3:35 a.m.
v2:
- rebased patch 2 on current master
- sanitized testing of -enable-fips in qemuxml2argvtest
- reused existing QEMU_CAPS_ENABLE_FIPS flag with inverted logic
(saves us from having to remove it later and also doesn't add new
flag to new guests)
- qemuxml2argvtest now tests the output, which is more obvious on
qemu version bumps than qemucapabilitiestest
Daniel P. Berrangé (1):
qemu: stop passing -enable-fips to QEMU >= 5.2.0
Peter Krempa (1):
qemuxml2argvtest: Sanitize testing of '-enable-fips'
src/qemu/qemu_capabilities.c | 7 ++++
src/qemu/qemu_command.c | 12 +++++-
src/qemu/qemu_command.h | 2 +-
src/qemu/qemu_driver.c | 2 +-
src/qemu/qemu_process.c | 2 +-
.../caps_1.5.3.x86_64.xml | 1 +
.../caps_1.6.0.x86_64.xml | 1 +
.../caps_1.7.0.x86_64.xml | 1 +
.../caps_2.1.1.x86_64.xml | 1 +
.../caps_2.10.0.aarch64.xml | 1 +
.../caps_2.10.0.ppc64.xml | 1 +
.../caps_2.10.0.s390x.xml | 1 +
.../caps_2.10.0.x86_64.xml | 1 +
.../caps_2.11.0.s390x.xml | 1 +
.../caps_2.11.0.x86_64.xml | 1 +
.../caps_2.12.0.aarch64.xml | 1 +
.../caps_2.12.0.ppc64.xml | 1 +
.../caps_2.12.0.s390x.xml | 1 +
.../caps_2.12.0.x86_64.xml | 1 +
.../caps_2.4.0.x86_64.xml | 1 +
.../caps_2.5.0.x86_64.xml | 1 +
.../caps_2.6.0.aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 +
.../caps_2.6.0.x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
.../caps_2.7.0.x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
.../caps_2.8.0.x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 +
.../qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
.../caps_2.9.0.x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
.../caps_3.0.0.riscv32.xml | 1 +
.../caps_3.0.0.riscv64.xml | 1 +
.../qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
.../caps_3.0.0.x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
.../caps_3.1.0.x86_64.xml | 1 +
.../caps_4.0.0.aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
.../caps_4.0.0.riscv32.xml | 1 +
.../caps_4.0.0.riscv64.xml | 1 +
.../qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
.../caps_4.0.0.x86_64.xml | 1 +
.../caps_4.1.0.x86_64.xml | 1 +
.../caps_4.2.0.aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
.../qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
.../caps_4.2.0.x86_64.xml | 1 +
.../caps_5.0.0.aarch64.xml | 1 +
.../qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
.../caps_5.0.0.riscv64.xml | 1 +
.../caps_5.0.0.x86_64.xml | 1 +
.../caps_5.1.0.x86_64.xml | 1 +
.../caps_5.2.0.x86_64.xml | 1 +
tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
.../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
.../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
tests/qemuxml2argvtest.c | 16 +++++---
tests/testutilsqemu.h | 2 +-
60 files changed, 163 insertions(+), 42 deletions(-)
delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
--
2.26.2
3:35 a.m.
New subject: [PATCH v2 1/2] qemuxml2argvtest: Sanitize testing of '-enable-fips'
Rename 'FLAG_FIPS' to 'FLAG_FIPS_HOST' to signify that we are simulating
a host supporting fips mode and use the flag to assert 'enabeFips'
argument of 'qemuProcessCreatePretendCmdBuild' rather than passing it
via QEMU_CAPS_ENABLE_FIPS.
