diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 751daf20d3..a92c8c698a 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1769,32 +1769,6 @@ qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk)
 }
 
 
-/* QEMU 1.2 and later have a binary flag -enable-fips that must be
- * used for VNC auth to obey FIPS settings; but the flag only
- * exists on Linux, and with no way to probe for it via QMP. Our
- * solution: if FIPS mode is required, then unconditionally use
- * the flag, regardless of qemu version, for the following matrix:
- *
- * old QEMU new QEMU
- * FIPS enabled doesn't start VNC auth disabled
- * FIPS disabled/missing VNC auth enabled VNC auth enabled
- *
- * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
- * where FIPS is required, QEMU must be built against libgcrypt
- * which automatically enforces FIPS compliance.
- */
-bool
-qemuCheckFips(virDomainObj *vm)
-{
- qemuDomainObjPrivate *priv = vm->privateData;
-
- if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
- return false;
-
- return priv->driver->hostFips;
-}
-
-
 /**
  * qemuDiskBusIsSD:
  * @bus: disk bus
@@ -10425,7 +10399,6 @@ qemuBuildCommandLine(virDomainObj *vm,
 const char *migrateURI,
 virDomainMomentObj *snapshot,
 virNetDevVPortProfileOp vmop,
- bool enableFips,
 size_t *nnicindexes,
 int **nicindexes,
 unsigned int flags)
@@ -10486,7 +10459,19 @@ qemuBuildCommandLine(virDomainObj *vm,
 if (qemuBuildPflashBlockdevCommandLine(cmd, priv) < 0)
 return NULL;
 
- if (enableFips)
+ /* QEMU 1.2 and later have a binary flag -enable-fips that must be
+ * used for VNC auth to obey FIPS settings; but the flag only
+ * exists on Linux, and with no way to probe for it via QMP. Our
+ * solution: if FIPS mode is required, then unconditionally use the flag.
+ *
+ * In QEMU 5.2.0, use of -enable-fips was deprecated. In scenarios
+ * where FIPS is required, QEMU must be built against libgcrypt
+ * which automatically enforces FIPS compliance.
+ *
+ * Note this is the only use of driver->hostFips.
+ */
+ if (driver->hostFips &&
+ virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
 virCommandAddArg(cmd, "-enable-fips");
 
 if (qemuBuildMachineCommandLine(cmd, cfg, def, qemuCaps, priv) < 0)
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index db5b532cb8..72b0401c7b 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -51,7 +51,6 @@ virCommand *qemuBuildCommandLine(virDomainObj *vm,
 const char *migrateURI,
 virDomainMomentObj *snapshot,
 virNetDevVPortProfileOp vmop,
- bool enableFips,
 size_t *nnicindexes,
 int **nicindexes,
 unsigned int flags);
@@ -214,10 +213,6 @@ int qemuGetDriveSourceString(virStorageSource *src,
 bool qemuDiskConfigBlkdeviotuneEnabled(virDomainDiskDef *disk);
 
-
-bool
-qemuCheckFips(virDomainObj *vm);
-
 virJSONValue *qemuBuildHotpluggableCPUProps(const virDomainVcpuDef *vcpu)
 ATTRIBUTE_NONNULL(1);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 8097dcf144..2ca264d9f9 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
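Review bot: The new condition reads `driver->hostFips` whereas the removed qemuCheckFips() read `priv->driver->hostFips`; the two are equivalent only if the `driver` local of qemuBuildCommandLine (declared outside this hunk) is `priv->driver`, which the hunk does not show. Dropping the old/new-QEMU matrix is right — the removed qemuCheckFips() already returned false when QEMU_CAPS_ENABLE_FIPS was absent, so a FIPS host with such a QEMU never refused to start — but that silent downgrade is now only implied by the `&&`, so state it in the comment: `* On a FIPS host whose QEMU lacks QEMU_CAPS_ENABLE_FIPS the flag is simply omitted and the domain still starts.` The line `Note this is the only use of driver->hostFips.` is the kind of claim that rots (tests/qemuxml2argvtest.c already assigns the field in this same commit) and is better left out. qemuBuildCommandLine continues outside the hunk.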
@@ -6391,9 +6391,7 @@ static char *qemuConnectDomainXMLToNative(virConnectPtr conn,
 if (qemuConnectDomainXMLToNativePrepareHost(vm) < 0)
 return NULL;
 
- if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL,
- qemuCheckFips(vm),
- commandlineflags)))
+ if (!(cmd = qemuProcessCreatePretendCmdBuild(vm, NULL, commandlineflags)))
 return NULL;
 
 return virCommandToString(cmd, false);
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index fbad1254a0..d50cf2e6be 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7448,7 +7448,6 @@ qemuProcessLaunch(virConnectPtr conn,
 if (!(cmd = qemuBuildCommandLine(vm,
 incoming ? "defer" : NULL,
 snapshot, vmop,
- qemuCheckFips(vm),
 &nnicindexes, &nicindexes,
 0)))
 goto cleanup;
@@ -7947,14 +7946,12 @@ qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
 virCommand *
 qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
 const char *migrateURI,
- bool enableFips,
 unsigned int flags)
 {
 return qemuBuildCommandLine(vm,
 migrateURI,
 NULL,
 VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
- enableFips,
 NULL,
 NULL,
 flags);
diff --git a/src/qemu/qemu_process.h b/src/qemu/qemu_process.h
index 9856da3bb5..2387fcdcdc 100644
--- a/src/qemu/qemu_process.h
+++ b/src/qemu/qemu_process.h
@@ -99,7 +99,6 @@ int qemuProcessCreatePretendCmdPrepare(virQEMUDriver *driver,
 
 virCommand *qemuProcessCreatePretendCmdBuild(virDomainObj *vm,
 const char *migrateURI,
- bool enableFips,
 unsigned int flags);
 
 int qemuProcessInit(virQEMUDriver *driver,
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 967e575327..8a15904b98 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -386,11 +386,9 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
 unsigned int flags)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
- bool enableFips;
 size_t i;
 
 drv->hostFips = flags & FLAG_FIPS_HOST;
- enableFips = drv->hostFips;
 
 if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
 VIR_QEMU_PROCESS_START_COLD) < 0)
@@ -486,12 +484,7 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
 }
 }
 
- /* we can't use qemuCheckFips() directly as it queries host state */
- if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
- enableFips = false;
-
- return qemuProcessCreatePretendCmdBuild(vm, migrateURI,
- enableFips, 0);
+ return qemuProcessCreatePretendCmdBuild(vm, migrateURI, 0);
 }
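Review bot: Removing the local capability check takes away the only visible reader of `priv` in testCompareXMLToArgvCreateArgs; its declaration `qemuDomainObjPrivate *priv = vm->privateData;` is kept as context in the earlier hunk of this file, so unless the loop between the two hunks still uses it the build will warn about an unused local — the function starts outside this hunk, so that cannot be confirmed here. The FIPS gating is now exercised only through qemuBuildCommandLine reading `drv->hostFips` and the capability bit, which is a better test than the old local mask; it is worth checking that the test matrix already contains a case with FLAG_FIPS_HOST set and QEMU_CAPS_ENABLE_FIPS absent, since that is the combination whose expected output (no `-enable-fips`) this hunk used to pin explicitly.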