Now that we store the state of the host FIPS mode setting in the qemu
driver object, we don't need to outsource the logic into
'qemuCheckFips'.
Additionally since we no longer support very old qemu's which would not
yet have --enable-fips we can drop the part of the comment about very
old qemus.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_command.c | 41 +++++++++++++---------------------------
src/qemu/qemu_command.h | 5 -----
src/qemu/qemu_driver.c | 4 +---
src/qemu/qemu_process.c | 3 ---
src/qemu/qemu_process.h | 1 -
tests/qemuxml2argvtest.c | 9 +--------
6 files changed, 15 insertions(+), 48 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index c48575f78c..8705f0018c 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1769,32 +1769,6 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk)
}
-/* QEMU 1.2 and later have a binary flag -enable-fips that must be
- * used for VNC auth to obey FIPS settings; but the flag only
- * exists on Linux, and with no way to probe for it via QMP. Our
- * solution: if FIPS mode is required, then unconditionally use
- * the flag, regardless of qemu version, for the following matrix:
- *
- * old QEMU new QEMU
- * FIPS enabled doesn't start VNC auth disabled
- * FIPS disabled/missing VNC auth enabled VNC auth enabled
- *
- * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
- * where FIPS is required, QEMU must be built against libgcrypt
- * which automatically enforces FIPS compliance.
- */
-bool
-qemuCheckFips(virDomainObj *vm)
-{
- qemuDomainObjPrivate *priv = vm->privateData;
-
- if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
- return false;
-
- return priv->driver->hostFips;
-}
-
-
/**
* qemuDiskBusIsSD:
* @bus: disk bus
@@ -10417,7 +10391,6 @@ qemuBuildCommandLine(virDomainObj *vm,
const char *migrateURI,
virDomainMomentObj *snapshot,
virNetDevVPortProfileOp vmop,
- bool enableFips,
size_t *nnicindexes,
int **nicindexes,
unsigned int flags)
@@ -10478,7 +10451,19 @@ qemuBuildCommandLine(virDomainObj *vm,
if (qemuBuildPflashBlockdevCommandLine(cmd, priv) < 0)
return NULL;
- if (enableFips)
+ /* QEMU 1.2 and later have a binary flag -enable-fips that must be
+ * used for VNC auth to obey FIPS settings; but the flag only
+ * exists on Linux, and with no way to probe for it via QMP. Our
+ * solution: if FIPS mode is required, then unconditionally use the flag.
+ *
+ * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
+ * where FIPS is required, QEMU must be built against libgcrypt
+ * which automatically enforces FIPS compliance.
+ *
+ * Note this is the only use of driver->hostFips.
+ */
+ if (driver->hostFips &&
+ virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
virCommandAddArg(cmd, "-enable-fips");
if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps, priv) < 0)
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index db5b532cb8..72b0401c7b 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -51,7 +51,6 @@ virCommand *qemuBuildCommandLine(virDomainObj *vm,
const char *migrateURI,
virDomainMomentObj *snapshot,
virNetDevVPortProfileOp vmop,
- bool enableFips,
size_t *nnicindexes,
int **nicindexes,
unsigned int flags);
@@ -214,10 +213,6 @@ int qemuGetDriveSourceString(virStorageSource *src,
bool
qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk);
-
-bool
-qemuCheckFips(virDomainObj *vm);
-
virJSONValue *qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 8097dcf144..2ca264d9f9 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6391,9 +6391,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
if (qemuConnectDomainXMLToNativePrepareHost(vm) < 0)
return NULL;
- if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL,
- qemuCheckFips(vm),
- commandlineflags)))
+ if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL, commandlineflags)))
return NULL;
return virCommandToString(cmd, false);
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index fbad1254a0..d50cf2e6be 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7448,7 +7448,6 @@ qemuProcessLaunch(virConnectPtr conn,
if (!(cmd = qemuBuildCommandLine(vm,
incoming ? "defer" : NULL,
snapshot, vmop,
- qemuCheckFips(vm),
&nnicindexes, &nicindexes, 0)))
goto cleanup;
@@ -7947,14 +7946,12 @@ qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
virCommand *
qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
const char *migrateURI,
- bool enableFips,
unsigned int flags)
{
return qemuBuildCommandLine(vm,
migrateURI,
NULL,
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
- enableFips,
NULL,
NULL,
flags);
diff --git a/src/qemu/qemu_process.h b/src/qemu/qemu_process.h
index 9856da3bb5..2387fcdcdc 100644
--- a/src/qemu/qemu_process.h
+++ b/src/qemu/qemu_process.h
@@ -99,7 +99,6 @@ int qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
virCommand *qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
const char *migrateURI,
- bool enableFips,
unsigned int flags);
int qemuProcessInit(virQEMUDriver *driver,
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 2385fa1209..50aea47a68 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -386,11 +386,9 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
unsigned int flags)
{
qemuDomainObjPrivate *priv = vm->privateData;
- bool enableFips;
size_t i;
drv->hostFips = flags & FLAG_FIPS_HOST;
- enableFips = drv->hostFips;
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
VIR_QEMU_PROCESS_START_COLD) < 0)
@@ -486,12 +484,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
}
}
- /* we can't use qemuCheckFips() directly as it queries host state */
- if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
- enableFips = false;
-
- return qemuProcessCreatePretendCmdBuild(vm, migrateURI,
- enableFips, 0);
+ return qemuProcessCreatePretendCmdBuild(vm, migrateURI, 0);
}
--
2.35.3