[PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement

John Snow jsnow at redhat.com
Thu Oct 22 14:04:20 UTC 2020


On 10/21/20 6:17 AM, Daniel P. Berrangé wrote:
> Claiming QEMU is FIPS compliant without using libgcrypt is a
> bit of a joke since we don't do any self-tests of ciphers, hence
> this deprecation notice is warning people that libgcrypt is
> going to be mandatory if you care about FIPS.
> 

FWIW this is my main problem with this flag: we read the value in procfs 
and then use this to change precisely one behavior for one of our 
components. It doesn't really ... do what the name might imply it does.

Leaving that business to the crypto libraries is indeed the correct 
thing to do.

So:

Reviewed-by: John Snow <jsnow at redhat.com>



