mirror of
https://github.com/libvirt/libvirt.git
synced 2025-02-25 18:55:26 -06:00
qemu: Store state of FIPS in virQEMUDriver
Rather than re-query all the time we can cache the state of FIPS of the host as it will not change during the runtime of the guest. Introduce a 'hostFips' flag to 'virQEMUDriver' and move the code checking the state from 'qemuCheckFips' to 'qemuStateInitialize' and also populate 'hostFips' in qemuxml2argvtest. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
This commit is contained in:
Peter Krempa
parent
552790edf2
commit
b5fd6f2b68
@ -1787,21 +1787,11 @@ bool
|
|||||||
qemuCheckFips(virDomainObj *vm)
|
qemuCheckFips(virDomainObj *vm)
|
||||||
{
|
{
|
||||||
qemuDomainObjPrivate *priv = vm->privateData;
|
qemuDomainObjPrivate *priv = vm->privateData;
|
||||||
virQEMUCaps *qemuCaps = priv->qemuCaps;
|
|
||||||
|
|
||||||
if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_ENABLE_FIPS))
|
if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_ENABLE_FIPS))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (virFileExists("/proc/sys/crypto/fips_enabled")) {
|
return priv->driver->hostFips;
|
||||||
g_autofree char *buf = NULL;
|
|
||||||
|
|
||||||
if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) < 0)
|
|
||||||
return false;
|
|
||||||
if (STREQ(buf, "1\n"))
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -251,6 +251,7 @@ struct _virQEMUDriver {
|
|||||||
/* Immutable values */
|
/* Immutable values */
|
||||||
bool privileged;
|
bool privileged;
|
||||||
char *embeddedRoot;
|
char *embeddedRoot;
|
||||||
|
bool hostFips; /* FIPS mode is enabled on the host */
|
||||||
|
|
||||||
/* Immutable pointers. Caller must provide locking */
|
/* Immutable pointers. Caller must provide locking */
|
||||||
virStateInhibitCallback inhibitCallback;
|
virStateInhibitCallback inhibitCallback;
|
||||||
|
|||||||
@ -735,6 +735,15 @@ qemuStateInitialize(bool privileged,
|
|||||||
if (qemuMigrationDstErrorInit(qemu_driver) < 0)
|
if (qemuMigrationDstErrorInit(qemu_driver) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
/* qemu-5.1 and older requires use of '-enable-fips' flag when the host
|
||||||
|
* is in FIPS mode. We store whether FIPS is enabled */
|
||||||
|
if (virFileExists("/proc/sys/crypto/fips_enabled")) {
|
||||||
|
g_autofree char *buf = NULL;
|
||||||
|
|
||||||
|
if (virFileReadAll("/proc/sys/crypto/fips_enabled", 10, &buf) > 0)
|
||||||
|
qemu_driver->hostFips = STREQ(buf, "1\n");
|
||||||
|
}
|
||||||
|
|
||||||
if (privileged) {
|
if (privileged) {
|
||||||
g_autofree char *channeldir = NULL;
|
g_autofree char *channeldir = NULL;
|
||||||
|
|
||||||
|
|||||||
@ -386,9 +386,12 @@ testCompareXMLToArgvCreateArgs(virQEMUDriver *drv,
|
|||||||
unsigned int flags)
|
unsigned int flags)
|
||||||
{
|
{
|
||||||
qemuDomainObjPrivate *priv = vm->privateData;
|
qemuDomainObjPrivate *priv = vm->privateData;
|
||||||
bool enableFips = !!(flags & FLAG_FIPS_HOST);
|
bool enableFips;
|
||||||
size_t i;
|
size_t i;
|
||||||
|
|
||||||
|
drv->hostFips = flags & FLAG_FIPS_HOST;
|
||||||
|
enableFips = drv->hostFips;
|
||||||
|
|
||||||
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
|
if (qemuProcessCreatePretendCmdPrepare(drv, vm, migrateURI,
|
||||||
VIR_QEMU_PROCESS_START_COLD) < 0)
|
VIR_QEMU_PROCESS_START_COLD) < 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user