Re: [PATCH] os: deprecate the -enable-fips option and QEMU's FIPS enforcement

[Daniel P . Berrangé]

On Tue, Oct 20, 2020 at 07:22:03PM +0200, Paolo Bonzini wrote:
> On 20/10/20 18:22, Daniel P. Berrangé wrote:
> > @@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
> >          break;
> >  #if defined(CONFIG_LINUX)
> >      case QEMU_OPTION_enablefips:
> > +        warn_report("-enable-fips is deprecated, please build QEMU with "
> > +                    "the `libgcrypt` library as the cryptography provider "
> > +                    "to enable FIPS compliance");
> >          fips_set_state(true);
> >          break;
> >  #endif
> 
> Should you also remove fips_set_state(true) and make fips_get_state()
> return the contents of /proc/sys/crypto/fips_enabled, so that VNC
> password authentication is disabled?

I did think about doing that, but decided that since my intention is
to delete all trace of fips_get_state / fips_set_state at the end of
the deprecation period, that it'd be saner just to leave the semantics
unchanged during the deprecation period.

Deprecation notices shouldn't really be associated with changes in
functionality at time they are introduced.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|