On Fri, Dec 4, 2020 at 2:32 PM Simo Sorce <simo@xxxxxxxxxx> wrote: > > On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote: > > On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <simo@xxxxxxxxxx> wrote: > > > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote: > > > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the > > > > > question with regards to opencryptoki-tpmtok if it should be changed in > > > > > Fedora as well, so I thought I'd see what everyone thinks about future > > > > > TPM1.2 support in Fedora. I know at one point in the last year or so > > > > > trousers almost dropped from Fedora due to being orphaned for quite a > > > > > while. From what I could find the following packages have dependencies: > > > > > > > > > > ecryptfs-utils - --disable-tspi > > > > > openconnect - looks like it will only build support if trousers-devel is > > > > > there, and makes use of tpm2-tss as well. > > > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? > > > > > tboot - the trousers dependency was just in a policy tool that has now > > > > > been deprecated upstream. > > > > > opencryptoki-tpmtok - --disable-tpmtok > > > > > > > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific > > > > > packages. > > > > > > > > > > Another thing is that in the kernel there currently is no way to build > > > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 > > > > > would still be there. > > > > > > > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to > > > > > continue supporting it, but wanted to put the question out there and see > > > > > how everyone felt. > > > > > > > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ > > > > years and tpm1 has security issues, so I think the time is now to drop > > > > it. Please do a Fedora Change proposal to ensure it's communicated > > > > properly. > > > > > > Won't that hurt people that have keys trapped in a TPM 1.2 device ? > > > > Won't it hurt RHEL users in similar ways? > > It may, but that is RHEL, and this Fedora, no ? > > > What is the likelihood of > > those users actively upgrading anyway? > > Upgrades in RHEL are a much bigger deal, and usually better researched > (also rare, usually people reinstall there). Really? I did a number of years in RH Consulting and I'd like to see where you get that data from. It varies a LOT. > In Fedora distro-upgrading w/o looking too hard at release notes is > common. > > Of course the amount of people that uses TPM 1.2 in Fedora is probably > very small, so this change may be ok, but I just wanted to raise the > issue. Sure, and I don't disagree with both those assessments > Is there a way, after update to still use TPM 1.2 at all (even if it > requires installing copr/other repo packages)? Or will people need to > roll back their system to access those secrets at all ? I haven't looked that far. Ultimately we never supported it for things like disk encryption particularly well and in any easy manner without jumping through hoops, eg it's not supported through things like clevis, there was some support in some VPN related bits but not well via the standard tools for VPN like NetworkManager so I suspect the actual use of tpm1 was little. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
