[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] Move the FIPS detection from capabilities



We are not detecting the presence of FIPS from QEMU, but from procfs and
that means it's not QEMU capability. It was decided that we will pass
this flag to QEMU even if it's not supported by old QEMU binaries.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1135431

Signed-off-by: Pavel Hrdina <phrdina redhat com>
---

Note: The original bug is that we are not detecting whether libvirtd
binary has been updated, we detect that only for QEMU binary. So you
could update libvirt without updating QEMU and new capabilities that could
already exists in QEMU, but was recently implemented in libvirt wasn't
enabled. I'll post a patch to fix this bug.

 src/qemu/qemu_capabilities.c | 24 ------------------------
 src/qemu/qemu_command.c      | 25 +++++++++++++++++++++++--
 2 files changed, 23 insertions(+), 26 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 9246813..5c3778d 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -3215,30 +3215,6 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
     config.data.nix.path = monpath;
     config.data.nix.listen = false;
 
-    /* Qemu 1.2 and later have a binary flag -enable-fips that must be
-     * used for VNC auth to obey FIPS settings; but the flag only
-     * exists on Linux, and with no way to probe for it via QMP.  Our
-     * solution: if FIPS mode is required, then unconditionally use
-     * the flag, regardless of qemu version, for the following matrix:
-     *
-     *                          old QEMU            new QEMU
-     * FIPS enabled             doesn't start       VNC auth disabled
-     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
-     *
-     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
-     * or virQEMUCapsInitHelp also allows the testsuite to be
-     * independent of FIPS setting.
-     */
-    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
-        char *buf = NULL;
-
-        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
-            goto cleanup;
-        if (STREQ(buf, "1\n"))
-            virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
-        VIR_FREE(buf);
-    }
-
     VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);
 
     /*
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index f2e6e5a..3532518 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7656,8 +7656,29 @@ qemuBuildCommandLine(virConnectPtr conn,
     if (!standalone)
         virCommandAddArg(cmd, "-S"); /* freeze CPU */
 
-    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
-        virCommandAddArg(cmd, "-enable-fips");
+    /* Qemu 1.2 and later have a binary flag -enable-fips that must be
+     * used for VNC auth to obey FIPS settings; but the flag only
+     * exists on Linux, and with no way to probe for it via QMP.  Our
+     * solution: if FIPS mode is required, then unconditionally use
+     * the flag, regardless of qemu version, for the following matrix:
+     *
+     *                          old QEMU            new QEMU
+     * FIPS enabled             doesn't start       VNC auth disabled
+     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
+     *
+     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
+     * or virQEMUCapsInitHelp also allows the testsuite to be
+     * independent of FIPS setting.
+     */
+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+        char *buf = NULL;
+
+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
+            goto error;
+        if (STREQ(buf, "1\n"))
+            virCommandAddArg(cmd, "-enable-fips");
+        VIR_FREE(buf);
+    }
 
     if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)
         goto error;
-- 
1.8.5.5


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]