Skip to content

feat(fips): disable kvm module in fips mode #43480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kruskall merged 1 commit into from
Mar 26, 2025
Merged

feat(fips): disable kvm module in fips mode #43480

kruskall merged 1 commit into from
Mar 26, 2025

Conversation

@kruskall
Copy link
Member

@kruskall kruskall commented Mar 25, 2025

Proposed commit message

go-libvirt is pulling quite a few x/crypto packages

disable kvm modules in fips mode

should remove the following packages from metricbeat:

  • golang.org/x/crypto/chacha20
  • golang.org/x/crypto/curve25519
  • golang.org/x/crypto/ssh
  • golang.org/x/crypto/internal/poly1305

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@kruskall
feat(fips): disable kvm module in fips mode
b8d1088 
go-libvirt is pulling quite a few x/crypto packages

disable kvm modules in fips mode
@kruskall kruskall added enhancement backport-8.x Automated backport to the 8.x branch with mergify backport-9.0 Automated backport to the 9.0 branch labels Mar 25, 2025
@kruskall kruskall requested a review from a team as a code owner March 25, 2025 05:46
@kruskall kruskall requested review from mauri870 and rdner March 25, 2025 05:46
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 25, 2025
simitt
simitt reviewed Mar 25, 2025
View reviewed changes
Copy link
Contributor

@simitt simitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With these changes, I wonder whether it really still makes sense to keep the metricbeat/module/kvm enabled for FIPS mode when metricbeat/module/kvm/status and metricbeat/module/kvm/dommemstat are disabled? While the third party libraries in question are removed in this PR, functionality wise I don't see the point in keeping the kvm module enabled.

Other than that, LGTM

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Mar 25, 2025
@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 25, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 25, 2025
mauri870
mauri870 approved these changes Mar 26, 2025
View reviewed changes
Copy link
Member

@mauri870 mauri870 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the code, LGTM.

@kruskall kruskall merged commit 92aebb3 into elastic:main Mar 26, 2025
37 checks passed
@kruskall kruskall deleted the feat/fips-kvm branch March 26, 2025 12:29
mergify bot pushed a commit that referenced this pull request Mar 26, 2025
@kruskall @mergify
feat(fips): disable kvm module in fips mode (#43480)
d7b6e1e 
go-libvirt is pulling quite a few x/crypto packages

disable kvm modules in fips mode

(cherry picked from commit 92aebb3)
@mergify mergify bot mentioned this pull request Mar 26, 2025
Merged
6 tasks
mergify bot pushed a commit that referenced this pull request Mar 26, 2025
@kruskall @mergify
feat(fips): disable kvm module in fips mode (#43480)
cb5acf9 
go-libvirt is pulling quite a few x/crypto packages

disable kvm modules in fips mode

(cherry picked from commit 92aebb3)
@mergify mergify bot mentioned this pull request Mar 26, 2025
Closed
6 tasks
@kruskall
Copy link
Member Author

kruskall commented Mar 26, 2025

With these changes, I wonder whether it really still makes sense to keep the metricbeat/module/kvm enabled for FIPS mode when metricbeat/module/kvm/status and metricbeat/module/kvm/dommemstat are disabled? While the third party libraries in question are removed in this PR, functionality wise I don't see the point in keeping the kvm module enabled.

kvm does not add a metricset, only an asset so there's no impact but I guess we could disable it too

kruskall added a commit that referenced this pull request Mar 26, 2025
@mergify @kruskall
feat(fips): disable kvm module in fips mode (#43480) (#43502)
596afa8 
go-libvirt is pulling quite a few x/crypto packages

disable kvm modules in fips mode

(cherry picked from commit 92aebb3)

Co-authored-by: kruskall <99559985+kruskall@users.noreply.github.com>
This was referenced Jun 17, 2025
Merged
Merged
Merged
This was referenced Jun 18, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mauri870 mauri870 mauri870 approved these changes

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

+1 more reviewer

@simitt simitt simitt left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@kruskall kruskall

Labels

backport-8.x Automated backport to the 8.x branch with mergify backport-9.0 Automated backport to the 9.0 branch enhancement Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@kruskall @elasticmachine @simitt @mauri870 @pierrehilbert