This prepares the testsuite for testing of -enable-fips deprecation in
qemu-5.2.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
.../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
.../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
tests/qemuxml2argvtest.c | 11 +++--
tests/testutilsqemu.h | 2 +-
5 files changed, 87 insertions(+), 38 deletions(-)
delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
diff --git a/tests/qemuxml2argvdata/fips-enabled.args
b/tests/qemuxml2argvdata/fips-enabled.args
deleted file mode 100644
index 91b32bd96c..0000000000
--- a/tests/qemuxml2argvdata/fips-enabled.args
+++ /dev/null
@@ -1,31 +0,0 @@
-LC_ALL=C \
-PATH=/bin \
-HOME=/tmp/lib/domain--1-QEMUGuest1 \
-USER=test \
-LOGNAME=test \
-XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
-XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
-XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
-QEMU_AUDIO_DRV=none \
-/usr/bin/qemu-system-i386 \
--name QEMUGuest1 \
--S \
--enable-fips \
--machine pc,accel=tcg,usb=off,dump-guest-core=off \
--m 214 \
--realtime mlock=off \
--smp 1,sockets=1,cores=1,threads=1 \
--uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
--display none \
--no-user-config \
--nodefaults \
--chardev socket,id=charmonitor,path=/tmp/lib/domain--1-QEMUGuest1/monitor.sock,\
-server,nowait \
--mon chardev=charmonitor,id=monitor,mode=control \
--rtc base=utc \
--no-shutdown \
--no-acpi \
--usb \
--drive file=/dev/HostVG/QEMUGuest1,format=raw,if=none,id=drive-ide0-0-0 \
--device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
--device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
b/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
new file mode 100644
index 0000000000..e0e416d391
--- /dev/null
+++ b/tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
@@ -0,0 +1,40 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i386 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+-enable-fips \
+-machine pc-i440fx-5.1,accel=tcg,usb=off,dump-guest-core=off \
+-cpu qemu64 \
+-m 214 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-blockdev
'{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1",\
+"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
+"file":"libvirt-1-storage"}' \
+-device ide-hd,bus=ide.0,unit=0,drive=libvirt-1-format,id=ide0-0-0,bootindex=1 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
b/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
new file mode 100644
index 0000000000..c06046c398
--- /dev/null
+++ b/tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
@@ -0,0 +1,41 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/tmp/lib/domain--1-QEMUGuest1 \
+USER=test \
+LOGNAME=test \
+XDG_DATA_HOME=/tmp/lib/domain--1-QEMUGuest1/.local/share \
+XDG_CACHE_HOME=/tmp/lib/domain--1-QEMUGuest1/.cache \
+XDG_CONFIG_HOME=/tmp/lib/domain--1-QEMUGuest1/.config \
+QEMU_AUDIO_DRV=none \
+/usr/bin/qemu-system-i386 \
+-name guest=QEMUGuest1,debug-threads=on \
+-S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-QEMUGuest1/master-key.aes \
+-enable-fips \
+-machine pc,accel=tcg,usb=off,dump-guest-core=off,memory-backend=pc.ram \
+-cpu qemu64 \
+-m 214 \
+-object memory-backend-ram,id=pc.ram,size=224395264 \
+-overcommit mem-lock=off \
+-smp 1,sockets=1,cores=1,threads=1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-display none \
+-no-user-config \
+-nodefaults \
+-chardev socket,id=charmonitor,fd=1729,server,nowait \
+-mon chardev=charmonitor,id=monitor,mode=control \
+-rtc base=utc \
+-no-shutdown \
+-no-acpi \
+-boot strict=on \
+-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 \
+-blockdev
'{"driver":"host_device","filename":"/dev/HostVG/QEMUGuest1",\
+"node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}'
\
+-blockdev
'{"node-name":"libvirt-1-format","read-only":false,"driver":"raw",\
+"file":"libvirt-1-storage"}' \
