[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforc
From: |
Daniel P . Berrangé |
Subject: |
Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement |
Date: |
Wed, 21 Oct 2020 09:38:03 +0100 |
User-agent: |
Mutt/1.14.6 (2020-07-11) |
On Tue, Oct 20, 2020 at 07:22:03PM +0200, Paolo Bonzini wrote:
> On 20/10/20 18:22, Daniel P. Berrangé wrote:
> > @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
> > break;
> > #if defined(CONFIG_LINUX)
> > case QEMU_OPTION_enablefips:
> > + warn_report("-enable-fips is deprecated, please build QEMU with "
> > + "the `libgcrypt` library as the cryptography provider "
> > + "to enable FIPS compliance");
> > fips_set_state(true);
> > break;
> > #endif
>
> Should you also remove fips_set_state(true) and make fips_get_state()
> return the contents of /proc/sys/crypto/fips_enabled, so that VNC
> password authentication is disabled?
I did think about doing that, but decided that since my intention is
to delete all trace of fips_get_state / fips_set_state at the end of
the deprecation period, that it'd be saner just to leave the semantics
unchanged during the deprecation period.
Deprecation notices shouldn't really be associated with changes in
functionality at time they are introduced.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement, Thomas Huth, 2020/10/21