Mirror of https://gitlab.com/libvirt/libvirt.git (synced 2025-02-22 03:12:22 +00:00)
On a system that is enforcing FIPS, most libraries honor the current mode by default. Qemu, on the other hand, refused to honor FIPS mode unless you add the '-enable-fips' command line option; worse, this option is not discoverable via QMP, and is only present on binaries built for Linux.

So, if we detect FIPS mode, then we unconditionally ask for FIPS; either qemu is new enough to have the option and then correctly cripple insecure VNC passwords, or it is so old that we are correctly avoiding a FIPS violation by preventing qemu from starting. Meanwhile, if we don't detect FIPS mode, then omitting the argument is safe whether the qemu has the option (but it would do nothing because FIPS is disabled) or whether qemu lacks the option (including in the case where we are not running on Linux).

The testsuite was a bit interesting: we don't want our test to depend on whether it is being run in FIPS mode, so I had to tweak things to set the capability bit outside of our normal interaction with capability parsing.

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474

* src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally set capability according to detection of FIPS mode.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
* tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set capability to test expected output.
* tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
* tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
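The decision described in the commit message above, as an added example that is not libvirt's own code. It assumes FIPS mode is detected by reading the Linux kernel flag file /proc/sys/crypto/fips_enabled (the page does not say how detection is done); the function names and the qemu binary name in main() are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: the host's FIPS state is read from the kernel's flag file. */
#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

/* Returns 1 if the flag file at `path` contains exactly "1", else 0.
 * A missing or unreadable file (for example a non-Linux host) is treated
 * as "not FIPS", matching the case where omitting the option is safe. */
int host_fips_enabled(const char *path)
{
    char buf[8] = {0};
    FILE *fp = fopen(path, "r");

    if (!fp)
        return 0;
    if (!fgets(buf, sizeof(buf), fp))
        buf[0] = '\0';
    fclose(fp);
    buf[strcspn(buf, "\r\n")] = '\0';   /* strip the trailing newline */
    return strcmp(buf, "1") == 0;
}

/* Appends "-enable-fips" when the host enforces FIPS, regardless of the
 * qemu version: a qemu too old to know the option then fails to start,
 * which avoids running it in violation of FIPS.
 * Returns the new argc, or -1 if argv (capacity `cap`) has no room. */
int add_fips_arg(const char **argv, int argc, int cap, int fips)
{
    if (!fips)
        return argc;
    if (argc + 1 >= cap)                /* keep a slot for the NULL terminator */
        return -1;
    argv[argc++] = "-enable-fips";
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    /* Hypothetical binary name and starting arguments. */
    const char *argv[8] = { "qemu-system-x86_64", "-S", NULL };
    int argc = add_fips_arg(argv, 2, 8, host_fips_enabled(FIPS_FLAG_PATH));

    for (int i = 0; i < argc; i++)
        printf("%s%s", argv[i], i + 1 < argc ? " " : "\n");
    return argc < 0;
}
```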
LibVirt : simple API for virtualization

Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). It is free software available under the GNU Lesser General Public License. Virtualization of the Linux Operating System means the ability to run multiple instances of Operating Systems concurrently on a single hardware system where the basic resources are driven by a Linux instance. The library aims at providing a long term stable C API, initially for the Xen paravirtualization, but should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>
Description
Libvirt provides a portable, long term stable C API for managing the
virtualization technologies provided by many operating systems. It
includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware
vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER
Hypervisor.
Languages
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%