mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 13:45:38 +00:00
qemuBuildCommandLine: Inline qemuCheckFips
Now that we store the state of the host FIPS mode setting in the qemu driver object, we don't need to outsource the logic into 'qemuCheckFips'. Additionally since we no longer support very old qemu's which would not yet have --enable-fips we can drop the part of the comment about very old qemus. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
This commit is contained in:
parent
9b765882cd
commit
2afaa6894e
@ -1769,32 +1769,6 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk)
|
||||
}
|
||||
|
||||
|
||||
/* QEMU 1.2 and later have a binary flag -enable-fips that must be
|
||||
* used for VNC auth to obey FIPS settings; but the flag only
|
||||
* exists on Linux, and with no way to probe for it via QMP. Our
|
||||
* solution: if FIPS mode is required, then unconditionally use
|
||||
* the flag, regardless of qemu version, for the following matrix:
|
||||
*
|
||||
* old QEMU new QEMU
|
||||
* FIPS enabled doesn't start VNC auth disabled
|
||||
* FIPS disabled/missing VNC auth enabled VNC auth enabled
|
||||
*
|
||||
* In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
|
||||
* where FIPS is required, QEMU must be built against libgcrypt
|
||||
* which automatically enforces FIPS compliance.
|
||||
*/
|
||||
bool
|
||||
qemuCheckFips(virDomainObj *vm)
|
||||
{
|
||||
qemuDomainObjPrivate *priv = vm->privateData;
|
||||
|
||||
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
|
||||
return false;
|
||||
|
||||
return priv->driver->hostFips;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* qemuDiskBusIsSD:
|
||||
* @bus: disk bus
|
||||
@ -10425,7 +10399,6 @@ qemuBuildCommandLine(virDomainObj *vm,
|
||||
const char *migrateURI,
|
||||
virDomainMomentObj *snapshot,
|
||||
virNetDevVPortProfileOp vmop,
|
||||
bool enableFips,
|
||||
size_t *nnicindexes,
|
||||
int **nicindexes,
|
||||
unsigned int flags)
|
||||
@ -10486,7 +10459,19 @@ qemuBuildCommandLine(virDomainObj *vm,
|
||||
if (qemuBuildPflashBlockdevCommandLine(cmd, priv) < 0)
|
||||
return NULL;
|
||||
|
||||
if (enableFips)
|
||||
/* QEMU 1.2 and later have a binary flag -enable-fips that must be
|
||||
* used for VNC auth to obey FIPS settings; but the flag only
|
||||
* exists on Linux, and with no way to probe for it via QMP. Our
|
||||
* solution: if FIPS mode is required, then unconditionally use the flag.
|
||||
*
|
||||
* In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
|
||||
* where FIPS is required, QEMU must be built against libgcrypt
|
||||
* which automatically enforces FIPS compliance.
|
||||
*
|
||||
* Note this is the only use of driver->hostFips.
|
||||
*/
|
||||
if (driver->hostFips &&
|
||||
virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
|
||||
virCommandAddArg(cmd, "-enable-fips");
|
||||
|
||||
if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps, priv) < 0)
|
||||
|
@ -51,7 +51,6 @@ virCommand *qemuBuildCommandLine(virDomainObj *vm,
|
||||
const char *migrateURI,
|
||||
virDomainMomentObj *snapshot,
|
||||
virNetDevVPortProfileOp vmop,
|
||||
bool enableFips,
|
||||
size_t *nnicindexes,
|
||||
int **nicindexes,
|
||||
unsigned int flags);
|
||||
@ -214,10 +213,6 @@ int qemuGetDriveSourceString(virStorageSource *src,
|
||||
bool
|
||||
qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk);
|
||||
|
||||
|
||||
bool
|
||||
qemuCheckFips(virDomainObj *vm);
|
||||
|
||||
virJSONValue *qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
|
||||
ATTRIBUTE_NONNULL(1);
|
||||
|
||||
|
@ -6391,9 +6391,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
|
||||
if (qemuConnectDomainXMLToNativePrepareHost(vm) < 0)
|
||||
return NULL;
|
||||
|
||||
if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL,
|
||||
qemuCheckFips(vm),
|
||||
commandlineflags)))
|
||||
if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL, commandlineflags)))
|
||||
return NULL;
|
||||
|
||||
return virCommandToString(cmd, false);
|
||||
|
@ -7448,7 +7448,6 @@ qemuProcessLaunch(virConnectPtr conn,
|
||||
if (!(cmd = qemuBuildCommandLine(vm,
|
||||
incoming ? "defer" : NULL,
|
||||
snapshot, vmop,
|
||||
qemuCheckFips(vm),
|
||||
&nnicindexes, &nicindexes, 0)))
|
||||
goto cleanup;
|
||||
|
||||
@ -7947,14 +7946,12 @@ qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
|
||||
virCommand *
|
||||
qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
|
||||
const char *migrateURI,
|
||||
bool enableFips,
|
||||
unsigned int flags)
|
||||
{
|
||||
return qemuBuildCommandLine(vm,
|
||||
migrateURI,
|
||||
NULL,
|
||||
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
|
||||
enableFips,
|
||||
NULL,
|
||||
NULL,
|
||||
flags);
|
||||
|
@ -99,7 +99,6 @@ int qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
|
||||
|
||||
virCommand *qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
|
||||
const char *migrateURI,
|
||||
bool enableFips,
|
||||
unsigned int flags);
|
||||
|
||||
int qemuProcessInit(virQEMUDriver *driver,
|
||||
|
@ -386,11 +386,9 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
|
||||
unsigned int flags)
|
||||
{
|
||||
qemuDomainObjPrivate *priv = vm->privateData;
|
||||
bool enableFips;
|
||||
size_t i;
|
||||
|
||||
drv->hostFips = flags & FLAG_FIPS_HOST;
|
||||
enableFips = drv->hostFips;
|
||||
|
||||
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
|
||||
VIR_QEMU_PROCESS_START_COLD) < 0)
|
||||
@ -486,12 +484,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
|
||||
}
|
||||
}
|
||||
|
||||
/* we can't use qemuCheckFips() directly as it queries host state */
|
||||
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
|
||||
enableFips = false;
|
||||
|
||||
return qemuProcessCreatePretendCmdBuild(vm, migrateURI,
|
||||
enableFips, 0);
|
||||
return qemuProcessCreatePretendCmdBuild(vm, migrateURI, 0);
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user