Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password authentication (security type 2) when in FIPS mode

[Alexander Graf]

On 05.06.2012, at 01:54, Anthony Liguori wrote:

> On 06/05/2012 07:17 AM, Alexander Graf wrote:
>> 
>> On 05.06.2012, at 01:11, Anthony Liguori wrote:
>> 
>>> On 06/05/2012 02:16 AM, Paul Moore wrote:
>>>> On Sunday, June 03, 2012 08:55:42 AM Anthony Liguori wrote:
>>>>> This needs to be optional and disabled by default I think.  I strongly
>>>>> dislike  disabling a feature when a user isn't asking for it.  You can
>>>>> introduce a global -enable-fips-mode or something like that.
>>>> 
>>>> I'll resend the patch, but before I do I want to make sure the defaults are
>>>> set to whatever you find acceptable to merging and the second sentence 
>>>> above
>>>> has me a little confused; do you mean "... dislike _enabling_ a feature 
>>>> when a
>>>> user isn't asking for it."?
>>> 
>>> I dislike *removing* a feature unless a user has explicitly asked us too.
>>> 
>>> If a user isn't aware that fips mode is enabled, they will have no idea why 
>>> VNC authentication doesn't work.  I think we should let a user choice 
>>> whether they want QEMU to respect fips mode or not.
>> 
>> While I agree in general, for FIPS chances are basically negligible that you 
>> accidentally enable it. And if you do, the rest of your system will have 
>> gone mad before you notice QEMU behaving differently anyways :)
> 
> Have you ever experienced a random failure on an SELinux box that made no 
> logical sense?  Out of desperation, you setenforce 0 and magically, thinks 
> work again.

Yeah - I never understood how anyone thought it makes sense to enable SELinux 
globally be default.... Either way, FIPS hopefully isn't something you find 
enabled by accident anywhere.

> Even if the user enabled fips mode, they may not understand that this means 
> VNC authentication will stop working.  Providing an option (1) allows the 
> user to discover what the problem is (2) makes the behavior much more clear.

Where would you want the option to live? Compile time would be useless - users 
don't recompile QEMU, they take binary packages. A runtime option? Who would 
enable that runtime option then? Libvirt by default I suppose? So you're back 
in the same hell. RH would patch libvirt to always pass in -enable-fips and 
nothing would be different.

> Removing features based on a magic procfs variable with no input from the 
> user is a bad idea IMHO.

But it's the design of the Linux FIPS model.

The thing that I definitely do think we should do is tell the user about it. So 
if we find FIPS mode, let the user know that his option just got dropped 
because of it, so that he has a chance to debug why his great command line 
didn't work just now.


Alex