Re: [PATCH 1/4] softmmu: remove deprecated --enable-fips option

2022-03-04 Thread Eric Blake
On Fri, Mar 04, 2022 at 11:56:54AM +, Daniel P. Berrangé wrote:
> Users requiring FIPS support must build QEMU with either the libgcrypt
> or gnutls libraries for as the crytography backend.

s/for //

> 
> Signed-off-by: Daniel P. Berrangé 
> ---
>  docs/about/deprecated.rst   | 12 
>  docs/about/removed-features.rst | 11 +++
>  include/qemu/osdep.h|  3 ---
>  os-posix.c  |  8 
>  qemu-options.hx | 10 --
>  ui/vnc.c|  7 ---
>  util/osdep.c| 28 
>  7 files changed, 11 insertions(+), 68 deletions(-)

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.   +1-919-301-3266
Virtualization:  qemu.org | libvirt.org



Re: [PATCH 1/4] softmmu: remove deprecated --enable-fips option

2022-03-04 Thread Philippe Mathieu-Daudé

On 4/3/22 12:56, Daniel P. Berrangé wrote:

Users requiring FIPS support must build QEMU with either the libgcrypt
or gnutls libraries for as the crytography backend.

Signed-off-by: Daniel P. Berrangé 
---
  docs/about/deprecated.rst   | 12 
  docs/about/removed-features.rst | 11 +++
  include/qemu/osdep.h|  3 ---
  os-posix.c  |  8 
  qemu-options.hx | 10 --
  ui/vnc.c|  7 ---
  util/osdep.c| 28 
  7 files changed, 11 insertions(+), 68 deletions(-)


Reviewed-by: Philippe Mathieu-Daudé 



[PATCH 1/4] softmmu: remove deprecated --enable-fips option

2022-03-04 Thread Daniel P . Berrangé
Users requiring FIPS support must build QEMU with either the libgcrypt
or gnutls libraries as the cryptography backend.

Signed-off-by: Daniel P. Berrangé 
---
 docs/about/deprecated.rst   | 12 
 docs/about/removed-features.rst | 11 +++
 include/qemu/osdep.h|  3 ---
 os-posix.c  |  8 
 qemu-options.hx | 10 --
 ui/vnc.c|  7 ---
 util/osdep.c| 28 
 7 files changed, 11 insertions(+), 68 deletions(-)

diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 26d00812ba..a458dd453c 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -67,18 +67,6 @@ and will cause a warning.
 The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
 rather than ``delay=off``.
 
-``--enable-fips`` (since 6.0)
-'
-
-This option restricts usage of certain cryptographic algorithms when
-the host is operating in FIPS mode.
-
-If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
-library enabled as a cryptography provider.
-
-Neither the ``nettle`` library, or the built-in cryptography provider are
-supported on FIPS enabled hosts.
-
 ``-writeconfig`` (since 6.0)
 '
 
diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
index cb0575fd49..6ca66f658d 100644
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
 The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
 should be used instead.
 
+``--enable-fips`` (removed in 7.0)
+''
+
+This option restricted usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+or ``gnutls`` library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
 
 QEMU Machine Protocol (QMP) commands
 
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index 7bcce3bceb..66e70e24ff 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -534,9 +534,6 @@ static inline void qemu_timersub(const struct timeval *val1,
 
 void qemu_set_cloexec(int fd);
 
-void fips_set_state(bool requested);
-bool fips_get_state(void);
-
 /* Return a dynamically allocated pathname denoting a file or directory that is
  * appropriate for storing local state.
  *
diff --git a/os-posix.c b/os-posix.c
index ae6c9f2a5e..7cd662098e 100644
--- a/os-posix.c
+++ b/os-posix.c
@@ -151,14 +151,6 @@ int os_parse_cmd_args(int index, const char *optarg)
 case QEMU_OPTION_daemonize:
 daemonize = 1;
 break;
-#if defined(CONFIG_LINUX)
-case QEMU_OPTION_enablefips:
-warn_report("-enable-fips is deprecated, please build QEMU with "
-"the `libgcrypt` library as the cryptography provider "
-"to enable FIPS compliance");
-fips_set_state(true);
-break;
-#endif
 default:
 return -1;
 }
diff --git a/qemu-options.hx b/qemu-options.hx
index 094a6c1d7c..cb0c58904b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -4655,16 +4655,6 @@ HXCOMM Internal use
 DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
 DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
 
-#ifdef __linux__
-DEF("enable-fips", 0, QEMU_OPTION_enablefips,
-"-enable-fipsenable FIPS 140-2 compliance\n",
-QEMU_ARCH_ALL)
-#endif
-SRST
-``-enable-fips``
-Enable FIPS 140-2 compliance mode.
-ERST
-
 DEF("msg", HAS_ARG, QEMU_OPTION_msg,
 "-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
 "control error message format\n"
diff --git a/ui/vnc.c b/ui/vnc.c
index 3ccd33dedc..82b28aec95 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -4051,13 +4051,6 @@ void vnc_display_open(const char *id, Error **errp)
 password = qemu_opt_get_bool(opts, "password", false);
 }
 if (password) {
-if (fips_get_state()) {
-error_setg(errp,
-   "VNC password auth disabled due to FIPS mode, "
-   "consider using the VeNCrypt or SASL authentication "
-   "methods as an alternative");
-goto fail;
-}
 if (!qcrypto_cipher_supports(
 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
 error_setg(errp,
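Review bot: With the fips_get_state() gate removed, the `qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)` test on the following lines is the only thing left that stops DES-based VNC password auth on a FIPS host, and nothing at the call site records that this is now deliberate. The commit message says FIPS users must build with libgcrypt or gnutls, so presumably those backends report DES as unsupported in FIPS mode while the nettle and built-in providers would still accept it; that reliance is worth a comment above the check, e.g. `/* On FIPS hosts the libgcrypt/gnutls backends report DES as unsupported, so this check is also what rejects password auth there. */`. The error_setg message in that branch (cut off at the end of the hunk) could also mention FIPS mode as a likely cause, since the removed message pointed operators at VeNCrypt or SASL and the remaining one may not. vnc_display_open's body continues outside the hunk on both sides.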
diff --git a/util/osdep.c b/util/osdep.c
index 723cdcb004..456df9e81a 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -43,8 +43,6 @@ extern int madvise(char *, size_t, int);
 #include "qemu/hw-version.h"
 #include "monitor/monitor.h"
 
-static bool fips_enabled = false;
-
 static const char *hw_version =