Hi,

>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and a
>> password is set? I agree with the assessment that we should never
>> silently drop features. So the best way to make sure that the user
>> knows he did something stupid (enable FIPS, but require a non-FIPS
>> compliant authentication method) would be to just quit, no?
>
> I think my primary requirement is: allow a user to use vnc
> authentication even when fips mode is active by using some command line
> option.

That doesn't make sense to me at all. If fips is enabled by accident
just disable it. If fips is enabled intentionally I don't think qemu
should ignore it and allow to use weak vnc auth. Fips users should set up
sasl instead I guess ...

cheers,
  Gerd