Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations

["Daniel P. Berrange" <berrange@redhat.com>]

On Fri, May 22, 2015 at 07:50:03PM +0800, Gonglei wrote:
> On 2015/5/22 19:37, Daniel P. Berrange wrote:
> > On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
> >> On 2015/5/21 18:56, Daniel P. Berrange wrote:
> >>> This small series covers the crypto consolidation patches
> >>> I previously posted as part of a larger RFC for the TLS work
> >>>
> >>>   https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> >>>
> >>> Currently there are a 5 main places in QEMU which use some
> >>> form of cryptographic hash or cipher algorithm. These are
> >>> the quorum block driver (hash), qcow[2] block driver (cipher),
> >>> VNC password auth (cipher), VNC websockets (hash) and some
> >>> of the CPU instruction emulation (cipher).
> >>>
> >>> For ciphers the code is using the in-tree implementations
> >>> of AES and/or the RFB cripple-DES. While there is nothing
> >>> broken about these implementations, it is none the less
> >>> desirable to be able to use the GNUTLS provided impls in
> >>> cases whre we are already linking to GNUTLS. This will
> >>> allow QEMU to use FIPS certified implementations, which
> >>> have been well audited, have some protection against
> >>> side-channel leakage and are generally actively maintained
> >>> by people knowledgable about encryption.
> >>>
> >> Can we use OpenSSL library in Qemu? If not, that's because of the license?
> > 
> > There are differing opinions on OpenSSL licensing. Personally I consider
> > it to be GPL incompatible because I don't accept the suggestion that openssl
> > is exempt under the system libraries clause. In any case QEMU is already
> > using GNUTLS and IME it has a more friendly API with better documentation
> > than openssl or nss.
> > 
> > That all said, one benefit of the crypto consolidation is that it makes it
> > more feasible to plug in alternative crypto libraries, because all the
> > gnutls specific code is isolated in one place, instead of spread across
> > the entire codebase. I don't intend to do any work to support other
> > crypto libraries though as I don't think there's any compelling benefit
> > to them.
> > 
> OK, I see, thanks.
> BTW do you have a github branch which can be easier to test?

This small series is here:

   https://github.com/berrange/qemu/tree/qemu-crypto-v1

It is ultimately part of a much larger (work in progress) series I have here:

  https://github.com/berrange/qemu/tree/qemu-io-channel-12

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|