From: Peter Krempa
Date: Mon, 16 May 2022 10:47:19 +0000 (+0200)
Subject: qemu: Store state of FIPS in virQEMUDriver
X-Git-Tag: v8.4.0-rc1~146
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5fd6f2b68ef5524ea38d988fc7fd077af180b43;p=thirdparty%2Flibvirt.git

qemu: Store state of FIPS in virQEMUDriver

Rather than re-query all the time we can cache the state of FIPS of the host as it will not change during the runtime of the guest.

Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and also populate 'hostFips' in qemuxml2argvtest.

Signed-off-by: Peter Krempa
Reviewed-by: Pavel Hrdina
---

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index facb942485..1a5fd20632 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -1787,21 +1787,11 @@ bool
 qemuCheckFips(virDomainObj *vm)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
- virQEMUCaps *qemuCaps = priv->qemuCaps;
 
- if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
+ if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
 return false;
 
- if (virFileExists("/proc/sys/crypto/fips_enabled")) {
- g_autofree char *buf = NULL;
-
- if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
- return false;
- if (STREQ(buf, "1\n"))
- return true;
- }
-
- return false;
+ return priv->driver->hostFips;
 }
 
 
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index c71a666aea..5e752d075e 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -251,6 +251,7 @@ struct _virQEMUDriver {
 /* Immutable values */
 bool privileged;
 char *embeddedRoot;
+ bool hostFips; /* FIPS mode is enabled on the host */
 
 /* Immutable pointers. Caller must provide locking */
 virStateInhibitCallback inhibitCallback;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 4f6b295859..96ca67dfca 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
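Review bot: `return priv->driver->hostFips;` makes qemuCheckFips depend on qemuStateInitialize having sampled the host state first; a driver whose hostFips was never populated (a harness building its own driver, or any path that runs before initialization) yields false and the guest is launched without `-enable-fips`, which fails open rather than closed. Which callers can reach that state is not visible from the hunk, so treat the fail-open reading as something to confirm. A comment at the return would make the dependency explicit: `/* host FIPS state is sampled once in qemuStateInitialize; tests set drv->hostFips directly */`. The function's doc comment, if it has one, sits above the hunk and would want the same remark.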
@@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged,
 if (qemuMigrationDstErrorInit(qemu_driver) < 0)
 goto error;
 
+ /* qemu-5.1 and older requires use of '-enable-fips' flag when the host
+ * is in FIPS mode. We store whether FIPS is enabled */
+ if (virFileExists("/proc/sys/crypto/fips_enabled")) {
+ g_autofree char *buf = NULL;
+
+ if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
+ qemu_driver->hostFips = STREQ(buf, "1\n");
+ }
+
 if (privileged) {
 g_autofree char *channeldir = NULL;
 
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index ee5de55e21..c6d175939e 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
 unsigned int flags)
 {
 qemuDomainObjPrivate *priv = vm->privateData;
- bool enableFips = !!(flags & FLAG_FIPS_HOST);
+ bool enableFips;
 size_t i;
 
+ drv->hostFips = flags & FLAG_FIPS_HOST;
+ enableFips = drv->hostFips;
+
 if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
 VIR_QEMU_PROCESS_START_COLD) < 0)
 return NULL;
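Review bot: The `virFileReadAll(...) > 0` guard in the new block folds a read failure into "FIPS off": hostFips stays false, and since virFileReadAll reports a system error on failure (as far as I can tell from virfile.c) that error is left pending in the thread without being logged or reset. On a FIPS-enforced host where the /proc entry exists but cannot be read, the daemon would then start qemu-5.1 and older without `-enable-fips`, so the failure should at least be visible, e.g. `else` / `VIR_WARN("cannot determine host FIPS state from /proc/sys/crypto/fips_enabled, assuming disabled");` after the existing assignment. The new comment also has a grammar slip, "qemu-5.1 and older requires" should read "require", and it could state the commit message's reasoning directly, that the value is sampled once here because the host state does not change at runtime. qemuStateInitialize starts and ends outside the hunk.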
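Review bot: `drv->hostFips = flags & FLAG_FIPS_HOST;` stores a masked bitfield in a bool; the conversion to _Bool makes it 0/1 so it is correct, but the `!!` the hunk removes made the intent explicit and `drv->hostFips = !!(flags & FLAG_FIPS_HOST);` reads better with the field's type. The test also now writes a field that qemu_conf.h groups under "Immutable values", which is fine for the pretend-start path but deserves a one-line comment such as `/* the real driver samples /proc/sys/crypto/fips_enabled in qemuStateInitialize; the test injects the state via FLAG_FIPS_HOST */`. Where enableFips is consumed is not visible here; testCompareXMLToArgvCreateArgs continues past the hunk.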