Jerry Snitselaar @ 2020-12-04 11:59 MST: > Simo Sorce @ 2020-12-04 07:32 MST: > >> On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote: >>> On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <s...@redhat.com> wrote: >>> > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote: >>> > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the >>> > > > question with regards to opencryptoki-tpmtok if it should be changed >>> > > > in >>> > > > Fedora as well, so I thought I'd see what everyone thinks about future >>> > > > TPM1.2 support in Fedora. I know at one point in the last year or so >>> > > > trousers almost dropped from Fedora due to being orphaned for quite a >>> > > > while. From what I could find the following packages have >>> > > > dependencies: >>> > > > >>> > > > ecryptfs-utils - --disable-tspi >>> > > > openconnect - looks like it will only build support if trousers-devel >>> > > > is >>> > > > there, and makes use of tpm2-tss as well. >>> > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? >>> > > > tboot - the trousers dependency was just in a policy tool that >>> > > > has now >>> > > > been deprecated upstream. >>> > > > opencryptoki-tpmtok - --disable-tpmtok >>> > > > >>> > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific >>> > > > packages. >>> > > > >>> > > > Another thing is that in the kernel there currently is no way to build >>> > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 >>> > > > would still be there. >>> > > > >>> > > > I don't think Fedora needs to drop the tpm1.2 support if people want >>> > > > to >>> > > > continue supporting it, but wanted to put the question out there and >>> > > > see >>> > > > how everyone felt. >>> > > >>> > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ >>> > > years and tpm1 has security issues, so I think the time is now to drop >>> > > it. Please do a Fedora Change proposal to ensure it's communicated >>> > > properly. >>> > >>> > Won't that hurt people that have keys trapped in a TPM 1.2 device ? >>> >>> Won't it hurt RHEL users in similar ways? >> >> It may, but that is RHEL, and this Fedora, no ? >> >>> What is the likelihood of >>> those users actively upgrading anyway? >> >> Upgrades in RHEL are a much bigger deal, and usually better researched >> (also rare, usually people reinstall there). >> >> In Fedora distro-upgrading w/o looking too hard at release notes is >> common. >> >> Of course the amount of people that uses TPM 1.2 in Fedora is probably >> very small, so this change may be ok, but I just wanted to raise the >> issue. >> >> Is there a way, after update to still use TPM 1.2 at all (even if it >> requires installing copr/other repo packages)? Or will people need to >> roll back their system to access those secrets at all ? >> >> Simo. > > Yes, the kernel support in the driver would still be there. Currently > the driver code can't be compiled for just tpm1.2 or tpm2.0. So it > would be a matter of getting userspace tools to talk to it.
I think the plan will be in RHEL to tell people that if you need to use TPM1.2 keep using RHEL8 since it will be supported for a number of years still. TPM1.2 was already marked as deprecated in the RHEL8 Release Notes, so hopefully it won't generate too much unhappiness. I know Fedora is a different beast though, and sticking with an older release isn't really an option for users. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
