
Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
Date: Fri, 22 May 2015 13:12:09 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, May 22, 2015 at 07:50:03PM +0800, Gonglei wrote:
> On 2015/5/22 19:37, Daniel P. Berrange wrote:
> > On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
> >> On 2015/5/21 18:56, Daniel P. Berrange wrote:
> >>> This small series covers the crypto consolidation patches
> >>> I previously posted as part of a larger RFC for the TLS work
> >>>
> >>>   https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> >>>
> >>> Currently there are 5 main places in QEMU which use some
> >>> form of cryptographic hash or cipher algorithm. These are
> >>> the quorum block driver (hash), qcow[2] block driver (cipher),
> >>> VNC password auth (cipher), VNC websockets (hash) and some
> >>> of the CPU instruction emulation (cipher).
> >>>
> >>> For ciphers the code is using the in-tree implementations
> >>> of AES and/or the RFB cripple-DES. While there is nothing
> >>> broken about these implementations, it is none the less
> >>> desirable to be able to use the GNUTLS provided impls in
> >>> cases where we are already linking to GNUTLS. This will
> >>> allow QEMU to use FIPS certified implementations, which
> >>> have been well audited, have some protection against
> >>> side-channel leakage and are generally actively maintained
> >>> by people knowledgeable about encryption.
> >>>
> >> Can we use OpenSSL library in Qemu? If not, that's because of the license?
> > 
> > There are differing opinions on OpenSSL licensing. Personally I consider
> > it to be GPL incompatible because I don't accept the suggestion that openssl
> > is exempt under the system libraries clause. In any case QEMU is already
> > using GNUTLS and IME it has a more friendly API with better documentation
> > than openssl or nss.
> > 
> > That all said, one benefit of the crypto consolidation is that it makes it
> > more feasible to plug in alternative crypto libraries, because all the
> > gnutls specific code is isolated in one place, instead of spread across
> > the entire codebase. I don't intend to do any work to support other
> > crypto libraries though as I don't think there's any compelling benefit
> > to them.
> > 
> OK, I see, thanks.
> BTW do you have a github branch which can be easier to test?

This small series is here:

   https://github.com/berrange/qemu/tree/qemu-crypto-v1

It is ultimately part of a much larger (work in progress) series I have here:

  https://github.com/berrange/qemu/tree/qemu-io-channel-12

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
