Re: -enablefips

["Daniel P. Berrangé" <berrange@redhat.com>]

On Tue, Jun 23, 2020 at 11:51:09PM -0400, John Snow wrote:
> I never knew what this option did, but the answer is ... strange!
> 
> It's only defined for linux, in os-posix.c. When called, it calls
> fips_set_state(true), located in osdep.c.
> 
> This will read /proc/sys/crypto/fips_enabled and set the static global
> 'fips_enabled' to true if this setting is on.
> 
> (Tangent: what does *this* setting actually control? Should QEMU
> meaningfully change its behavior when it's set?)
> 
> This static global is exposed via the getter fips_get_state(). This
> function is called only by vnc.c, and appears to disable the use of the
> password option for -vnc.
> 
> This seems very high-level and abstract for something that ultimately
> only disables VNC password authentication. Is this misleadingly abstract?
> 
> The docs state:
> "enable FIPS 140-2 compliance"
> 
> Like hell it does.

It prevents the use of non-FIPS crypto in QEMU, so it isn't that
inaccurate.

> Can we deprecate this? It was added in 2012 and never seemed to pursue
> the mission laid out in the help file. If we do still want it, the
> documentation should be changed dramatically to reflect what it actually
> does.
> 
> This is so at risk of bit-rot, and a misleading crypto flag is certainly
> worse than no crypto flag. I think it should just go.

I think it can go.

FIPS support in QEMU is only needed if using our own crypto code which
lacks FIPS compliance, which essentially means our Single DES impl.

Anyone who cares about FIPS should be building QEMU with crypto provided
by libgcrypt. This will take care of FIPS compliance automatically,
so there's nothing QEMU needs do itself.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|