mirror of https://github.com/proxmox/mirror_qemu
Misc patch queue
* Removes depecated --enable-fips QEMU system emulator option * Fixes array bounds check in keycode conversion for ESCC device -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmJoDAoACgkQvobrtBUQ T99iOg/+LeLLLKtjVx2HFzDgXWy9F5gGBzUNv4tqlkqDHMSdKWrMJAZfQXNMIeIN NsIc7cJW9usZj9kPrLIMjXQziVaqFzuwGrD0A9ESJOEI/quPFuQ6clUL+Qs7leRz SaoGHjprDy9TRe+e9B418LDIL29a2e5KUDa/HgpZJfXQRuSx93lutaNqm5MwGs8+ WllO0fIi/6N2IJlaBwoYWZJ1VdV3DbokS/We9p2BAMCaxk16w/2o+W+drBkaxjaS hihicW50JJgn4B7uUKqpHKRLkdmYatBcdqUc2aIuKZ6URx/cS6A0Oxt2coKhhOHV vIDsUhqK03sfIPmQhr5HWeKpCs5lANgu0tmKIYZac5qIZFN/1ATpoKOZD8IZ1K25 GOC7p7wDDTB6KaAqpCXDBZc7Kp4CbCYR79VciI1XNxFXiKgkqfaXRwr9JPM0oseo QKLdb5Xn3c0HvjDKnEmO3BR5jx9E0QabK8WwplodCJJfpu349eUflNRdiH74iDFk +AO4hShIr56Ksuj/GSWwIk4YeE0Ct2viZqjjIEGGWAKCQT1aultIH1pZcvCrTUVe qyWSHx1lmqgOwGOF15xHo8yBZAa/o/SAv8V4FDVwXAzLU1eg144fJupkMMEMd3Og PLnuR14Bii8K1pSkZbGSXqMxEybSmjnLlEh4xJxX0t/q4clzE0U= =NiU1 -----END PGP SIGNATURE----- Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging Misc patch queue * Removes depecated --enable-fips QEMU system emulator option * Fixes array bounds check in keycode conversion for ESCC device # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmJoDAoACgkQvobrtBUQ # T99iOg/+LeLLLKtjVx2HFzDgXWy9F5gGBzUNv4tqlkqDHMSdKWrMJAZfQXNMIeIN # NsIc7cJW9usZj9kPrLIMjXQziVaqFzuwGrD0A9ESJOEI/quPFuQ6clUL+Qs7leRz # SaoGHjprDy9TRe+e9B418LDIL29a2e5KUDa/HgpZJfXQRuSx93lutaNqm5MwGs8+ # WllO0fIi/6N2IJlaBwoYWZJ1VdV3DbokS/We9p2BAMCaxk16w/2o+W+drBkaxjaS # hihicW50JJgn4B7uUKqpHKRLkdmYatBcdqUc2aIuKZ6URx/cS6A0Oxt2coKhhOHV # vIDsUhqK03sfIPmQhr5HWeKpCs5lANgu0tmKIYZac5qIZFN/1ATpoKOZD8IZ1K25 # GOC7p7wDDTB6KaAqpCXDBZc7Kp4CbCYR79VciI1XNxFXiKgkqfaXRwr9JPM0oseo # QKLdb5Xn3c0HvjDKnEmO3BR5jx9E0QabK8WwplodCJJfpu349eUflNRdiH74iDFk # +AO4hShIr56Ksuj/GSWwIk4YeE0Ct2viZqjjIEGGWAKCQT1aultIH1pZcvCrTUVe # qyWSHx1lmqgOwGOF15xHo8yBZAa/o/SAv8V4FDVwXAzLU1eg144fJupkMMEMd3Og # 
PLnuR14Bii8K1pSkZbGSXqMxEybSmjnLlEh4xJxX0t/q4clzE0U= # =NiU1 # -----END PGP SIGNATURE----- # gpg: Signature made Tue 26 Apr 2022 08:13:14 AM PDT # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] * tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu: github: fix config mistake preventing repo lockdown commenting hw/char: fix qcode array bounds check in ESCC impl softmmu: remove deprecated --enable-fips option Signed-off-by: Richard Henderson <richard.henderson@linaro.org>master
commit
eab18e4021
|
@ -15,7 +15,7 @@ jobs:
|
||||||
steps:
|
steps:
|
||||||
- uses: dessant/repo-lockdown@v2
|
- uses: dessant/repo-lockdown@v2
|
||||||
with:
|
with:
|
||||||
pull-comment: |
|
pr-comment: |
|
||||||
Thank you for your interest in the QEMU project.
|
Thank you for your interest in the QEMU project.
|
||||||
|
|
||||||
This repository is a read-only mirror of the project's repostories hosted
|
This repository is a read-only mirror of the project's repostories hosted
|
||||||
|
@ -26,5 +26,5 @@ jobs:
|
||||||
functionality). However, we get a lot of patches, and so we have some
|
functionality). However, we get a lot of patches, and so we have some
|
||||||
guidelines about contributing on the project website:
|
guidelines about contributing on the project website:
|
||||||
https://www.qemu.org/contribute/
|
https://www.qemu.org/contribute/
|
||||||
lock-pull: true
|
lock-pr: true
|
||||||
close-pull: true
|
close-pr: true
|
||||||
|
|
|
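Review bot: The action in the first hunk is still referenced as `dessant/repo-lockdown@v2`, a tag the action's maintainers can move, so the input names corrected here (`pr-comment`, `lock-pr`, `close-pr`) are only as stable as whatever that tag points to. Pinning to a full commit SHA, `- uses: dessant/repo-lockdown@<full-commit-sha-placeholder> # v2`, fixes both the code that runs with the workflow token and the inputs it accepts until someone updates it deliberately. The job's `permissions:` block, if there is one, is outside the hunks shown; it is worth confirming the token is limited to what locking and closing pull requests needs.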
@ -67,18 +67,6 @@ and will cause a warning.
|
||||||
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
|
The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
|
||||||
rather than ``delay=off``.
|
rather than ``delay=off``.
|
||||||
|
|
||||||
``--enable-fips`` (since 6.0)
|
|
||||||
'''''''''''''''''''''''''''''
|
|
||||||
|
|
||||||
This option restricts usage of certain cryptographic algorithms when
|
|
||||||
the host is operating in FIPS mode.
|
|
||||||
|
|
||||||
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
|
|
||||||
library enabled as a cryptography provider.
|
|
||||||
|
|
||||||
Neither the ``nettle`` library, or the built-in cryptography provider are
|
|
||||||
supported on FIPS enabled hosts.
|
|
||||||
|
|
||||||
``-writeconfig`` (since 6.0)
|
``-writeconfig`` (since 6.0)
|
||||||
'''''''''''''''''''''''''''''
|
'''''''''''''''''''''''''''''
|
||||||
|
|
||||||
|
|
|
@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
|
||||||
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
|
The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
|
||||||
should be used instead.
|
should be used instead.
|
||||||
|
|
||||||
|
``--enable-fips`` (removed in 7.1)
|
||||||
|
''''''''''''''''''''''''''''''''''
|
||||||
|
|
||||||
|
This option restricted usage of certain cryptographic algorithms when
|
||||||
|
the host is operating in FIPS mode.
|
||||||
|
|
||||||
|
If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
|
||||||
|
or ``gnutls`` library enabled as a cryptography provider.
|
||||||
|
|
||||||
|
Neither the ``nettle`` library, or the built-in cryptography provider are
|
||||||
|
supported on FIPS enabled hosts.
|
||||||
|
|
||||||
QEMU Machine Protocol (QMP) commands
|
QEMU Machine Protocol (QMP) commands
|
||||||
------------------------------------
|
------------------------------------
|
||||||
|
|
|
@ -828,7 +828,7 @@ static void sunkbd_handle_event(DeviceState *dev, QemuConsole *src,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (qcode > qemu_input_map_qcode_to_sun_len) {
|
if (qcode >= qemu_input_map_qcode_to_sun_len) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
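Review bot: The corrected guard `if (qcode >= qemu_input_map_qcode_to_sun_len)` rejects only values at or above the table length, and the declaration of `qcode` is outside the hunk, so it is not visible whether a negative value could still reach the table lookup that presumably follows. If both `qcode` and the length are signed, the check should read `if (qcode < 0 || qcode >= qemu_input_map_qcode_to_sun_len) {`. If the length is unsigned, the comparison already covers that case, and a short comment would make the intent explicit, e.g. `/* len is the entry count: valid indices are 0..len-1 */`. sunkbd_handle_event starts and ends outside the hunk.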
@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]);
|
||||||
|
|
||||||
void qemu_set_cloexec(int fd);
|
void qemu_set_cloexec(int fd);
|
||||||
|
|
||||||
void fips_set_state(bool requested);
|
|
||||||
bool fips_get_state(void);
|
|
||||||
|
|
||||||
/* Return a dynamically allocated directory path that is appropriate for storing
|
/* Return a dynamically allocated directory path that is appropriate for storing
|
||||||
* local state.
|
* local state.
|
||||||
*
|
*
|
||||||
|
|
|
@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg)
|
||||||
case QEMU_OPTION_daemonize:
|
case QEMU_OPTION_daemonize:
|
||||||
daemonize = 1;
|
daemonize = 1;
|
||||||
break;
|
break;
|
||||||
#if defined(CONFIG_LINUX)
|
|
||||||
case QEMU_OPTION_enablefips:
|
|
||||||
warn_report("-enable-fips is deprecated, please build QEMU with "
|
|
||||||
"the `libgcrypt` library as the cryptography provider "
|
|
||||||
"to enable FIPS compliance");
|
|
||||||
fips_set_state(true);
|
|
||||||
break;
|
|
||||||
#endif
|
|
||||||
default:
|
default:
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -4673,16 +4673,6 @@ HXCOMM Internal use
|
||||||
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
|
DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
|
||||||
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
|
DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)
|
||||||
|
|
||||||
#ifdef __linux__
|
|
||||||
DEF("enable-fips", 0, QEMU_OPTION_enablefips,
|
|
||||||
"-enable-fips enable FIPS 140-2 compliance\n",
|
|
||||||
QEMU_ARCH_ALL)
|
|
||||||
#endif
|
|
||||||
SRST
|
|
||||||
``-enable-fips``
|
|
||||||
Enable FIPS 140-2 compliance mode.
|
|
||||||
ERST
|
|
||||||
|
|
||||||
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
|
DEF("msg", HAS_ARG, QEMU_OPTION_msg,
|
||||||
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
|
"-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
|
||||||
" control error message format\n"
|
" control error message format\n"
|
||||||
|
|
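--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp)
 password = qemu_opt_get_bool(opts, "password", false);
 }
 if (password) {
-if (fips_get_state()) {
-error_setg(errp,
-"VNC password auth disabled due to FIPS mode, "
-"consider using the VeNCrypt or SASL authentication "
-"methods as an alternative");
-goto fail;
-}
 if (!qcrypto_cipher_supports(
 QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
 error_setg(errp,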
28
util/osdep.c
28
util/osdep.c
|
@ -31,8 +31,6 @@
|
||||||
#include "qemu/hw-version.h"
|
#include "qemu/hw-version.h"
|
||||||
#include "monitor/monitor.h"
|
#include "monitor/monitor.h"
|
||||||
|
|
||||||
static bool fips_enabled = false;
|
|
||||||
|
|
||||||
static const char *hw_version = QEMU_HW_VERSION;
|
static const char *hw_version = QEMU_HW_VERSION;
|
||||||
|
|
||||||
int socket_set_cork(int fd, int v)
|
int socket_set_cork(int fd, int v)
|
||||||
|
@ -514,32 +512,6 @@ const char *qemu_hw_version(void)
|
||||||
return hw_version;
|
return hw_version;
|
||||||
}
|
}
|
||||||
|
|
||||||
void fips_set_state(bool requested)
|
|
||||||
{
|
|
||||||
#ifdef __linux__
|
|
||||||
if (requested) {
|
|
||||||
FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
|
|
||||||
if (fds != NULL) {
|
|
||||||
fips_enabled = (fgetc(fds) == '1');
|
|
||||||
fclose(fds);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
fips_enabled = false;
|
|
||||||
#endif /* __linux__ */
|
|
||||||
|
|
||||||
#ifdef _FIPS_DEBUG
|
|
||||||
fprintf(stderr, "FIPS mode %s (requested %s)\n",
|
|
||||||
(fips_enabled ? "enabled" : "disabled"),
|
|
||||||
(requested ? "enabled" : "disabled"));
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
bool fips_get_state(void)
|
|
||||||
{
|
|
||||||
return fips_enabled;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef _WIN32
|
#ifdef _WIN32
|
||||||
static void socket_cleanup(void)
|
static void socket_cleanup(void)
|
||||||
{
|
{
|
||||||
|
|