> > > FIPS 140-2 requires disabling certain ciphers, including DES, which is > > > used > > > by VNC to obscure passwords when they are sent over the network. The > > > solution for FIPS users is to disable the use of VNC password auth when > > > the > > > host system is operating in FIPS mode. > > > > > > This patch causes qemu to emit a syslog entry indicating that VNC password > > > auth is disabled when it detects the host is running in FIPS mode, and > > > unless a VNC password was specified on the command line it continues > > > normally. However, if a VNC password was given on the command line, qemu > > > fails with an error message to stderr explaining that VNC password auth is > > > not allowed in FIPS mode. > > > > I just talked to Roman about this one and he had some comments :) > > I'm sure he did :)
*g* Thanks, Alex! :) The purpose makes perfect sense, I think. Some small glitch, though: fips=1 on the kernel commandline turns on fips mode in the kernel crypto, and leaves "1" in /proc/sys/crypto/fips_enabled for userland to consume. openssl starts up, reads the file and runs its fips initialization with "1" in the file. Typically... Two problems: 1) openssl may not come with FIPS support. proc file is ignored. 2) openssl may run in FIPS mode for reasons other than fips=1 on the kernel cmdline (environment, ...). Suggested way to handle this: 1) compile-time check if <openssl/fips.h> exists. Ignore fips specifics if not, otherwise: 2) use int FIPS_mode(void) for what it's there: #ifdef _QEMU_FIPS /* or whatever */ #include <openssl/fips.h> vs->fips = FIPS_mode(); #endif and skip fips_enabled(void). Much easier! > paul moore > security and virtualization @ redhat Thanks, Roman. (don't know if list is subscribers-post only)
