[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
From: |
Gonglei |
Subject: |
Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations |
Date: |
Fri, 22 May 2015 19:50:03 +0800 |
User-agent: |
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 |
On 2015/5/22 19:37, Daniel P. Berrange wrote:
> On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
>> On 2015/5/21 18:56, Daniel P. Berrange wrote:
>>> This small series covers the crypto consolidation patches
>>> I previously posted as part of a larger RFC for the TLS work
>>>
>>> https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
>>>
>>> Currently there are a 5 main places in QEMU which use some
>>> form of cryptographic hash or cipher algorithm. These are
>>> the quorum block driver (hash), qcow[2] block driver (cipher),
>>> VNC password auth (cipher), VNC websockets (hash) and some
>>> of the CPU instruction emulation (cipher).
>>>
>>> For ciphers the code is using the in-tree implementations
>>> of AES and/or the RFB cripple-DES. While there is nothing
>>> broken about these implementations, it is none the less
>>> desirable to be able to use the GNUTLS provided impls in
>>> cases whre we are already linking to GNUTLS. This will
>>> allow QEMU to use FIPS certified implementations, which
>>> have been well audited, have some protection against
>>> side-channel leakage and are generally actively maintained
>>> by people knowledgable about encryption.
>>>
>> Can we use OpenSSL library in Qemu? If not, that's because of the license?
>
> There are differing opinions on OpenSSL licensing. Personally I consider
> it to be GPL incompatible because I don't accept the suggestion that openssl
> is exempt under the system libraries clause. In any case QEMU is already
> using GNUTLS and IME it has a more friendly API with better documentation
> than openssl or nss.
>
> That all said, one benefit of the crypto consolidation is that it makes it
> more feasible to plug in alternative crypto libraries, because all the
> gnutls specific code is isolated in one place, instead of spread across
> the entire codebase. I don't intend to do any work to support other
> crypto libraries though as I don't think there's any compelling benefit
> to them.
>
OK, I see, thanks.
BTW do you have a github branch which can be easier to test?
Regards,
-Gonglei
- [Qemu-devel] [PATCH 08/10] ui: convert VNC websockets to use crypto APIs, (continued)
- [Qemu-devel] [PATCH 08/10] ui: convert VNC websockets to use crypto APIs, Daniel P. Berrange, 2015/05/21
- [Qemu-devel] [PATCH 06/10] crypto: add a nettle cipher implementation, Daniel P. Berrange, 2015/05/21
- [Qemu-devel] [PATCH 09/10] block: convert qcow/qcow2 to use generic cipher API, Daniel P. Berrange, 2015/05/21
- [Qemu-devel] [PATCH 10/10] ui: convert VNC to use generic cipher API, Daniel P. Berrange, 2015/05/21
- Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations, Gonglei, 2015/05/22