Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips

[Eric Blake <eblake@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2632 bytes --]

On 12/13/2013 08:06 AM, Jiri Denemark wrote:
> On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
>> On 05.12.2013 22:54, Eric Blake wrote:
>>> On a system that is enforcing FIPS, most libraries honor the
>>> current mode by default.  Qemu, on the other hand, refused to
>>> honor FIPS mode unless you add the '-enable-fips' command
>>> line option; worse, this option is not discoverable via QMP,
>>> and is only present on binaries built for Linux.  As far as
>>> I can tell, unconditionally using the option when it is
>>> available has no negative consequences (the option has no
>>> change to qemu behavior except when FIPS is enabled, at which
>>> point it cripples insecure VNC passwords which is the one thing
>>> that libvirt must not allow when FIPS is active).
>>>
>>> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474
>>
>> Sigh, oh boy, <your favorite swear-word>. ACK.
> 
> Don't we want to wait for QEMU to decide what they should be doing with
> -enable-fips to make it detectable?

I tried, and got no response:
https://lists.gnu.org/archive/html/qemu-devel/2013-12/msg00946.html

adding qemu-devel in CC for another try.

> If we push this patch, we can't
> basically move into detecting the option and enabling it only when
> detected since that could cause regressions for older QEMU version that
> supported the option but did not advertise it.

Not necessarily.  We can code things along these lines:
if qemu new enough to provide binary option detection:
    use detection results, use if present
else:
    if Linux:
        hard-code on
    else:
        assume unavailable

> If we just wait for the
> option to be detectable and enable it only when we detect its support in
> QEMU, we won't enable it for all possible QEMU versions but we won't
> regress in any way.

I'm not worried about regressions - if someone backports binary option
detection, we'll do the right thing; if they don't, then trying to the
option on a build where it is not present will give a nice loud failure
from qemu about an unrecognized command line option, which we would get
anyways even if binary option detection is not added in qemu and our
hard-code guess is wrong.  I'd rather have libvirt turn the option on
NOW (since it is a FIPS certification nightmare if we don't) than wait
for some future qemu to fix binary option detection and hope it gets
backported to any version of qemu that libvirt must drive in a FIPS
environment.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 621 bytes --]