I never knew what this option did, but the answer is ... strange!

It's only defined for linux, in os-posix.c. When called, it calls
fips_set_state(true), located in osdep.c.

This will read /proc/sys/crypto/fips_enabled and set the static global
'fips_enabled' to true if this setting is on.

(Tangent: what does *this* setting actually control? Should QEMU
meaningfully change its behavior when it's set?)

This static global is exposed via the getter fips_get_state(). This
function is called only by vnc.c, and appears to disable the use of the
password option for -vnc.

This seems very high-level and abstract for something that ultimately
only disables VNC password authentication. Is this misleadingly abstract?

The docs state:
"enable FIPS 140-2 compliance"

Like hell it does.

Can we deprecate this? It was added in 2012 and never seemed to pursue
the mission laid out in the help file. If we do still want it, the
documentation should be changed dramatically to reflect what it actually
does.

This is so at risk of bit-rot, and a misleading crypto flag is certainly
worse than no crypto flag. I think it should just go.

(If we really do want to keep it, it should probably go under -global
somewhere instead to help reduce flag clutter, but we'd need to have a
chat about what fips compliance means for literally every other spot in
QEMU that is capable of using or receiving a cleartext password.)

--js


Reply via email to