* Replace --enable/disable-git-update with --with-git-submodules

to allow improved control over use of git submodules * Deprecate the -enable-fips option * Ensure docs use prefer format for bool options * Clarify platform support rules * Misc fixes to keymap conversions * Fix misc problems on macOS -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmAUQXUACgkQvobrtBUQ T9/9Zw//VV3z7MI70HjWk17TUmkKLGFbmrc3xvtS6EMZbhfXpsR8qMfSjoRxP4Gn CgeftOa/lK5XjL7FcEUmcZeO8jZNE/+S5wgP2upP5Ae1zuDeyaSPTGR6UYs7WqSa P1kQsot2sAsZCP7Lko0jSv7rEDInK1bcdWr0a/xR5M2TvKiXoEdbElIZdwe3yLbC qWPWiv2pp6z2eGtJK/9VBxXjP0tlkNAR+jz8p/8RSZEEKf3aSq6HvVae+bHU86nX 9t4baZk3ZuuwkmHJrHJP/72BjjitqEOiydtSsOCVYmY2GOclYeTnezG/vm75cGIK ej6hwFGElAEQk+KU9g7HOXi1eqXncSBjP0xWqc8PaZLW7wW/Uv8UV94fk+SCkIQ0 GVBBLP8PzySL+w33NN7sv14cWeBpsjy9arMr4okZ80klFlS2hx/FqnUmhFhoN8ub ptIPUcSJoL+6pjxatV2yJ6bHkVga9PiwtLC8/rqETYPJz0b756xlPaEGd+0B1P0V ZMraE7lCgS0kJM6w0xF3R7JlGVtKouj4ZePCK5MGjpByBAK/vn/MbhbEmcyh+uJD r6sakKwqLjDLKdmQDd+biq3q6mvKE8ZKaUj8dXYdvxXSxxqXZ8DnrNpj/UkDTi3S chlTT1qUYrp2MVYqGmFjZ0XcEdEUR1I39rUs+wRxE3RgtE56M1A= =g6bC -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging * Replace --enable/disable-git-update with --with-git-submodules to allow improved control over use of git submodules * Deprecate the -enable-fips option * Ensure docs use prefer format for bool options * Clarify platform support rules * Misc fixes to keymap conversions * Fix misc problems on macOS # gpg: Signature made Fri 29 Jan 2021 17:10:13 GMT # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] # Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF * remotes/berrange-gitlab/tags/misc-fixes-pull-request: tests: Replace deprecated ASN1 code tests: Fix runtime error in test-authz-pam ui: update keycodemapdb submodule commit crypto: Add spaces around operator configure: replace --enable/disable-git-update with --with-git-submodules docs: fix missing backslash in certtool shell example docs: simplify and clarify the platform support rules Prefer 'on' | 'off' over 'yes' | 'no' for bool options os: deprecate the -enable-fips option and QEMU's FIPS enforcement crypto: Fix memory leaks in set_loaded for tls-* crypto: Forbid broken unloading of secrets crypto: Move USER_CREATABLE to secret_common base class crypto: Fix some code style problems, add spaces around operator Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2025-08-07 09:43:56 -06:00 · 2021-01-29 19:51:25 +00:00 · 2021-01-29 19:51:25 +00:00 · 74208cd252
commit 74208cd252
parent 9df52f58e7 ecb98f5c75
25 changed files with 162 additions and 148 deletions
--- a/docs/system/build-platforms.rst
+++ b/docs/system/build-platforms.rst
@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit
 support for those backports, unless the feature is auto-detectable in a
 manner that works for the upstream releases too.

-The Repology site https://repology.org is a useful resource to identify
+The `Repology`_ site is a useful resource to identify
 currently shipped versions of software in various operating systems,
 though it does not cover all distros listed below.

