[libvirt] [PATCH] qemu: always ask for -enable-fips

Jiri Denemark jdenemar at redhat.com
Fri Dec 13 15:22:15 UTC 2013


On Fri, Dec 13, 2013 at 15:15:59 +0000, Daniel Berrange wrote:
> On Fri, Dec 13, 2013 at 04:06:50PM +0100, Jiri Denemark wrote:
> > On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
> > > On 05.12.2013 22:54, Eric Blake wrote:
> > > > On a system that is enforcing FIPS, most libraries honor the
> > > > current mode by default.  Qemu, on the other hand, refused to
> > > > honor FIPS mode unless you add the '-enable-fips' command
> > > > line option; worse, this option is not discoverable via QMP,
> > > > and is only present on binaries built for Linux.  As far as
> > > > I can tell, unconditionally using the option when it is
> > > > available has no negative consequences (the option has no
> > > > change to qemu behavior except when FIPS is enabled, at which
> > > > point it cripples insecure VNC passwords which is the one thing
> > > > that libvirt must not allow when FIPS is active).
> > > > 
> > > > This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
> > > 
> > > Sigh, oh boy, <your favorite swear-word>. ACK.
> > 
> > Don't we want to wait for QEMU to decide what they should be doing with
> > -enable-fips to make it detectable? If we push this patch, we can't
> > basically move into detecting the option and enabling it only when
> > detected since that could cause regressions for older QEMU versions that
> > supported the option but did not advertise it. If we just wait for the
> > option to be detectable and enable it only when we detect its support in
> > QEMU, we won't enable it for all possible QEMU versions but we won't
> > regress in any way.
> 
> QEMU already detects current FIPS enablement via the file
> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
> This is really stupid given that all the crypto libraries that
> QEMU uses unconditionally look at the proc file. So by having this
> flag QEMU is in the insane situation where if FIPS is enabled then
> part of QEMU will honour FIPS settings but other parts of QEMU will
> not honour it until you pass --enable-fips. Insanity. So having
> libvirt pass --enable-fips unconditionally fixes this insanity as
> much as possible. Better yet if QEMU were to just remove the
> pointless --enable-fips arg and just respect the fips_enabled
> sysctl flag by default.

Of course, I don't question this part. I just don't like the black magic
we use to decide whether we can use -enable-fips or not and if we go
this black route, we will have to stick with it even if QEMU provides a
proper way of detecting -enable-fips. We could only use the detection in
case our black magic decides the option is not supported.

Jirka
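
Added example, not part of the thread and not libvirt or QEMU code: a host audit for the mismatch Daniel describes, listing QEMU processes that were started without the FIPS option while /proc/sys/crypto/fips_enabled reports 1. The binary-name prefixes, the `proc_root` parameter and the sample process tree are assumptions constructed for illustration.

```python
import os
import tempfile
QEMU_NAMES = ("qemu-system-", "qemu-kvm")  # assumed emulator binary names

def fips_enforced(proc_root="/proc"):
    """True when the kernel reports FIPS mode via the fips_enabled sysctl."""
    try:
        with open(os.path.join(proc_root, "sys/crypto/fips_enabled")) as f:
            return f.read().strip() == "1"
    except OSError:
        return False  # file absent: treated as FIPS not enabled

def qemu_without_fips_flag(proc_root="/proc"):
    """Sorted PIDs of QEMU processes whose argv lacks the FIPS option."""
    missing = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited mid-scan or is not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if not argv or not os.path.basename(argv[0]).startswith(QEMU_NAMES):
            continue  # kernel thread (empty cmdline) or not an emulator
        # The thread writes the option with one dash and with two; match both.
        if not {"-enable-fips", "--enable-fips"} & set(argv[1:]):
            missing.append(int(entry))
    return sorted(missing)

def audit(proc_root="/proc"):
    # PIDs needing attention; empty when the host is not in FIPS mode.
    return qemu_without_fips_flag(proc_root) if fips_enforced(proc_root) else []

def build_sample_proc(fips="1"):
    """Constructed /proc-like tree (sample data, not from a real host)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sys/crypto"))
    with open(os.path.join(root, "sys/crypto/fips_enabled"), "w") as f:
        f.write(fips + "\n")
    samples = {
        "1001": b"/usr/bin/qemu-system-x86_64\0-name\0guest1\0-enable-fips\0",
        "1002": b"/usr/libexec/qemu-kvm\0-name\0guest2\0-vnc\0:1,password\0",
        "1003": b"/usr/sbin/sshd\0-D\0",
    }
    for pid, cmdline in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(cmdline)
    return root
```

Calling `audit()` with no argument scans the real /proc; reading other users' cmdline files may require root.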



