Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforc

From: John Snow
Subject: Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement
Date: Thu, 22 Oct 2020 10:04:20 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0

On 10/21/20 6:17 AM, Daniel P. Berrangé wrote:
> Claiming QEMU is FIPS compliant without using libgcrypt is a
> bit of a joke since we don't do any self-tests of ciphers, hence
> this deprecation notice is warning people that libgcrypt is
> going to be mandatory if you care about FIPS.

FWIW this is my main problem with this flag: we read the value in procfs and then use this to change precisely one behavior for one of our components. It doesn't really ... do what the name might imply it does.

Leaving that business to the crypto libraries is indeed the correct thing to do.


Reviewed-by: John Snow <jsnow@redhat.com>
