[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations

From: Gonglei
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
Date: Fri, 22 May 2015 19:50:03 +0800
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 2015/5/22 19:37, Daniel P. Berrange wrote:
> On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
>> On 2015/5/21 18:56, Daniel P. Berrange wrote:
>>> This small series covers the crypto consolidation patches
>>> I previously posted as part of a larger RFC for the TLS work
>>>   https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
>>> Currently there are a 5 main places in QEMU which use some
>>> form of cryptographic hash or cipher algorithm. These are
>>> the quorum block driver (hash), qcow[2] block driver (cipher),
>>> VNC password auth (cipher), VNC websockets (hash) and some
>>> of the CPU instruction emulation (cipher).
>>> For ciphers the code is using the in-tree implementations
>>> of AES and/or the RFB cripple-DES. While there is nothing
>>> broken about these implementations, it is none the less
>>> desirable to be able to use the GNUTLS provided impls in
>>> cases whre we are already linking to GNUTLS. This will
>>> allow QEMU to use FIPS certified implementations, which
>>> have been well audited, have some protection against
>>> side-channel leakage and are generally actively maintained
>>> by people knowledgable about encryption.
>> Can we use OpenSSL library in Qemu? If not, that's because of the license?
> There are differing opinions on OpenSSL licensing. Personally I consider
> it to be GPL incompatible because I don't accept the suggestion that openssl
> is exempt under the system libraries clause. In any case QEMU is already
> using GNUTLS and IME it has a more friendly API with better documentation
> than openssl or nss.
> That all said, one benefit of the crypto consolidation is that it makes it
> more feasible to plug in alternative crypto libraries, because all the
> gnutls specific code is isolated in one place, instead of spread across
> the entire codebase. I don't intend to do any work to support other
> crypto libraries though as I don't think there's any compelling benefit
> to them.
OK, I see, thanks.
BTW do you have a github branch which can be easier to test?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]