swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures

[stefanberger]

While libtpms does not provide any means to disable FIPS-disabled crypto
algorithms from being used, work around the issue by simply disabling the
FIPS mode of OpenSSL if it is enabled. If it cannot be disabled, exit
swtpm with a failure message that it cannot be disabled. If FIPS mode
was successfully disabled, print out a message as well.

Signed-off-by: Stefan Berger stefanb@linux.ibm.com

[stefanberger]

@elmarco This is the solution for now to run swtpm on FIPS-enabled machines.

[coveralls]

Pull Request Test Coverage Report for Build 3897

• 8 of 14 (57.14%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.03%) to 74.811%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/swtpm/fips.c	5	11	45.45%

Totals
Change from base Build 3884:	-0.03%
Covered Lines:	6145
Relevant Lines:	8214

---

💛 - Coveralls

[stefanberger]

This should now be in a shape where this can be merged and should resolve the issue on the platform where the error was reported.

[berrange]

Obviously this change would prevent the vTPM actually being used with/included in any government certification programs for virt hosts that require FIPS, but as a short term workaround to at least get the VMs booting, the code looks OK.

[stefanberger]

Obviously this change would prevent the vTPM actually being used with/included in any government certification programs for virt hosts that require FIPS, but as a short term workaround to at least get the VMs booting, the code looks OK.

So this patch works in the scenario described in the bugzilla?

[berrange]

So this patch works in the scenario described in the bugzilla?

I can't claim to have tested it myself, nor in fact even used FIPS, but conceptually I believe it should address the immediate problem.