[libvirt PATCH] qemu: stop passing -enable-fips to QEMU >= 5.2.0

Peter Krempa pkrempa at redhat.com
Wed Oct 21 07:29:00 UTC 2020


On Tue, Oct 20, 2020 at 17:48:59 +0100, Daniel Berrange wrote:
> Use of the -enable-fips option is being deprecated in QEMU >= 5.2.0. If
> FIPS compliance is required, QEMU must be built with libcrypt which will
> unconditionally enforce it.
> 
> Thus there is no need for libvirt to pass -enable-fips to modern QEMU.
> Unfortunately there was never any way to probe for -enable-fips in the
> first instance, it was enabled by libvirt based on version number
> originally, and then later unconditionally enabled when libvirt dropped
> support for older QEMU. Similarly we now use a version number check to
> decide when to stop passing -enable-fips.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/qemu/qemu_capabilities.c |  8 ++++++++
>  src/qemu/qemu_capabilities.h |  1 +
>  src/qemu/qemu_command.c      | 12 +++++++++++-
>  src/qemu/qemu_command.h      |  2 +-
>  src/qemu/qemu_driver.c       |  2 +-
>  src/qemu/qemu_process.c      |  2 +-
>  6 files changed, 23 insertions(+), 4 deletions(-)

[...]

> diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
> index 44c45589f0..2976879fa3 100644
> --- a/src/qemu/qemu_capabilities.h
> +++ b/src/qemu/qemu_capabilities.h
> @@ -581,6 +581,7 @@ typedef enum { /* virQEMUCapsFlags grouping marker for syntax-check */
>      /* 380 */
>      QEMU_CAPS_USB_HOST_HOSTDEVICE, /* -device usb-host.hostdevice */
>      QEMU_CAPS_VIRTIO_BALLOON_FREE_PAGE_REPORTING, /*virtio balloon free-page-reporting */
> +    QEMU_CAPS_FIPS_IMPLIED, /* -enable-fips is no longer required, delegate to gcrypt */
>  
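Review bot: the comment on QEMU_CAPS_FIPS_IMPLIED says "delegate to gcrypt" while the commit message says FIPS compliance comes from building QEMU "with libcrypt"; the two should name the same library so the header does not contradict the log. Since the commit message also states that this cannot be probed and is decided purely by version number, the comment would be more useful if it carried that threshold, e.g. `/* -enable-fips no longer needed on QEMU >= 5.2.0; FIPS enforced by the crypto library */`, so a reader of the header is not left looking for a non-existent probe.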

Another option would be to re-start using QEMU_CAPS_ENABLE_FIPS which is
currently used for questionable testing in qemuxml2argvtest.

Consider this a

Reviewed-by: Peter Krempa <pkrempa at redhat.com>

but I'll try looking at qemuxml2argvtest and its usage of
QEMU_CAPS_ENABLE_FIPS in a moment to see whether it can be improved and
alternatively even test this change.



