qemu-devel

Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips


From: Eric Blake
Subject: Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips
Date: Fri, 13 Dec 2013 09:15:17 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 12/13/2013 08:15 AM, Daniel P. Berrange wrote:
> QEMU already detects current FIPS enablement via the file
> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
> This is really stupid given that all the crypto libraries that
> QEMU uses unconditionally look at the proc file. So by having this
> flag QEMU is in the insane situation where if FIPS is enabled then
> part of QEMU will honour FIPS settings but other parts of QEMU will
> not honour it until you pass --enable-fips. Insanity. So having
> libvirt pass --enable-fips unconditionally fixes this insanity as
> much as possible. Better yet if QEMU were to just remove the
> pointless --enable-fips arg and just respect the fips_enabled
> sysctl flag by default.

Agreed that qemu's current stance is insane, and that libvirt being
forced to deal with it is not the ideal solution.  But we've tried to
fight the battle of getting qemu to just enable the FIPS check
unconditionally (i.e. make -enable-fips a no-op, still existing for
back-compat reasons, but behaving as if it were always requested), and
so far have not had any luck.  I'd rather patch libvirt now than wait
for a future qemu (especially if it is still contentious to change the
qemu behavior).

Shall I go ahead and push this libvirt patch?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
