From: Paolo Bonzini
Date: Fri, 13 Dec 2013 17:14:13 +0100
Message-ID: <52AB3255.3020509@redhat.com>
In-Reply-To: <52A0EA4D.1020606@redhat.com>
Subject: Re: [Qemu-devel] detecting -enable-fips
To: Eric Blake
Cc: "qemu-devel@nongnu.org"

On 05/12/2013 22:04, Eric Blake wrote:
> Commit 0f66998 added the command line option -enable-fips for qemu
> 1.2; but as of at least qemu 1.6, the 'query-command-line-options'
> QMP monitor command does not report it. This is particularly
> annoying since the command line option is conditional - it is
> present in Linux builds but absent in BSD builds. Does anyone know
> of any other QMP method for querying if this command line option is
> supported?

No, there is none. query-command-line-options only queries
QemuOpts-based options, and non-QemuOpts-based options are hardly
being added (because QemuOpts also means that people can use the
simpler -readconfig interface).

> Or am I just relegated to trying it and seeing if the option gets
> rejected?

I think libvirt should use -enable-fips unconditionally if FIPS mode
is enabled, even if that means that old QEMU will not work at all. On
BSDs, FIPS mode will never be enabled, so no problem.

> [I'm personally of the opinion that libvirt should use -enable-fips
> 100% of the time; I don't really see what it is buying us to have
> an option that can be enabled but not disabled, and where enabling
> it has no impact except when running in FIPS mode; especially when
> the other libraries in use on the system already honor FIPS mode
> without any extra command line option. But I'm not going to be the
> one to argue for a change in behavior other than the mere detection
> of the option.]

I agree.

Paolo
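
The approach suggested in the reply above, as an added example that is not part of the original message and is not libvirt or QEMU code: decide on -enable-fips from the host's FIPS state, since the QMP listing cannot confirm or deny the option. Assumptions: the host flag is read from the Linux kernel file /proc/sys/crypto/fips_enabled, the QMP reply is a constructed sample, and the function names are hypothetical.

```python
import json

# Constructed sample of a query-command-line-options reply (not captured
# from a real QEMU). Only QemuOpts-based option groups appear in it.
SAMPLE_QMP_REPLY = json.dumps({
    "return": [
        {"option": "machine", "parameters": [{"name": "accel", "type": "string"}]},
        {"option": "rtc", "parameters": [{"name": "base", "type": "string"}]},
    ]
})

# Assumption: Linux kernel FIPS switch; the file does not exist on BSD hosts.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def qmp_reports_option(reply_text, option):
    """True if the QMP reply lists `option` as a QemuOpts group."""
    reply = json.loads(reply_text)
    return any(entry.get("option") == option for entry in reply.get("return", []))


def host_fips_enabled(path=FIPS_FLAG):
    """True only if the flag file exists and contains 1."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        # Missing or unreadable flag file: treat the host as not in FIPS mode.
        return False


def qemu_fips_args(fips_path=FIPS_FLAG):
    """Extra QEMU arguments chosen from host state, not from a QMP probe."""
    return ["-enable-fips"] if host_fips_enabled(fips_path) else []


if __name__ == "__main__":
    # The probe is False even for a build that accepts the option, because
    # -enable-fips is not QemuOpts-based and is never listed.
    print("QMP lists enable-fips:", qmp_reports_option(SAMPLE_QMP_REPLY, "enable-fips"))
    print("extra args on this host:", qemu_fips_args())
```

With this policy a QEMU too old to know -enable-fips fails at startup on a FIPS-mode host instead of running without the option.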