qemu: Store state of FIPS in virQEMUDriver

Rather than re-query all the time we can cache the state of FIPS of the host as it will not change during the runtime of the guest. Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and also populate 'hostFips' in qemuxml2argvtest. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2024-12-22 13:45:38 +00:00 · 2022-05-16 12:47:19 +02:00 · 2022-05-16 12:47:19 +02:00 · b5fd6f2b68
commit b5fd6f2b68
parent 552790edf2
4 changed files with 16 additions and 13 deletions
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@ -1787,21 +1787,11 @@ bool
 qemuCheckFips(virDomainObj *vm)
 {
    qemuDomainObjPrivate *priv = vm->privateData;
-    virQEMUCaps *qemuCaps = priv->qemuCaps;

-    if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
        return false;

-    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
-        g_autofree char *buf = NULL;
-
-        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
-            return false;
-        if (STREQ(buf, "1\n"))
-            return true;
-    }
-
-    return false;
+    return priv->driver->hostFips;
 }


--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@ -251,6 +251,7 @@ struct _virQEMUDriver {
    /* Immutable values */
    bool privileged;
    char *embeddedRoot;
+    bool hostFips; /* FIPS mode is enabled on the host */

    /* Immutable pointers. Caller must provide locking */
    virStateInhibitCallback inhibitCallback;
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged,
    if (qemuMigrationDstErrorInit(qemu_driver) < 0)
        goto error;

+    /* qemu-5.1 and older requires use of '-enable-fips' flag when the host
+     * is in FIPS mode. We store whether FIPS is enabled */
+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+        g_autofree char *buf = NULL;
+
+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
+            qemu_driver->hostFips = STREQ(buf, "1\n");
+    }
+
    if (privileged) {
        g_autofree char *channeldir = NULL;

--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
                               unsigned int flags)
 {
    qemuDomainObjPrivate *priv = vm->privateData;
-    bool enableFips = !!(flags & FLAG_FIPS_HOST);
+    bool enableFips;
    size_t i;

+    drv->hostFips = flags & FLAG_FIPS_HOST;
+    enableFips = drv->hostFips;
+
    if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
                                           VIR_QEMU_PROCESS_START_COLD) < 0)
        return NULL;