[libvirt] [PATCH] qemu: always ask for -enable-fips

Jiri Denemark jdenemar at redhat.com
Fri Dec 13 15:06:50 UTC 2013


On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
> On 05.12.2013 22:54, Eric Blake wrote:
> > On a system that is enforcing FIPS, most libraries honor the
> > current mode by default.  Qemu, on the other hand, refuses to
> > honor FIPS mode unless you add the '-enable-fips' command
> > line option; worse, this option is not discoverable via QMP,
> > and is only present on binaries built for Linux.  As far as
> > I can tell, unconditionally using the option when it is
> > available has no negative consequences (the option makes no
> > change to qemu behavior except when FIPS is enabled, at which
> > point it cripples insecure VNC passwords, which is the one thing
> > that libvirt must not allow when FIPS is active).
> > 
> > This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
> 
> Sigh, oh boy, <your favorite swear-word>. ACK.

Don't we want to wait for QEMU to decide what they should be doing with
-enable-fips to make it detectable? If we push this patch, we basically
can't move to detecting the option and enabling it only when it is
detected, since that could cause regressions for older QEMU versions that
supported the option but did not advertise it. If we just wait for the
option to be detectable and enable it only when we detect its support in
QEMU, we won't enable it for all possible QEMU versions, but we won't
regress in any way.

Jirka