[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforc

From: Paolo Bonzini
Subject: Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement
Date: Wed, 21 Oct 2020 13:47:18 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1

On 21/10/20 12:17, Daniel P. Berrangé wrote:
>> But would it be correct?  In order to have the advertised behavior of
>> "enable FIPS compliance just with procfs, no need to do anything in
>> QEMU" you need to disable VNC password authentication; so while
>> fips_set_state is an abomination, fips_get_state should remain.
> There's no need for fips_get_state. Once you build QEMU with
> libgcrypt, when  VNC requests a DES cipher handle, gcrypt will
> return an error as that algorithm is forbidden in FIPS mode.

Oh, I thought we were still using our own code for the modified DES but
it _is_ actually using gcrypt or nettle if available.  Sorry for the noise.

> This is the primary reason for outsourcing all crypto to a
> separate library and ignoring the impls in QEMU.
> Claiming QEMU is FIPS compliant without using libgcrypt is a
> bit of joke since we don't do any self-tests of ciphers, hence
> this deprecation notice is warning people that libgcrypt is
> going to be mandatory if you care about FIPS.

Yes, agreed.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]