+-device ide-hd,bus=ide.0,unit=0,drive=libvirt-1-format,id=ide0-0-0,bootindex=1 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
+-sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,\
+resourcecontrol=deny \
+-msg timestamp=on
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index abc982890f..cdd606cb42 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -380,7 +380,7 @@ testCheckExclusiveFlags(int flags)
{
virCheckFlags(FLAG_EXPECT_FAILURE |
FLAG_EXPECT_PARSE_ERROR |
- FLAG_FIPS |
+ FLAG_FIPS_HOST |
FLAG_REAL_CAPS |
FLAG_SKIP_LEGACY_CPUS |
FLAG_SLIRP_HELPER |
@@ -399,6 +399,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv,
unsigned int flags,
bool jsonPropsValidation)
{
+ bool enableFips = !!(flags & FLAG_FIPS_HOST);
size_t i;
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI, false,
@@ -489,7 +490,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv,
}
return qemuProcessCreatePretendCmdBuild(drv, vm, migrateURI,
- (flags & FLAG_FIPS), false,
+ enableFips, false,
jsonPropsValidation);
}
@@ -610,9 +611,6 @@ testCompareXMLToArgv(const void *data)
virSetConnectSecret(conn);
virSetConnectStorage(conn);
- if (virQEMUCapsGet(info->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
- flags |= FLAG_FIPS;
-
if (testCheckExclusiveFlags(info->flags) < 0)
goto cleanup;
@@ -2961,7 +2959,8 @@ mymain(void)
DO_TEST("panic-no-address",
QEMU_CAPS_DEVICE_PANIC);
- DO_TEST("fips-enabled", QEMU_CAPS_ENABLE_FIPS);
+ DO_TEST_CAPS_ARCH_VER_FULL("fips-enabled", "x86_64",
"5.1.0", ARG_FLAGS, FLAG_FIPS_HOST);
+ DO_TEST_CAPS_ARCH_LATEST_FULL("fips-enabled", "x86_64",
ARG_FLAGS, FLAG_FIPS_HOST);
DO_TEST("shmem", QEMU_CAPS_DEVICE_IVSHMEM);
DO_TEST("shmem-plain-doorbell", QEMU_CAPS_DEVICE_IVSHMEM,
diff --git a/tests/testutilsqemu.h b/tests/testutilsqemu.h
index 66f9cef48e..79af1be50d 100644
--- a/tests/testutilsqemu.h
+++ b/tests/testutilsqemu.h
@@ -48,7 +48,7 @@ typedef enum {
typedef enum {
FLAG_EXPECT_FAILURE = 1 << 0,
FLAG_EXPECT_PARSE_ERROR = 1 << 1,
- FLAG_FIPS = 1 << 2,
+ FLAG_FIPS_HOST = 1 << 2, /* simulate host with FIPS mode enabled */
FLAG_REAL_CAPS = 1 << 3,
FLAG_SKIP_LEGACY_CPUS = 1 << 4,
FLAG_SLIRP_HELPER = 1 << 5,
--
2.26.2
3:52 a.m.
New subject: [PATCH v2 1/2] qemuxml2argvtest: Sanitize testing of '-enable-fips'
On Wed, Oct 21, 2020 at 10:35:26AM +0200, Peter Krempa wrote:
Rename 'FLAG_FIPS' to 'FLAG_FIPS_HOST' to signify
that we are simulating
a host supporting fips mode and use the flag to assert 'enabeFips'
argument of 'qemuProcessCreatePretendCmdBuild' rather than passing it
via QEMU_CAPS_ENABLE_FIPS.
This prepares the testsuite for testing of -enable-fips deprecation in
qemu-5.2.
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
tests/qemuxml2argvdata/fips-enabled.args | 31 --------------
.../fips-enabled.x86_64-5.1.0.args | 40 ++++++++++++++++++
.../fips-enabled.x86_64-latest.args | 41 +++++++++++++++++++
tests/qemuxml2argvtest.c | 11 +++--
tests/testutilsqemu.h | 2 +-
5 files changed, 87 insertions(+), 38 deletions(-)
delete mode 100644 tests/qemuxml2argvdata/fips-enabled.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-5.1.0.args
create mode 100644 tests/qemuxml2argvdata/fips-enabled.x86_64-latest.args
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
3:35 a.m.
New subject: [PATCH v2 2/2] qemu: stop passing -enable-fips to QEMU >= 5.2.0
From: Daniel P. Berrangé <berrange(a)redhat.com>
Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If
FIPS compliance is required, QEMU must be built with libcrypt which will
unconditionally enforce it.
Thus there is no need for libvirt to pass -enable-fips to modern QEMU.
Unfortunately there was never any way to probe for -enable-fips in the
first instance, it was enabled by libvirt based on version number
originally, and then later unconditionally enabled when libvirt dropped
support for older QEMU. Similarly we now use a version number check to
decide when to stop passing -enable-fips.