-Linux OS
--------
+Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
+-----------------------------------------

-For distributions with frequent, short-lifetime releases, the project
-will aim to support all versions that are not end of life by their
-respective vendors. For the purposes of identifying supported software
-versions, the project will look at Fedora, Ubuntu, and openSUSE distros.
-Other short- lifetime distros will be assumed to ship similar software
-versions.
+The project aims to support the most recent major version at all times. Support
+for the previous major version will be dropped 2 years after the new major
+version is released or when the vendor itself drops support, whichever comes
+first. In this context, third-party efforts to extend the lifetime of a distro
+are not considered, even when they are endorsed by the vendor (eg. Debian LTS).

-For distributions with long-lifetime releases, the project will aim to
-support the most recent major version at all times. Support for the
-previous major version will be dropped 2 years after the new major
-version is released, or when it reaches "end of life". For the purposes
-of identifying supported software versions, the project will look at
-RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros
-will be assumed to ship similar software versions.
+For the purposes of identifying supported software versions available on Linux,
+the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and
+Ubuntu LTS. Other distros will be assumed to ship similar software versions.
+
+For FreeBSD and OpenBSD, decisions will be made based on the contents of the
+respective ports repository, while NetBSD will use the pkgsrc repository.
+
+For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry
+similar versions.

 Windows
 -------

-The project supports building with current versions of the MinGW
-toolchain, hosted on Linux.
+The project supports building with current versions of the MinGW toolchain,
+hosted on Linux (Debian/Fedora).

-macOS
-----
+The version of the Windows API that's currently targeted is Vista / Server
+2008.

-The project supports building with the two most recent versions of
-macOS, with the current Homebrew package set available.
-
-FreeBSD
-------
-
-The project aims to support all versions which are not end of
-life.
-
-NetBSD
------
-
-The project aims to support the most recent major version at all times.
-Support for the previous major version will be dropped 2 years after the
-new major version is released.
-
-OpenBSD
-------
-
-The project aims to support all versions which are not end of
-life.
+.. _HomeBrew: https://brew.sh/
+.. _MacPorts: https://www.macports.org/
+.. _Repology: https://repology.org/
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written
 in short form as ``share`` and ``noshare``.  This is now deprecated
 and will cause a warning.

+``--enable-fips`` (since 6.0)
+'''''''''''''''''''''''''''''
+
+This option restricts usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
+
 QEMU Machine Protocol (QMP) commands
 ------------------------------------

--- a/docs/system/tls.rst
+++ b/docs/system/tls.rst
@ -64,7 +64,7 @@ interactive prompts from certtool::
   cert_signing_key
   EOF
   # certtool --generate-self-signed \
-              --load-privkey ca-key.pem
+              --load-privkey ca-key.pem \
              --template ca.info \
              --outfile ca-cert.pem

--- a/docs/system/vnc-security.rst
+++ b/docs/system/vnc-security.rst
@ -65,7 +65,7 @@ encrypted session.
 .. parsed-literal::

   |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
     -vnc :1,tls-creds=tls0 -monitor stdio

 In the above example ``/etc/pki/qemu`` should contain at least three
@ -84,12 +84,12 @@ connecting. The server will request that the client provide a
 certificate, which it will then validate against the CA certificate.
 This is a good choice if deploying in an environment with a private
 internal certificate authority. It uses the same syntax as previously,
-but with ``verify-peer`` set to ``yes`` instead.
+but with ``verify-peer`` set to ``on`` instead.

 .. parsed-literal::

   |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
     -vnc :1,tls-creds=tls0 -monitor stdio

 .. _vnc_005fsec_005fcertificate_005fpw:
@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients.
 .. parsed-literal::

   |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
     -vnc :1,tls-creds=tls0,password -monitor stdio
   (qemu) change vnc password
   Password: ********
@ -145,7 +145,7 @@ x509 options:
 .. parsed-literal::

   |qemu_system| [...OPTIONS...] \
-     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+     -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
     -vnc :1,tls-creds=tls0,sasl -monitor stdio

 .. _vnc_005fsetup_005fsasl: