From: Gonglei <arei.gonglei@huawei.com>
To: "Daniel P. Berrange" <berrange@redhat.com>
Cc: Kevin Wolf <kwolf@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
qemu-devel@nongnu.org, Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
Date: Fri, 22 May 2015 19:50:03 +0800 [thread overview]
Message-ID: <555F17EB.1010401@huawei.com> (raw)
In-Reply-To: <20150522113721.GI14428@redhat.com>
On 2015/5/22 19:37, Daniel P. Berrange wrote:
> On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
>> On 2015/5/21 18:56, Daniel P. Berrange wrote:
>>> This small series covers the crypto consolidation patches
>>> I previously posted as part of a larger RFC for the TLS work
>>>
>>> https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
>>>
>>> Currently there are a 5 main places in QEMU which use some
>>> form of cryptographic hash or cipher algorithm. These are
>>> the quorum block driver (hash), qcow[2] block driver (cipher),
>>> VNC password auth (cipher), VNC websockets (hash) and some
>>> of the CPU instruction emulation (cipher).
>>>
>>> For ciphers the code is using the in-tree implementations
>>> of AES and/or the RFB cripple-DES. While there is nothing
>>> broken about these implementations, it is none the less
>>> desirable to be able to use the GNUTLS provided impls in
>>> cases whre we are already linking to GNUTLS. This will
>>> allow QEMU to use FIPS certified implementations, which
>>> have been well audited, have some protection against
>>> side-channel leakage and are generally actively maintained
>>> by people knowledgable about encryption.
>>>
>> Can we use OpenSSL library in Qemu? If not, that's because of the license?
>
> There are differing opinions on OpenSSL licensing. Personally I consider
> it to be GPL incompatible because I don't accept the suggestion that openssl
> is exempt under the system libraries clause. In any case QEMU is already
> using GNUTLS and IME it has a more friendly API with better documentation
> than openssl or nss.
>
> That all said, one benefit of the crypto consolidation is that it makes it
> more feasible to plug in alternative crypto libraries, because all the
> gnutls specific code is isolated in one place, instead of spread across
> the entire codebase. I don't intend to do any work to support other
> crypto libraries though as I don't think there's any compelling benefit
> to them.
>
OK, I see, thanks.
BTW do you have a github branch which can be easier to test?
Regards,
-Gonglei
next prev parent reply other threads:[~2015-05-22 11:50 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-21 10:56 [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 01/10] crypto: introduce new module for computing hash digests Daniel P. Berrange
2015-05-28 13:28 ` Gonglei
2015-06-01 16:46 ` Daniel P. Berrange
2015-06-02 7:43 ` Markus Armbruster
2015-06-02 8:34 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 02/10] crypto: move built-in AES implementation into crypto/ Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 03/10] crypto: move built-in D3DES " Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 04/10] crypto: introduce generic cipher API & built-in implementation Daniel P. Berrange
2015-05-21 19:52 ` Richard Henderson
2015-05-22 9:10 ` Daniel P. Berrange
2015-05-29 2:39 ` Gonglei
2015-06-01 16:50 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 05/10] crypto: add a gcrypt cipher implementation Daniel P. Berrange
2015-05-29 3:53 ` Gonglei
2015-06-01 16:53 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 06/10] crypto: add a nettle " Daniel P. Berrange
2015-05-21 19:35 ` Richard Henderson
2015-05-29 6:36 ` Gonglei
2015-05-21 19:38 ` Richard Henderson
2015-05-22 9:05 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 07/10] block: convert quorum blockdrv to use crypto APIs Daniel P. Berrange
2015-05-29 6:49 ` Gonglei
2015-06-01 16:56 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 08/10] ui: convert VNC websockets " Daniel P. Berrange
2015-05-29 6:55 ` Gonglei
2015-05-21 10:56 ` [Qemu-devel] [PATCH 09/10] block: convert qcow/qcow2 to use generic cipher API Daniel P. Berrange
2015-05-29 7:16 ` Gonglei
2015-06-01 16:58 ` Daniel P. Berrange
2015-05-21 10:56 ` [Qemu-devel] [PATCH 10/10] ui: convert VNC " Daniel P. Berrange
2015-05-21 12:51 ` Eric Blake
2015-06-01 16:58 ` Daniel P. Berrange
2015-05-22 11:29 ` [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations Gonglei
2015-05-22 11:37 ` Daniel P. Berrange
2015-05-22 11:50 ` Gonglei [this message]
2015-05-22 12:12 ` Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=555F17EB.1010401@huawei.com \
--to=arei.gonglei@huawei.com \
--cc=berrange@redhat.com \
--cc=kraxel@redhat.com \
--cc=kwolf@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).