Note that the qemu-5.2 capabilities are currently from the pre-release
version and will be updated once qemu-5.2 is released.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 7 +++++++
src/qemu/qemu_command.c | 12 +++++++++++-
src/qemu/qemu_command.h | 2 +-
src/qemu/qemu_driver.c | 2 +-
src/qemu/qemu_process.c | 2 +-
tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 +
tests/qemuxml2argvtest.c | 5 +++++
56 files changed, 76 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index e2957cf0b2..0af587b251 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -5153,6 +5153,13 @@ virQEMUCapsInitQMPVersionCaps(virQEMUCapsPtr qemuCaps)
/* TCG couldn't be disabled nor queried until QEMU 2.10 */
if (qemuCaps->version < 2010000)
virQEMUCapsSet(qemuCaps, QEMU_CAPS_TCG);
+
+ /* -enable-fips is deprecated in QEMU 5.2.0, and QEMU
+ * should be built with gcrypt to achieve FIPS compliance
+ * automatically / implicitly
+ */
+ if (qemuCaps->version < 5002000)
+ virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
}
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 700f6d781c..db5a632586 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1089,10 +1089,20 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDefPtr disk)
* old QEMU new QEMU
* FIPS enabled doesn't start VNC auth disabled
* FIPS disabled/missing VNC auth enabled VNC auth enabled
+ *
+ * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
+ * where FIPS is required, QEMU must be built against libgcrypt
+ * which automatically enforces FIPS compliance.
*/
bool
-qemuCheckFips(void)
+qemuCheckFips(virDomainObjPtr vm)
{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ virQEMUCapsPtr qemuCaps = priv->qemuCaps;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ return false;
+
if (virFileExists("/proc/sys/crypto/fips_enabled")) {
g_autofree char *buf = NULL;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index d452905fdf..5fa4d1ba8b 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -213,7 +213,7 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDefPtr disk);
bool
-qemuCheckFips(void);
+qemuCheckFips(virDomainObjPtr vm);
virJSONValuePtr qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index bb4a46be98..6d352bc34c 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6512,7 +6512,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
goto cleanup;
if (!(cmd = qemuProcessCreatePretendCmdBuild(driver, vm, NULL,
- qemuCheckFips(), true, false)))
+ qemuCheckFips(vm), true, false)))
goto cleanup;
ret = virCommandToString(cmd, false);
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index fae386917d..fd02cbe28b 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6900,7 +6900,7 @@ qemuProcessLaunch(virConnectPtr conn,
incoming ? incoming->launchURI : NULL,
snapshot, vmop,
false,
- qemuCheckFips(),
+ qemuCheckFips(vm),
&nnicindexes, &nicindexes, 0)))
goto cleanup;
diff --git a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
index 0b103f25dc..ad8ef54464 100644
--- a/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml
@@ -62,6 +62,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='usb-audio'/>
<flag name='splash-timeout'/>
diff --git a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
index 0361f343ec..a9650bfa58 100644
--- a/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml
@@ -65,6 +65,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
index 439219fa2e..b53c2f977f 100644
--- a/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml
@@ -66,6 +66,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
index 050e3c7059..97b29df47d 100644
--- a/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml
index b0fcbc4218..34a4c2b3a5 100644
--- a/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml
@@ -50,6 +50,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml
index edf01d2e2f..7f8e9106ea 100644
--- a/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml
@@ -49,6 +49,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml
index 98a3c0eec2..7b3d75976f 100644
--- a/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
index 98b1a94349..b31acd3571 100644
--- a/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
index 0391f4b81e..59a6cdf360 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
index 9eaafb4ba6..9e8868f032 100644
--- a/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
index a5d6dc3bef..c36324ca92 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml
@@ -50,6 +50,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
index d1ed9f6e28..e35f440bf7 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml
@@ -49,6 +49,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
index cef6ebb9ad..a679d8cc05 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
index 6d48699e3e..4b5f660e18 100644
--- a/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
index 310f69499f..64aeaeef5b 100644
--- a/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
index af9b9e96fd..51c3c00cb7 100644
--- a/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml
index ec17ca5c27..5f74659837 100644
--- a/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml
@@ -52,6 +52,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml
index 13e6df006e..1f5ccbcd08 100644
--- a/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml
@@ -49,6 +49,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
index c25731997e..a6419f1efb 100644
--- a/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
index 2421b46f35..b46e16c0d8 100644
--- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
index 9f25bd17ec..984b62b7b3 100644
--- a/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
index 8c63aeec07..cda8d08c4d 100644
--- a/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
index 4e022e2d84..855a1a7392 100644
--- a/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml
index e72611e0a8..94e990da0f 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml
@@ -49,6 +49,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
index b48dc98501..9cdcb9988a 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml
@@ -31,6 +31,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
index d7b2d0633d..2990242a18 100644
--- a/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
index e4a560bac5..65999c8f77 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml
@@ -48,6 +48,7 @@
