From eb3271a8659be0305eb9138da27dd4a3e74f6718 Mon Sep 17 00:00:00 2001
Message-Id: <eb3271a8659be0305eb9138da27dd4a3e74f6718.1389183248.git.jdenemar@redhat.com>
From: Eric Blake <eblake@redhat.com>
Date: Wed, 18 Dec 2013 08:21:44 -0700
Subject: [PATCH] qemu: ask for -enable-fips when FIPS is required

RHEL 7.0: https://bugzilla.redhat.com/show_bug.cgi?id=1035474

On a system that is enforcing FIPS, most libraries honor the
current mode by default.  Qemu, on the other hand, refused to
honor FIPS mode unless you add the '-enable-fips' command
line option; worse, this option is not discoverable via QMP,
and is only present on binaries built for Linux.  So, if we
detect FIPS mode, then we unconditionally ask for FIPS; either
qemu is new enough to have the option and then correctly
cripple insecure VNC passwords, or it is so old that we are
correctly avoiding a FIPS violation by preventing qemu from
starting.  Meanwhile, if we don't detect FIPS mode, then
omitting the argument is safe whether the qemu has the option
(but it would do nothing because FIPS is disabled) or whether
qemu lacks the option (including in the case where we are not
running on Linux).

The testsuite was a bit interesting: we don't want our test
to depend on whether it is being run in FIPS mode, so I had
to tweak things to set the capability bit outside of our
normal interaction with capability parsing.

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1035474

* src/qemu/qemu_capabilities.h (QEMU_CAPS_ENABLE_FIPS): New bit.
* src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Conditionally
set capability according to detection of FIPS mode.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Use it.
* tests/qemucapabilitiestest.c (testQemuCaps): Conditionally set
capability to test expected output.
* tests/qemucapabilitiesdata/caps_1.2.2-1.caps: Update list.
* tests/qemucapabilitiesdata/caps_1.6.0-1.caps: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit a21cfb0f4864e891cee93eed94ed2e76efdb02ec)

Conflicts:
	src/qemu/qemu_capabilities.c - not all upstream caps have been backported
	src/qemu/qemu_capabilities.h - likewise
	tests/qemucapabilitiesdata/caps_1.2.2-1.caps - test not backported
	tests/qemucapabilitiesdata/caps_1.6.0-1.caps - likewise
	tests/qemucapabilitiestest.c - likewise
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/qemu/qemu_capabilities.c | 25 +++++++++++++++++++++++++
 src/qemu/qemu_capabilities.h |  1 +
 src/qemu/qemu_command.c      |  2 ++
 3 files changed, 28 insertions(+)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index ba17cce..565d9ca 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -240,6 +240,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
               "ich9-intel-hda",
               "boot-strict",
               "pvpanic",
+              "enable-fips",
     );
 
 struct _virQEMUCaps {
@@ -2514,6 +2515,30 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
     config.data.nix.path = monpath;
     config.data.nix.listen = false;
 
+    /* Qemu 1.2 and later have a binary flag -enable-fips that must be
+     * used for VNC auth to obey FIPS settings; but the flag only
+     * exists on Linux, and with no way to probe for it via QMP.  Our
+     * solution: if FIPS mode is required, then unconditionally use
+     * the flag, regardless of qemu version, for the following matrix:
+     *
+     *                          old QEMU            new QEMU
+     * FIPS enabled             doesn't start       VNC auth disabled
+     * FIPS disabled/missing    VNC auth enabled    VNC auth enabled
+     *
+     * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
+     * or virQEMUCapsInitHelp also allows the testsuite to be
+     * independent of FIPS setting.
+     */
+    if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+        char *buf = NULL;
+
+        if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
+            goto cleanup;
+        if (STREQ(buf, "1\n"))
+            virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
+        VIR_FREE(buf);
+    }
+
     VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);
 
     /*
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index dea1e13..4117d87 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -197,6 +197,7 @@ enum virQEMUCapsFlags {
     QEMU_CAPS_DEVICE_ICH9_INTEL_HDA,    /* -device ich9-intel-hda */
     QEMU_CAPS_BOOT_STRICT,              /* -boot strict */
     QEMU_CAPS_DEVICE_PANIC,             /* -device pvpanic */
+    QEMU_CAPS_ENABLE_FIPS,              /* -enable-fips */
 
     QEMU_CAPS_LAST,                   /* this must always be the last item */
 };
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 35355b7..d43fdc9 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7556,6 +7556,8 @@ qemuBuildCommandLine(virConnectPtr conn,
         }
     }
     virCommandAddArg(cmd, "-S"); /* freeze CPU */
+    if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+        virCommandAddArg(cmd, "-enable-fips");
 
     if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)
         goto error;
-- 
1.8.5.2