return an error as that algorithm is forbidden in FIPS mode.
Oh, I thought we were still using our own code for the modified DES but it _is_ actually using gcrypt or nettle if available. Sorry for the noise.
This is the primary reason for outsourcing all crypto to a separate library and ignoring the impls in QEMU.
Claiming QEMU is FIPS compliant without using libgcrypt is a bit of joke since we don't do any self-tests of ciphers, hence this deprecation notice is warning people that libgcrypt is going to be mandatory if you care about FIPS.
Yes, agreed. Paolo