[PATCH 05/11] qemu: Store state of FIPS in virQEMUDriver

Peter Krempa pkrempa at redhat.com
Mon May 16 15:12:35 UTC 2022


Rather than re-querying it every time, we can cache the FIPS state of the
host, as it will not change during the runtime of the guest.

Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code
checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and
also populate 'hostFips' in qemuxml2argvtest.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 src/qemu/qemu_command.c  | 14 ++------------
 src/qemu/qemu_conf.h     |  1 +
 src/qemu/qemu_driver.c   |  9 +++++++++
 tests/qemuxml2argvtest.c |  5 ++++-
 4 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index d3b3603fbe..3e9db271b1 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1787,21 +1787,11 @@ bool
 qemuCheckFips(virDomainObj *vm)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-    virQEMUCaps *qemuCaps = priv->qemuCaps;

-    if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
         return false;

-    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
-        g_autofree char *buf = NULL;
-
-        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
-            return false;
-        if (STREQ(buf, "1\n"))
-            return true;
-    }
-
-    return false;
+    return priv->driver->hostFips;
 }
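Review bot: qemuCheckFips now reports the cached `priv->driver->hostFips` instead of probing the host, so any caller that runs before qemuStateInitialize has populated the flag, or a test driver that never sets it, silently gets false; the function carries no comment stating that precondition. Suggest a header comment above the definition such as `/* Returns true when '-enable-fips' must be passed to qemu: the binary supports it and the host is in FIPS mode (cached in driver->hostFips by qemuStateInitialize). */`. The rewrite also assumes `priv->driver` is always set when this is called, which the hunk does not show; worth confirming for the paths that build a command line from a freshly parsed domain.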


diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index c71a666aea..5e752d075e 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -251,6 +251,7 @@ struct _virQEMUDriver {
     /* Immutable values */
     bool privileged;
     char *embeddedRoot;
+    bool hostFips; /* FIPS mode is enabled on the host */

     /* Immutable pointers. Caller must provide locking */
     virStateInhibitCallback inhibitCallback;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 4f6b295859..96ca67dfca 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged,
     if (qemuMigrationDstErrorInit(qemu_driver) < 0)
         goto error;

+    /* qemu-5.1 and older requires use of '-enable-fips' flag when the host
+     * is in FIPS mode. We store whether FIPS is enabled */
+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+        g_autofree char *buf = NULL;
+
+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
+            qemu_driver->hostFips = STREQ(buf, "1\n");
+    }
+
     if (privileged) {
         g_autofree char *channeldir = NULL;

diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 8d0d4acca9..385448b57a 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
                                unsigned int flags)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-    bool enableFips = !!(flags & FLAG_FIPS_HOST);
+    bool enableFips;
     size_t i;

+    drv->hostFips = flags & FLAG_FIPS_HOST;
+    enableFips = drv->hostFips;
+
     if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
                                            VIR_QEMU_PROCESS_START_COLD) < 0)
         return NULL;
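Review bot: `drv->hostFips = flags & FLAG_FIPS_HOST;` relies on the implicit unsigned-int-to-bool conversion to normalize the masked bit; it is correct, but the dropped `!!` made that explicit and is the idiom the removed line used, so `drv->hostFips = !!(flags & FLAG_FIPS_HOST);` reads better and survives a future change of the field's type. Since the driver object is shared across test cases, the unconditional assignment is what keeps a case without FLAG_FIPS_HOST from inheriting the previous case's value; a one-line comment such as `/* reset per case: drv is shared across tests */` would make that intent clear. testCompareXMLToArgvCreateArgs continues beyond the hunk.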
-- 
2.35.3


