Simo Sorce @ 2020-12-04 07:32 MST: > On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote: >> On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <simo@xxxxxxxxxx> wrote: >> > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote: >> > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the >> > > > question with regards to opencryptoki-tpmtok if it should be changed in >> > > > Fedora as well, so I thought I'd see what everyone thinks about future >> > > > TPM1.2 support in Fedora. I know at one point in the last year or so >> > > > trousers almost dropped from Fedora due to being orphaned for quite a >> > > > while. From what I could find the following packages have dependencies: >> > > > >> > > > ecryptfs-utils - --disable-tspi >> > > > openconnect - looks like it will only build support if trousers-devel is >> > > > there, and makes use of tpm2-tss as well. >> > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? >> > > > tboot - the trousers dependency was just in a policy tool that has now >> > > > been deprecated upstream. >> > > > opencryptoki-tpmtok - --disable-tpmtok >> > > > >> > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific >> > > > packages. >> > > > >> > > > Another thing is that in the kernel there currently is no way to build >> > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 >> > > > would still be there. >> > > > >> > > > I don't think Fedora needs to drop the tpm1.2 support if people want to >> > > > continue supporting it, but wanted to put the question out there and see >> > > > how everyone felt. >> > > >> > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ >> > > years and tpm1 has security issues, so I think the time is now to drop >> > > it. Please do a Fedora Change proposal to ensure it's communicated >> > > properly. >> > >> > Won't that hurt people that have keys trapped in a TPM 1.2 device ? >> >> Won't it hurt RHEL users in similar ways? > > It may, but that is RHEL, and this Fedora, no ? > >> What is the likelihood of >> those users actively upgrading anyway? > > Upgrades in RHEL are a much bigger deal, and usually better researched > (also rare, usually people reinstall there). > > In Fedora distro-upgrading w/o looking too hard at release notes is > common. > > Of course the amount of people that uses TPM 1.2 in Fedora is probably > very small, so this change may be ok, but I just wanted to raise the > issue. > > Is there a way, after update to still use TPM 1.2 at all (even if it > requires installing copr/other repo packages)? Or will people need to > roll back their system to access those secrets at all ? > > Simo. Yes, the kernel support in the driver would still be there. Currently the driver code can't be compiled for just tpm1.2 or tpm2.0. So it would be a matter of getting userspace tools to talk to it. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
