On a system that is enforcing FIPS, most libraries honor the
current mode by default. Qemu, on the other hand, refused to
honor FIPS mode unless you add the '-enable-fips' command
line option; worse, this option is not discoverable via QMP,
and is only present on binaries built for Linux. So, if we
detect FIPS mode, then we unconditionally ask for FIPS; either
qemu is new enough to have the option and then correctly
cripple insecure VNC passwords, or it is so old that we are
correctly avoiding a FIPS violation by preventing qemu from
starting. Meanwhile, if we don't detect FIPS mode, then
omitting the argument is safe whether the qemu has the option
(but it would do nothing because FIPS is disabled) or whether
qemu lacks the option (including in the case where we are not
running on Linux).
The testsuite was a bit interesting: we don't want our test
to depend on whether it is being run in FIPS mode, so I had
to tweak things to set the capability bit outside of our
normal interaction with capability parsing.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=
1035474
* src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally
set capability according to detection of FIPS mode.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
* tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set
capability to test expected output.
* tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
* tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
"kvm-pit-lost-tick-policy",
"boot-strict", /* 160 */
- "pvpanic", /* 161 */
+ "pvpanic",
+ "enable-fips",
);
struct _virQEMUCaps {
config.data.nix.path = monpath;
config.data.nix.listen = false;
+ /* Qemu 1.2 and later have a binary flag -enable-fips that must be
+ * used for VNC auth to obey FIPS settings; but the flag only
+ * exists on Linux, and with no way to probe for it via QMP. Our
+ * solution: if FIPS mode is required, then unconditionally use
+ * the flag, regardless of qemu version, for the following matrix:
+ *
+ * old QEMU new QEMU
+ * FIPS enabled doesn't start VNC auth disabled
+ * FIPS disabled/missing VNC auth enabled VNC auth enabled
+ *
+ * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
+ * or virQEMUCapsInitHelp also allows the testsuite to be
+ * independent of FIPS setting.
+ */
+ if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+ char *buf = NULL;
+
+ if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
+ goto cleanup;
+ if (STREQ(buf, "1\n"))
+ virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
+ VIR_FREE(buf);
+ }
+
VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);
/*
QEMU_CAPS_KVM_PIT_TICK_POLICY = 159, /* kvm-pit.lost_tick_policy */
QEMU_CAPS_BOOT_STRICT = 160, /* -boot strict */
QEMU_CAPS_DEVICE_PANIC = 161, /* -device pvpanic */
+ QEMU_CAPS_ENABLE_FIPS = 162, /* -enable-fips */
QEMU_CAPS_LAST, /* this must always be the last item */
};
}
}
virCommandAddArg(cmd, "-S"); /* freeze CPU */
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ virCommandAddArg(cmd, "-enable-fips");
if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)
goto error;
<flag name='usb-storage'/>
<flag name='usb-storage.removable'/>
<flag name='kvm-pit-lost-tick-policy'/>
+ <flag name='enable-fips'/>
</qemuCaps>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
<flag name='reboot-timeout'/>
+ <flag name='enable-fips'/>
</qemuCaps>
struct _testQemuData {
virDomainXMLOptionPtr xmlopt;
const char *base;
+ bool fips;
};
static qemuMonitorTestPtr
qemuMonitorTestGetMonitor(mon)) < 0)
goto cleanup;
+ /* So that our test does not depend on the contents of /proc, we
+ * hoisted the setting of ENABLE_FIPS to virQEMUCapsInitQMP. But
+ * we do want to test the effect of that flag. */
+ if (data->fips)
+ virQEMUCapsSet(capsComputed, QEMU_CAPS_ENABLE_FIPS);
+
if (testQemuCapsCompare(capsProvided, capsComputed) < 0)
goto cleanup;
data.xmlopt = xmlopt;
-#define DO_TEST(name) \
- data.base = name; \
- if (virtTestRun(name, testQemuCaps, &data) < 0) \
+#define DO_TEST_FULL(name, use_fips) \
+ data.base = name; \
+ data.fips = use_fips; \
+ if (virtTestRun(name, testQemuCaps, &data) < 0) \
ret = -1
- DO_TEST("caps_1.2.2-1");
+#define DO_TEST(name) DO_TEST_FULL(name, false)
+
+ DO_TEST_FULL("caps_1.2.2-1", true);
DO_TEST("caps_1.3.1-1");
DO_TEST("caps_1.4.2-1");
DO_TEST("caps_1.5.3-1");
- DO_TEST("caps_1.6.0-1");
+ DO_TEST_FULL("caps_1.6.0-1", true);
DO_TEST("caps_1.6.50-1");
virObjectUnref(xmlopt);
projects / people / dariof / libvirt.git / commitdiff