* Replace --enable/disable-git-update with --with-git-submodules

to allow improved control over use of git submodules
 * Deprecate the -enable-fips option
 * Ensure docs use prefer format for bool options
 * Clarify platform support rules
 * Misc fixes to keymap conversions
 * Fix misc problems on macOS
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmAUQXUACgkQvobrtBUQ
 T9/9Zw//VV3z7MI70HjWk17TUmkKLGFbmrc3xvtS6EMZbhfXpsR8qMfSjoRxP4Gn
 CgeftOa/lK5XjL7FcEUmcZeO8jZNE/+S5wgP2upP5Ae1zuDeyaSPTGR6UYs7WqSa
 P1kQsot2sAsZCP7Lko0jSv7rEDInK1bcdWr0a/xR5M2TvKiXoEdbElIZdwe3yLbC
 qWPWiv2pp6z2eGtJK/9VBxXjP0tlkNAR+jz8p/8RSZEEKf3aSq6HvVae+bHU86nX
 9t4baZk3ZuuwkmHJrHJP/72BjjitqEOiydtSsOCVYmY2GOclYeTnezG/vm75cGIK
 ej6hwFGElAEQk+KU9g7HOXi1eqXncSBjP0xWqc8PaZLW7wW/Uv8UV94fk+SCkIQ0
 GVBBLP8PzySL+w33NN7sv14cWeBpsjy9arMr4okZ80klFlS2hx/FqnUmhFhoN8ub
 ptIPUcSJoL+6pjxatV2yJ6bHkVga9PiwtLC8/rqETYPJz0b756xlPaEGd+0B1P0V
 ZMraE7lCgS0kJM6w0xF3R7JlGVtKouj4ZePCK5MGjpByBAK/vn/MbhbEmcyh+uJD
 r6sakKwqLjDLKdmQDd+biq3q6mvKE8ZKaUj8dXYdvxXSxxqXZ8DnrNpj/UkDTi3S
 chlTT1qUYrp2MVYqGmFjZ0XcEdEUR1I39rUs+wRxE3RgtE56M1A=
 =g6bC
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging

* Replace --enable/disable-git-update with --with-git-submodules
  to allow improved control over use of git submodules
* Deprecate the -enable-fips option
* Ensure docs use the preferred format for bool options
* Clarify platform support rules
* Misc fixes to keymap conversions
* Fix misc problems on macOS

# gpg: Signature made Fri 29 Jan 2021 17:10:13 GMT
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange-gitlab/tags/misc-fixes-pull-request:
  tests: Replace deprecated ASN1 code
  tests: Fix runtime error in test-authz-pam
  ui: update keycodemapdb submodule commit
  crypto: Add spaces around operator
  configure: replace --enable/disable-git-update with --with-git-submodules
  docs: fix missing backslash in certtool shell example
  docs: simplify and clarify the platform support rules
  Prefer 'on' | 'off' over 'yes' | 'no' for bool options
  os: deprecate the -enable-fips option and QEMU's FIPS enforcement
  crypto: Fix memory leaks in set_loaded for tls-*
  crypto: Forbid broken unloading of secrets
  crypto: Move USER_CREATABLE to secret_common base class
  crypto: Fix some code style problems, add spaces around operator

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell 2021-01-29 19:51:25 +00:00
commit 74208cd252
25 changed files with 162 additions and 148 deletions


@ -47,30 +47,10 @@ git-submodule-update:
Makefile: .git-submodule-status
.PHONY: git-submodule-update
git_module_status := $(shell \
cd '$(SRC_PATH)' && \
GIT="$(GIT)" ./scripts/git-submodule.sh status $(GIT_SUBMODULES); \
echo $$?; \
)
ifeq (1,$(git_module_status))
ifeq (no,$(GIT_UPDATE))
git-submodule-update:
$(call quiet-command, \
echo && \
echo "GIT submodule checkout is out of date. Please run" && \
echo " scripts/git-submodule.sh update $(GIT_SUBMODULES)" && \
echo "from the source directory checkout $(SRC_PATH)" && \
echo && \
exit 1)
else
git-submodule-update:
$(call quiet-command, \
(cd $(SRC_PATH) && GIT="$(GIT)" ./scripts/git-submodule.sh update $(GIT_SUBMODULES)), \
"GIT","$(GIT_SUBMODULES)")
endif
endif
(GIT="$(GIT)" "$(SRC_PATH)/scripts/git-submodule.sh" $(GIT_SUBMODULES_ACTION) $(GIT_SUBMODULES)), \
"GIT","$(GIT_SUBMODULES)")
# 0. ensure the build tree is okay
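Review bot: The new recipe passes `$(GIT_SUBMODULES_ACTION)` to the script unquoted and unchecked, so if the variable is empty (for example a config-host.mak written by an older configure that only set GIT_UPDATE) the first submodule name becomes the script's command word, and as far as the script hunk on this page shows an unknown command falls out of its `case` without error, so the build would continue with possibly stale submodules. A parse-time guard makes that failure explicit: `$(if $(strip $(GIT_SUBMODULES_ACTION)),,$(error GIT_SUBMODULES_ACTION is not set; re-run configure))`, assuming this rule is read after config-host.mak is included, which the hunk does not show. The `$(shell ... status)` probe being removed previously detected an out-of-date checkout at parse time; whether the `Makefile: .git-submodule-status` prerequisite above still covers that path is not visible here.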

51
configure vendored

@ -255,12 +255,12 @@ gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
if test -e "$source_path/.git"
then
git_update=yes
git_submodules_action="update"
git_submodules="ui/keycodemapdb"
git_submodules="$git_submodules tests/fp/berkeley-testfloat-3"
git_submodules="$git_submodules tests/fp/berkeley-softfloat-3"
else
git_update=no
git_submodules_action="ignore"
git_submodules=""
if ! test -f "$source_path/ui/keycodemapdb/README"
@ -1499,9 +1499,16 @@ for opt do
;;
--with-git=*) git="$optarg"
;;
--enable-git-update) git_update=yes
--enable-git-update)
git_submodules_action="update"
echo "--enable-git-update deprecated, use --with-git-submodules=update"
;;
--disable-git-update) git_update=no
--disable-git-update)
git_submodules_action="validate"
echo "--disable-git-update deprecated, use --with-git-submodules=validate"
;;
--with-git-submodules=*)
git_submodules_action="$optarg"
;;
--enable-debug-mutex) debug_mutex=yes
;;
@ -1557,6 +1564,21 @@ for opt do
esac
done
case $git_submodules_action in
update|validate)
if test ! -e "$source_path/.git"; then
echo "ERROR: cannot $git_submodules_action git submodules without .git"
exit 1
fi
;;
ignore)
;;
*)
echo "ERROR: invalid --with-git-submodules= value '$git_submodules_action'"
exit 1
;;
esac
libdir="${libdir:-$prefix/lib}"
libexecdir="${libexecdir:-$prefix/libexec}"
includedir="${includedir:-$prefix/include}"
@ -1701,6 +1723,9 @@ Advanced options (experts only):
--ninja=NINJA use specified ninja [$ninja]
--smbd=SMBD use specified smbd [$smbd]
--with-git=GIT use specified git [$git]
--with-git-submodules=update update git submodules (default if .git dir exists)
--with-git-submodules=validate fail if git submodules are not up to date
--with-git-submodules=ignore do not update or check git submodules (default if no .git dir)
--static enable static build [$static]
--mandir=PATH install man pages in PATH
--datadir=PATH install firmware in PATH/$qemu_suffix
@ -1917,7 +1942,7 @@ python="$python -B"
if test -z "$meson"; then
if test "$explicit_python" = no && has meson && version_ge "$(meson --version)" 0.55.3; then
meson=meson
elif test -e "${source_path}/.git" && test $git_update = 'yes' ; then
elif test $git_submodules_action != 'ignore' ; then
meson=git
elif test -e "${source_path}/meson/meson.py" ; then
meson=internal
@ -1985,7 +2010,7 @@ fi
# Consult white-list to determine whether to enable werror
# by default. Only enable by default for git builds
if test -z "$werror" ; then
if test -e "$source_path/.git" && \
if test "$git_submodules_action" != "ignore" && \
{ test "$linux" = "yes" || test "$mingw32" = "yes"; }; then
werror="yes"
else
@ -3558,7 +3583,7 @@ fi
case "$fdt" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} dtc"
fi
;;
@ -4272,7 +4297,7 @@ fi
case "$capstone" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} capstone"
fi
;;
@ -5219,7 +5244,7 @@ fi
case "$slirp" in
auto | enabled | internal)
# Simpler to always update submodule, even if not needed.
if test -e "${source_path}/.git" && test $git_update = 'yes' ; then
if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} slirp"
fi
;;
@ -5393,7 +5418,7 @@ if test "$cpu" = "s390x" ; then
roms="$roms s390-ccw"
# SLOF is required for building the s390-ccw firmware on s390x,
# since it is using the libnet code from SLOF for network booting.
if test -e "${source_path}/.git" ; then
if test "$git_submodules_action" != "ignore"; then
git_submodules="${git_submodules} roms/SLOF"
fi
fi
@ -5431,8 +5456,8 @@ else
cxx=
fi
if test $git_update = 'yes' ; then
(cd "${source_path}" && GIT="$git" "./scripts/git-submodule.sh" update "$git_submodules")
if !(GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"); then
exit 1
fi
config_host_mak="config-host.mak"
@ -5443,7 +5468,7 @@ echo >> $config_host_mak
echo all: >> $config_host_mak
echo "GIT=$git" >> $config_host_mak
echo "GIT_SUBMODULES=$git_submodules" >> $config_host_mak
echo "GIT_UPDATE=$git_update" >> $config_host_mak
echo "GIT_SUBMODULES_ACTION=$git_submodules_action" >> $config_host_mak
echo "ARCH=$ARCH" >> $config_host_mak
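Review bot: The new `elif test $git_submodules_action != 'ignore' ; then` in the meson-selection hunk leaves the variable unquoted, while every other new test in this file (`werror`, `fdt`, `capstone`, `slirp`, `SLOF`) writes `test "$git_submodules_action" != "ignore"`; quoting it keeps the file consistent and avoids a one-operand `test` should the value ever be empty: `elif test "$git_submodules_action" != "ignore" ; then`. In the final invocation hunk, `if !(GIT="$git" ...); then` depends on the shell tokenising `!` directly against `(`; `if ! GIT="$git" "$source_path/scripts/git-submodule.sh" "$git_submodules_action" "$git_submodules"; then` reads unambiguously and drops the subshell, which is no longer needed now that the script changes into the source tree itself. The validation `case` that rejects unknown `--with-git-submodules=` values runs after option parsing, so the unquoted test is reachable only with a known value, which is why this is a style rather than a correctness point.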


@ -1080,9 +1080,9 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
rk = key->rd_key;
if (bits==128)
if (bits == 128)
key->rounds = 10;
else if (bits==192)
else if (bits == 192)
key->rounds = 12;
else
key->rounds = 14;
@ -1182,7 +1182,7 @@ int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
rk = key->rd_key;
/* invert the order of the round keys: */
for (i = 0, j = 4*(key->rounds); i < j; i += 4, j -= 4) {
for (i = 0, j = 4 * (key->rounds); i < j; i += 4, j -= 4) {
temp = rk[i ]; rk[i ] = rk[j ]; rk[j ] = temp;
temp = rk[i + 1]; rk[i + 1] = rk[j + 1]; rk[j + 1] = temp;
temp = rk[i + 2]; rk[i + 2] = rk[j + 2]; rk[j + 2] = temp;


@ -56,7 +56,7 @@ static const unsigned char pc1[56] = {
13, 5, 60, 52, 44, 36, 28, 20, 12, 4, 27, 19, 11, 3 };
static const unsigned char totrot[16] = {
1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 };
1, 2, 4, 6, 8, 10, 12, 14, 15, 17, 19, 21, 23, 25, 27, 28 };
static const unsigned char pc2[48] = {
13, 16, 10, 23, 0, 4, 2, 27, 14, 5, 20, 9,
@ -93,7 +93,7 @@ void deskey(unsigned char *key, int edf)
}
for( j = 0; j < 24; j++ ) {
if( pcr[pc2[j]] ) kn[m] |= bigbyte[j];
if( pcr[pc2[j+24]] ) kn[n] |= bigbyte[j];
if( pcr[pc2[j + 24]] ) kn[n] |= bigbyte[j];
}
}
cookey(kn);


@ -107,13 +107,6 @@ qcrypto_secret_prop_get_file(Object *obj,
}
static void
qcrypto_secret_complete(UserCreatable *uc, Error **errp)
{
object_property_set_bool(OBJECT(uc), "loaded", true, errp);
}
static void
qcrypto_secret_finalize(Object *obj)
{
@ -129,9 +122,6 @@ qcrypto_secret_class_init(ObjectClass *oc, void *data)
QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_load_data;
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
ucc->complete = qcrypto_secret_complete;
object_class_property_add_str(oc, "data",
qcrypto_secret_prop_get_data,
qcrypto_secret_prop_set_data);
@ -148,10 +138,6 @@ static const TypeInfo qcrypto_secret_info = {
.instance_finalize = qcrypto_secret_finalize,
.class_size = sizeof(QCryptoSecretClass),
.class_init = qcrypto_secret_class_init,
.interfaces = (InterfaceInfo[]) {
{ TYPE_USER_CREATABLE },
{ }
}
};


@ -191,9 +191,9 @@ qcrypto_secret_prop_set_loaded(Object *obj,
secret->rawdata = input;
secret->rawlen = inputlen;
} else {
g_free(secret->rawdata);
secret->rawlen = 0;
} else if (secret->rawdata) {
error_setg(errp, "Cannot unload secret");
return;
}
}
@ -268,6 +268,13 @@ qcrypto_secret_prop_get_keyid(Object *obj,
}
static void
qcrypto_secret_complete(UserCreatable *uc, Error **errp)
{
object_property_set_bool(OBJECT(uc), "loaded", true, errp);
}
static void
qcrypto_secret_finalize(Object *obj)
{
@ -281,6 +288,10 @@ qcrypto_secret_finalize(Object *obj)
static void
qcrypto_secret_class_init(ObjectClass *oc, void *data)
{
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
ucc->complete = qcrypto_secret_complete;
object_class_property_add_bool(oc, "loaded",
qcrypto_secret_prop_get_loaded,
qcrypto_secret_prop_set_loaded);
@ -390,6 +401,10 @@ static const TypeInfo qcrypto_secret_info = {
.class_size = sizeof(QCryptoSecretCommonClass),
.class_init = qcrypto_secret_class_init,
.abstract = true,
.interfaces = (InterfaceInfo[]) {
{ TYPE_USER_CREATABLE },
{ }
}
};
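Review bot: The `return;` added after `error_setg(errp, "Cannot unload secret")` in `qcrypto_secret_prop_set_loaded` is the last statement before the function's closing brace, so it has no effect and can be dropped. The branch condition `else if (secret->rawdata)` means `loaded=off` is still silently accepted on a secret that was never loaded; that is presumably deliberate, and a one-line comment would save the next reader from checking: `/* Unloading is not supported; loaded=off is only accepted while no data has been loaded */`. The `if (value)` branch begins above the hunk, so how a repeated `loaded=on` treats existing `rawdata` is not visible here.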


@ -102,22 +102,12 @@ qcrypto_secret_prop_get_key(Object *obj, Visitor *v,
}
static void
qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp)
{
object_property_set_bool(OBJECT(uc), "loaded", true, errp);
}
static void
qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data)
{
QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_keyring_load_data;
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
ucc->complete = qcrypto_secret_keyring_complete;
object_class_property_add(oc, "serial", "int32_t",
qcrypto_secret_prop_get_key,
qcrypto_secret_prop_set_key,
@ -130,10 +120,6 @@ static const TypeInfo qcrypto_secret_info = {
.name = TYPE_QCRYPTO_SECRET_KEYRING,
.instance_size = sizeof(QCryptoSecretKeyring),
.class_init = qcrypto_secret_keyring_class_init,
.interfaces = (InterfaceInfo[]) {
{ TYPE_USER_CREATABLE },
{ }
}
};


@ -123,10 +123,9 @@ qcrypto_tls_creds_anon_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsAnon *creds = QCRYPTO_TLS_CREDS_ANON(obj);
qcrypto_tls_creds_anon_unload(creds);
if (value) {
qcrypto_tls_creds_anon_load(creds, errp);
} else {
qcrypto_tls_creds_anon_unload(creds);
}
}
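Review bot: The unconditional `qcrypto_tls_creds_anon_unload(creds)` now sits ahead of the load path without any comment naming the leak it prevents, so a later reader may be tempted to move it back under the `else`; suggest `/* Always drop previously loaded credentials first so a repeated loaded=on does not leak them */` above the call. The identical edits to the psk and x509 `prop_set_loaded` setters further down this page would take the same comment. If `qcrypto_tls_creds_anon_load()` then fails, the object is presumably left unloaded with errp set, which is a reasonable state but worth mentioning in the commit or the comment if intended.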


@ -192,10 +192,9 @@ qcrypto_tls_creds_psk_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj);
qcrypto_tls_creds_psk_unload(creds);
if (value) {
qcrypto_tls_creds_psk_load(creds, errp);
} else {
qcrypto_tls_creds_psk_unload(creds);
}
}


@ -143,7 +143,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX509 *creds,
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT;
} else {
error_setg(errp,
"Unable to query certificate %s key usage: %s",
@ -694,10 +694,9 @@ qcrypto_tls_creds_x509_prop_set_loaded(Object *obj,
{
QCryptoTLSCredsX509 *creds = QCRYPTO_TLS_CREDS_X509(obj);
qcrypto_tls_creds_x509_unload(creds);
if (value) {
qcrypto_tls_creds_x509_load(creds, errp);
} else {
qcrypto_tls_creds_x509_unload(creds);
}
}


@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit
support for those backports, unless the feature is auto-detectable in a
manner that works for the upstream releases too.
The Repology site https://repology.org is a useful resource to identify
The `Repology`_ site is a useful resource to identify
currently shipped versions of software in various operating systems,
though it does not cover all distros listed below.
Linux OS
--------
Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
-----------------------------------------
For distributions with frequent, short-lifetime releases, the project
will aim to support all versions that are not end of life by their
respective vendors. For the purposes of identifying supported software
versions, the project will look at Fedora, Ubuntu, and openSUSE distros.
Other short- lifetime distros will be assumed to ship similar software
versions.
The project aims to support the most recent major version at all times. Support
for the previous major version will be dropped 2 years after the new major
version is released or when the vendor itself drops support, whichever comes
first. In this context, third-party efforts to extend the lifetime of a distro
are not considered, even when they are endorsed by the vendor (eg. Debian LTS).
For distributions with long-lifetime releases, the project will aim to
support the most recent major version at all times. Support for the
previous major version will be dropped 2 years after the new major
version is released, or when it reaches "end of life". For the purposes
of identifying supported software versions, the project will look at
RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros
will be assumed to ship similar software versions.
For the purposes of identifying supported software versions available on Linux,
the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and
Ubuntu LTS. Other distros will be assumed to ship similar software versions.
For FreeBSD and OpenBSD, decisions will be made based on the contents of the
respective ports repository, while NetBSD will use the pkgsrc repository.
For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry
similar versions.
Windows
-------
The project supports building with current versions of the MinGW
toolchain, hosted on Linux.
The project supports building with current versions of the MinGW toolchain,
hosted on Linux (Debian/Fedora).
macOS
-----
The version of the Windows API that's currently targeted is Vista / Server
2008.
The project supports building with the two most recent versions of
macOS, with the current Homebrew package set available.
FreeBSD
-------
The project aims to support all versions which are not end of
life.
NetBSD
------
The project aims to support the most recent major version at all times.
Support for the previous major version will be dropped 2 years after the
new major version is released.
OpenBSD
-------
The project aims to support all versions which are not end of
life.
.. _HomeBrew: https://brew.sh/
.. _MacPorts: https://www.macports.org/
.. _Repology: https://repology.org/


@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written
in short form as ``share`` and ``noshare``. This is now deprecated
and will cause a warning.
``--enable-fips`` (since 6.0)
'''''''''''''''''''''''''''''
This option restricts usage of certain cryptographic algorithms when
the host is operating in FIPS mode.
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
library enabled as a cryptography provider.
Neither the ``nettle`` library, or the built-in cryptography provider are
supported on FIPS enabled hosts.
QEMU Machine Protocol (QMP) commands
------------------------------------


@ -64,7 +64,7 @@ interactive prompts from certtool::
cert_signing_key
EOF
# certtool --generate-self-signed \
--load-privkey ca-key.pem
--load-privkey ca-key.pem \
--template ca.info \
--outfile ca-cert.pem


@ -65,7 +65,7 @@ encrypted session.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
-vnc :1,tls-creds=tls0 -monitor stdio
In the above example ``/etc/pki/qemu`` should contain at least three
@ -84,12 +84,12 @@ connecting. The server will request that the client provide a
certificate, which it will then validate against the CA certificate.
This is a good choice if deploying in an environment with a private
internal certificate authority. It uses the same syntax as previously,
but with ``verify-peer`` set to ``yes`` instead.
but with ``verify-peer`` set to ``on`` instead.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0 -monitor stdio
.. _vnc_005fsec_005fcertificate_005fpw:
@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,password -monitor stdio
(qemu) change vnc password
Password: ********
@ -145,7 +145,7 @@ x509 options:
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
-object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,sasl -monitor stdio
.. _vnc_005fsetup_005fsasl:


@ -73,7 +73,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(QAuthZListFile,
* The object can be created on the command line using
*
* -object authz-list-file,id=authz0,\
* filename=/etc/qemu/myvm-vnc.acl,refresh=yes
* filename=/etc/qemu/myvm-vnc.acl,refresh=on
*
*/
struct QAuthZListFile {


@ -153,6 +153,9 @@ int os_parse_cmd_args(int index, const char *optarg)
break;
#if defined(CONFIG_LINUX)
case QEMU_OPTION_enablefips:
warn_report("-enable-fips is deprecated, please build QEMU with "
"the `libgcrypt` library as the cryptography provider "
"to enable FIPS compliance");
fips_set_state(true);
break;
#endif


@ -5027,7 +5027,7 @@ SRST
Note the use of quotes due to the x509 distinguished name
containing whitespace, and escaping of ','.
``-object authz-listfile,id=id,filename=path,refresh=yes|no``
``-object authz-listfile,id=id,filename=path,refresh=on|off``
Create an authorization object that will control access to
network services.
@ -5072,7 +5072,7 @@ SRST
# |qemu_system| \\
... \\
-object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes \\
-object authz-simple,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=on \\
...
``-object authz-pam,id=id,service=string``


@ -9,9 +9,14 @@ command=$1
shift
maybe_modules="$@"
# if --with-git-submodules=ignore, do nothing
test "$command" = "ignore" && exit 0
test -z "$GIT" && GIT=git
error() {
cd "$(dirname "$0")/.."
update_error() {
echo "$0: $*"
echo
echo "Unable to automatically checkout GIT submodules '$modules'."
@ -24,7 +29,7 @@ error() {
echo "Alternatively you may disable automatic GIT submodule checkout"
echo "with:"
echo
echo " $ ./configure --disable-git-update"
echo " $ ./configure --with-git-submodules=validate"
echo
echo "and then manually update submodules prior to running make, with:"
echo
@ -33,6 +38,19 @@ error() {
exit 1
}
validate_error() {
if test "$1" = "validate"; then
echo "GIT submodules checkout is out of date, and submodules"
echo "configured for validate only. Please run"
echo " scripts/git-submodule.sh update $maybe_modules"
echo "from the source directory or call configure with"
echo " --with-git-submodules=update"
echo "To disable GIT submodules validation, use"
echo " --with-git-submodules=ignore"
fi
exit 1
}
modules=""
for m in $maybe_modules
do
@ -52,18 +70,18 @@ then
fi
case "$command" in
status)
status|validate)
if test -z "$maybe_modules"
then
test -s ${substat} && exit 1 || exit 0
test -s ${substat} && validate_error "$command" || exit 0
fi
test -f "$substat" || exit 1
test -f "$substat" || validate_error "$command"
for module in $modules; do
CURSTATUS=$($GIT submodule status $module)
OLDSTATUS=$(cat $substat | grep $module)
if test "$CURSTATUS" != "$OLDSTATUS"; then
exit 1
validate_error "$command"
fi
done
exit 0
@ -76,10 +94,10 @@ update)
fi
$GIT submodule update --init $modules 1>/dev/null
test $? -ne 0 && error "failed to update modules"
test $? -ne 0 && update_error "failed to update modules"
$GIT submodule status $modules > "${substat}"
test $? -ne 0 && error "failed to save git submodule status" >&2
test $? -ne 0 && update_error "failed to save git submodule status" >&2
;;
esac
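Review bot: The new `cd "$(dirname "$0")/.."` has no failure check, so if the directory change fails the script carries on running `$GIT submodule update --init` and reading or writing the status file relative to whatever the caller's working directory was; `cd "$(dirname "$0")/.." || exit 1` stops it at that point. This matters more after this series, since configure and the Makefile no longer change into the source tree before invoking the script. Separately, the rewritten line `test -s ${substat} && validate_error "$command" || exit 0` leaves `${substat}` unquoted while the line below it writes `"$substat"`; quoting both keeps the script consistent.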


@ -30,7 +30,7 @@
* This stores some static data that is needed when
* encoding extensions in the x509 certs
*/
ASN1_TYPE pkix_asn1;
asn1_node pkix_asn1;
/*
* To avoid consuming random entropy to generate keys,
@ -139,7 +139,7 @@ void test_tls_cleanup(const char *keyfile)
/*
* Turns an ASN1 object into a DER encoded byte array
*/
static void test_tls_der_encode(ASN1_TYPE src,
static void test_tls_der_encode(asn1_node src,
const char *src_name,
gnutls_datum_t *res)
{
@ -317,7 +317,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* the 'critical' field which we want control over
*/
if (req->basicConstraintsEnable) {
ASN1_TYPE ext = ASN1_TYPE_EMPTY;
asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.BasicConstraints", &ext);
asn1_write_value(ext, "cA",
@ -344,7 +344,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* to be 'critical'
*/
if (req->keyUsageEnable) {
ASN1_TYPE ext = ASN1_TYPE_EMPTY;
asn1_node ext = NULL;
char str[2];
str[0] = req->keyUsageValue & 0xff;
@ -374,7 +374,7 @@ test_tls_generate_cert(QCryptoTLSTestCertReq *req,
* set this the hard way building up ASN1 data ourselves
*/
if (req->keyPurposeEnable) {
ASN1_TYPE ext = ASN1_TYPE_EMPTY;
asn1_node ext = NULL;
asn1_create_element(pkix_asn1, "PKIX1.ExtKeyUsageSyntax", &ext);
if (req->keyPurposeOID1) {


@ -125,7 +125,7 @@ void test_tls_cleanup(const char *keyfile);
}; \
test_tls_generate_cert(&varname, NULL)
extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
extern const asn1_static_node pkix_asn1_tab[];
#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */


@ -8,7 +8,7 @@
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
const asn1_static_node pkix_asn1_tab[] = {
{"PKIX1", 536875024, 0},
{0, 1073741836, 0},
{"id-ce", 1879048204, 0},


@ -84,7 +84,7 @@ echo
echo "== check plain client to TLS server fails =="
nbd_server_start_tcp_socket \
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
--tls-creds tls0 \
-f $IMGFMT "$TEST_IMG" 2>> "$TEST_DIR/server.log"
@ -129,7 +129,7 @@ echo "== check TLS with authorization =="
nbd_server_stop
nbd_server_start_tcp_socket \
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=yes \
--object tls-creds-x509,dir=${tls_dir}/server1,endpoint=server,id=tls0,verify-peer=on \
--object "authz-simple,id=authz0,identity=CN=localhost,, \
O=Cthulu Dark Lord Enterprises client1,,L=R'lyeh,,C=South Pacific" \
--tls-authz authz0 \


@ -28,7 +28,7 @@
static bool failauth;
/*
* These two functions are exported by libpam.so.
* These three functions are exported by libpam.so.
*
* By defining them again here, our impls are resolved
* by the linker instead of those in libpam.so
@ -50,6 +50,7 @@ pam_start(const char *service_name, const char *user,
failauth = false;
}
*pamh = (pam_handle_t *)0xbadeaffe;
return PAM_SUCCESS;
}
@ -65,6 +66,13 @@ pam_acct_mgmt(pam_handle_t *pamh, int flags)
}
int
pam_end(pam_handle_t *pamh, int status)
{
return PAM_SUCCESS;
}
static void test_authz_unknown_service(void)
{
Error *local_err = NULL;
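Review bot: The new `*pamh = (pam_handle_t *)0xbadeaffe;` in the `pam_start` stub hands callers a non-NULL handle, but nothing states that it is a sentinel that must never be dereferenced; suggest `/* Arbitrary non-NULL sentinel; the stubbed PAM functions here never dereference the handle */` on the line above, hedged as "here" because only `pam_end` is fully visible in the hunk. This assignment is presumably what fixes the runtime error named in the commit title, but the code that reported it is outside the hunk. The added `pam_end` stub ignores both of its arguments, which is fine for a test double but worth a word in the block comment that now reads "These three functions".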

@ -1 +1 @@
Subproject commit 6b3d716e2b6472eb7189d3220552280ef3d832ce
Subproject commit 6119e6e19a050df847418de7babe5166779955e4


@ -127,9 +127,10 @@ if have_system or xkbcommon.found()
capture: true,
input: files('keycodemapdb/data/keymaps.csv'),
command: [python.full_path(), files('keycodemapdb/tools/keymap-gen'),
'code-map',
'--lang', 'glib2',
'--varname', 'qemu_input_map_@0@_to_@1@'.format(e[0], e[1]),
'code-map', '@INPUT0@', e[0], e[1]])
'@INPUT0@', e[0], e[1]])
endforeach
endif