From: Peter Krempa
To: libvir-list@redhat.com
Subject: [PATCH 05/11] qemu: Store state of FIPS in virQEMUDriver
Date: Mon, 16 May 2022 17:12:35 +0200
Message-Id: <548a9433f968a97ba937da10d92cbce1b09c6198.1652710341.git.pkrempa@redhat.com>

Rather than re-query all the time we can cache the state of FIPS of the host as it will not change during the runtime of the guest. Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and also populate 'hostFips' in qemuxml2argvtest.

Signed-off-by: Peter Krempa
--- src/qemu/qemu_command.c | 14 ++------------ src/qemu/qemu_conf.h | 1 + src/qemu/qemu_driver.c | 9 +++++++++ tests/qemuxml2argvtest.c | 5 ++++- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index d3b3603fbe..3e9db271b1 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c
@@ -1787,21 +1787,11 @@ bool qemuCheckFips(virDomainObj *vm) { qemuDomainObjPrivate *priv =3D vm->privateData; - virQEMUCaps *qemuCaps =3D priv->qemuCaps; - if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS)) + if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS)) return false; - if (virFileExists("/proc/sys/crypto/fips_enabled")) { - g_autofree char *buf =3D NULL; - - if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0) - return false; - if (STREQ(buf, "1\n")) - return true; - } - - return false; + return priv->driver->hostFips; } diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index c71a666aea..5e752d075e 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -251,6 +251,7 @@ struct _virQEMUDriver { /* Immutable values */ bool privileged; char *embeddedRoot; + bool hostFips; /* FIPS mode is enabled on the host */ /* Immutable pointers. Caller must provide locking */ virStateInhibitCallback inhibitCallback; diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 4f6b295859..96ca67dfca 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged, if (qemuMigrationDstErrorInit(qemu_driver) < 0) goto error; + /* qemu-5.1 and older requires use of '-enable-fips' flag when the host + * is in FIPS mode. We store whether FIPS is enabled */ + if (virFileExists("/proc/sys/crypto/fips_enabled")) { + g_autofree char *buf =3D NULL; + + if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0) + qemu_driver->hostFips =3D STREQ(buf, "1\n"); + } + if (privileged) { g_autofree char *channeldir =3D NULL; diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index 8d0d4acca9..385448b57a 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv, unsigned int flags) { qemuDomainObjPrivate *priv =3D vm->privateData; - bool enableFips =3D !!(flags & FLAG_FIPS_HOST); + bool enableFips; size_t i; + drv->hostFips =3D flags & FLAG_FIPS_HOST; + enableFips =3D drv->hostFips; + if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI, VIR_QEMU_PROCESS_START_COLD) < = 0) return NULL; --=20 2.35.3
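Review bot: In the qemuStateInitialize hunk of src/qemu/qemu_driver.c, a failed or empty read of /proc/sys/crypto/fips_enabled is silently treated as "FIPS off" for the whole lifetime of the driver. The code removed from qemuCheckFips re-read the file on every call, so a transient failure affected only that call; here, when `virFileReadAll(...) > 0` is false, the assignment is skipped and hostFips stays false until the daemon is restarted. Consider logging a warning in that case (for example with VIR_WARN) so that a FIPS host whose guests are started without '-enable-fips' can be diagnosed, and extend the new comment to say that the value is read once at driver initialization.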
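Review bot: In the testCompareXMLToArgvCreateArgs hunk of tests/qemuxml2argvtest.c, `drv->hostFips = flags & FLAG_FIPS_HOST;` drops the explicit `!!` normalisation that the removed initialiser used. The conversion to bool still yields the right value, but keeping `!!(flags & FLAG_FIPS_HOST)` matches the line being replaced and makes the intent obvious. The `enableFips` local now only mirrors `drv->hostFips`; if nothing later in the function changes it, using `drv->hostFips` directly would avoid keeping two copies of the same state. Note also that the qemu_conf.h hunk places hostFips under "Immutable values" while this test rewrites it on every call, which is worth a short comment here.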