Re: Fedora TPM1.2 Support

On Fri, Dec 4, 2020 at 2:32 PM Simo Sorce <simo@xxxxxxxxxx> wrote:
>
> On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote:
> > On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <simo@xxxxxxxxxx> wrote:
> > > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote:
> > > > > We are looking to no longer support TPM1.2 in RHEL9. That raised the
> > > > > question with regards to opencryptoki-tpmtok if it should be changed in
> > > > > Fedora as well, so I thought I'd see what everyone thinks about future
> > > > > TPM1.2 support in Fedora. I know at one point in the last year or so
> > > > > trousers almost dropped from Fedora due to being orphaned for quite a
> > > > > while. From what I could find the following packages have dependencies:
> > > > >
> > > > > ecryptfs-utils  - --disable-tspi
> > > > > openconnect - looks like it will only build support if trousers-devel is
> > > > >               there, and makes use of tpm2-tss as well.
> > > > > strongswan  - --enable-tss-tss2 instead of --enable-tss-trousers?
> > > > > tboot       - the trousers dependency was just in a policy tool that has now
> > > > >               been deprecated upstream.
> > > > > opencryptoki-tpmtok - --disable-tpmtok
> > > > >
> > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific
> > > > > packages.
> > > > >
> > > > > Another thing is that in the kernel there currently is no way to build
> > > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2
> > > > > would still be there.
> > > > >
> > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to
> > > > > continue supporting it, but wanted to put the question out there and see
> > > > > how everyone felt.
> > > >
> > > > I think it should be dropped, tpm2 has been shipped in hardware for 5+
> > > > years and tpm1 has security issues, so I think the time is now to drop
> > > > it. Please do a Fedora Change proposal to ensure it's communicated
> > > > properly.
> > >
> > > Won't that hurt people that have keys trapped in a TPM 1.2 device ?
> >
> > Won't it hurt RHEL users in similar ways?
>
> It may, but that is RHEL, and this Fedora, no ?
>
> > What is the likelihood of
> > those users actively upgrading anyway?
>
> Upgrades in RHEL are a much bigger deal, and usually better researched
> (also rare, usually people reinstall there).

Really? I did a number of years in RH Consulting and I'd like to see
where you get that data from. It varies a LOT.

> In Fedora distro-upgrading w/o looking too hard at release notes is
> common.
>
> Of course the amount of people that uses TPM 1.2 in Fedora is probably
> very small, so this change may be ok, but I just wanted to raise the
> issue.

Sure, and I don't disagree with either of those assessments.

> Is there a way, after update to still use TPM 1.2 at all (even if it
> requires installing copr/other repo packages)? Or will people need to
> roll back their system to access those secrets at all ?

I haven't looked that far. Ultimately we never supported it for things
like disk encryption particularly well, or in any easy manner without
jumping through hoops; e.g. it's not supported through things like
clevis. There was some support in some VPN-related bits, but not well
via the standard tools for VPN like NetworkManager, so I suspect the
actual use of tpm1 was little.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
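The practical question raised in the thread (does this host still depend on a TPM 1.2, and will dropping trousers strand anything?) can be answered before a distro upgrade with a short check. The script below is an added example, not code from the thread or from Fedora; it assumes the kernel exposes /sys/class/tpm/tpm0/tpm_version_major (kernels 5.6 and later, to my knowledge), that older kernels create the caps/pcrs attributes only for TPM 1.2 chips, and that `rpm -q --whatrequires trousers` lists the installed packages that still need the TPM 1.2 stack.

```shell
#!/bin/sh
# Added example (not from the thread): pre-upgrade check for TPM 1.2 dependence.
# Assumptions: /sys/class/tpm/tpm0/tpm_version_major exists on kernels >= 5.6;
# on older kernels the TPM 1.2 driver creates 'caps'/'pcrs' and TPM 2.0 does not.

# Print "1.2", "2.0", "none" or "unknown" for the TPM under $1
# (defaults to /sys/class/tpm/tpm0; a fake directory can be passed for testing).
tpm_version() {
    dir="${1:-/sys/class/tpm/tpm0}"
    if [ ! -d "$dir" ]; then
        echo none
        return 0
    fi
    if [ -r "$dir/tpm_version_major" ]; then
        case "$(cat "$dir/tpm_version_major")" in
            1) echo 1.2 ;;
            2) echo 2.0 ;;
            *) echo unknown ;;
        esac
        return 0
    fi
    # Fallback for kernels without tpm_version_major (assumed layouts): the
    # TPM 1.2 driver exposes caps/pcrs, either on tpm0 or on its parent device.
    if [ -r "$dir/caps" ] || [ -r "$dir/pcrs" ] || [ -r "$dir/device/caps" ]; then
        echo 1.2
    else
        echo unknown
    fi
}

# Read package names on stdin, as produced by
#   rpm -q --whatrequires --qf '%{NAME}\n' trousers
# and print the dependents other than trousers itself. rpm prints
# "no package requires trousers" when nothing depends on it; drop that line.
trousers_dependents() {
    grep -v '^no package requires' | grep -v '^trousers$' | sort -u
}

# Classify the upgrade risk from the TPM version ($1) and the dependent list ($2):
#   keys-at-risk   a TPM 1.2 is present and installed software still uses it
#   tpm12-unused   a TPM 1.2 is present but nothing installed requires trousers
#   stack-only     no TPM 1.2 chip, but packages still pull in trousers
#   ok             nothing on this host depends on the TPM 1.2 stack
upgrade_risk() {
    if [ "$1" = "1.2" ]; then
        if [ -n "$2" ]; then echo keys-at-risk; else echo tpm12-unused; fi
    elif [ -n "$2" ]; then
        echo stack-only
    else
        echo ok
    fi
}

report() {
    ver=$(tpm_version "${1:-/sys/class/tpm/tpm0}")
    if command -v rpm >/dev/null 2>&1; then
        deps=$(rpm -q --whatrequires --qf '%{NAME}\n' trousers 2>/dev/null | trousers_dependents)
    else
        deps=""   # not an RPM-based system: only the TPM version can be reported
    fi
    echo "TPM version: $ver"
    echo "Installed packages requiring trousers: ${deps:-none}"
    echo "Assessment: $(upgrade_risk "$ver" "$deps")"
}

# Run the report when executed directly; set TPM12_CHECK_LIBRARY=1 to only
# define the functions (e.g. when sourcing this file from a test).
[ -n "${TPM12_CHECK_LIBRARY:-}" ] || report
```

A host reporting "keys-at-risk" is the case Simo asks about: secrets sealed to a TPM 1.2 that become unreachable once trousers and its consumers are gone, so export or re-encrypt them before upgrading. "stack-only" means the packages in the thread's list (openconnect, strongswan, ecryptfs-utils, opencryptoki-tpmtok) are installed with their trousers build option enabled but no TPM 1.2 hardware is present, which is the harmless rebuild case.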