qemu-devel

Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforc


From: Paolo Bonzini
Subject: Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement
Date: Wed, 21 Oct 2020 13:47:18 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1

On 21/10/20 12:17, Daniel P. Berrangé wrote:
>> But would it be correct?  In order to have the advertised behavior of
>> "enable FIPS compliance just with procfs, no need to do anything in
>> QEMU" you need to disable VNC password authentication; so while
>> fips_set_state is an abomination, fips_get_state should remain.
> There's no need for fips_get_state. Once you build QEMU with
> libgcrypt, when VNC requests a DES cipher handle, gcrypt will
> return an error as that algorithm is forbidden in FIPS mode.

Oh, I thought we were still using our own code for the modified DES but
it _is_ actually using gcrypt or nettle if available.  Sorry for the noise.

> This is the primary reason for outsourcing all crypto to a
> separate library and ignoring the impls in QEMU.
> 
> Claiming QEMU is FIPS compliant without using libgcrypt is a
> bit of a joke since we don't do any self-tests of ciphers, hence
> this deprecation notice is warning people that libgcrypt is
> going to be mandatory if you care about FIPS.

Yes, agreed.

Paolo



