From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:50660)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1ScT7l-0002ZD-HV
	for qemu-devel@nongnu.org; Wed, 06 Jun 2012 23:11:02 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1ScT7j-0004ZH-TD
	for qemu-devel@nongnu.org; Wed, 06 Jun 2012 23:11:01 -0400
Received: from mail-pb0-f45.google.com ([209.85.160.45]:39504)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <anthony@codemonkey.ws>) id 1ScT7j-0004Z3-Ml
	for qemu-devel@nongnu.org; Wed, 06 Jun 2012 23:10:59 -0400
Received: by pbbro12 with SMTP id ro12so445930pbb.4
	for <qemu-devel@nongnu.org>; Wed, 06 Jun 2012 20:10:58 -0700 (PDT)
Message-ID: <4FD01BBD.4010201@codemonkey.ws>
Date: Thu, 07 Jun 2012 11:10:53 +0800
From: Anthony Liguori <anthony@codemonkey.ws>
MIME-Version: 1.0
References: <20120502193256.6508.86360.stgit@sifl>
	<4FCE9117.7080908@codemonkey.ws>
	<DCD23A99-F37B-4EE8-8BCC-9612022890E8@suse.de>
	<12067146.ZyE99xJO2B@sifl>
In-Reply-To: <12067146.ZyE99xJO2B@sifl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password
 authentication (security type 2) when in FIPS mode
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Paul Moore <pmoore@redhat.com>
Cc: qemu-devel Developers <qemu-devel@nongnu.org>, Alexander Graf <agraf@suse.de>, Roman Drahtmueller <draht@suse.de>

On 06/07/2012 06:56 AM, Paul Moore wrote:
> On Wednesday, June 06, 2012 01:56:52 AM Alexander Graf wrote:
>> The other one (FIPS) is basically a list of encryption algorithms that are
>> deemed OK and not crackable within seconds by anyone.
>>
>> Only one of the 2 doesn't help much. In combination they actually enhance
>> security. This patch is only about FIPS though.
>
> I don't have much to add beyond what Alex already posted.  FIPS 140-2 outlines
> a set of security requirements for systems implementing cryptography in a
> variety of forms; the full requirements are likely beyond the scope here but
> you can always read the full specification (Google knows where to find the
> document).
>
> The relevant portion appears to be annex A which lists the approved ciphers
> and their approved uses; DES is not listed as an approved cipher and that is
> the main problem we are trying to solve right now.

But does FIPS mandate that it's impossible for a user to use an unapproved cipher?

IOW, is just having this feature implemented at the libvirt level good enough to 
satisfy FIPS?  Do we really need to do this in QEMU?

Regards,

Anthony Liguori

>