qemu-devel.nongnu.org archive mirror
* [Qemu-devel] detecting -enable-fips
@ 2013-12-05 21:04 Eric Blake
  2013-12-13 16:05 ` Eric Blake
  2013-12-13 16:14 ` Paolo Bonzini
  0 siblings, 2 replies; 3+ messages in thread
From: Eric Blake @ 2013-12-05 21:04 UTC
  To: qemu-devel@nongnu.org


Commit 0f66998 added the command line option -enable-fips for qemu 1.2;
but as of at least qemu 1.6, the 'query-command-line-options' QMP
monitor command does not report it.  This is particularly annoying since
the command line option is conditional - it is present in Linux builds
but absent in BSD builds.  Does anyone know of any other QMP method for
querying if this command line option is supported?  Or am I just
relegated to trying it and seeing if the option gets rejected?

[I'm personally of the opinion that libvirt should use -enable-fips 100%
of the time; I don't really see what it is buying us to have an option
that can be enabled but not disabled, and where enabling it has no
impact except when running in FIPS mode; especially when the other
libraries in use on the system already honor FIPS mode without any extra
command line option.  But I'm not going to be the one to argue for a
change in behavior other than the mere detection of the option.]

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



* Re: [Qemu-devel] detecting -enable-fips
  2013-12-05 21:04 [Qemu-devel] detecting -enable-fips Eric Blake
@ 2013-12-13 16:05 ` Eric Blake
  2013-12-13 16:14 ` Paolo Bonzini
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Blake @ 2013-12-13 16:05 UTC
  To: qemu-devel@nongnu.org


On 12/05/2013 02:04 PM, Eric Blake wrote:
> Commit 0f66998 added the command line option -enable-fips for qemu 1.2;
> but as of at least qemu 1.6, the 'query-command-line-options' QMP
> monitor command does not report it.  This is particularly annoying since
> the command line option is conditional - it is present in Linux builds
> but absent in BSD builds.  Does anyone know of any other QMP method for
> querying if this command line option is supported?  Or am I just
> relegated to trying it and seeing if the option gets rejected?
> 
> [I'm personally of the opinion that libvirt should use -enable-fips 100%
> of the time; I don't really see what it is buying us to have an option
> that can be enabled but not disabled, and where enabling it has no
> impact except when running in FIPS mode; especially when the other
> libraries in use on the system already honor FIPS mode without any extra
> command line option.  But I'm not going to be the one to argue for a
> change in behavior other than the mere detection of the option.]

Ping.  Any thoughts at all on how to detect boolean command-line options
via QMP?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



* Re: [Qemu-devel] detecting -enable-fips
  2013-12-05 21:04 [Qemu-devel] detecting -enable-fips Eric Blake
  2013-12-13 16:05 ` Eric Blake
@ 2013-12-13 16:14 ` Paolo Bonzini
  1 sibling, 0 replies; 3+ messages in thread
From: Paolo Bonzini @ 2013-12-13 16:14 UTC
  To: Eric Blake; +Cc: qemu-devel@nongnu.org


On 05/12/2013 22:04, Eric Blake wrote:
> Commit 0f66998 added the command line option -enable-fips for qemu
> 1.2; but as of at least qemu 1.6, the 'query-command-line-options'
> QMP monitor command does not report it.  This is particularly
> annoying since the command line option is conditional - it is
> present in Linux builds but absent in BSD builds.  Does anyone know
> of any other QMP method for querying if this command line option is
> supported?

No, there is none.

query-command-line-options only queries QemuOpts-based options, and
non-QemuOpts-based options are hardly being added (because QemuOpts
also means that people can use the simpler -readconfig interface).

> Or am I just relegated to trying it and seeing if the option gets
> rejected?

I think libvirt should use -enable-fips unconditionally if FIPS mode
is enabled, even if that means that old QEMU will not work at all.  On
BSDs, FIPS mode will never be enabled, so no problem.

> [I'm personally of the opinion that libvirt should use -enable-fips
> 100% of the time; I don't really see what it is buying us to have
> an option that can be enabled but not disabled, and where enabling
> it has no impact except when running in FIPS mode; especially when
> the other libraries in use on the system already honor FIPS mode
> without any extra command line option.  But I'm not going to be the
> one to argue for a change in behavior other than the mere detection
> of the option.]

I agree.

Paolo

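The outcome of this thread, sketched as an added example that is not code from QEMU, libvirt or any poster: a management layer reads a `query-command-line-options` reply, treats a missing switch as "unknown" rather than "unsupported", and adds `-enable-fips` purely on the host's FIPS state. The sample reply is constructed, the function names are hypothetical, and reading `/proc/sys/crypto/fips_enabled` as the Linux FIPS indicator is an assumption of this sketch.

```python
import json

# Constructed sample of a QMP 'query-command-line-options' reply (not captured
# from a real QEMU). Only QemuOpts-based option groups are listed in it.
SAMPLE_REPLY = json.loads("""
{"return": [
  {"option": "option-rom",
   "parameters": [{"name": "romfile", "type": "string"},
                  {"name": "bootindex", "type": "number"}]},
  {"option": "machine",
   "parameters": [{"name": "accel", "type": "string"}]}
]}
""")

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # assumption: Linux FIPS-mode flag


def reported_options(reply):
    """Map each option group in the reply to the set of its parameter names."""
    return {group["option"]: {p["name"] for p in group.get("parameters", [])}
            for group in reply.get("return", [])}


def probe(reply, option):
    """Return 'reported' if QMP lists the option, otherwise 'unknown'.

    Absence is never 'unsupported': switches that are not QemuOpts-based,
    such as -enable-fips, do not appear in the reply even when they exist.
    """
    return "reported" if option in reported_options(reply) else "unknown"


def host_fips_enabled(path=FIPS_FLAG):
    """True only if the flag file exists and contains '1'."""
    try:
        with open(path) as flag:
            return flag.read().strip() == "1"
    except OSError:  # no such file, e.g. on a BSD host
        return False


def qemu_args(base_args, fips_enabled):
    """Add -enable-fips whenever the host is in FIPS mode, with no QMP probe."""
    args = list(base_args)
    if fips_enabled and "-enable-fips" not in args:
        args.append("-enable-fips")
    return args
```

With this policy a QEMU too old to know the switch fails at startup on a FIPS host instead of running without it.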
