config.data.nix.path = monpath;
config.data.nix.listen = false;
- /* Qemu 1.2 and later have a binary flag -enable-fips that must be
- * used for VNC auth to obey FIPS settings; but the flag only
- * exists on Linux, and with no way to probe for it via QMP. Our
- * solution: if FIPS mode is required, then unconditionally use
- * the flag, regardless of qemu version, for the following matrix:
- *
- * old QEMU new QEMU
- * FIPS enabled doesn't start VNC auth disabled
- * FIPS disabled/missing VNC auth enabled VNC auth enabled
- *
- * Setting the flag here instead of in virQEMUCapsInitQMPMonitor
- * or virQEMUCapsInitHelp also allows the testsuite to be
- * independent of FIPS setting.
- */
- if (virFileExists("/proc/sys/crypto/fips_enabled")) {
- char *buf = NULL;
-
- if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
- goto cleanup;
- if (STREQ(buf, "1\n"))
- virQEMUCapsSet(qemuCaps, QEMU_CAPS_ENABLE_FIPS);
- VIR_FREE(buf);
- }
-
VIR_DEBUG("Try to get caps via QMP qemuCaps=%p", qemuCaps);
/*
}
+/* Qemu 1.2 and later have a binary flag -enable-fips that must be
+ * used for VNC auth to obey FIPS settings; but the flag only
+ * exists on Linux, and with no way to probe for it via QMP. Our
+ * solution: if FIPS mode is required, then unconditionally use
+ * the flag, regardless of qemu version, for the following matrix:
+ *
+ * old QEMU new QEMU
+ * FIPS enabled doesn't start VNC auth disabled
+ * FIPS disabled/missing VNC auth enabled VNC auth enabled
+ */
+bool
+qemuCheckFips(void)
+{
+ bool ret = false;
+
+ if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+ char *buf = NULL;
+
+ if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
+ return ret;
+ if (STREQ(buf, "1\n"))
+ ret = true;
+ VIR_FREE(buf);
+ }
+
+ return ret;
+}
+
+
char *
qemuBuildDriveStr(virConnectPtr conn,
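Review bot: qemuCheckFips fails open: when virFileReadAll fails on line 48 the function returns false, so a host whose fips_enabled file exists but cannot be read is treated as non-FIPS and "-enable-fips" is silently dropped, whereas the removed caps-probe code (lines 20-21) made the same failure a hard error via goto cleanup. If virFileReadAll reports a libvirt error on failure, as its other callers appear to rely on, that error is also left pending in the calling thread while a plain false is returned to qemuProcessStart and the driver. At minimum the failure should be visible, e.g. `VIR_WARN("Unable to read /proc/sys/crypto/fips_enabled, assuming FIPS disabled");` before the early return, or the function should distinguish "read failed" from "reports 0" if the previous fail-closed behaviour is intended. The comparison `STREQ(buf, "1\n")` is exact, so any other content (including "1" without a trailing newline) counts as disabled; that matches the "disabled/missing" row of the matrix in the comment but deserves a one-line comment saying so.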
virDomainDiskDefPtr disk,
virDomainSnapshotObjPtr snapshot,
virNetDevVPortProfileOp vmop,
qemuBuildCommandLineCallbacksPtr callbacks,
- bool standalone)
+ bool standalone,
+ bool enableFips)
{
virErrorPtr originalError = NULL;
size_t i, j;
if (!standalone)
virCommandAddArg(cmd, "-S"); /* freeze CPU */
- if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ if (enableFips)
virCommandAddArg(cmd, "-enable-fips");
if (qemuBuildMachineArgStr(cmd, def, qemuCaps) < 0)
virDomainSnapshotObjPtr current_snapshot,
virNetDevVPortProfileOp vmop,
qemuBuildCommandLineCallbacksPtr callbacks,
- bool forXMLToArgv)
+ bool forXMLToArgv,
+ bool enableFips)
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(11);
/* Generate '-device' string for chardev device */
char **source);
int qemuCheckDiskConfig(virDomainDiskDefPtr disk);
+
+bool
+qemuCheckFips(void);
#endif /* __QEMU_COMMAND_H__*/
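Review bot: The new declaration of qemuCheckFips on lines 88-89 and the added enableFips parameter on line 82 carry no documentation, so a reader of the header cannot tell that qemuCheckFips reads host state or what enableFips controls. Suggest a comment above the declaration such as `/* Report whether the host kernel is in FIPS mode by reading /proc/sys/crypto/fips_enabled; returns false when the file is missing, unreadable, or reports anything other than "1". */`, and on the qemuBuildCommandLine prototype a short note that enableFips is passed through as the "-enable-fips" qemu argument rather than probed from qemuCaps. The qemuBuildCommandLine prototype begins outside the hunk containing line 82.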
NULL, -1, NULL,
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
&buildCommandLineCallbacks,
- true)))
+ true,
+ qemuCheckFips())))
goto cleanup;
ret = virCommandToString(cmd);
if (!(cmd = qemuBuildCommandLine(conn, driver, vm->def, priv->monConfig,
priv->monJSON, priv->qemuCaps,
migrateFrom, stdin_fd, snapshot, vmop,
- &buildCommandLineCallbacks, false)))
+ &buildCommandLineCallbacks, false,
+ qemuCheckFips())))
goto cleanup;
/* now that we know it is about to start call the hook if present */
<flag name='usb-storage'/>
<flag name='usb-storage.removable'/>
<flag name='kvm-pit-lost-tick-policy'/>
- <flag name='enable-fips'/>
<flag name='usb-kbd'/>
<flag name='host-pci-multidomain'/>
<flag name='usb-audio'/>
<flag name='boot-strict'/>
<flag name='pvpanic'/>
<flag name='reboot-timeout'/>
- <flag name='enable-fips'/>
<flag name='spice-file-xfer-disable'/>
<flag name='spiceport'/>
<flag name='usb-kbd'/>
struct _testQemuData {
virDomainXMLOptionPtr xmlopt;
const char *base;
- bool fips;
};
static qemuMonitorTestPtr
qemuMonitorTestGetMonitor(mon)) < 0)
goto cleanup;
- /* So that our test does not depend on the contents of /proc, we
- * hoisted the setting of ENABLE_FIPS to virQEMUCapsInitQMP. But
- * we do want to test the effect of that flag. */
- if (data->fips)
- virQEMUCapsSet(capsComputed, QEMU_CAPS_ENABLE_FIPS);
-
if (testQemuCapsCompare(capsProvided, capsComputed) < 0)
goto cleanup;
data.xmlopt = xmlopt;
-#define DO_TEST_FULL(name, use_fips) \
- data.base = name; \
- data.fips = use_fips; \
- if (virtTestRun(name, testQemuCaps, &data) < 0) \
- ret = -1
-
-#define DO_TEST(name) DO_TEST_FULL(name, false)
+#define DO_TEST(name) \
+ do { \
+ data.base = name; \
+ if (virtTestRun(name, testQemuCaps, &data) < 0) \
+ ret = -1; \
+ } while (0)
- DO_TEST_FULL("caps_1.2.2-1", true);
+ DO_TEST("caps_1.2.2-1");
DO_TEST("caps_1.3.1-1");
DO_TEST("caps_1.4.2-1");
DO_TEST("caps_1.5.3-1");
- DO_TEST_FULL("caps_1.6.0-1", true);
+ DO_TEST("caps_1.6.0-1");
DO_TEST("caps_1.6.50-1");
virObjectUnref(xmlopt);
--- /dev/null
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \
+/usr/bin/qemu \
+-S -enable-fips -M pc -m 214 -smp 1 -nographic -monitor \
+unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb \
+-hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none
--- /dev/null
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219100</memory>
+ <currentMemory unit='KiB'>219100</currentMemory>
+ <vcpu placement='static' cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+</domain>
FLAG_EXPECT_FAILURE = 1 << 1,
FLAG_EXPECT_PARSE_ERROR = 1 << 2,
FLAG_JSON = 1 << 3,
+ FLAG_FIPS = 1 << 4,
} virQemuXML2ArgvTestFlags;
static int testCompareXMLToArgvFiles(const char *xml,
(flags & FLAG_JSON), extraFlags,
migrateFrom, migrateFd, NULL,
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
- &testCallbacks, false))) {
+ &testCallbacks, false,
+ (flags & FLAG_FIPS)))) {
if (!virtTestOOMActive() &&
(flags & FLAG_EXPECT_FAILURE)) {
ret = 0;
if (virQEMUCapsGet(info->extraFlags, QEMU_CAPS_MONITOR_JSON))
flags |= FLAG_JSON;
+ if (virQEMUCapsGet(info->extraFlags, QEMU_CAPS_ENABLE_FIPS))
+ flags |= FLAG_FIPS;
+
result = testCompareXMLToArgvFiles(xml, args, info->extraFlags,
info->migrateFrom, info->migrateFd,
flags);
DO_TEST("panic", QEMU_CAPS_DEVICE_PANIC,
QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG);
+ DO_TEST("fips-enabled", QEMU_CAPS_ENABLE_FIPS);
+
virObjectUnref(driver.config);
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
vmdef, &monitor_chr, json, extraFlags,
migrateFrom, migrateFd, NULL,
VIR_NETDEV_VPORT_PROFILE_OP_NO_OP,
- &testCallbacks, false)))
+ &testCallbacks, false, false)))
goto fail;
if (!virtTestOOMActive()) {