Date: Fri, 22 May 2015 13:12:09 +0100
From: "Daniel P. Berrange"
Message-ID: <20150522121209.GL14428@redhat.com>
In-Reply-To: <555F17EB.1010401@huawei.com>
References: <1432205817-16414-1-git-send-email-berrange@redhat.com> <555F1301.8070900@huawei.com> <20150522113721.GI14428@redhat.com> <555F17EB.1010401@huawei.com>
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
To: Gonglei
Cc: Kevin Wolf, Paolo Bonzini, qemu-devel@nongnu.org, Gerd Hoffmann

On Fri, May 22, 2015 at 07:50:03PM +0800, Gonglei wrote:
> On 2015/5/22 19:37, Daniel P. Berrange wrote:
> > On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
> >> On 2015/5/21 18:56, Daniel P. Berrange wrote:
> >>> This small series covers the crypto consolidation patches
> >>> I previously posted as part of a larger RFC for the TLS work
> >>>
> >>> https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> >>>
> >>> Currently there are 5 main places in QEMU which use some
> >>> form of cryptographic hash or cipher algorithm. These are
> >>> the quorum block driver (hash), qcow[2] block driver (cipher),
> >>> VNC password auth (cipher), VNC websockets (hash) and some
> >>> of the CPU instruction emulation (cipher).
> >>>
> >>> For ciphers the code is using the in-tree implementations
> >>> of AES and/or the RFB cripple-DES. While there is nothing
> >>> broken about these implementations, it is nonetheless
> >>> desirable to be able to use the GNUTLS provided impls in
> >>> cases where we are already linking to GNUTLS. This will
> >>> allow QEMU to use FIPS certified implementations, which
> >>> have been well audited, have some protection against
> >>> side-channel leakage and are generally actively maintained
> >>> by people knowledgeable about encryption.
> >>>
> >> Can we use the OpenSSL library in QEMU? If not, is that because of the license?
> >
> > There are differing opinions on OpenSSL licensing. Personally I consider
> > it to be GPL incompatible because I don't accept the suggestion that openssl
> > is exempt under the system libraries clause. In any case QEMU is already
> > using GNUTLS and IME it has a more friendly API with better documentation
> > than openssl or nss.
> >
> > That all said, one benefit of the crypto consolidation is that it makes it
> > more feasible to plug in alternative crypto libraries, because all the
> > gnutls specific code is isolated in one place, instead of spread across
> > the entire codebase. I don't intend to do any work to support other
> > crypto libraries though as I don't think there's any compelling benefit
> > to them.
> >
> OK, I see, thanks.
> BTW do you have a github branch which is easier to test?

This small series is here:

  https://github.com/berrange/qemu/tree/qemu-crypto-v1

It is ultimately part of a much larger (work in progress) series I have here:

  https://github.com/berrange/qemu/tree/qemu-io-channel-12

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|