[libvirt] [PATCHv3] qemu: ask for -enable-fips when FIPS is required
Eric Blake
eblake at redhat.com
Wed Dec 18 15:03:42 UTC 2013
On 12/18/2013 03:59 AM, Peter Krempa wrote:
> On 12/17/13 19:36, Eric Blake wrote:
>> On a system that is enforcing FIPS, most libraries honor the
>> current mode by default. Qemu, on the other hand, refused to
>> honor FIPS mode unless you add the '-enable-fips' command
>> line option; worse, this option is not discoverable via QMP,
>> and is only present on binaries built for Linux. So, if we
>> detect FIPS mode, then we unconditionally ask for FIPS; either
>> qemu is new enough to have the option and then correctly
>> cripple insecure VNC passwords, or it is so old that we are
>> correctly avoiding a FIPS violation by preventing qemu from
>> starting. Meanwhile, if we don't detect FIPS mode, then
>> omitting the argument is safe whether the qemu has the option
>> (but it would do nothing because FIPS is disabled) or whether
>> qemu lacks the option (including in the case where we are not
>> running on Linux).
>>
>> The testsuite was a bit interesting: we don't want our test
>> to depend on whether it is being run in FIPS mode, so I had
>> to tweak things to set the capability bit outside of our
>> normal interaction with capability parsing.
>>
>> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
>>
> ACK. I verified that the detection works correctly when the file is
> present and contains the expected data.
Thanks; pushed.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 621 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20131218/accdc05b/attachment-0001.sig>
More information about the libvir-list
mailing list