From: Markus Armbruster <armbru@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: "Daniel P. Berrange" <berrange@redhat.com>,
John Snow <jsnow@redhat.com>, qemu-devel <qemu-devel@nongnu.org>
Subject: Re: -enablefips
Date: Wed, 24 Jun 2020 10:34:03 +0200
Message-ID: <878sgcdfr8.fsf@dusky.pond.sub.org>
In-Reply-To: <20200624064954.jmkqonjbqfhso5dr@sirius.home.kraxel.org> (Gerd Hoffmann's message of "Wed, 24 Jun 2020 08:49:54 +0200")

Gerd Hoffmann <kraxel@redhat.com> writes:

> On Tue, Jun 23, 2020 at 11:51:09PM -0400, John Snow wrote:
>> I never knew what this option did, but the answer is ... strange!
>>
>> It's only defined for linux, in os-posix.c. When called, it calls
>> fips_set_state(true), located in osdep.c.
>>
>> This will read /proc/sys/crypto/fips_enabled and set the static global
>> 'fips_enabled' to true if this setting is on.
>
> IIRC the idea is to have a global switch to enable fips compliance for
> the whole distro. RH specific. rhel-7 kernel has it. rhel-8 kernel
> too, so it probably isn't obsolete. Not present in mainline kernels.
>
> I'm wondering what the point of the -enablefips switch is. Shouldn't
> qemu check /proc/sys/crypto/fips_enabled unconditionally instead?

The switch feels rather silly to me. If you take the trouble to put
your host in FIPS mode, requiring -enable-fips to make QEMU actually
honor it makes no sense. If you don't, QEMU's -enable-fips has no
effect.

I may well misremember things (it's been years), but I vaguely recall
-enable-fips being a lame compromise between "this ought to be upstream"
and "FIPS is stupid, and I want nothing of it".

>> (Tangent: what does *this* setting actually control? Should QEMU
>> meaningfully change its behavior when it's set?)
>
> fips is a security policy ...
>
>> This static global is exposed via the getter fips_get_state(). This
>> function is called only by vnc.c, and appears to disable the use of the
>> password option for -vnc.
>
> ... yes, "no passwords" is one of the rules. There are probably more.
>
>> (If we really do want to keep it, it should probably go under -global
>> somewhere instead to help reduce flag clutter, but we'd need to have a
>> chat about what fips compliance means for literally every other spot in
>> QEMU that is capable of using or receiving a cleartext password.)
>
> Yep. IIRC for spice this is handled in libspice-server. We need to
> look at blockdev encryption I guess. Any other places where qemu uses
> passwords directly? I think we don't have to worry about indirect usage
> (sasl).

I'd expect the SASL libraries to honor FIPS mode by themselves. But
best ask someone who actually knows how FIPS mode is supposed to work.
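
Added example, not part of the original message and not QEMU's source: a C sketch comparing the switch-gated behaviour described in this thread with the unconditional check Gerd suggests, showing the case where a host in FIPS mode still accepts a VNC password because the switch was omitted. The function names and the sample file `fips_enabled.sample` are hypothetical; only the sysctl path comes from the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Sysctl file named in the thread; if it is missing, treat FIPS as off. */
#define FIPS_SYSCTL "/proc/sys/crypto/fips_enabled"

/* True only if the file exists and its first byte is '1'. */
static bool host_fips_flag(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return false;
    int c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Switch semantics as described in the thread: host flag counts only if asked. */
static bool fips_with_switch(bool switch_given, const char *path)
{
    return switch_given && host_fips_flag(path);
}

/* Hypothetical stand-in for the VNC check: no password auth in FIPS mode. */
static bool vnc_password_allowed(bool fips) { return !fips; }

/* Builds a constructed sysctl file (content NULL = file absent) and reports
 * whether a VNC password would still be accepted under the chosen policy. */
static bool password_allowed(const char *content, bool switch_given, bool unconditional)
{
    const char *path = "fips_enabled.sample";  /* constructed sample file */
    remove(path);
    if (content) {
        FILE *f = fopen(path, "w");
        if (f) { fputs(content, f); fclose(f); }
    }
    bool fips = unconditional ? host_fips_flag(path)
                              : fips_with_switch(switch_given, path);
    remove(path);
    return vnc_password_allowed(fips);
}

int main(void)
{
    printf("this host: fips_enabled=%d\n", host_fips_flag(FIPS_SYSCTL));
    printf("host FIPS on, no switch:     password allowed=%d\n", password_allowed("1\n", false, false));
    printf("host FIPS on, switch given:  password allowed=%d\n", password_allowed("1\n", true, false));
    printf("host FIPS on, unconditional: password allowed=%d\n", password_allowed("1\n", false, true));
    return 0;
}
```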