From: Eric Blake
Date: Fri, 13 Dec 2013 09:15:17 -0700
Message-ID: <52AB3295.7060806@redhat.com>
In-Reply-To: <20131213151559.GB2801@redhat.com>
Subject: Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips
To: "Daniel P. Berrange", Michal Privoznik, libvir-list@redhat.com, "qemu-devel@nongnu.org"

On 12/13/2013 08:15 AM, Daniel P. Berrange wrote:
> QEMU already detects current FIPS enablement via the file
> /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
> This is really stupid given that all the crypto libraries that
> QEMU uses unconditionally look at the proc file. So by having this
> flag QEMU is in the insane situation where if FIPS is enabled then
> part of QEMU will honour FIPS settings but other parts of QEMU will
> not honour it until you pass --enable-fips. Insanity. So having
> libvirt pass --enable-fips unconditionally fixes this insanity as
> much as possible. Better yet if QEMU were to just remove the
> pointless --enable-fips arg and just respect the fips_enabled
> sysctl flag by default.

Agreed that qemu's current stance is insane, and that libvirt being forced to deal with it is not the ideal solution. But we've tried to fight the battle of getting qemu to just enable the FIPS check unconditionally (i.e. make -enable-fips a no-op, still existing for back-compat reasons, but behaving as if it were always requested), and so far have not had any luck. I'd rather patch libvirt now than wait for a future qemu (especially if it is still contentious to change the qemu behavior).

Shall I go ahead and push this libvirt patch?
-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
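The thread turns on one kernel flag, /proc/sys/crypto/fips_enabled, and on whether QEMU honours it only when -enable-fips is passed (current behaviour) or always (the behaviour Daniel and Eric would prefer). The program below is an added example, not QEMU's or libvirt's own code: it reads the sysctl the way a process would, treats a missing or unparseable file as "FIPS off" (the kernel writes "1\n" or "0\n", and no FIPS flag means no FIPS mode), and puts the two policies side by side. All function names are this example's own.

```c
/* Added example (not QEMU's or libvirt's code): detect Linux FIPS mode
 * from the sysctl the thread discusses and compare the two policies. */
#include <stdbool.h>
#include <stdio.h>

/* Path of the kernel flag referred to in the thread. */
#define FIPS_SYSCTL_PATH "/proc/sys/crypto/fips_enabled"

/* Interpret the text of fips_enabled. The kernel writes "1\n" when FIPS
 * mode is on and "0\n" otherwise; anything else (empty read, garbage) is
 * treated as "off", matching the kernel's own default of not-enabled. */
bool fips_flag_from_text(const char *text)
{
    while (*text == ' ' || *text == '\t') {
        text++;
    }
    /* Accept exactly a single '1' at end of input or before a newline. */
    return text[0] == '1' && (text[1] == '\0' || text[1] == '\n');
}

/* Read the sysctl at @path. A missing file (non-Linux host, or a kernel
 * built without the FIPS flag) reads as "not enabled". */
bool read_fips_sysctl(const char *path)
{
    char buf[16];
    bool on = false;
    FILE *fp = fopen(path, "r");

    if (!fp) {
        return false;
    }
    if (fgets(buf, sizeof(buf), fp)) {
        on = fips_flag_from_text(buf);
    }
    fclose(fp);
    return on;
}

/* Behaviour described in the thread: the kernel flag is honoured only
 * when the -enable-fips command-line option was also given. */
bool fips_policy_current(bool sysctl_on, bool enable_fips_arg)
{
    return enable_fips_arg && sysctl_on;
}

/* Behaviour Daniel and Eric argue for: honour the kernel flag regardless,
 * so -enable-fips becomes a no-op kept only for backward compatibility. */
bool fips_policy_proposed(bool sysctl_on, bool enable_fips_arg)
{
    (void)enable_fips_arg;
    return sysctl_on;
}

int main(void)
{
    bool on = read_fips_sysctl(FIPS_SYSCTL_PATH);

    printf("%s: %s\n", FIPS_SYSCTL_PATH, on ? "1 (FIPS mode)" : "0 or absent");
    printf("current policy, no -enable-fips:  %s\n",
           fips_policy_current(on, false) ? "enforced" : "ignored");
    printf("proposed policy, no -enable-fips: %s\n",
           fips_policy_proposed(on, false) ? "enforced" : "ignored");
    return 0;
}
```

Run on a host with FIPS mode on, the two policy lines differ exactly in the way the thread complains about: the current policy reports "ignored" unless -enable-fips is on the command line, the proposed one reports "enforced" either way. The parser is deliberately strict about "1" so that a truncated or odd read can never switch the process into a mode the kernel did not request.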