Hi!

On Wed, Mar 20, 2024 at 9:50 AM Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:

> On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
> > Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
> >
> > This is a proposed Change for Fedora Linux.
> > This document represents a proposed Change. As part of the Changes
> > process, proposals are publicly announced in order to receive
> > community feedback. This proposal will only be implemented if approved
> > by the Fedora Engineering Steering Committee.
> >
> > == Summary ==
> > We disable support of engines in OpenSSL
> >
> > == Owner ==
> > * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
> > * Email: dbely...@redhat.com
> >
> > == Detailed Description ==
> > We are going to build OpenSSL without engine support. Engines are not
> > FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
> > The engine functionality we are aware of (PKCS#11, TPM) is either
> > covered by providers or will be covered soon.
> >
> > == Feedback ==
> >
> >
> > == Benefit to Fedora ==
> > We get rid of deprecated functionality and enforce using up-to-date
> > API. Engine support is deprecated in OpenSSL upstream, and after
> > provider migration caused some deficiencies with engine support. No
> > new features will be added to the engine. So we reduce the maintenance
> > burden and potentially attack surface.
>
> Hi,
>
> In systemd, we recently added support for engines in various tools:
> - systemd-{repart,measure} have --private-key-source=file|engine|provider
>   (this is C code).
>

As `provider` is a possible source, you will have to replace `engine` with
a particular provider.
tpm2 provider is on the way to rawhide, and pkcs11 provider has already
landed, so TPMs and Yubikeys



> - ukify has --signing-engine.
>   This is Python code that calls sbsign or pesign to do parts of the
>   heavy lifting, and those binaries do not support providers. (At least
>   the docs are silent on this, please correct if they do.)
>

Have no idea, but it means we have to change this code.

>
> So it seems we'd lose support for signing with keys stored on yubikeys
> and tpms and other fancy approaches if the proposed change goes through.
>

We don't lose this support but we still have to adjust configurations.


> --
>
> Also, what is the impact on:
> - kernel module signing in the build system
> - signing of shim, grub2, fwupd, and the kernel in the build system
> - mokutil
>

Does any kernel module rely on OpenSSL?


>
> Thanks,
> Zbyszek
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>


-- 
Dmitry Belyavskiy