From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:48921)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SbiaV-0000Kg-VS
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:29:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SbiaU-00014s-1n
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:29:35 -0400
Received: from cantor2.suse.de ([195.135.220.15]:52909 helo=mx2.suse.de)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <agraf@suse.de>) id 1SbiaT-00014h-OK
	for qemu-devel@nongnu.org; Mon, 04 Jun 2012 21:29:33 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=iso-8859-1
From: Alexander Graf <agraf@suse.de>
In-Reply-To: <4FCD5F78.9090102@codemonkey.ws>
Date: Tue, 5 Jun 2012 03:29:26 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <582B3619-750F-43BF-96EB-FCE454EC90CE@suse.de>
References: <20120502193256.6508.86360.stgit@sifl>
	<4FCAB60E.1070107@codemonkey.ws> <10302697.mednriu9QL@sifl>
	<4FCD409C.70003@codemonkey.ws>
	<1E364312-A64D-4D14-90A4-89C8F2BA8A54@suse.de>
	<4FCD4ACF.4000809@codemonkey.ws>
	<A4BD8D9E-1176-4AA9-8468-39E8E1DD42A8@suse.de>
	<4FCD5AD1.9080406@codemonkey.ws>
	<FF828E1A-3C24-4CE6-B0FE-31BA668FFA38@suse.de>
	<4FCD5F78.9090102@codemonkey.ws>
Subject: Re: [Qemu-devel] [PATCH v2] vnc: disable VNC password
	authentication (security type 2) when in FIPS mode
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Anthony Liguori <anthony@codemonkey.ws>
Cc: Paul Moore <pmoore@redhat.com>, qemu-devel Developers <qemu-devel@nongnu.org>, Roman Drahtmueller <draht@suse.de>


On 05.06.2012, at 03:23, Anthony Liguori wrote:

> On 06/05/2012 09:08 AM, Alexander Graf wrote:
>>=20
>> On 05.06.2012, at 03:03, Anthony Liguori wrote:
>>=20
>>> On 06/05/2012 08:55 AM, Alexander Graf wrote:
>>>>=20
>>>> On 05.06.2012, at 01:54, Anthony Liguori wrote:
>>>>=20
>>>>> Have you ever experienced a random failure on an SELinux box that =
made no logical sense?  Out of desperation, you setenforce 0 and =
magically, thinks work again.
>>>>=20
>>>> Yeah - I never understood how anyone thought it makes sense to =
enable SELinux globally be default.... Either way, FIPS hopefully isn't =
something you find enabled by accident anywhere.
>>>>=20
>>>>> Even if the user enabled fips mode, they may not understand that =
this means VNC authentication will stop working.  Providing an option =
(1) allows the user to discover what the problem is (2) makes the =
behavior much more clear.
>>>>=20
>>>> Where would you want the option to live? Compile time would be =
useless - users don't recompile QEMU, they take binary packages. A =
runtime option? Who would enable that runtime option then? Libvirt by =
default I suppose? So you're back in the same hell. RH would patch =
libvirt to always pass in -enable-fips and nothing would be different.
>>>=20
>>> A QemuOpts option that is disabled by default but can be enabled =
through /etc/qemu/target-x86_64.conf
>>>=20
>>> If any distribution wants to enable it as part of the default =
configuration, they certainly can.  But a user can override it if they =
want to.
>>>=20
>>> Likewise, libvirt can enable it by default if they are so inclined.  =
At least the qemu logs from libvirt will show -enable-fips-mode
>>>=20
>>>>=20
>>>>> Removing features based on a magic procfs variable with no input =
from the user is a bad idea IMHO.
>>>>=20
>>>> But it's the design of the Linux FIPS model.
>>>=20
>>> Just because someone made a bad choice, that doesn't mean we have to =
continue to make bad choices ourselves.
>>>=20
>>> This whole feature is ridiculous from a technical perspective.  As =
you said, disabling VNC auth but allowing no-password to be used is =
simply moronic.
>>>=20
>>> I understand why we have to support these things, but it should not =
be the default behavior.
>>=20
>> Fair enough, but I don't think a
>>=20
>> ### log file ###
>>=20
>> qemu-kvm<a lot of options>  -enable-fips<a lot of other options>
>>=20
>> ### end of log file ###
>>=20
>> vs
>>=20
>> ### log file ###
>>=20
>> qemu-kvm<even more options>  <option that sets vnc password>
>> WARNING: your VNC password has just been deactivated
>>=20
>> ### end of log file ###
>>=20
>> make too much of a difference.
>>=20
>> Which gets me to a new idea. Why not exit(1) when we detect FIPS and =
a password is set? I agree with the assessment that we should never =
silently drop features. So the best way to make sure that the user knows =
he did something stupid (enable FIPS, but require a non-FIPS compliant =
authentication method) would be to just quit, no?
>=20
> I think my primary requirement is: allow a user to use vnc =
authentication even when fips mode is active by using some command line =
option.

That's where we disagree.

To me, fips mode enabled in /proc/somewhere is as good as passing in =
-enable-fips on the command line. So it's almost the same as =
-enable-kvm. I don't want -enable-kvm to silently not use KVM, I want =
QEMU to bail out because I've asked it to do something it can't do.

If I pass -enable-fips -vnc-passwd foo, I want to have QEMU bail out. =
Since /proc/foo/fips_mode=3D=3D1 is equivalent to -enable-fips, I want =
the same effect there.

But then again, most people in this world won't care, because they won't =
enable FIPS either way ;). So we've probably already wasted more time =
discussing this than any user would have trying to debug why his =
password authentication wouldn't work.


Alex