[libvirt] [PATCHV2] qemu: ask for -enable-fips when FIPS is required

Peter Krempa pkrempa at redhat.com
Mon Dec 16 08:46:19 UTC 2013 

On 12/13/13 19:51, Eric Blake wrote:
> On a system that is enforcing FIPS, most libraries honor the
> current mode by default.  Qemu, on the other hand, refused to
> honor FIPS mode unless you add the '-enable-fips' command
> line option; worse, this option is not discoverable via QMP,
> and is only present on binaries built for Linux.  So, if we
> detect FIPS mode, then we unconditionally ask for FIPS; either
> qemu is new enough to have the option and then correctly
> cripple insecure VNC passwords, or it is so old that we are
> correctly avoiding a FIPS violation by preventing qemu from
> starting.  Meanwhile, if we don't detect FIPS mode, then
> omitting the argument is safe whether the qemu has the option
> (but it would do nothing because FIPS is disabled) or whether
> qemu lacks the option (including in the case where we are not
> running on Linux).
> 
> The testsuite was a bit interesting: we don't want our test
> to depend on whether it is being run in FIPS mode, so I had
> to tweak things to set the capability bit outside of our
> normal interaction with capability parsing.
> 
> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
> 
> * src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
> * src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally
> set capability according to detection of FIPS mode.
> * src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
> * tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set
> capability to test expected output.
> * tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
> * tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.
> 
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
>  src/qemu/qemu_capabilities.c                 | 28 +++++++++++++++++++++++++++-
>  src/qemu/qemu_capabilities.h                 |  1 +
>  src/qemu/qemu_command.c                      |  2 ++
>  tests/qemucapabilitiesdata/caps_1.2.2-1.caps |  1 +
>  tests/qemucapabilitiesdata/caps_1.6.0-1.caps |  1 +
>  tests/qemucapabilitiestest.c                 | 20 +++++++++++++++-----
>  6 files changed, 47 insertions(+), 6 deletions(-)
> 
> diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
> index 5e9c65e..9470814 100644
> --- a/src/qemu/qemu_capabilities.c
> +++ b/src/qemu/qemu_capabilities.c

...

> @@ -2630,6 +2631,31 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
>      config.data.nix.path = monpath;
>      config.data.nix.listen = false;
> 
> +    /* Qemu 1.2 and later have a binary flag -enable-fips that must be
> +     * used for VNC auth to obey FIPS settings; but the flag only
> +     * exists on Linux, and with no way to probe for it via QMP.  Our
> +     * solution: if FIPS mode is required, then unconditionally use
> +     * the flag, regardless of qemu version, for the following matrix:
> +     *
> +     *                          old QEMU            new QEMU
> +     * FIPS enabled             doesn't start       VNC auth disabled
> +     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
> +     *
> +     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
> +     * or virQEMUCapsInitHelp also allows the testsuite to be
> +     * independent of FIPS setting.
> +     */
> +    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
> +        char buf[sizeof("1\n")];

No need for the above buffer as virFileReadAll actually allocates the
buffer itself.

> +        char *ptr = buf;

This is bogous and will be overwritten, instead ptr should be
initialized to NULL.

> +
> +        if (virFileReadAll("/proc/sys/crypto/fips_enabled",
> +                           sizeof(buf), &ptr) < 0)
> +            goto cleanup;
> +        if (*buf == '1')

This line should compare *ptr instead of *buf which wasn't initialized.
Also I'd rather use STREQ and a bit larger buffer.

> +            virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
> +    }
> +

You also need to free the pointer allocated by virFileReadAll.

>      VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);
> 
>      /*

Peter


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20131216/93b0c383/attachment-0001.sig>

More information about the libvir-list mailing list