From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Beraldo Leal" <bleal@redhat.com>,
libvir-list@redhat.com,
"Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Wainer dos Santos Moschetta" <wainersm@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Alex Bennée" <alex.bennee@linaro.org>
Subject: [PULL 1/3] softmmu: remove deprecated --enable-fips option
Date: Tue, 26 Apr 2022 16:13:21 +0100 [thread overview]
Message-ID: <20220426151323.729982-2-berrange@redhat.com> (raw)
In-Reply-To: <20220426151323.729982-1-berrange@redhat.com>
Users requiring FIPS support must build QEMU with either the libgcrypt
or gnutls libraries as the crytography backend.
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
docs/about/deprecated.rst | 12 ------------
docs/about/removed-features.rst | 11 +++++++++++
include/qemu/osdep.h | 3 ---
os-posix.c | 8 --------
qemu-options.hx | 10 ----------
ui/vnc.c | 7 -------
util/osdep.c | 28 ----------------------------
7 files changed, 11 insertions(+), 68 deletions(-)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index cf02ef6821..257cc15f82 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -67,18 +67,6 @@ and will cause a warning.
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
rather than ``delay=off``.
-``--enable-fips`` (since 6.0)
-'''''''''''''''''''''''''''''
-
-This option restricts usage of certain cryptographic algorithms when
-the host is operating in FIPS mode.
-
-If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
-library enabled as a cryptography provider.
-
-Neither the ``nettle`` library, or the built-in cryptography provider are
-supported on FIPS enabled hosts.
-
``-writeconfig`` (since 6.0)
'''''''''''''''''''''''''''''
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
index 4b831ea291..a66f4b73b2 100644
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
should be used instead.
+``--enable-fips`` (removed in 7.1)
+''''''''''''''''''''''''''''''''''
+
+This option restricted usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+or ``gnutls`` library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
QEMU Machine Protocol (QMP) commands
------------------------------------
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index baaa23c156..52d81c027b 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]);
void qemu_set_cloexec(int fd);
-void fips_set_state(bool requested);
-bool fips_get_state(void);
-
/* Return a dynamically allocated directory path that is appropriate for storing
* local state.
*
diff --git a/os-posix.c b/os-posix.c
index faf6e6978b..1b746dba97 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg)
case QEMU_OPTION_daemonize:
daemonize = 1;
break;
-#if defined(CONFIG_LINUX)
- case QEMU_OPTION_enablefips:
- warn_report("-enable-fips is deprecated, please build QEMU with "
- "the `libgcrypt` library as the cryptography provider "
- "to enable FIPS compliance");
- fips_set_state(true);
- break;
-#endif
default:
return -1;
}
diff --git a/qemu-options.hx b/qemu-options.hx
index 34e9b32a5c..1764eebfaf 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4673,16 +4673,6 @@ HXCOMM Internal use
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
-#ifdef __linux__
-DEF("enable-fips", 0, QEMU_OPTION_enablefips,
- "-enable-fips enable FIPS 140-2 compliance\n",
- QEMU_ARCH_ALL)
-#endif
-SRST
-``-enable-fips``
- Enable FIPS 140-2 compliance mode.
-ERST
-
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
" control error message format\n"
diff --git a/ui/vnc.c b/ui/vnc.c
index badf1d7664..1347e27b5b 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp)
password = qemu_opt_get_bool(opts, "password", false);
}
if (password) {
- if (fips_get_state()) {
- error_setg(errp,
- "VNC password auth disabled due to FIPS mode, "
- "consider using the VeNCrypt or SASL authentication "
- "methods as an alternative");
- goto fail;
- }
if (!qcrypto_cipher_supports(
QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
error_setg(errp,
diff --git a/util/osdep.c b/util/osdep.c
index c7aec36f22..60fcbbaebe 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -31,8 +31,6 @@
#include "qemu/hw-version.h"
#include "monitor/monitor.h"
-static bool fips_enabled = false;
-
static const char *hw_version = QEMU_HW_VERSION;
int socket_set_cork(int fd, int v)
@@ -514,32 +512,6 @@ const char *qemu_hw_version(void)
return hw_version;
}
-void fips_set_state(bool requested)
-{
-#ifdef __linux__
- if (requested) {
- FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
- if (fds != NULL) {
- fips_enabled = (fgetc(fds) == '1');
- fclose(fds);
- }
- }
-#else
- fips_enabled = false;
-#endif /* __linux__ */
-
-#ifdef _FIPS_DEBUG
- fprintf(stderr, "FIPS mode %s (requested %s)\n",
- (fips_enabled ? "enabled" : "disabled"),
- (requested ? "enabled" : "disabled"));
-#endif
-}
-
-bool fips_get_state(void)
-{
- return fips_enabled;
-}
-
#ifdef _WIN32
static void socket_cleanup(void)
{
--
2.35.1
next prev parent reply other threads:[~2022-04-26 15:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 15:13 [PULL 0/3] Misc next patches Daniel P. Berrangé
2022-04-26 15:13 ` Daniel P. Berrangé [this message]
2022-04-26 15:13 ` [PULL 2/3] hw/char: fix qcode array bounds check in ESCC impl Daniel P. Berrangé
2022-04-26 15:13 ` [PULL 3/3] github: fix config mistake preventing repo lockdown commenting Daniel P. Berrangé
2022-04-26 20:12 ` [PULL 0/3] Misc next patches Richard Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220426151323.729982-2-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=alex.bennee@linaro.org \
--cc=bleal@redhat.com \
--cc=f4bug@amsat.org \
--cc=kraxel@redhat.com \
--cc=libvir-list@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
--cc=wainersm@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).