From: Anthony Liguori
To: "Daniel P. Berrange"
Cc: Paul Moore, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] [PATCH v4] vnc: disable VNC password authentication (security type 2) when in FIPS mode
Date: Tue, 31 Jul 2012 15:52:33 -0500
Message-ID: <877gtjhcvi.fsf@codemonkey.ws>
In-Reply-To: <20120731201257.GC4333@redhat.com>
References: <20120608213809.24584.63909.stgit@sifl> <6590893.1xqK9cpKEY@sifl> <87ehnr7lp4.fsf@codemonkey.ws> <20120731201257.GC4333@redhat.com>

"Daniel P. Berrange" writes:

> On Tue, Jul 31, 2012 at 02:52:07PM -0500, Anthony Liguori wrote:
>> Paul Moore writes:
>>
>> > On Friday, June 08, 2012 05:38:12 PM Paul Moore wrote:
>> >> FIPS 140-2 requires disabling certain ciphers, including DES, which is used
>> >> by VNC to obscure passwords when they are sent over the network. The
>> >> solution for FIPS users is to disable the use of VNC password auth when the
>> >> host system is operating in FIPS mode.
>> >>
>> >> This patch causes QEMU to emit a message to stderr when the host system is
>> >> running in FIPS mode and a VNC password was specified on the command line.
>> >> If the system is not running in FIPS mode, or is running in FIPS mode but
>> >> VNC password authentication was not requested, QEMU operates normally.
>> >>
>> >> Signed-off-by: Paul Moore
>> >
>> > Hi Anthony,
>> >
>> > Any word on this patch? Other than Daniel Berrange's reviewed-by tag, the
>> > discussion of the v4 patch has been quiet and I think we addressed all the
>> > other remaining issues in the discussion attached to the v2 patch
>> > posting.
>>
>> I asked for the specific language in FIPS mandating this. I don't see
>> any other VNC server implementing a check like this. I would rather do
>> this in a more user friendly fashion like make it a config file option
>> that a user can set while in fips mode.
>
> The FIPS standard doesn't refer to particular applications like VNC.
> As Paul says earlier, FIPS 140-2 requires that DES (and certain other
> ciphers) not be used in any applications which are running in a FIPS
> compliant environment. Since VNC auth uses DES, this auth scheme
> cannot be permitted in a FIPS environment.

OpenSSL requires an explicit function call to enable fips mode--FIPS_mode_set(). It's not something that happens unconditionally behind the scenes.

From talking to some folks here, it seems like an -enable-fips option would meet the requirements of FIPS.

> The reason no other VNC server does this is almost certainly because
> none of their developers have ever tried to have their code work in
> a FIPS environment, so I don't think that's a relevant comparison.
>
> I'm not really sure what adding more configuration options gains
> us here. The choice of auth mode is already configurable. This patch
> is about ensuring that the user is not allowed to configure it, if
> FIPS mode is in effect (as indicated by the kernel's sysfs tunable).
> So in fact adding config params doesn't really address this.

Disabling options unconditionally based on a magic kernel parameter is fundamentally wrong. If a user wants QEMU to participate in FIPS, it should explicitly ask QEMU to. Since OpenSSL also does this, there seems to be ample precedent for it.

> The proposed patch is already very straightforward, is using the
> official interface exposed by the upstream kernel to userspace &
> has negligible maintenance burden IMHO.

It's not QEMU's role to enforce security policy. Unconditionally disabling features goes against a very basic architectural assumption in QEMU.

From what I'm told, there's nothing in FIPS that prevents us from masking this behavior behind a command line option. And I think that's the right thing to do.

Regards,

Anthony Liguori

> Regards,
> Daniel
> --
> |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org -o- http://virt-manager.org :|
> |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
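The two policies argued over in this thread, side by side, as an added illustration that is not the posted patch and not QEMU code: the first follows the kernel's FIPS tunable unconditionally (the patch as described), the second only honours a hypothetical explicit -enable-fips switch (Anthony's counter-proposal). The sysfs path /proc/sys/crypto/fips_enabled is the Linux tunable the patch is assumed to read; the stderr wording, the policy enum and the function names are this example's own, and the "1"/"0" file used in main() is a constructed stand-in for the real tunable so the program runs on any host.

```c
#include <stdio.h>
#include <string.h>

/* Linux kernel tunable; reads "1\n" when the host runs in FIPS mode. Assumed
 * to be the "sysfs tunable" the thread refers to. */
#define FIPS_SYSFS_PATH "/proc/sys/crypto/fips_enabled"

/* RFB security types relevant to the patch. */
#define VNC_AUTH_NONE 1
#define VNC_AUTH_VNC  2   /* password auth: DES-based challenge/response */

typedef enum {
    FIPS_POLICY_HOST,   /* patch as posted: follow the kernel tunable unconditionally */
    FIPS_POLICY_OPTIN   /* counter-proposal: hypothetical -enable-fips flag decides */
} fips_policy_t;

/* Returns 1 if the file at path starts with '1' (FIPS mode on), else 0.
 * A missing file (kernel built without FIPS support) counts as "not FIPS". */
int fips_enabled_from(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) {
        return 0;
    }
    int c = fgetc(f);
    fclose(f);
    return c == '1';
}

/* Decide whether the process should behave as if in FIPS mode under a policy. */
int fips_mode_active(fips_policy_t policy, int enable_fips_flag, const char *sysfs_path)
{
    switch (policy) {
    case FIPS_POLICY_HOST:
        return fips_enabled_from(sysfs_path);
    case FIPS_POLICY_OPTIN:
        return enable_fips_flag;   /* user asked for it; host state not consulted */
    }
    return 0;
}

/* Validate a requested RFB security type. Returns the type to use, or -1 when
 * password auth must be refused (message text is this example's, not QEMU's). */
int vnc_select_auth(int requested_auth, int fips_active)
{
    if (requested_auth == VNC_AUTH_VNC && fips_active) {
        fprintf(stderr, "VNC password auth disabled: FIPS mode forbids DES\n");
        return -1;
    }
    return requested_auth;
}

/* Demonstration helper: write a one-line fips_enabled-style file. */
static int write_flag_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f) {
        return 0;
    }
    fputs(content, f);
    fclose(f);
    return 1;
}

int main(void)
{
    /* Constructed stand-in for /proc/sys/crypto/fips_enabled reporting FIPS on. */
    const char *fake = "fips_enabled.constructed";
    write_flag_file(fake, "1\n");

    int host  = fips_mode_active(FIPS_POLICY_HOST, 0, fake);
    int optin = fips_mode_active(FIPS_POLICY_OPTIN, 0, fake);
    printf("host policy:   fips=%d -> auth %d\n", host, vnc_select_auth(VNC_AUTH_VNC, host));
    printf("opt-in policy: fips=%d -> auth %d\n", optin, vnc_select_auth(VNC_AUTH_VNC, optin));
    printf("this host:     fips=%d\n", fips_enabled_from(FIPS_SYSFS_PATH));

    remove(fake);
    return 0;
}
```

With the host policy the constructed file alone is enough to refuse security type 2; with the opt-in policy the same host state is ignored unless the flag is set, which is exactly the behavioural difference the thread is debating.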