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
index 71f9b0c37f..0b87d591a8 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml
@@ -21,6 +21,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
index 279078d541..595b2cb171 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml
@@ -21,6 +21,7 @@
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
index f1ed34c612..79494a95bb 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml
@@ -32,6 +32,7 @@
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
index ae1836b28f..7d37e4f6a2 100644
--- a/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml
@@ -67,6 +67,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
index 0dc0393c22..30e8c2dc2e 100644
--- a/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml
@@ -49,6 +49,7 @@
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
index d4ff21fdac..6d1e612bfc 100644
--- a/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml
@@ -67,6 +67,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
index 404a39af03..29e8222c18 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml
@@ -52,6 +52,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
index cb0232173c..83f3074dd8 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml
@@ -51,6 +51,7 @@
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
index 11475306f9..614cd8ab0f 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml
@@ -55,6 +55,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
index 608590a35b..14877ca5c2 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml
@@ -55,6 +55,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
index f4d20169e0..92998c8d89 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml
@@ -32,6 +32,7 @@
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
index e3f83372c2..8fde984e11 100644
--- a/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml
@@ -67,6 +67,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
index c32d8ea5d8..339b3d176b 100644
--- a/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml
@@ -67,6 +67,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
index 11a964ed39..c90c9aafd5 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml
@@ -52,6 +52,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
index 60aef01f7b..578b28fdaf 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml
@@ -51,6 +51,7 @@
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
index 76e2747b65..7142736174 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml
@@ -32,6 +32,7 @@
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
diff --git a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
index fd63a0ee02..1907fb5ae7 100644
--- a/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
index 928af2a01c..28cbd7ab70 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml
@@ -54,6 +54,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
index e8668a25a9..34e38516f0 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml
@@ -52,6 +52,7 @@
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
index 85a8a46dac..cc5c83de8c 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml
@@ -55,6 +55,7 @@
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
index 546b9b0422..20643488c9 100644
--- a/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
index 9ebd7ea582..f4c7a518c9 100644
--- a/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
index 975f00b5e1..3931924abe 100644
--- a/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
+++ b/tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml
@@ -68,6 +68,7 @@
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index cdd606cb42..9f62d55a80 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -399,6 +399,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv,
unsigned int flags,
bool jsonPropsValidation)
{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
bool enableFips = !!(flags & FLAG_FIPS_HOST);
size_t i;
@@ -489,6 +490,10 @@ testCompareXMLToArgvCreateArgs(virQEMUDriverPtr drv,
}
}
+ /* we can't use qemuCheckFips() directly as it queries host state */
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ enableFips = false;
+
return qemuProcessCreatePretendCmdBuild(drv, vm, migrateURI,
enableFips, false,
jsonPropsValidation);
--
2.26.2
3:53 a.m.
New subject: [PATCH v2 2/2] qemu: stop passing -enable-fips to QEMU >= 5.2.0
On Wed, Oct 21, 2020 at 10:35:27AM +0200, Peter Krempa wrote:
From: Daniel P. Berrangé <berrange(a)redhat.com>
Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If
FIPS compliance is required, QEMU must be built with libcrypt which will
unconditionally enforce it.
Thus there is no need for libvirt to pass -enable-fips to modern QEMU.
Unfortunately there was never any way to probe for -enable-fips in the
first instance, it was enabled by libvirt based on version number
originally, and then later unconditionally enabled when libvirt dropped
support for older QEMU. Similarly we now use a version number check to
decide when to stop passing -enable-fips.
Note that the qemu-5.2 capabilities are currently from the pre-release
version and will be updated once qemu-5.2 is released.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 7 +++++++
src/qemu/qemu_command.c | 12 +++++++++++-
src/qemu/qemu_command.h | 2 +-
src/qemu/qemu_driver.c | 2 +-
src/qemu/qemu_process.c | 2 +-
tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.10.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.11.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.12.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_3.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_3.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv32.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.s390x.xml | 1 +
tests/qemucapabilitiesdata/caps_4.2.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.aarch64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.ppc64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.riscv64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.0.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.1.0.x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_5.2.0.x86_64.xml | 1 +
tests/qemuxml2argvtest.c | 5 +++++
56 files changed, 76 insertions(+), 4 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
1495
days inactive
1495
days old
4 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Peter Krempa