qemuBuildCommandLine: Inline qemuCheckFips

Now that we store the state of the host FIPS mode setting in the qemu
driver object, we don't need to outsource the logic into
'qemuCheckFips'.

Additionally, since we no longer support very old qemus which would not
yet have --enable-fips, we can drop the part of the comment about very
old qemus.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa 2022-05-16 13:47:28 +02:00
parent 9b765882cd
commit 2afaa6894e
6 changed files with 15 additions and 48 deletions


@ -1769,32 +1769,6 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk)
}
/* QEMU 1.2 and later have a binary flag -enable-fips that must be
* used for VNC auth to obey FIPS settings; but the flag only
* exists on Linux, and with no way to probe for it via QMP. Our
* solution: if FIPS mode is required, then unconditionally use
* the flag, regardless of qemu version, for the following matrix:
*
* old QEMU new QEMU
* FIPS enabled doesn't start VNC auth disabled
* FIPS disabled/missing VNC auth enabled VNC auth enabled
*
* In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
* where FIPS is required, QEMU must be built against libgcrypt
* which automatically enforces FIPS compliance.
*/
bool
qemuCheckFips(virDomainObj *vm)
{
qemuDomainObjPrivate *priv = vm->privateData;
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
return false;
return priv->driver->hostFips;
}
/**
* qemuDiskBusIsSD:
* @bus: disk bus
@ -10425,7 +10399,6 @@ qemuBuildCommandLine(virDomainObj *vm,
const char *migrateURI,
virDomainMomentObj *snapshot,
virNetDevVPortProfileOp vmop,
bool enableFips,
size_t *nnicindexes,
int **nicindexes,
unsigned int flags)
@ -10486,7 +10459,19 @@ qemuBuildCommandLine(virDomainObj *vm,
if (qemuBuildPflashBlockdevCommandLine(cmd, priv) < 0)
return NULL;
if (enableFips)
/* QEMU 1.2 and later have a binary flag -enable-fips that must be
* used for VNC auth to obey FIPS settings; but the flag only
* exists on Linux, and with no way to probe for it via QMP. Our
* solution: if FIPS mode is required, then unconditionally use the flag.
*
* In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
* where FIPS is required, QEMU must be built against libgcrypt
* which automatically enforces FIPS compliance.
*
* Note this is the only use of driver->hostFips.
*/
if (driver->hostFips &&
virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
virCommandAddArg(cmd, "-enable-fips");
if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps, priv) < 0)
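Review bot: The rewritten comment still says "if FIPS mode is required, then unconditionally use the flag", but the condition that follows, `if (driver->hostFips && virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))`, gates the argument on the capability, so the prose now contradicts the code it introduces; `* solution: if FIPS mode is required and the binary advertises the flag, use it.` would describe what is actually done, and a reader auditing FIPS behaviour would otherwise assume the flag is always passed on a FIPS host. The line `* Note this is the only use of driver->hostFips.` is only true of reads, since qemuxml2argvtest.c assigns `drv->hostFips` in this same commit; `* Note this is the only place driver->hostFips is consulted.` is more precise. `driver` and `priv` are declared outside the hunk, and qemuBuildCommandLine continues before and after it, so I am assuming they are the driver and private-data locals the function already uses.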


@ -51,7 +51,6 @@ virCommand *qemuBuildCommandLine(virDomainObj *vm,
const char *migrateURI,
virDomainMomentObj *snapshot,
virNetDevVPortProfileOp vmop,
bool enableFips,
size_t *nnicindexes,
int **nicindexes,
unsigned int flags);
@ -214,10 +213,6 @@ int qemuGetDriveSourceString(virStorageSource *src,
bool
qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk);
bool
qemuCheckFips(virDomainObj *vm);
virJSONValue *qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
ATTRIBUTE_NONNULL(1);


@ -6391,9 +6391,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
if (qemuConnectDomainXMLToNativePrepareHost(vm) < 0)
return NULL;
if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL,
qemuCheckFips(vm),
commandlineflags)))
if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL, commandlineflags)))
return NULL;
return virCommandToString(cmd, false);


@ -7448,7 +7448,6 @@ qemuProcessLaunch(virConnectPtr conn,
if (!(cmd = qemuBuildCommandLine(vm,
incoming ? "defer" : NULL,
snapshot, vmop,
qemuCheckFips(vm),
&nnicindexes, &nicindexes, 0)))
goto cleanup;
@ -7947,14 +7946,12 @@ qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
virCommand *
qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
const char *migrateURI,
bool enableFips,
unsigned int flags)
{
return qemuBuildCommandLine(vm,
migrateURI,
NULL,
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
enableFips,
NULL,
NULL,
flags);


@ -99,7 +99,6 @@ int qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
virCommand *qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
const char *migrateURI,
bool enableFips,
unsigned int flags);
int qemuProcessInit(virQEMUDriver *driver,


@ -386,11 +386,9 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
unsigned int flags)
{
qemuDomainObjPrivate *priv = vm->privateData;
bool enableFips;
size_t i;
drv->hostFips = flags & FLAG_FIPS_HOST;
enableFips = drv->hostFips;
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
VIR_QEMU_PROCESS_START_COLD) < 0)
@ -486,12 +484,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
}
}
/* we can't use qemuCheckFips() directly as it queries host state */
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
enableFips = false;
return qemuProcessCreatePretendCmdBuild(vm, migrateURI,
enableFips, 0);
return qemuProcessCreatePretendCmdBuild(vm, migrateURI, 0);
}
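Review bot: With the removed comment "we can't use qemuCheckFips() directly as it queries host state" gone, nothing in testCompareXMLToArgvCreateArgs explains why `drv->hostFips = flags & FLAG_FIPS_HOST;` is there, or that the capability half of the old test-side check now lives in qemuBuildCommandLine; the next person touching the FIPS argv tests will have to rediscover that the real host's FIPS state is deliberately not consulted. A short comment above that assignment would keep the intent visible, e.g. `/* FLAG_FIPS_HOST simulates a FIPS-enabled host; the -enable-fips argument is still gated on QEMU_CAPS_ENABLE_FIPS inside qemuBuildCommandLine */`. The hunk is split in two and the body of testCompareXMLToArgvCreateArgs between them is outside the view, so I cannot tell whether `priv` is still used after the removal of the `virQEMUCapsGet` check; if it is not, the `qemuDomainObjPrivate *priv` local on the context line would now be unused.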