On 6/24/20 2:49 AM, Gerd Hoffmann wrote:
> IIRC the idea is to have a global switch to enable fips compliance for
> the whole distro. RH specific. rhel-7 kernel has it. rhel-8 kernel
> too, so it probably isn't obsolete. Not present in mainline kernels.
>
> I'm wondering what the point of the -enablefips switch is. Shouldn't
> qemu check /proc/sys/crypto/fips_enabled unconditionally instead?
It sounds like we want a compile-time flag that makes it mandatory instead of optional where it doesn't do a good job of "enforcing" fips mode. (If you accidentally, uh, omit it.) Then the flag can go away. Compile the feature in or out. Toggle the behavior using the /proc/sys/ flag.

Or, as Dan said, just get rid of it. It sounds like it's already handled by our client libraries in 2020.

--js
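The runtime check Gerd asks about, reading /proc/sys/crypto/fips_enabled instead of relying on a command-line switch, as an added example. This is not QEMU code and not anything posted in the thread; the function names (fips_parse, fips_enabled_at, fips_enabled) are this example's own. It treats an absent file (a kernel that does not expose the sysctl) as "not in FIPS mode" and distinguishes that from a read error or malformed content, which is the edge case a caller replacing -enablefips would need to decide on.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not QEMU's code): decide whether the running kernel is in
 * FIPS mode by reading the sysctl discussed above. The file normally holds
 * a single digit followed by a newline. All names here are the example's own.
 */
#define FIPS_SYSCTL_PATH "/proc/sys/crypto/fips_enabled"

/*
 * Parse the contents of the sysctl file.
 * Returns 1 if FIPS mode is on, 0 if off, -1 if the content is not a lone
 * "0" or "1" surrounded only by whitespace.
 */
int fips_parse(const char *buf)
{
    long v = 0;

    /* Skip any leading whitespace. */
    while (*buf && isspace((unsigned char)*buf)) {
        buf++;
    }
    if (!isdigit((unsigned char)*buf)) {
        return -1;              /* empty or non-numeric content */
    }
    while (isdigit((unsigned char)*buf)) {
        v = v * 10 + (*buf - '0');
        buf++;
        if (v > 1) {
            return -1;          /* only 0 and 1 are meaningful values */
        }
    }
    /* Only trailing whitespace (normally a single newline) may follow. */
    while (*buf) {
        if (!isspace((unsigned char)*buf)) {
            return -1;
        }
        buf++;
    }
    return (int)v;
}

/*
 * Read the sysctl at `path`.
 * Returns 1 for FIPS on, 0 for FIPS off or for a kernel without the sysctl
 * (ENOENT), and -1 if the file exists but cannot be read or parsed, so the
 * caller can choose how to handle a genuinely broken state.
 */
int fips_enabled_at(const char *path)
{
    char buf[32];
    size_t n;
    FILE *f = fopen(path, "r");

    if (!f) {
        return errno == ENOENT ? 0 : -1;
    }
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return fips_parse(buf);
}

/* Convenience wrapper for the real kernel path. */
int fips_enabled(void)
{
    return fips_enabled_at(FIPS_SYSCTL_PATH);
}

int main(void)
{
    int r = fips_enabled();

    if (r < 0) {
        fprintf(stderr, "%s: present but unreadable or malformed\n",
                FIPS_SYSCTL_PATH);
        return 1;
    }
    printf("kernel FIPS mode: %s\n", r ? "enabled" : "disabled");
    return 0;
}
```

On a host whose kernel exposes the sysctl, running this prints whether FIPS mode is enabled; on a kernel without it the function reports "disabled" rather than failing, which is the behaviour a check replacing an optional -enablefips flag would want by default.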
