Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips

[Eric Blake]

On 12/13/2013 08:06 AM, Jiri Denemark wrote:
 On Fri, Dec 13, 2013 at 15:58:55 +0100, Michal Privoznik wrote:
 On 05.12.2013 22:54, Eric Blake wrote:
 On a system that is enforcing FIPS, most libraries honor the
 current mode by default.  Qemu, on the other hand, refused to
 honor FIPS mode unless you add the '-enable-fips' command
 line option; worse, this option is not discoverable via QMP,
 and is only present on binaries built for Linux.  As far as
 I can tell, unconditionally using the option when it is
 available has no negative consequences (the option has no
 change to qemu behavior except when FIPS is enabled, at which
 point it cripples insecure VNC passwords which is the one thing
 that libvirt must not allow when FIPS is active).

 This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474

 Sigh, oh boy, your favorite swear-word. ACK.
 
 Don't we want to wait for QEMU to decide what they should be doing with
 -enable-fips to make it detectable?

I tried, and got no response:
https://lists.gnu.org/archive/html/qemu-devel/2013-12/msg00946.html

adding qemu-devel in CC for another try.

 If we push this patch, we can't
 basically move into detecting the option and enabling it only when
 detected since that could cause regressions for older QEMU version that
 supported the option but did not advertise it.

Not necessarily.  We can code things along these lines:
if qemu new enough to provide binary option detection:
use detection results, use if present
else:
if Linux:
hard-code on
else:
assume unavailable

 If we just wait for the
 option to be detectable and enable it only when we detect its support in
 QEMU, we won't enable it for all possible QEMU versions but we won't
 regress in any way.

I'm not worried about regressions - if someone backports binary option
detection, we'll do the right thing; if they don't, then trying to the
option on a build where it is not present will give a nice loud failure
from qemu about an unrecognized command line option, which we would get
anyways even if binary option detection is not added in qemu and our
hard-code guess is wrong.  I'd rather have libvirt turn the option on
NOW (since it is a FIPS certification nightmare if we don't) than wait
for some future qemu to fix binary option detection and hope it gets
backported to any version of qemu that libvirt must drive in a FIPS
environment.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature

Re: [Qemu-devel] [libvirt] [PATCH] qemu: always ask for -enable-fips

[Eric Blake]

On 12/13/2013 08:15 AM, Daniel P. Berrange wrote:
 QEMU already detects current FIPs enablement via the file
 /proc/sys/crypto/fips_enabled, but only if you use --enable-fips.
 This is really stupid given that all the crypto libraries that
 QEMU uses unconditonally look at the proc file. So by having this
 flag QEMU is in the insane situation where if FIPS is enabled then
 part of QEMU will honour FIPS settings but other parts of QEMU will
 not honour it until you pass --enable-fips. Insanity. So having
 libvirt pass --enable-fips unconditionally fixes this insanity as
 much as possible. Better yet if QEMU were to just remove the
 pointless --enable-fips arg and just respect the fips_enabled
 sysctl flag by default.

Agreed that qemu's current stance is insane, and that libvirt being
forced to deal with it is not the ideal solution.  But we've tried to
fight the battle of getting qemu to just enable the FIPS check
unconditionally (ie. make -enable-fips a no-op, still existing for
back-compat reasons, but behaving as if it were always requested), and
so far have not had any luck.  I'd rather patch libvirt now than wait
for a future qemu (especially if it is still contentious to change the
qemu behavior).

Shall I go ahead and push this libvirt patch?

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org



signature.asc
Description: OpenPGP digital signature