softmmu: remove deprecated --enable-fips option

Users requiring FIPS support must build QEMU with either the libgcrypt
or gnutls libraries as the crytography backend.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2022-03-04 10:27:42 +00:00
parent a1755db71e
commit c6b310b37c
7 changed files with 11 additions and 68 deletions

View File

@ -67,18 +67,6 @@ and will cause a warning.
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on`` The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
rather than ``delay=off``. rather than ``delay=off``.
``--enable-fips`` (since 6.0)
'''''''''''''''''''''''''''''
This option restricts usage of certain cryptographic algorithms when
the host is operating in FIPS mode.
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
library enabled as a cryptography provider.
Neither the ``nettle`` library, or the built-in cryptography provider are
supported on FIPS enabled hosts.
``-writeconfig`` (since 6.0) ``-writeconfig`` (since 6.0)
''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''

View File

@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
should be used instead. should be used instead.
``--enable-fips`` (removed in 7.1)
''''''''''''''''''''''''''''''''''
This option restricted usage of certain cryptographic algorithms when
the host is operating in FIPS mode.
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
or ``gnutls`` library enabled as a cryptography provider.
Neither the ``nettle`` library, or the built-in cryptography provider are
supported on FIPS enabled hosts.
QEMU Machine Protocol (QMP) commands QEMU Machine Protocol (QMP) commands
------------------------------------ ------------------------------------

View File

@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]);
void qemu_set_cloexec(int fd); void qemu_set_cloexec(int fd);
void fips_set_state(bool requested);
bool fips_get_state(void);
/* Return a dynamically allocated directory path that is appropriate for storing /* Return a dynamically allocated directory path that is appropriate for storing
* local state. * local state.
* *

View File

@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg)
case QEMU_OPTION_daemonize: case QEMU_OPTION_daemonize:
daemonize = 1; daemonize = 1;
break; break;
#if defined(CONFIG_LINUX)
case QEMU_OPTION_enablefips:
warn_report("-enable-fips is deprecated, please build QEMU with "
"the `libgcrypt` library as the cryptography provider "
"to enable FIPS compliance");
fips_set_state(true);
break;
#endif
default: default:
return -1; return -1;
} }

View File

@ -4673,16 +4673,6 @@ HXCOMM Internal use
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL) DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL) DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
#ifdef __linux__
DEF("enable-fips", 0, QEMU_OPTION_enablefips,
"-enable-fips enable FIPS 140-2 compliance\n",
QEMU_ARCH_ALL)
#endif
SRST
``-enable-fips``
Enable FIPS 140-2 compliance mode.
ERST
DEF("msg", HAS_ARG, QEMU_OPTION_msg, DEF("msg", HAS_ARG, QEMU_OPTION_msg,
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n" "-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
" control error message format\n" " control error message format\n"

View File

@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp)
password = qemu_opt_get_bool(opts, "password", false); password = qemu_opt_get_bool(opts, "password", false);
} }
if (password) { if (password) {
if (fips_get_state()) {
error_setg(errp,
"VNC password auth disabled due to FIPS mode, "
"consider using the VeNCrypt or SASL authentication "
"methods as an alternative");
goto fail;
}
if (!qcrypto_cipher_supports( if (!qcrypto_cipher_supports(
QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) { QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
error_setg(errp, error_setg(errp,

View File

@ -31,8 +31,6 @@
#include "qemu/hw-version.h" #include "qemu/hw-version.h"
#include "monitor/monitor.h" #include "monitor/monitor.h"
static bool fips_enabled = false;
static const char *hw_version = QEMU_HW_VERSION; static const char *hw_version = QEMU_HW_VERSION;
int socket_set_cork(int fd, int v) int socket_set_cork(int fd, int v)
@ -514,32 +512,6 @@ const char *qemu_hw_version(void)
return hw_version; return hw_version;
} }
void fips_set_state(bool requested)
{
#ifdef __linux__
if (requested) {
FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
if (fds != NULL) {
fips_enabled = (fgetc(fds) == '1');
fclose(fds);
}
}
#else
fips_enabled = false;
#endif /* __linux__ */
#ifdef _FIPS_DEBUG
fprintf(stderr, "FIPS mode %s (requested %s)\n",
(fips_enabled ? "enabled" : "disabled"),
(requested ? "enabled" : "disabled"));
#endif
}
bool fips_get_state(void)
{
return fips_enabled;
}
#ifdef _WIN32 #ifdef _WIN32
static void socket_cleanup(void) static void socket_cleanup(void)
{ {