qemuCheckFips(virDomainObj *vm)
{
qemuDomainObjPrivate *priv = vm->privateData;
- virQEMUCaps *qemuCaps = priv->qemuCaps;
- if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
return false;
- if (virFileExists("/proc/sys/crypto/fips_enabled")) {
- g_autofree char *buf = NULL;
-
- if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
- return false;
- if (STREQ(buf, "1\n"))
- return true;
- }
-
- return false;
+ return priv->driver->hostFips;
}
/* Immutable values */
bool privileged;
char *embeddedRoot;
+ bool hostFips; /* FIPS mode is enabled on the host */
/* Immutable pointers. Caller must provide locking */
virStateInhibitCallback inhibitCallback;
if (qemuMigrationDstErrorInit(qemu_driver) < 0)
goto error;
+ /* qemu-5.1 and older requires use of '-enable-fips' flag when the host
+ * is in FIPS mode. We store whether FIPS is enabled */
+ if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+ g_autofree char *buf = NULL;
+
+ if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
+ qemu_driver->hostFips = STREQ(buf, "1\n");
+ }
+
if (privileged) {
g_autofree char *channeldir = NULL;
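Review bot: A failed or empty read of `/proc/sys/crypto/fips_enabled` leaves `qemu_driver->hostFips` at false with no log, and because the value is now sampled once at driver start, that result sticks until the daemon restarts. On a FIPS host this means guests on the older QEMU versions named in the comment would be started without `-enable-fips`, with nothing to show why. As far as I can tell `virFileReadAll` also reports an error on failure, which this code would leave set in the thread. Consider an else branch such as `VIR_WARN("cannot read FIPS state, assuming FIPS is disabled");` followed by `virResetLastError();`, or switching to the quiet read variant and logging yourself. The enclosing function starts and ends outside this hunk.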
unsigned int flags)
{
qemuDomainObjPrivate *priv = vm->privateData;
- bool enableFips = !!(flags & FLAG_FIPS_HOST);
+ bool enableFips;
size_t i;
+ drv->hostFips = flags & FLAG_FIPS_HOST;
+ enableFips = drv->hostFips;
+
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
VIR_QEMU_PROCESS_START_COLD) < 0)
return NULL;
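Review bot: `drv->hostFips` is declared under the "Immutable values" heading in the driver struct, yet it is overwritten here on every call, and nothing on the line says why. If this is a test-only helper, as the "Pretend" naming suggests, a comment would make the exception explicit, for example `/* test override: host FIPS state is normally detected once at driver init */`. The local `enableFips` now only mirrors the field, so it could be initialised at its declaration, or dropped if the rest of the function can read `drv->hostFips` directly. The function's signature and the rest of its body lie outside this hunk.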