From eb3271a8659be0305eb9138da27dd4a3e74f6718 Mon Sep 17 00:00:00 2001

Message-Id: <eb3271a8659be0305eb9138da27dd4a3e74f6718.1389183248.git.jdenemar@redhat.com>

From: Eric Blake <eblake@redhat.com>

Date: Wed, 18 Dec 2013 08:21:44 -0700

Subject: [PATCH] qemu: ask for -enable-fips when FIPS is required

RHEL 7.0: https://bugzilla.redhat.com/show_bug.cgi?id=1035474

On a system that is enforcing FIPS, most libraries honor the

current mode by default.  Qemu, on the other hand, refused to

honor FIPS mode unless you add the '-enable-fips' command

line option; worse, this option is not discoverable via QMP,

and is only present on binaries built for Linux.  So, if we

detect FIPS mode, then we unconditionally ask for FIPS; either

qemu is new enough to have the option and then correctly

cripple insecure VNC passwords, or it is so old that we are

correctly avoiding a FIPS violation by preventing qemu from

starting.  Meanwhile, if we don't detect FIPS mode, then

omitting the argument is safe whether the qemu has the option

(but it would do nothing because FIPS is disabled) or whether

qemu lacks the option (including in the case where we are not

running on Linux).

The testsuite was a bit interesting: we don't want our test

to depend on whether it is being run in FIPS mode, so I had

to tweak things to set the capability bit outside of our

normal interaction with capability parsing.

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474

* src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.

* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally

set capability according to detection of FIPS mode.

* src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.

* tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set

capability to test expected output.

* tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.

* tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>

(cherry picked from commit a21cfb0f4864e891cee93eed94ed2e76efdb02ec)

Conflicts:

	src/qemu/qemu_capabilities.c - not all upstream caps have been backported

	src/qemu/qemu_capabilities.h - likewise

	tests/qemucapabilitiesdata/caps_1.2.2-1.caps - test not backported

	tests/qemucapabilitiesdata/caps_1.6.0-1.caps - likewise

	tests/qemucapabilitiestest.c - likewise

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

---

 src/qemu/qemu_capabilities.c | 25 +++++++++++++++++++++++++

 src/qemu/qemu_capabilities.h |  1 +

 src/qemu/qemu_command.c      |  2 ++

 3 files changed, 28 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c

index ba17cce..565d9ca 100644

--- a/src/qemu/qemu_capabilities.c

+++ b/src/qemu/qemu_capabilities.c

@@ -240,6 +240,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,

               "ich9-intel-hda",

               "boot-strict",

               "pvpanic",

+              "enable-fips",

     );

 struct _virQEMUCaps {

@@ -2514,6 +2515,30 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,

     config.data.nix.path = monpath;

     config.data.nix.listen = false;

+    /* Qemu 1.2 and later have a binary flag -enable-fips that must be

+     * used for VNC auth to obey FIPS settings; but the flag only

+     * exists on Linux, and with no way to probe for it via QMP.  Our

+     * solution: if FIPS mode is required, then unconditionally use

+     * the flag, regardless of qemu version, for the following matrix:

+     *

+     *                          old QEMU            new QEMU

+     * FIPS enabled             doesn't start       VNC auth disabled

+     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled

+     *

+     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor

+     * or virQEMUCapsInitHelp also allows the testsuite to be

+     * independent of FIPS setting.

+     */

+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {

+        char *buf = NULL;

+

+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)

+            goto cleanup;

+        if (STREQ(buf, "1\n"))

+            virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);

+        VIR_FREE(buf);

+    }

+

     VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);

     /*

diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h

index dea1e13..4117d87 100644

--- a/src/qemu/qemu_capabilities.h

+++ b/src/qemu/qemu_capabilities.h

@@ -197,6 +197,7 @@ enum virQEMUCapsFlags {

     QEMU_CAPS_DEVICE_ICH9_INTEL_HDA,    /* -device ich9-intel-hda */

     QEMU_CAPS_BOOT_STRICT,              /* -boot strict */

     QEMU_CAPS_DEVICE_PANIC,             /* -device pvpanic */

+    QEMU_CAPS_ENABLE_FIPS,              /* -enable-fips */

     QEMU_CAPS_LAST,                   /* this must always be the last item */

 };

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c

index 35355b7..d43fdc9 100644

--- a/src/qemu/qemu_command.c

+++ b/src/qemu/qemu_command.c

@@ -7556,6 +7556,8 @@ qemuBuildCommandLine(virConnectPtr conn,

         }

     }

     virCommandAddArg(cmd, "-S"); /* freeze CPU */

+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))

+        virCommandAddArg(cmd, "-enable-fips");

     if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)

         goto error;

-- 

1.8.5.2