[libvirt] [PATCH] qemu: always ask for -enable-fips

Michal Privoznik mprivozn at redhat.com
Fri Dec 13 14:58:55 UTC 2013


On 05.12.2013 22:54, Eric Blake wrote:
> On a system that is enforcing FIPS, most libraries honor the
> current mode by default.  Qemu, on the other hand, refused to
> honor FIPS mode unless you add the '-enable-fips' command
> line option; worse, this option is not discoverable via QMP,
> and is only present on binaries built for Linux.  As far as
> I can tell, unconditionally using the option when it is
> available has no negative consequences (the option has no
> change to qemu behavior except when FIPS is enabled, at which
> point it cripples insecure VNC passwords which is the one thing
> that libvirt must not allow when FIPS is active).
> 
> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
> 
> * src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
> * src/qemu/qemu_capabilities.c (virQEMUCapsInitQMPBasic):
> Conditionally set capability.
> * src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
> * tests/qemucapabilitiestest.c (testQemuCaps): Unconditionally set
> capability.
> * tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
> * tests/qemucapabilitiesdata/caps_1.3.1-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.4.2-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.5.3-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.
> * tests/qemucapabilitiesdata/caps_1.6.50-1.caps: Likewise.
> 
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>  src/qemu/qemu_capabilities.c                  | 7 +++++++
>  src/qemu/qemu_capabilities.h                  | 1 +
>  src/qemu/qemu_command.c                       | 2 ++
>  tests/qemucapabilitiesdata/caps_1.2.2-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.3.1-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.4.2-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.5.3-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.6.0-1.caps  | 1 +
>  tests/qemucapabilitiesdata/caps_1.6.50-1.caps | 1 +
>  tests/qemucapabilitiestest.c                  | 6 ++++++
>  10 files changed, 22 insertions(+)

Sigh, oh boy, <your favorite swear-word>. ACK.

Michal



