On Thu, Dec 3, 2020 at 11:22 PM Jerry Snitselaar <jsnitsel@xxxxxxxxxx> wrote: > > On Thu, Dec 3, 2020 at 2:28 PM Peter Robinson <pbrobinson@xxxxxxxxx> wrote: > > > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the > > > question with regards to opencryptoki-tpmtok if it should be changed in > > > Fedora as well, so I thought I'd see what everyone thinks about future > > > TPM1.2 support in Fedora. I know at one point in the last year or so > > > trousers almost dropped from Fedora due to being orphaned for quite a > > > while. From what I could find the following packages have dependencies: > > > > > > ecryptfs-utils - --disable-tspi > > > openconnect - looks like it will only build support if trousers-devel is > > > there, and makes use of tpm2-tss as well. > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? > > > tboot - the trousers dependency was just in a policy tool that has now > > > been deprecated upstream. > > > opencryptoki-tpmtok - --disable-tpmtok > > > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific > > > packages. > > > > > > Another thing is that in the kernel there currently is no way to build > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 > > > would still be there. > > > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to > > > continue supporting it, but wanted to put the question out there and see > > > how everyone felt. > > > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ > > years and tpm1 has security issues, so I think the time is now to drop > > it. Please do a Fedora Change proposal to ensure it's communicated > > properly. > > > > Peter > > Hi Peter, > > Having never done one of these before, looking at the documentation would > this be considered system-wide? I think in addition to the above packages > possibly selinux-policy could be added to remove the capabilities > listed for tcsd. I think a Self Contained change is fine, it's relatively self contained across a small subset of packages and well defined hardware. Peter _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
