author: Peter Maydell <peter.maydell@linaro.org> 2021-01-29 19:51:25 +0000
committer: Peter Maydell <peter.maydell@linaro.org> 2021-01-29 19:51:25 +0000
commit: 74208cd252c5da9d867270a178799abd802b9338 (patch)
tree: a2cfcd1a4b5e1d970286c759da2faef0f891539f /docs/system
parent: 9df52f58e76e904fb141b10318362d718f470db2 (diff)
parent: ecb98f5c7589ba8ecd15c8b1baa2ec7192e47c75 (diff)

Merge remote-tracking branch 'remotes/berrange-gitlab/tags/misc-fixes-pull-request' into staging

* Replace --enable/disable-git-update with --with-git-submodules to allow improved control over use of git submodules
* Deprecate the -enable-fips option
* Ensure docs use prefer format for bool options
* Clarify platform support rules
* Misc fixes to keymap conversions
* Fix misc problems on macOS

# gpg: Signature made Fri 29 Jan 2021 17:10:13 GMT
# gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF

* remotes/berrange-gitlab/tags/misc-fixes-pull-request:
  tests: Replace deprecated ASN1 code
  tests: Fix runtime error in test-authz-pam
  ui: update keycodemapdb submodule commit
  crypto: Add spaces around operator
  configure: replace --enable/disable-git-update with --with-git-submodules
  docs: fix missing backslash in certtool shell example
  docs: simplify and clarify the platform support rules
  Prefer 'on' | 'off' over 'yes' | 'no' for bool options
  os: deprecate the -enable-fips option and QEMU's FIPS enforcement
  crypto: Fix memory leaks in set_loaded for tls-*
  crypto: Forbid broken unloading of secrets
  crypto: Move USER_CREATABLE to secret_common base class
  crypto: Fix some code style problems, add spaces around operator

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'docs/system')

-rw-r--r--  docs/system/build-platforms.rst  63
-rw-r--r--  docs/system/deprecated.rst       12
-rw-r--r--  docs/system/tls.rst               2
-rw-r--r--  docs/system/vnc-security.rst     10

4 files changed, 41 insertions, 46 deletions
diff --git a/docs/system/build-platforms.rst b/docs/system/build-platforms.rst
index 9734eba2f1..692323609e 100644
--- a/docs/system/build-platforms.rst
+++ b/docs/system/build-platforms.rst
@@ -25,55 +25,38 @@ software in their distro, QEMU upstream code will not add explicit
support for those backports, unless the feature is auto-detectable in a
manner that works for the upstream releases too.
-The Repology site https://repology.org is a useful resource to identify
+The `Repology`_ site is a useful resource to identify
currently shipped versions of software in various operating systems,
though it does not cover all distros listed below.
-Linux OS
---------
+Linux OS, macOS, FreeBSD, NetBSD, OpenBSD
+-----------------------------------------
-For distributions with frequent, short-lifetime releases, the project
-will aim to support all versions that are not end of life by their
-respective vendors. For the purposes of identifying supported software
-versions, the project will look at Fedora, Ubuntu, and openSUSE distros.
-Other short- lifetime distros will be assumed to ship similar software
-versions.
+The project aims to support the most recent major version at all times. Support
+for the previous major version will be dropped 2 years after the new major
+version is released or when the vendor itself drops support, whichever comes
+first. In this context, third-party efforts to extend the lifetime of a distro
+are not considered, even when they are endorsed by the vendor (eg. Debian LTS).
-For distributions with long-lifetime releases, the project will aim to
-support the most recent major version at all times. Support for the
-previous major version will be dropped 2 years after the new major
-version is released, or when it reaches "end of life". For the purposes
-of identifying supported software versions, the project will look at
-RHEL, Debian, Ubuntu LTS, and SLES distros. Other long-lifetime distros
-will be assumed to ship similar software versions.
+For the purposes of identifying supported software versions available on Linux,
+the project will look at CentOS, Debian, Fedora, openSUSE, RHEL, SLES and
+Ubuntu LTS. Other distros will be assumed to ship similar software versions.
-Windows
--------
-
-The project supports building with current versions of the MinGW
-toolchain, hosted on Linux.
-
-macOS
------
+For FreeBSD and OpenBSD, decisions will be made based on the contents of the
+respective ports repository, while NetBSD will use the pkgsrc repository.
-The project supports building with the two most recent versions of
-macOS, with the current Homebrew package set available.
+For macOS, `HomeBrew`_ will be used, although `MacPorts`_ is expected to carry
+similar versions.
-FreeBSD
+Windows
-------
-The project aims to support all versions which are not end of
-life.
-
-NetBSD
-------
+The project supports building with current versions of the MinGW toolchain,
+hosted on Linux (Debian/Fedora).
-The project aims to support the most recent major version at all times.
-Support for the previous major version will be dropped 2 years after the
-new major version is released.
-
-OpenBSD
--------
+The version of the Windows API that's currently targeted is Vista / Server
+2008.
-The project aims to support all versions which are not end of
-life.
+.. _HomeBrew: https://brew.sh/
+.. _MacPorts: https://www.macports.org/
+.. _Repology: https://repology.org/
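Review bot: the new macOS paragraph and its link target spell the package manager ``HomeBrew`` (``For macOS, `HomeBrew`_ will be used`` and ``.. _HomeBrew: https://brew.sh/``), whereas the removed text used the project's own spelling ``Homebrew``; suggest renaming both the reference and the target to ``Homebrew``. In the same section, "eg. Debian LTS" should read "e.g. Debian LTS". Also note that the merged "Linux OS, macOS, FreeBSD, NetBSD, OpenBSD" section replaces the old "all versions which are not end of life" rule for FreeBSD/OpenBSD and the separate short-lifetime-distro rule with the single "most recent major version, previous one for 2 years" rule; that is the stated intent of the commit ("simplify and clarify the platform support rules"), but the BSD paragraph only says where versions are looked up, so a reader may want one sentence confirming the same 2-year rule applies there.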
diff --git a/docs/system/deprecated.rst b/docs/system/deprecated.rst
index 9de663526a..6ac757ed9f 100644
--- a/docs/system/deprecated.rst
+++ b/docs/system/deprecated.rst
@@ -134,6 +134,18 @@ Boolean options such as ``share=on``/``share=off`` could be written
in short form as ``share`` and ``noshare``. This is now deprecated
and will cause a warning.
+``--enable-fips`` (since 6.0)
+'''''''''''''''''''''''''''''
+
+This option restricts usage of certain cryptographic algorithms when
+the host is operating in FIPS mode.
+
+If FIPS compliance is required, QEMU should be built with the ``libgcrypt``
+library enabled as a cryptography provider.
+
+Neither the ``nettle`` library, or the built-in cryptography provider are
+supported on FIPS enabled hosts.
+
QEMU Machine Protocol (QMP) commands
------------------------------------
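Review bot: the sentence "Neither the ``nettle`` library, or the built-in cryptography provider are supported" should read "Neither the ``nettle`` library nor the built-in cryptography provider is supported on FIPS enabled hosts". The heading names the option ``--enable-fips`` while the commit message calls it ``-enable-fips``; use the spelling the deprecation warning itself prints so operators can search for it. The entry also does not state what QEMU does now when the flag is passed (warn and ignore, or still enforce until removal); deprecation entries elsewhere in this file say "will cause a warning", and a matching sentence here would tell operators who relied on the enforcement what changes for them.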
diff --git a/docs/system/tls.rst b/docs/system/tls.rst
index dc2b94257f..b0973afe1b 100644
--- a/docs/system/tls.rst
+++ b/docs/system/tls.rst
@@ -64,7 +64,7 @@ interactive prompts from certtool::
cert_signing_key
EOF
# certtool --generate-self-signed \
- --load-privkey ca-key.pem
+ --load-privkey ca-key.pem \
--template ca.info \
--outfile ca-cert.pem
diff --git a/docs/system/vnc-security.rst b/docs/system/vnc-security.rst
index 558e4faffc..ebca656d87 100644
--- a/docs/system/vnc-security.rst
+++ b/docs/system/vnc-security.rst
@@ -65,7 +65,7 @@ encrypted session.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=no \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=off \
-vnc :1,tls-creds=tls0 -monitor stdio
In the above example ``/etc/pki/qemu`` should contain at least three
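Review bot: this hunk switches only the example to ``verify-peer=off``; the prose introducing it lies outside the hunk and is not touched, whereas the next hunk in this file updates both the sentence ("set to ``on`` instead") and the example. Check that the sentence preceding this first example does not still say ``no``, so text and command line stay consistent with the "Prefer 'on' | 'off'" change.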
@@ -84,12 +84,12 @@ connecting. The server will request that the client provide a
certificate, which it will then validate against the CA certificate.
This is a good choice if deploying in an environment with a private
internal certificate authority. It uses the same syntax as previously,
-but with ``verify-peer`` set to ``yes`` instead.
+but with ``verify-peer`` set to ``on`` instead.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0 -monitor stdio
.. _vnc_005fsec_005fcertificate_005fpw:
@@ -103,7 +103,7 @@ authentication to provide two layers of authentication for clients.
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,password -monitor stdio
(qemu) change vnc password
Password: ********
@@ -145,7 +145,7 @@ x509 options:
.. parsed-literal::
|qemu_system| [...OPTIONS...] \
- -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=yes \
+ -object tls-creds-x509,id=tls0,dir=/etc/pki/qemu,endpoint=server,verify-peer=on \
-vnc :1,tls-creds=tls0,sasl -monitor stdio
.. _vnc_005fsetup_005fsasl: