| #
4589acc1
|
| 22-May-2025 |
Stefan Hajnoczi <stefanha@redhat.com> |
Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging
Misc VNC, I/O, Crypto & checkpatch changes
* Fix VNC tight encoding with 8/16-bpp formats with
mixed endian ser
Merge tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu into staging
Misc VNC, I/O, Crypto & checkpatch changes
* Fix VNC tight encoding with 8/16-bpp formats with
mixed endian server/client
* Fix VNC non-tight encoding with mixed endian server/client
* Drop built-in AES impl from non-TCG usage, requiring
nettle/gcrypt/gnutls
* Fix validation of SPDX-License-Identifier in new files
* Mandate SPDX-License-Identifier in Rust source
* Reject license boilerplate in new files
* Add full control over TCP keep alive setting for sockets
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmgu/EgACgkQvobrtBUQ
# T994FA/7BLeIHJqsV3/DtPKVqllzG2PJT/n85Owu/h39gqRsqHDssDQFPmgFsnzk
# UcvOSLd7RKQ5/tY5zLPh4JPpnloJ/jpj50hUK42wu8Q4U16PV/yUhQVVjEkVmX+z
# XepbEwgrEVuy4F62NnUJmbaT5PcayyS5FPREbrQ8zPzagMWTSqbR7EQ+PCTUkJdo
# LR4mvxoqWhGnaQzPAGlRtAfRfT6Jg3NaL4sLqLiexuhdloZLHC85SvE1usBg8x+M
# KP2BX1FeIILnN+1CXnZ9/vzUqiFaFLfzGwVMK9QYW0GW2Oo3uCcLloY+llbo6Pq/
# tC8Po8AMIOojnrJm+TeS6V18QBNU5qqyHKGamZrSlBobZRgC7tOSljExoT5mnGrS
# V1nKNAz5FLz7LQ8jZpziPlPqr3WBqBRtV8SxJD+a0vh0/5YnTCbPC0Q6Q2N8cQDh
# Wra9QN10xD60tjsnRT/7Lp7gW/RyjT+uJHQkNxn6PZVbI/6Q1283YpbmVY55vcNe
# De47LPsmc6XnpJSmzmjt+VrWLob67IOo4JcttMrv7xWj08jb1TFUf7M0Mvdu2YBR
# 3C9MAt5sjmL9qHARToXr8RC3SCX9pMTZFYatHGAbRdRDi6ygFW1OQVJvxrOj00kN
# bavXjcDlTfRzgTnVRbqUbqSY0D9LZqSUDRxfQdEBGAzWgMksAuM=
# =X323
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 22 May 2025 06:28:24 EDT
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF
* tag 'misc-next-pull-request' of https://gitlab.com/berrange/qemu: (23 commits)
scripts/checkpatch.pl: mandate SPDX tag for Rust src files
util/qemu-sockets: Introduce inet socket options controlling TCP keep-alive
util/qemu-sockets: Refactor inet_parse() to use QemuOpts
util/qemu-sockets: Add support for keep-alive flag to passive sockets
util/qemu-sockets: Refactor success and failure paths in inet_listen_saddr()
util/qemu-sockets: Refactor setting client sockopts into a separate function
io: Fix partial struct copy in qio_dns_resolver_lookup_sync_inet()
scripts/checkpatch: reject license boilerplate on new files
scripts/checkpatch: reimplement mandate for SPDX-License-Identifier
scripts/checkpatch: use new hook for MAINTAINERS update check
scripts/checkpatch: expand pattern for matching makefiles
scripts/checkpatch: use new hook for file permissions check
scripts/checkpatch: use new hook for ACPI test data check
scripts/checkpatch: introduce tracking of file start/end
scripts/checkpatch.pl: fix various indentation mistakes
Revert "scripts: mandate that new files have SPDX-License-Identifier"
crypto: fully drop built-in cipher provider
tests: fix skipping cipher tests when AES is not available
tests: skip legacy qcow2 encryption test if AES is not available
tests: skip encrypted secret tests if AES is not available
...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
show more ...
|
| #
5a56f60d
|
| 06-May-2025 |
Daniel P. Berrangé <berrange@redhat.com> |
crypto: fully drop built-in cipher provider
When originally creating the internal crypto cipher APIs, they were
wired up to use the built-in D3DES and AES implementations, as a way
to gracefully tra
crypto: fully drop built-in cipher provider
When originally creating the internal crypto cipher APIs, they were
wired up to use the built-in D3DES and AES implementations, as a way
to gracefully transition to the new APIs without introducing an
immediate hard dep on any external crypto libraries for the VNC
password auth (D3DES) or the qcow2 encryption (AES).
In the 6.1.0 release we dropped the built-in D3DES impl, and also
the XTS mode for the AES impl, leaving only AES with ECB/CBC modes.
The rational was that with the system emulators, it is expected that
3rd party crypto libraries will be available.
The qcow2 LUKS impl is preferred to the legacy raw AES impl, and by
default that requires AES in XTS mode, limiting the usefulness of
the built-in cipher provider.
The built-in AES impl has known timing attacks and is only suitable
for use cases where a security boundary is already not expected to
be provided (TCG).
Providing a built-in cipher impl thus potentially misleads users,
should they configure a QEMU without any crypto library, and try
to use it with the LUKS backend, even if that requires a non-default
configuration choice.
Complete what we started in 6.1.0 and purge the remaining AES
support.
Use of either gnutls, nettle, or libcrypt is now mandatory for any
cipher support, except for TCG impls.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
show more ...
|