On Fri, 2020-12-04 at 11:59 -0700, Jerry Snitselaar wrote: > Simo Sorce @ 2020-12-04 07:32 MST: > > > On Fri, 2020-12-04 at 14:08 +0000, Peter Robinson wrote: > > > On Fri, Dec 4, 2020 at 2:04 PM Simo Sorce <simo@xxxxxxxxxx> wrote: > > > > On Thu, 2020-12-03 at 21:25 +0000, Peter Robinson wrote: > > > > > > We are looking to no longer support TPM1.2 in RHEL9. Than raised the > > > > > > question with regards to opencryptoki-tpmtok if it should be changed in > > > > > > Fedora as well, so I thought I'd see what everyone thinks about future > > > > > > TPM1.2 support in Fedora. I know at one point in the last year or so > > > > > > trousers almost dropped from Fedora due to being orphaned for quite a > > > > > > while. From what I could find the following packages have dependencies: > > > > > > > > > > > > ecryptfs-utils - --disable-tspi > > > > > > openconnect - looks like it will only build support if trousers-devel is > > > > > > there, and makes use of tpm2-tss as well. > > > > > > strongswan - --enable-tss-tss2 instead of --enable-tss-trousers? > > > > > > tboot - the trousers dependency was just in a policy tool that has now > > > > > > been deprecated upstream. > > > > > > opencryptoki-tpmtok - --disable-tpmtok > > > > > > > > > > > > tpm-quote-tools, tpm-tools, and trousers are all tpm1.2 specific > > > > > > packages. > > > > > > > > > > > > Another thing is that in the kernel there currently is no way to build > > > > > > with just tpm1.2 or tpm2.0 support so the kernel support for tpm1.2 > > > > > > would still be there. > > > > > > > > > > > > I don't think Fedora needs to drop the tpm1.2 support if people want to > > > > > > continue supporting it, but wanted to put the question out there and see > > > > > > how everyone felt. > > > > > > > > > > I think it should be dropped, tpm2 has been shipped in hardware for 5+ > > > > > years and tpm1 has security issues, so I think the time is now to drop > > > > > it. Please do a Fedora Change proposal to ensure it's communicated > > > > > properly. > > > > > > > > Won't that hurt people that have keys trapped in a TPM 1.2 device ? > > > > > > Won't it hurt RHEL users in similar ways? > > > > It may, but that is RHEL, and this Fedora, no ? > > > > > What is the likelihood of > > > those users actively upgrading anyway? > > > > Upgrades in RHEL are a much bigger deal, and usually better researched > > (also rare, usually people reinstall there). > > > > In Fedora distro-upgrading w/o looking too hard at release notes is > > common. > > > > Of course the amount of people that uses TPM 1.2 in Fedora is probably > > very small, so this change may be ok, but I just wanted to raise the > > issue. > > > > Is there a way, after update to still use TPM 1.2 at all (even if it > > requires installing copr/other repo packages)? Or will people need to > > roll back their system to access those secrets at all ? > > > > Simo. > > Yes, the kernel support in the driver would still be there. Currently > the driver code can't be compiled for just tpm1.2 or tpm2.0. So it > would be a matter of getting userspace tools to talk to it. So a container with a previous fedora version+tools would be a way to "deal" with it at least temporarily? (for example to decrypt data and transition to TPM2.0 to re-encrypt it or similr...) -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
