[libvirt] [PATCH] qemu: always ask for -enable-fips
Eric Blake
eblake at redhat.com
Fri Dec 13 16:26:13 UTC 2013
On 12/13/2013 09:22 AM, Paolo Bonzini wrote:
> Il 13/12/2013 16:15, Daniel P. Berrange ha scritto:
>> QEMU already detects current FIPs enablement via the file
>> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
>> This is really stupid given that all the crypto libraries that
>> QEMU uses unconditonally look at the proc file. So by having this
>> flag QEMU is in the insane situation where if FIPS is enabled then
>> part of QEMU will honour FIPS settings but other parts of QEMU will
>> not honour it until you pass --enable-fips. Insanity. So having
>> libvirt pass --enable-fips unconditionally fixes this insanity as
>> much as possible. Better yet if QEMU were to just remove the
>> pointless --enable-fips arg and just respect the fips_enabled
>> sysctl flag by default.
>
> Could libvirt look at /proc/sys/crypto/fips_enabled itself, and pass
> -enable-fips unconditionally (always: this means rejecting QEMUs that do
> not support FIPS mode if you're in FIPS mode) if it is enabled?
A little less blatant than hard-coding the solution in libvirt to trying
the flag if compiled for Linux. I can do a v2 patch along those lines,
for comparison, if desired.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20131213/fe25cfd9/attachment-0001.sig>
More information about the libvir-list
mailing list