On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote: > On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <simo@xxxxxxxxxx> wrote: > > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote: > > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the > > > > question with regards to opencryptoki-tpmtok if it should be changed in > > > > Fedora as well, so I thought I'd see what everyone thinks about future > > > > TPM1.2 support in Fedora. I know at one point in the last year or so > > > > trousers almost dropped from Fedora due to being orphaned for quite a > > > > while. From what I could find the following packages have dependencies: > > > > > > > > ecryptfs-utils - --disable-tspi > > > > openconnect - looks like it will only build support if trousers-devel is > > > > there, and makes use of tpm2-tss as well. > > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? > > > > tboot - the trousers dependency was just in a policy tool that has now > > > > been deprecated upstream. > > > > opencryptoki-tpmtok - --disable-tpmtok > > > > > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific > > > > packages. > > > > > > > > Another thing is that in the kernel there currently is no way to build > > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 > > > > would still be there. > > > > > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to > > > > continue supporting it, but wanted to put the question out there and see > > > > how everyone felt. > > > > > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ > > > years and tpm1 has security issues, so I think the time is now to drop > > > it. Please do a Fedora Change proposal to ensure it's communicated > > > properly. > > > > Won't that hurt people that have keys trapped in a TPM 1.2 device ? > > Won't it hurt RHEL users in similar ways? It may, but that is RHEL, and this Fedora, no ? > What is the likelihood of > those users actively upgrading anyway? Upgrades in RHEL are a much bigger deal, and usually better researched (also rare, usually people reinstall there). In Fedora distro-upgrading w/o looking too hard at release notes is common. Of course the amount of people that uses TPM 1.2 in Fedora is probably very small, so this change may be ok, but I just wanted to raise the issue. Is there a way, after update to still use TPM 1.2 at all (even if it requires installing copr/other repo packages)? Or will people need to roll back their system to access those secrets at all ? Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
