Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH 00/10] Consolidate crypto APIs & implementations
Date: Fri, 22 May 2015 12:37:21 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

On Fri, May 22, 2015 at 07:29:05PM +0800, Gonglei wrote:
> On 2015/5/21 18:56, Daniel P. Berrange wrote:
> > This small series covers the crypto consolidation patches
> > I previously posted as part of a larger RFC for the TLS work
> >
> > https://lists.nongnu.org/archive/html/qemu-devel/2015-04/msg02038.html
> >
> > Currently there are 5 main places in QEMU which use some
> > form of cryptographic hash or cipher algorithm. These are
> > the quorum block driver (hash), qcow[2] block driver (cipher),
> > VNC password auth (cipher), VNC websockets (hash) and some
> > of the CPU instruction emulation (cipher).
> >
> > For ciphers the code is using the in-tree implementations
> > of AES and/or the RFB cripple-DES. While there is nothing
> > broken about these implementations, it is nonetheless
> > desirable to be able to use the GNUTLS provided impls in
> > cases where we are already linking to GNUTLS. This will
> > allow QEMU to use FIPS certified implementations, which
> > have been well audited, have some protection against
> > side-channel leakage and are generally actively maintained
> > by people knowledgeable about encryption.
> >
> Can we use OpenSSL library in Qemu? If not, that's because of the license?

There are differing opinions on OpenSSL licensing. Personally I consider
it to be GPL incompatible because I don't accept the suggestion that openssl
is exempt under the system libraries clause. In any case QEMU is already
using GNUTLS and IME it has a more friendly API with better documentation
than openssl or nss.

That all said, one benefit of the crypto consolidation is that it makes it
more feasible to plug in alternative crypto libraries, because all the
gnutls specific code is isolated in one place, instead of spread across
the entire codebase. I don't intend to do any work to support other
crypto libraries though as I don't think there's any compelling benefit
to them.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|