[PATCH v2 0/2] qemu: stop passing -enable-fips to QEMU >= 5.2.0

v2:
 - rebased patch 2 on current master
 - sanitized testing of -enable-fips in qemuxml2argvtest
 - reused existing QEMU_CAPS_ENABLE_FIPS flag with inverted logic (saves us from having to remove it later and also doesn't add new flag to new guests)
 - qemuxml2argvtest now tests the output, which is more obvious on qemu version bumps than qemucapabilitiestest

Daniel P. Berrangé (1):
  qemu: stop passing -enable-fips to QEMU >= 5.2.0

Peter Krempa (1):
  qemuxml2argvtest: Sanitize testing of '-enable-fips'

 src/qemu/qemu_capabilities.c | 7 ++++
 src/qemu/qemu_command.c | 12 +++++-
 src/qemu/qemu_command.h | 2 +-
 src/qemu/qemu_driver.c | 2 +-
 src/qemu/qemu_process.c | 2 +-
 .../caps_1.5.3.x86_64.xml | 1 +
 .../caps_1.6.0.x86_64.xml | 1 +
 .../caps_1.7.0.x86_64.xml | 1 +
 .../caps_2.1.1.x86_64.xml | 1 +
 .../caps_2.10.0.aarch64.xml | 1 +
 .../caps_2.10.0.ppc64.xml | 1 +
 .../caps_2.10.0.s390x.xml | 1 +
 .../caps_2.10.0.x86_64.xml | 1 +
 .../caps_2.11.0.s390x.xml | 1 +
 .../caps_2.11.0.x86_64.xml | 1 +
 .../caps_2.12.0.aarch64.xml | 1 +
 .../caps_2.12.0.ppc64.xml | 1 +
 .../caps_2.12.0.s390x.xml | 1 +
 .../caps_2.12.0.x86_64.xml | 1 +
 .../caps_2.4.0.x86_64.xml | 1 +
 .../caps_2.5.0.x86_64.xml | 1 +
 .../caps_2.6.0.aarch64.xml | 1 +
 .../qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 +
 .../caps_2.6.0.x86_64.xml | 1 +
 .../qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
 .../caps_2.7.0.x86_64.xml | 1 +
 .../qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
 .../caps_2.8.0.x86_64.xml | 1 +
 .../qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 +
 .../qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
 .../caps_2.9.0.x86_64.xml | 1 +
 .../qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
 .../caps_3.0.0.riscv32.xml | 1 +
 .../caps_3.0.0.riscv64.xml | 1 +
 .../qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
 .../caps_3.0.0.x86_64.xml | 1 +
 .../qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
 .../caps_3.1.0.x86_64.xml | 1 +
 .../caps_4.0.0.aarch64.xml | 1 +
 .../qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
 .../caps_4.0.0.riscv32.xml | 1 +
 .../caps_4.0.0.riscv64.xml | 1 +
 .../qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
 .../caps_4.0.0.x86_64.xml | 1 +
 .../caps_4.1.0.x86_64.xml | 1 +
 .../caps_4.2.0.aarch64.xml | 1 +
 .../qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
 .../qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
 .../caps_4.2.0.x86_64.xml | 1 +
 .../caps_5.0.0.aarch64.xml | 1 +
 .../qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
 .../caps_5.0.0.riscv64.xml | 1 +
 .../caps_5.0.0.x86_64.xml | 1 +
 .../caps_5.1.0.x86_64.xml | 1 +
 .../caps_5.2.0.x86_64.xml | 1 +
 tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
 .../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
 .../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
 tests/qemuxml2argvtest.c | 16 +++++--
 tests/testutilsqemu.h | 2 +-
 60 files changed, 163 insertions(+), 42 deletions(-)
 delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
 create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
 create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args

-- 
2.26.2

Rename 'FLAG_FIPS' to 'FLAG_FIPS_HOST' to signify that we are simulating a host supporting fips mode and use the flag to assert 'enableFips' argument of 'qemuProcessCreatePretendCmdBuild' rather than passing it via QEMU_CAPS_ENABLE_FIPS.

This prepares the testsuite for testing of -enable-fips deprecation in qemu-5.2.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
 .../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
 .../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
 tests/qemuxml2argvtest.c | 11 +++--
 tests/testutilsqemu.h | 2 +-
 5 files changed, 87 insertions(+), 38 deletions(-)
 delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
 create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
 create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args

diff --git a/tests/qemuxml2argvdata/fips-enabled.args b/tests/qemuxml2argvdata/fips-enabled.args deleted file mode 100644 index 91b32bd96c..0000000000 --- a/tests/qemuxml2argvdata/fips-enabled.args +++ /dev/null 
@@ -1,31 +0,0 @@ -LC_ALL=C \ -PATH=/bin \ -HOME=/tmp/lib/domain--1-QEMUGuest1 \ -USER=test \ -LOGNAME=test \ -XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \ -XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \ -XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \ -QEMU_AUDIO_DRV=none \ -/usr/bin/qemu-system-i386 \ --name QEMUGuest1 \ --S \ --enable-fips \ --machine pc,accel=tcg,usb=off,dump-guest-core=off \ --m 214 \ --realtime mlock=off \ --smp 1,sockets=1,cores=1,threads=1 \ --uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ --display none \ --no-user-config \ --nodefaults \ --chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\ -server,nowait \ --mon chardev=charmonitor,id=monitor,mode=control \ --rtc base=utc \ --no-shutdown \ --no-acpi \ --usb \ --drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \ --device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \ --device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 diff --git a/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args b/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args new file mode 100644 index 0000000000..e0e416d391 --- /dev/null +++ b/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args 
@@ -0,0 +1,40 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-QEMUGuest1 \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-i386 \ +-name guest=QEMUGuest1,debug-threads=on \ +-S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \ +-enable-fips \ +-machine pc-i440fx-5.1,accel=tcg,usb=off,dump-guest-core=off \ +-cpu qemu64 \ +-m 214 \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-no-acpi \ +-boot strict=on \ +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ +-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1",\ +"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\ +"file":"libvirt-1-storage"}' \ +-device ide-hd,bus=ide.0,unit=0,drive=libvirt-1-format,id=ide0-0-0,bootindex=1 \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ +resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args b/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args new file mode 100644 index 0000000000..c06046c398 --- /dev/null +++ b/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args 
@@ -0,0 +1,41 @@ +LC_ALL=C \ +PATH=/bin \ +HOME=/tmp/lib/domain--1-QEMUGuest1 \ +USER=test \ +LOGNAME=test \ +XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \ +XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \ +XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \ +QEMU_AUDIO_DRV=none \ +/usr/bin/qemu-system-i386 \ +-name guest=QEMUGuest1,debug-threads=on \ +-S \ +-object secret,id=masterKey0,format=raw,\ +file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \ +-enable-fips \ +-machine pc,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram \ +-cpu qemu64 \ +-m 214 \ +-object memory-backend-ram,id=pc.ram,size=224395264 \ +-overcommit mem-lock=off \ +-smp 1,sockets=1,cores=1,threads=1 \ +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \ +-display none \ +-no-user-config \ +-nodefaults \ +-chardev socket,id=charmonitor,fd=1729,server,nowait \ +-mon chardev=charmonitor,id=monitor,mode=control \ +-rtc base=utc \ +-no-shutdown \ +-no-acpi \ +-boot strict=on \ +-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \ +-blockdev '{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1",\ +"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \ +-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\ +"file":"libvirt-1-storage"}' \ +-device ide-hd,bus=ide.0,unit=0,drive=libvirt-1-format,id=ide0-0-0,bootindex=1 \ +-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \ +-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\ +resourcecontrol=deny \ +-msg timestamp=on diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index abc982890f..cdd606cb42 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -380,7 +380,7 @@ testCheckExclusiveFlags(int flags) { virCheckFlags(FLAG_EXPECT_FAILURE | FLAG_EXPECT_PARSE_ERROR | - FLAG_FIPS | + FLAG_FIPS_HOST | FLAG_REAL_CAPS | FLAG_SKIP_LEGACY_CPUS | FLAG_SLIRP_HELPER | 
@@ -399,6 +399,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv, unsigned int flags, bool jsonPropsValidation) { + bool enableFips = !!(flags & FLAG_FIPS_HOST); size_t i; if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI, false, @@ -489,7 +490,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv, } return qemuProcessCreatePretendCmdBuild(drv, vm, migrateURI, - (flags & FLAG_FIPS), false, + enableFips, false, jsonPropsValidation); } @@ -610,9 +611,6 @@ testCompareXMLToArgv(const void *data) virSetConnectSecret(conn); virSetConnectStorage(conn); - if (virQEMUCapsGet(info->qemuCaps, QEMU_CAPS_ENABLE_FIPS)) - flags |= FLAG_FIPS; - if (testCheckExclusiveFlags(info->flags) < 0) goto cleanup; @@ -2961,7 +2959,8 @@ mymain(void) DO_TEST("panic-no-address", QEMU_CAPS_DEVICE_PANIC); - DO_TEST("fips-enabled", QEMU_CAPS_ENABLE_FIPS); + DO_TEST_CAPS_ARCH_VER_FULL("fips-enabled", "x86_64", "5.1.0", ARG_FLAGS, FLAG_FIPS_HOST); + DO_TEST_CAPS_ARCH_LATEST_FULL("fips-enabled", "x86_64", ARG_FLAGS, FLAG_FIPS_HOST); DO_TEST("shmem", QEMU_CAPS_DEVICE_IVSHMEM); DO_TEST("shmem-plain-doorbell", QEMU_CAPS_DEVICE_IVSHMEM, diff --git a/tests/testutilsqemu.h b/tests/testutilsqemu.h index 66f9cef48e..79af1be50d 100644 --- a/tests/testutilsqemu.h +++ b/tests/testutilsqemu.h @@ -48,7 +48,7 @@ typedef enum { typedef enum { FLAG_EXPECT_FAILURE = 1 << 0, FLAG_EXPECT_PARSE_ERROR = 1 << 1, - FLAG_FIPS = 1 << 2, + FLAG_FIPS_HOST = 1 << 2, /* simulate host with FIPS mode enabled */ FLAG_REAL_CAPS = 1 << 3, FLAG_SKIP_LEGACY_CPUS = 1 << 4, FLAG_SLIRP_HELPER = 1 << 5, -- 2.26.2
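Review bot: in the testCompareXMLToArgvCreateArgs hunk the new local `bool enableFips = !!(flags & FLAG_FIPS_HOST);` is declared at the top of the function but is only consumed in the qemuProcessCreatePretendCmdBuild() call in the second hunk of the same function, about 90 lines further down; either pass `!!(flags & FLAG_FIPS_HOST)` at the call site or declare the local next to its use so each hunk reads on its own. The explicit `!!` is a real improvement over the previous `(flags & FLAG_FIPS)`, which relied on an implicit int-to-bool conversion.

Review bot: both new expected outputs, fips-enabled.x86_64-5.1.0.args and fips-enabled.x86_64-latest.args, still carry `-enable-fips`, which is correct for this patch since the option is now gated only on FLAG_FIPS_HOST; the commit message should say so explicitly, and note that the latest file is the one expected to change once the deprecation handling in the follow-up patch is exercised against released 5.2.0 capability data, so that a later change to that file is recognised as intended rather than as a regression.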

On Wed, Oct 21, 2020 at 10:35:26AM +0200, Peter Krempa wrote:
> Rename 'FLAG_FIPS' to 'FLAG_FIPS_HOST' to signify that we are simulating a host supporting fips mode and use the flag to assert 'enableFips' argument of 'qemuProcessCreatePretendCmdBuild' rather than passing it via QEMU_CAPS_ENABLE_FIPS.
> 
> This prepares the testsuite for testing of -enable-fips deprecation in qemu-5.2.
> 
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
>  .../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
>  .../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
>  tests/qemuxml2argvtest.c | 11 +++--
>  tests/testutilsqemu.h | 2 +-
>  5 files changed, 87 insertions(+), 38 deletions(-)
>  delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
>  create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
>  create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

From: Daniel P. Berrangé <berrange@redhat.com>

Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If FIPS compliance is required, QEMU must be built with libcrypt which will unconditionally enforce it. Thus there is no need for libvirt to pass -enable-fips to modern QEMU.

Unfortunately there was never any way to probe for -enable-fips in the first instance, it was enabled by libvirt based on version number originally, and then later unconditionally enabled when libvirt dropped support for older QEMU. Similarly we now use a version number check to decide when to stop passing -enable-fips.

Note that the qemu-5.2 capabilities are currently from the pre-release version and will be updated once qemu-5.2 is released.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_capabilities.c | 7 +++++++
 src/qemu/qemu_command.c | 12 +++++++++++-
 src/qemu/qemu_command.h | 2 +-
 src/qemu/qemu_driver.c | 2 +-
 src/qemu/qemu_process.c | 2 +-
 tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 +
 tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 + tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 + tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 + tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 + tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 + tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 + tests/qemuxml2argvtest.c | 5 +++++ 56 files changed, 76 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c index e2957cf0b2..0af587b251 100644 --- a/src/qemu/qemu_capabilities.c +++ b/src/qemu/qemu_capabilities.c @@ -5153,6 +5153,13 @@ virQEMUCapsInitQMPVersionCaps(virQEMUCapsPtr qemuCaps) /* TCG couldn't be disabled nor queried until QEMU 2.10 */ if (qemuCaps->version < 2010000) virQEMUCapsSet(qemuCaps, QEMU_CAPS_TCG); + + /* -enable-fips is deprecated in QEMU 5.2.0, and QEMU + * should be built with gcrypt to achieve FIPS compliance + * automatically / implicitly + */ + if (qemuCaps->version < 5002000) + virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS); } diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 700f6d781c..db5a632586 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c 
@@ -1089,10 +1089,20 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDefPtr disk) * old QEMU new QEMU * FIPS enabled doesn't start VNC auth disabled * FIPS disabled/missing VNC auth enabled VNC auth enabled + * + * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios + * where FIPS is required, QEMU must be built against libgcrypt + * which automatically enforces FIPS compliance. */ bool -qemuCheckFips(void) +qemuCheckFips(virDomainObjPtr vm) { + qemuDomainObjPrivatePtr priv = vm->privateData; + virQEMUCapsPtr qemuCaps = priv->qemuCaps; + + if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) + return false; + if (virFileExists("/proc/sys/crypto/fips_enabled")) { g_autofree char *buf = NULL; diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index d452905fdf..5fa4d1ba8b 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h @@ -213,7 +213,7 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDefPtr disk); bool -qemuCheckFips(void); +qemuCheckFips(virDomainObjPtr vm); virJSONValuePtr qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu) ATTRIBUTE_NONNULL(1); diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index bb4a46be98..6d352bc34c 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -6512,7 +6512,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn, goto cleanup; if (!(cmd = qemuProcessCreatePretendCmdBuild(driver, vm, NULL, - qemuCheckFips(), true, false))) + qemuCheckFips(vm), true, false))) goto cleanup; ret = virCommandToString(cmd, false); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index fae386917d..fd02cbe28b 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6900,7 +6900,7 @@ qemuProcessLaunch(virConnectPtr conn, incoming ? incoming->launchURI : NULL, snapshot, vmop, false, - qemuCheckFips(), + qemuCheckFips(vm), &nnicindexes, &nicindexes, 0))) goto cleanup; 
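Review bot: the three descriptions of the crypto library disagree: the commit message says QEMU must be built with "libcrypt", the new comment in the qemu_capabilities.c hunk says "gcrypt", and the comment added above qemuCheckFips() in the qemu_command.c hunk says "libgcrypt". libcrypt is an unrelated library (the crypt(3) password-hashing implementation), so the commit message should be corrected to libgcrypt to match the code comments, and the two comments should use the same spelling.

Review bot: the qemu_command.h hunk changes qemuCheckFips() to take `virDomainObjPtr vm`, and the qemu_command.c hunk dereferences `vm->privateData` unconditionally, yet the new prototype carries no ATTRIBUTE_NONNULL(1), unlike the adjacent qemuBuildHotpluggableCPUProps() declaration visible in the same hunk; add the annotation so that a NULL vm from either call site (qemu_driver.c, qemu_process.c) is caught at compile time rather than at runtime.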
diff --git a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml index 0b103f25dc..ad8ef54464 100644 --- a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml @@ -62,6 +62,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='usb-audio'/> <flag name='splash-timeout'/> diff --git a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml index 0361f343ec..a9650bfa58 100644 --- a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml @@ -65,6 +65,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml index 439219fa2e..b53c2f977f 100644 --- a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml @@ -66,6 +66,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml index 050e3c7059..97b29df47d 100644 --- a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml index b0fcbc4218..34a4c2b3a5 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml @@ -50,6 +50,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml index edf01d2e2f..7f8e9106ea 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml @@ -49,6 +49,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml index 98a3c0eec2..7b3d75976f 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml index 98b1a94349..b31acd3571 100644 --- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml index 0391f4b81e..59a6cdf360 100644 --- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml index 9eaafb4ba6..9e8868f032 100644 --- a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml index a5d6dc3bef..c36324ca92 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml @@ -50,6 +50,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml index d1ed9f6e28..e35f440bf7 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml @@ -49,6 +49,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml index cef6ebb9ad..a679d8cc05 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml index 6d48699e3e..4b5f660e18 100644 --- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml index 310f69499f..64aeaeef5b 100644 --- a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml index af9b9e96fd..51c3c00cb7 100644 --- a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml index ec17ca5c27..5f74659837 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml @@ -52,6 +52,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml index 13e6df006e..1f5ccbcd08 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml @@ -49,6 +49,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml index c25731997e..a6419f1efb 100644 --- a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml index 2421b46f35..b46e16c0d8 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml index 9f25bd17ec..984b62b7b3 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml index 8c63aeec07..cda8d08c4d 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml index 4e022e2d84..855a1a7392 100644 --- a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml index e72611e0a8..94e990da0f 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml @@ -49,6 +49,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> 
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml index b48dc98501..9cdcb9988a 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml @@ -31,6 +31,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml index d7b2d0633d..2990242a18 100644 --- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml index e4a560bac5..65999c8f77 100644 --- a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml @@ -48,6 +48,7 @@ <flag name='usb-storage.removable'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml index 71f9b0c37f..0b87d591a8 100644 --- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml +++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml @@ -21,6 +21,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> 
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml index 279078d541..595b2cb171 100644 --- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml +++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml @@ -21,6 +21,7 @@ <flag name='drive-discard'/> <flag name='virtio-mmio'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml index f1ed34c612..79494a95bb 100644 --- a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml @@ -32,6 +32,7 @@ <flag name='mem-merge'/> <flag name='drive-discard'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml index ae1836b28f..7d37e4f6a2 100644 --- a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml @@ -67,6 +67,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml index 0dc0393c22..30e8c2dc2e 100644 --- a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml @@ -49,6 +49,7 @@ <flag name='usb-storage.removable'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> 
diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml index d4ff21fdac..6d1e612bfc 100644 --- a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml @@ -67,6 +67,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml index 404a39af03..29e8222c18 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml @@ -52,6 +52,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml index cb0232173c..83f3074dd8 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml @@ -51,6 +51,7 @@ <flag name='usb-storage.removable'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml index 11475306f9..614cd8ab0f 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml @@ -55,6 +55,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml index 608590a35b..14877ca5c2 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml @@ -55,6 +55,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml index f4d20169e0..92998c8d89 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml @@ -32,6 +32,7 @@ <flag name='mem-merge'/> <flag name='drive-discard'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml index e3f83372c2..8fde984e11 100644 --- a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml @@ -67,6 +67,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml index c32d8ea5d8..339b3d176b 100644 --- a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml @@ -67,6 +67,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml index 11a964ed39..c90c9aafd5 100644 --- a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml @@ -52,6 +52,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml index 60aef01f7b..578b28fdaf 100644 --- a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml @@ -51,6 +51,7 @@ <flag name='usb-storage.removable'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml index 76e2747b65..7142736174 100644 --- a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml @@ -32,6 +32,7 @@ <flag name='mem-merge'/> <flag name='drive-discard'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> <flag name='change-backing-file'/> diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml index fd63a0ee02..1907fb5ae7 100644 --- a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml index 928af2a01c..28cbd7ab70 100644 --- a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml +++ b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml @@ -54,6 +54,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml index e8668a25a9..34e38516f0 100644 --- a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml +++ b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml @@ -52,6 +52,7 @@ <flag name='usb-storage.removable'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> <flag name='active-commit'/> diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml index 85a8a46dac..cc5c83de8c 100644 --- a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml +++ b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml @@ -55,6 +55,7 @@ <flag name='virtio-mmio'/> <flag name='ich9-intel-hda'/> <flag name='boot-strict'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml index 546b9b0422..20643488c9 100644 --- a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> 
diff --git a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml index 9ebd7ea582..f4c7a518c9 100644 --- a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml index 975f00b5e1..3931924abe 100644 --- a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml +++ b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml @@ -68,6 +68,7 @@ <flag name='kvm-pit-lost-tick-policy'/> <flag name='boot-strict'/> <flag name='pvpanic'/> + <flag name='enable-fips'/> <flag name='spice-file-xfer-disable'/> <flag name='usb-kbd'/> <flag name='msg-timestamp'/> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index cdd606cb42..9f62d55a80 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -399,6 +399,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv, unsigned int flags, bool jsonPropsValidation) { + qemuDomainObjPrivatePtr priv = vm->privateData; bool enableFips = !!(flags & FLAG_FIPS_HOST); size_t i; @@ -489,6 +490,10 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv, } } + /* we can't use qemuCheckFips() directly as it queries host state */ + if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS)) + enableFips = false; + return qemuProcessCreatePretendCmdBuild(drv, vm, migrateURI, enableFips, false, jsonPropsValidation); -- 2.26.2
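Review bot: the caps_5.2.0.x86_64.xml hunk adds `<flag name='enable-fips'/>` alongside every older capabilities file, so with the test data as posted the new override in testCompareXMLToArgvCreateArgs (`if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS)) enableFips = false;`) has no capabilities file in which it can fire, and the command line without -enable-fips for QEMU >= 5.2.0 is not actually checked by qemuxml2argvtest. Since the 5.2.0 data is from a pre-release build, either regenerate it before merging or add a qemuxml2argvtest case whose capabilities lack the flag, so that the FLAG_FIPS_HOST path is exercised in both directions. The comment "we can't use qemuCheckFips() directly as it queries host state" is helpful; consider also noting there that QEMU_CAPS_ENABLE_FIPS is now a version-derived flag with inverted meaning, since a reader of the test alone would otherwise expect it to be probed.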

On Wed, Oct 21, 2020 at 10:35:27AM +0200, Peter Krempa wrote:
> From: Daniel P. Berrangé <berrange@redhat.com>
>
> Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If FIPS compliance is required, QEMU must be built with libcrypt which will unconditionally enforce it.
>
> Thus there is no need for libvirt to pass -enable-fips to modern QEMU. Unfortunately there was never any way to probe for -enable-fips in the first instance, it was enabled by libvirt based on version number originally, and then later unconditionally enabled when libvirt dropped support for older QEMU. Similarly we now use a version number check to decide when to stop passing -enable-fips.
>
> Note that the qemu-5.2 capabilities are currently from the pre-release version and will be updated once qemu-5.2 is released.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
>  src/qemu/qemu_capabilities.c                       |  7 +++++++
>  src/qemu/qemu_command.c                            | 12 +++++++++++-
>  src/qemu/qemu_command.h                            |  2 +-
>  src/qemu/qemu_driver.c                             |  2 +-
>  src/qemu/qemu_process.c                            |  2 +-
>  tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml |  1 +
>  tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml |  1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml    |  1 +
>  tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml  |  1 +
>  tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml   |  1 +
>  tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml   |  1 +
>  tests/qemuxml2argvtest.c                           |  5 +++++
>  56 files changed, 76 insertions(+), 4 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|