softmmu: remove deprecated --enable-fips option

Users requiring FIPS support must build QEMU with either the libgcrypt or gnutls libraries as the crytography backend. Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-03-04 10:27:42 +00:00 · 2022-03-04 10:27:42 +00:00 · c6b310b37c
parent a1755db71e
commit c6b310b37c
7 changed files with 11 additions and 68 deletions
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@ -67,18 +67,6 @@ and will cause a warning.
 The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
 rather than ``delay=off``.

-``--enable-fips`` (since 6.0)
-'''''''''''''''''''''''''''''
-
-This option restricts usage of certain cryptographic algorithms when
-the host is operating in FIPS mode.
-
-If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
-library enabled as a cryptography provider.
-
-Neither the ``nettle`` library, or the built-in cryptography provider are
-supported on FIPS enabled hosts.
-
 ``-writeconfig`` (since 6.0)
 '''''''''''''''''''''''''''''

--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@ -336,6 +336,17 @@ for the RISC-V ``virt`` machine and ``sifive_u`` machine.
 The ``-no-quit`` was a synonym for ``-display ...,window-close=off`` which
 should be used instead.

+``--enable-fips`` (removed in 7.1)
+''''''''''''''''''''''''''''''''''
+
+This option restricted usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+or ``gnutls`` library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.

 QEMU Machine Protocol (QMP) commands
 ------------------------------------
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@ -553,9 +553,6 @@ int qemu_pipe(int pipefd[2]);

 void qemu_set_cloexec(int fd);

-void fips_set_state(bool requested);
-bool fips_get_state(void);
-
 /* Return a dynamically allocated directory path that is appropriate for storing
 * local state.
 *
--- a/os-posix.c
+++ b/os-posix.c
@ -150,14 +150,6 @@ int os_parse_cmd_args(int index, const char *optarg)
    case QEMU_OPTION_daemonize:
        daemonize = 1;
        break;
-#if defined(CONFIG_LINUX)
-    case QEMU_OPTION_enablefips:
-        warn_report("-enable-fips is deprecated, please build QEMU with "
-                    "the `libgcrypt` library as the cryptography provider "
-                    "to enable FIPS compliance");
-        fips_set_state(true);
-        break;
-#endif
    default:
        return -1;
    }
--- a/qemu-options.hx
+++ b/qemu-options.hx
@ -4673,16 +4673,6 @@ HXCOMM Internal use
 DEF("qtest", HAS_ARG, QEMU_OPTION_qtest, "", QEMU_ARCH_ALL)
 DEF("qtest-log", HAS_ARG, QEMU_OPTION_qtest_log, "", QEMU_ARCH_ALL)

-#ifdef __linux__
-DEF("enable-fips", 0, QEMU_OPTION_enablefips,
-    "-enable-fips    enable FIPS 140-2 compliance\n",
-    QEMU_ARCH_ALL)
-#endif
-SRST
-``-enable-fips``
-    Enable FIPS 140-2 compliance mode.
-ERST
-
 DEF("msg", HAS_ARG, QEMU_OPTION_msg,
    "-msg [timestamp[=on|off]][,guest-name=[on|off]]\n"
    "                control error message format\n"
--- a/ui/vnc.c
+++ b/ui/vnc.c
@ -4059,13 +4059,6 @@ void vnc_display_open(const char *id, Error **errp)
        password = qemu_opt_get_bool(opts, "password", false);
    }
    if (password) {
-        if (fips_get_state()) {
-            error_setg(errp,
-                       "VNC password auth disabled due to FIPS mode, "
-                       "consider using the VeNCrypt or SASL authentication "
-                       "methods as an alternative");
-            goto fail;
-        }
        if (!qcrypto_cipher_supports(
                QCRYPTO_CIPHER_ALG_DES, QCRYPTO_CIPHER_MODE_ECB)) {
            error_setg(errp,
--- a/util/osdep.c
+++ b/util/osdep.c
@ -31,8 +31,6 @@
 #include "qemu/hw-version.h"
 #include "monitor/monitor.h"

-static bool fips_enabled = false;
-
 static const char *hw_version = QEMU_HW_VERSION;

 int socket_set_cork(int fd, int v)
@ -514,32 +512,6 @@ const char *qemu_hw_version(void)
    return hw_version;
 }

-void fips_set_state(bool requested)
-{
-#ifdef __linux__
-    if (requested) {
-        FILE *fds = fopen("/proc/sys/crypto/fips_enabled", "r");
-        if (fds != NULL) {
-            fips_enabled = (fgetc(fds) == '1');
-            fclose(fds);
-        }
-    }
-#else
-    fips_enabled = false;
-#endif /* __linux__ */
-
-#ifdef _FIPS_DEBUG
-    fprintf(stderr, "FIPS mode %s (requested %s)\n",
-            (fips_enabled ? "enabled" : "disabled"),
-            (requested ? "enabled" : "disabled"));
-#endif
-}
-
-bool fips_get_state(void)
-{
-    return fips_enabled;
-}
-
 #ifdef _WIN32
 static void socket_cleanup(void)
 {