From: Daniel P. Berrangé <[email protected]>

In RHEL and Fedora, the built-in GNUTLS default priority is changed
from "NORMAL" to "@SYSTEM", but because libvirt sets an explicit
policy with gnutls we don't honour that. Instead we force "NORMAL"
unless the 'tls_priority' meson option is changed.

In RPM builds, meanwhile, we ask for "@LIBVIRT,SYSTEM" to make it
look for a libvirt specific profile first, falling back to "@SYSTEM".

This changes the meson option to default to "@LIBVIRT,SYSTEM" if the
crypto-policies config is present on the local machine and the meson
option -Dsystem=true is given.

This gives developers more appropriate default behaviour, matching
that seen in package builds.

Signed-off-by: Daniel P. Berrangé <[email protected]>
---
 meson.build       | 13 ++++++++++++-
 meson_options.txt |  2 +-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/meson.build b/meson.build
index d68b37d0ba..c1871de64c 100644
--- a/meson.build
+++ b/meson.build
@@ -2035,7 +2035,18 @@ elif get_option('userfaultfd_sysctl').enabled()
   error('userfaultfd_sysctl option requires sysctl_config to be enabled')
 endif
 
-conf.set_quoted('TLS_PRIORITY', get_option('tls_priority'))
+prio = get_option('tls_priority')
+if prio == 'auto'
+    # If local OS has 'crypto-policies' then default to that
+    policy = '/etc/crypto-policies/config'
+    if get_option('system') and \
+       run_command('test', '-f', policy, check: false).returncode() == 0
+        prio = '@LIBVIRT,SYSTEM'
+    else
+        prio = 'NORMAL'
+    endif
+endif
+conf.set_quoted('TLS_PRIORITY', prio)
 
 
 # test options
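Review bot: the existence check at the `run_command('test', '-f', policy, check: false)` line spawns an external `test` binary to answer a question meson can answer natively; `import('fs').is_file(policy)` does the same without a subprocess and works on hosts where `test` is not on PATH. Two smaller points on the same hunk: the comment "If local OS has 'crypto-policies' then default to that" omits the `get_option('system')` condition that the `if` below it actually requires, so it should say the fallback only applies with `-Dsystem=true`; and because the result is baked into `TLS_PRIORITY` via `conf.set_quoted` at configure time, a binary configured on a machine that has `/etc/crypto-policies/config` and then run on one without it will carry a "@LIBVIRT,SYSTEM" string that GnuTLS cannot resolve. Printing the chosen value in the configure summary would make that outcome visible to developers.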
diff --git a/meson_options.txt b/meson_options.txt
index 3dc3e8667b..8b6b26dfc6 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -134,4 +134,4 @@ option('ssh_proxy', type: 'feature', value: 'auto', 
description: 'Build ssh-prox
 option('sysctl_config', type: 'feature', value: 'auto', description: 'Whether 
to install sysctl configs')
 # dep:sysctl_config
 option('userfaultfd_sysctl', type: 'feature', value: 'auto', description: 
'Whether to install sysctl config for enabling unprivileged userfaultfd')
-option('tls_priority', type: 'string', value: 'NORMAL', description: 'set the 
default TLS session priority string')
+option('tls_priority', type: 'string', value: 'auto', description: 'set the 
default TLS session priority string')
-- 
2.51.1