/* TCG couldn't be disabled nor queried until QEMU 2.10 */
if (qemuCaps->version < 2010000)
virQEMUCapsSet(qemuCaps, QEMU_CAPS_TCG);
+
+ /* -enable-fips is deprecated in QEMU 5.2.0, and QEMU
+ * should be built with gcrypt to achieve FIPS compliance
+ * automatically / implicitly
+ */
+ if (qemuCaps->version < 5002000)
+ virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
}
* old QEMU new QEMU
* FIPS enabled doesn't start VNC auth disabled
* FIPS disabled/missing VNC auth enabled VNC auth enabled
+ *
+ * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
+ * where FIPS is required, QEMU must be built against libgcrypt
+ * which automatically enforces FIPS compliance.
*/
bool
-qemuCheckFips(void)
+qemuCheckFips(virDomainObjPtr vm)
{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ virQEMUCapsPtr qemuCaps = priv->qemuCaps;
+
+ if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ return false;
+
if (virFileExists("/proc/sys/crypto/fips_enabled")) {
g_autofree char *buf = NULL;
bool
-qemuCheckFips(void);
+qemuCheckFips(virDomainObjPtr vm);
virJSONValuePtr qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
ATTRIBUTE_NONNULL(1);
goto cleanup;
if (!(cmd = qemuProcessCreatePretendCmdBuild(driver, vm, NULL,
- qemuCheckFips(), true, false)))
+ qemuCheckFips(vm), true, false)))
goto cleanup;
ret = virCommandToString(cmd, false);
incoming ? incoming->launchURI : NULL,
snapshot, vmop,
false,
- qemuCheckFips(),
+ qemuCheckFips(vm),
&nnicindexes, &nicindexes, 0)))
goto cleanup;
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='usb-audio'/>
<flag name='splash-timeout'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='drive-discard'/>
<flag name='virtio-mmio'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='mem-merge'/>
<flag name='drive-discard'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='change-backing-file'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='usb-storage.removable'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='active-commit'/>
<flag name='virtio-mmio'/>
<flag name='ich9-intel-hda'/>
<flag name='boot-strict'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
<flag name='kvm-pit-lost-tick-policy'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
+ <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='usb-kbd'/>
<flag name='msg-timestamp'/>
unsigned int flags,
bool jsonPropsValidation)
{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
bool enableFips = !!(flags & FLAG_FIPS_HOST);
size_t i;
}
}
+ /* we can't use qemuCheckFips() directly as it queries host state */
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ enableFips = false;
+
return qemuProcessCreatePretendCmdBuild(drv, vm, migrateURI,
enableFips, false,
jsonPropsValidation);
projects / libvirt.git / commitdiff