softmmu: remove deprecated --enable-fips option
Users requiring FIPS support must build QEMU with either the libgcrypt or gnutls libraries as the cryptography backend. Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
a1755db71e
commit
c6b310b37c
@ -67,18 +67,6 @@ and will cause a warning.
|
|||||||
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
|
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
|
||||||
rather than ``delay=off``.
|
rather than ``delay=off``.
|
||||||
|
|
||||||
``--enable-fips`` (since 6.0)
|
|
||||||
'''''''''''''''''''''''''''''
|
|
||||||
|
|
||||||
This option restricts usage of certain cryptographic algorithms when
|
|
||||||
the host is operating in FIPS mode.
|
|
||||||
|
|
||||||
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
|
|
||||||
library enabled as a cryptography provider.
|
|
||||||
|
|
||||||
Neither the ``nettle`` library, or the built-in cryptography provider are
|
|
||||||
supported on FIPS enabled hosts.
|
|
||||||
|
|
||||||
``-writeconfig`` (since 6.0)
|
``-writeconfig`` (since 6.0)
|
||||||
'''''''''''''''''''''''''''''
|
'''''''''''''''''''''''''''''
|
||||||
|
|
||||||
|
@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
|
|||||||
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
|
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
|
||||||
should be used instead.
|
should be used instead.
|
||||||
|
|
||||||
|
``--enable-fips`` (removed in 7.1)
|
||||||
|
''''''''''''''''''''''''''''''''''
|
||||||
|
|
||||||
|
This option restricted usage of certain cryptographic algorithms when
|
||||||
|
the host is operating in FIPS mode.
|
||||||
|
|
||||||
|
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
|
||||||
|
or ``gnutls`` library enabled as a cryptography provider.
|
||||||
|
|
||||||
|
Neither the ``nettle`` library, or the built-in cryptography provider are
|
||||||
|
supported on FIPS enabled hosts.
|
||||||
|
|
||||||
QEMU Machine Protocol (QMP) commands
|
QEMU Machine Protocol (QMP) commands
|
||||||
------------------------------------
|
------------------------------------
|
||||||
|
@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]);
|
|||||||
|
|
||||||
void qemu_set_cloexec(int fd);
|
void qemu_set_cloexec(int fd);
|
||||||
|
|
||||||
void fips_set_state(bool requested);
|
|
||||||
bool fips_get_state(void);
|
|
||||||
|
|
||||||
/* Return a dynamically allocated directory path that is appropriate for storing
|
/* Return a dynamically allocated directory path that is appropriate for storing
|
||||||
* local state.
|
* local state.
|
||||||
*
|
*
|
||||||
|
@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg)
|
|||||||
case QEMU_OPTION_daemonize:
|
case QEMU_OPTION_daemonize:
|
||||||
daemonize = 1;
|
daemonize = 1;
|
||||||
break;
|
break;
|
||||||
#if defined(CONFIG_LINUX)
|
|
||||||
case QEMU_OPTION_enablefips:
|
|
||||||
warn_report("-enable-fips is deprecated, please build QEMU with "
|
|
||||||
"the `libgcrypt` library as the cryptography provider "
|
|
||||||
"to enable FIPS compliance");
|
|
||||||
fips_set_state(true);
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
default:
|
default:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -4673,16 +4673,6 @@ HXCOMM Internal use
|
|||||||
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
|
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
|
||||||
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
|
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
|
||||||
|
|
||||||
#ifdef __linux__
|
|
||||||
DEF("enable-fips", 0, QEMU_OPTION_enablefips,
|
|
||||||
"-enable-fips enable FIPS 140-2 compliance\n",
|
|
||||||
QEMU_ARCH_ALL)
|
|
||||||
#endif
|
|
||||||
SRST
|
|
||||||
``-enable-fips``
|
|
||||||
Enable FIPS 140-2 compliance mode.
|
|
||||||
ERST
|
|
||||||
|
|
||||||
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
|
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
|
||||||
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
|
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
|
||||||
" control error message format\n"
|
" control error message format\n"
|
||||||
|
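--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp)
 password = qemu_opt_get_bool(opts, "password", false);
 }
 if (password) {
-if (fips_get_state()) {
-error_setg(errp,
-"VNC password auth disabled due to FIPS mode, "
-"consider using the VeNCrypt or SASL authentication "
-"methods as an alternative");
-goto fail;
-}
 if (!qcrypto_cipher_supports(
 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
 error_setg(errp,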
28
util/osdep.c
28
util/osdep.c
@ -31,8 +31,6 @@
|
|||||||
#include "qemu/hw-version.h"
|
#include "qemu/hw-version.h"
|
||||||
#include "monitor/monitor.h"
|
#include "monitor/monitor.h"
|
||||||
|
|
||||||
static bool fips_enabled = false;
|
|
||||||
|
|
||||||
static const char *hw_version = QEMU_HW_VERSION;
|
static const char *hw_version = QEMU_HW_VERSION;
|
||||||
|
|
||||||
int socket_set_cork(int fd, int v)
|
int socket_set_cork(int fd, int v)
|
||||||
@ -514,32 +512,6 @@ const char *qemu_hw_version(void)
|
|||||||
return hw_version;
|
return hw_version;
|
||||||
}
|
}
|
||||||
|
|
||||||
void fips_set_state(bool requested)
|
|
||||||
{
|
|
||||||
#ifdef __linux__
|
|
||||||
if (requested) {
|
|
||||||
FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
|
|
||||||
if (fds != NULL) {
|
|
||||||
fips_enabled = (fgetc(fds) == '1');
|
|
||||||
fclose(fds);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
fips_enabled = false;
|
|
||||||
#endif /* __linux__ */
|
|
||||||
|
|
||||||
#ifdef _FIPS_DEBUG
|
|
||||||
fprintf(stderr, "FIPS mode %s (requested %s)\n",
|
|
||||||
(fips_enabled ? "enabled" : "disabled"),
|
|
||||||
(requested ? "enabled" : "disabled"));
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
bool fips_get_state(void)
|
|
||||||
{
|
|
||||||
return fips_enabled;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef _WIN32
|
#ifdef _WIN32
|
||||||
static void socket_cleanup(void)
|
static void socket_cleanup(void)
|
||||||
{
|
{
|
||||||
|