[PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement
Daniel P. Berrangé
berrange at redhat.com
Wed Oct 21 10:17:43 UTC 2020
On Wed, Oct 21, 2020 at 11:51:10AM +0200, Paolo Bonzini wrote:
> On 21/10/20 10:38, Daniel P. Berrangé wrote:
> > On Tue, Oct 20, 2020 at 07:22:03PM +0200, Paolo Bonzini wrote:
> >> On 20/10/20 18:22, Daniel P. Berrangé wrote:
> >>> @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
> >>> break;
> >>> #if defined(CONFIG_LINUX)
> >>> case QEMU_OPTION_enablefips:
> >>> + warn_report("-enable-fips is deprecated, please build QEMU with "
> >>> + "the `libgcrypt` library as the cryptography provider "
> >>> + "to enable FIPS compliance");
> >>> fips_set_state(true);
> >>> break;
> >>> #endif
> >>
> >> Should you also remove fips_set_state(true) and make fips_get_state()
> >> return the contents of /proc/sys/crypto/fips_enabled, so that VNC
> >> password authentication is disabled?
> >
> > I did think about doing that, but decided that since my intention is
> > to delete all trace of fips_get_state / fips_set_state at the end of
> > the deprecation period, that it'd be saner just to leave the semantics
> > unchanged during the deprecation period.
>
> But would it be correct? In order to have the advertised behavior of
> "enable FIPS compliance just with procfs, no need to do anything in
> QEMU" you need to disable VNC password authentication; so while
> fips_set_state is an abomination, fips_get_state should remain.
There's no need for fips_get_state. Once you build QEMU with
libgcrypt, when VNC requests a DES cipher handle, gcrypt will
return an error as that algorithm is forbidden in FIPS mode.
This is the primary reason for outsourcing all crypto to a
separate library and ignoring the impls in QEMU.
Claiming QEMU is FIPS compliant without using libgcrypt is a
bit of joke since we don't do any self-tests of ciphers, hence
this deprecation notice is warning people that libgcrypt is
going to be mandatory if you care about FIPS.
> > Deprecation notices shouldn't really be associated with changes in
> > functionality at time they are introduced.
>
> I think you can consider it a bugfix since no one sets fips_enabled
> without knowing what they're doing.
I just would rather not change semantics of something that we are
intending to remove
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list