From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([208.118.235.92]:35881) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SbiUN-0000zY-PV for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:23:17 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SbiUL-000820-P3 for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:23:15 -0400 Received: from mail-pb0-f45.google.com ([209.85.160.45]:52980) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1SbiUL-00081u-J2 for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:23:13 -0400 Received: by pbbro12 with SMTP id ro12so7323845pbb.4 for ; Mon, 04 Jun 2012 18:23:12 -0700 (PDT) Message-ID: <4FCD5F78.9090102@codemonkey.ws> Date: Tue, 05 Jun 2012 09:23:04 +0800 From: Anthony Liguori MIME-Version: 1.0 References: <20120502193256.6508.86360.stgit@sifl> <4FCAB60E.1070107@codemonkey.ws> <10302697.mednriu9QL@sifl> <4FCD409C.70003@codemonkey.ws> <1E364312-A64D-4D14-90A4-89C8F2BA8A54@suse.de> <4FCD4ACF.4000809@codemonkey.ws> <4FCD5AD1.9080406@codemonkey.ws> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Alexander Graf Cc: Paul Moore , qemu-devel Developers , Roman Drahtmueller On 06/05/2012 09:08 AM, Alexander Graf wrote: > > On 05.06.2012, at 03:03, Anthony Liguori wrote: > >> On 06/05/2012 08:55 AM, Alexander Graf wrote: >>> >>> On 05.06.2012, at 01:54, Anthony Liguori wrote: >>> >>>> Have you ever experienced a random failure on an SELinux box that made no logical sense? Out of desperation, you setenforce 0 and magically, thinks work again. >>> >>> Yeah - I never understood how anyone thought it makes sense to enable SELinux globally be default.... Either way, FIPS hopefully isn't something you find enabled by accident anywhere. >>> >>>> Even if the user enabled fips mode, they may not understand that this means VNC authentication will stop working. Providing an option (1) allows the user to discover what the problem is (2) makes the behavior much more clear. >>> >>> Where would you want the option to live? Compile time would be useless - users don't recompile QEMU, they take binary packages. A runtime option? Who would enable that runtime option then? Libvirt by default I suppose? So you're back in the same hell. RH would patch libvirt to always pass in -enable-fips and nothing would be different. >> >> A QemuOpts option that is disabled by default but can be enabled through /etc/qemu/target-x86_64.conf >> >> If any distribution wants to enable it as part of the default configuration, they certainly can. But a user can override it if they want to. >> >> Likewise, libvirt can enable it by default if they are so inclined. At least the qemu logs from libvirt will show -enable-fips-mode >> >>> >>>> Removing features based on a magic procfs variable with no input from the user is a bad idea IMHO. >>> >>> But it's the design of the Linux FIPS model. >> >> Just because someone made a bad choice, that doesn't mean we have to continue to make bad choices ourselves. >> >> This whole feature is ridiculous from a technical perspective. As you said, disabling VNC auth but allowing no-password to be used is simply moronic. >> >> I understand why we have to support these things, but it should not be the default behavior. > > Fair enough, but I don't think a > > ### log file ### > > qemu-kvm -enable-fips > > ### end of log file ### > > vs > > ### log file ### > > qemu-kvm