qemuBuildCommandLine: Inline qemuCheckFips
authorPeter Krempa <pkrempa@redhat.com>
Mon, 16 May 2022 11:47:28 +0000 (13:47 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Tue, 17 May 2022 17:31:07 +0000 (19:31 +0200)
Now that we store the state of the host FIPS mode setting in the qemu
driver object, we don't need to outsource the logic into
'qemuCheckFips'.

Additionally, since we no longer support very old QEMU versions which would
not yet have -enable-fips, we can drop the part of the comment about very
old QEMUs.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
src/qemu/qemu_command.c
src/qemu/qemu_command.h
src/qemu/qemu_driver.c
src/qemu/qemu_process.c
src/qemu/qemu_process.h
tests/qemuxml2argvtest.c

index 751daf20d30a152f48062f9ffc9b2fbae5b774c7..a92c8c698aa91b13b878d5ff958a73cd9ba3a4bc 100644 (file)
@@ -1769,32 +1769,6 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk)
 }
 
 
-/* QEMU 1.2 and later have a binary flag -enable-fips that must be
- * used for VNC auth to obey FIPS settings; but the flag only
- * exists on Linux, and with no way to probe for it via QMP.  Our
- * solution: if FIPS mode is required, then unconditionally use
- * the flag, regardless of qemu version, for the following matrix:
- *
- *                          old QEMU            new QEMU
- * FIPS enabled             doesn't start       VNC auth disabled
- * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
- *
- * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
- * where FIPS is required, QEMU must be built against libgcrypt
- * which automatically enforces FIPS compliance.
- */
-bool
-qemuCheckFips(virDomainObj *vm)
-{
-    qemuDomainObjPrivate *priv = vm->privateData;
-
-    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
-        return false;
-
-    return priv->driver->hostFips;
-}
-
-
 /**
  * qemuDiskBusIsSD:
  * @bus: disk bus
@@ -10425,7 +10399,6 @@ qemuBuildCommandLine(virDomainObj *vm,
                      const char *migrateURI,
                      virDomainMomentObj *snapshot,
                      virNetDevVPortProfileOp vmop,
-                     bool enableFips,
                      size_t *nnicindexes,
                      int **nicindexes,
                      unsigned int flags)
@@ -10486,7 +10459,19 @@ qemuBuildCommandLine(virDomainObj *vm,
     if (qemuBuildPflashBlockdevCommandLine(cmd, priv) < 0)
         return NULL;
 
-    if (enableFips)
+    /* QEMU 1.2 and later have a binary flag -enable-fips that must be
+     * used for VNC auth to obey FIPS settings; but the flag only
+     * exists on Linux, and with no way to probe for it via QMP.  Our
+     * solution: if FIPS mode is required, then unconditionally use the flag.
+     *
+     * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
+     * where FIPS is required, QEMU must be built against libgcrypt
+     * which automatically enforces FIPS compliance.
+     *
+     * Note this is the only use of driver->hostFips.
+     */
+    if (driver->hostFips &&
+        virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
         virCommandAddArg(cmd, "-enable-fips");
 
     if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps, priv) < 0)
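Review bot: The new comment's "Our solution" sentence says the flag is used "unconditionally" when FIPS mode is required, but the guard two lines below adds `-enable-fips` only when the binary also advertises QEMU_CAPS_ENABLE_FIPS, so on a FIPS host with a QEMU that lacks the flag the domain starts with nothing passed and the comment hides that silent fallback (this matches what the removed qemuCheckFips did, so behavior is unchanged, but the wording is now wrong). Suggest rewording that sentence to `* solution: if the host is in FIPS mode and the binary advertises the flag, pass it; a QEMU without the flag is expected to enforce FIPS through its crypto library.` The trailing `Note this is the only use of driver->hostFips.` is a cross-file claim that will go stale without anyone noticing (the test in qemuxml2argvtest.c already assigns the field), so it is better dropped or moved next to the field's declaration. qemuBuildCommandLine begins and ends outside this hunk, so the declaration of the `driver` local read here is not visible.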
index db5b532cb81d4ce9cebada69b50cb236f6ca7701..72b0401c7ba8c26c22c0e9b5840b9e7a9ef6a2e4 100644 (file)
@@ -51,7 +51,6 @@ virCommand *qemuBuildCommandLine(virDomainObj *vm,
                                  const char *migrateURI,
                                  virDomainMomentObj *snapshot,
                                  virNetDevVPortProfileOp vmop,
-                                 bool enableFips,
                                  size_t *nnicindexes,
                                  int **nicindexes,
                                  unsigned int flags);
@@ -214,10 +213,6 @@ int qemuGetDriveSourceString(virStorageSource *src,
 bool
 qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk);
 
-
-bool
-qemuCheckFips(virDomainObj *vm);
-
 virJSONValue *qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
     ATTRIBUTE_NONNULL(1);
 
index 8097dcf144fd56aa6dc77506686cdf7d3721f14b..2ca264d9f9b76ede46a23a651c233c8068fee9e0 100644 (file)
@@ -6391,9 +6391,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
     if (qemuConnectDomainXMLToNativePrepareHost(vm) < 0)
         return NULL;
 
-    if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL,
-                                                 qemuCheckFips(vm),
-                                                 commandlineflags)))
+    if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL, commandlineflags)))
         return NULL;
 
     return virCommandToString(cmd, false);
index fbad1254a06f36d16b14d24beb3e480dcaa57696..d50cf2e6be32f46293464caeede54c07924acd9a 100644 (file)
@@ -7448,7 +7448,6 @@ qemuProcessLaunch(virConnectPtr conn,
     if (!(cmd = qemuBuildCommandLine(vm,
                                      incoming ? "defer" : NULL,
                                      snapshot, vmop,
-                                     qemuCheckFips(vm),
                                      &nnicindexes, &nicindexes, 0)))
         goto cleanup;
 
@@ -7947,14 +7946,12 @@ qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
 virCommand *
 qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
                                  const char *migrateURI,
-                                 bool enableFips,
                                  unsigned int flags)
 {
     return qemuBuildCommandLine(vm,
                                 migrateURI,
                                 NULL,
                                 VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
-                                enableFips,
                                 NULL,
                                 NULL,
                                 flags);
index 9856da3bb5df81ed1f5f5cb3201fd4c3b592595f..2387fcdcdc4c7b36a9b97823ef18d5cb22ae143e 100644 (file)
@@ -99,7 +99,6 @@ int qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
 
 virCommand *qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
                                              const char *migrateURI,
-                                             bool enableFips,
                                              unsigned int flags);
 
 int qemuProcessInit(virQEMUDriver *driver,
index 967e575327b2025322c367b6d1c1a02865f59823..8a15904b980e279350abb60383acf3e2586bd2d1 100644 (file)
@@ -386,11 +386,9 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
                                unsigned int flags)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-    bool enableFips;
     size_t i;
 
     drv->hostFips = flags & FLAG_FIPS_HOST;
-    enableFips = drv->hostFips;
 
     if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
                                            VIR_QEMU_PROCESS_START_COLD) < 0)
@@ -486,12 +484,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
         }
     }
 
-    /* we can't use qemuCheckFips() directly as it queries host state */
-    if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
-        enableFips = false;
-
-    return qemuProcessCreatePretendCmdBuild(vm, migrateURI,
-                                            enableFips, 0);
+    return qemuProcessCreatePretendCmdBuild(vm, migrateURI, 0);
 }