On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
>
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> We disable support of engines in OpenSSL
>
> == Owner ==
> * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
> * Email: dbelyavs@xxxxxxxxxx
>
> == Detailed Description ==
> We are going to build OpenSSL without engine support. Engines are not
> FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0.
> The engine functionality we are aware of (PKCS#11, TPM) is either
> covered by providers or will be covered soon.
>
> == Feedback ==
>
>
> == Benefit to Fedora ==
> We get rid of deprecated functionality and enforce using up-to-date
> API. Engine support is deprecated in OpenSSL upstream, and after
> provider migration caused some deficiencies with engine support. No
> new features will be added to the engine. So we reduce the maintenance
> burden and potentially attack surface.

Hi,

In systemd, we recently added support for engines in various tools:

- systemd-{repart,measure} have --private-key-source=file|engine|provider
  (this is C code).
- ukify has --signing-engine. This is Python code that calls sbsign or
  pesign to do parts of the heavy lifting, and those binaries do not
  support providers. (At least the docs are silent on this, please
  correct me if they do.)

So it seems we'd lose support for signing with keys stored on yubikeys
and tpms and other fancy approaches if the proposed change goes through.
Also, what is the impact on:

- kernel module signing in the build system
- signing of shim, grub2, fwupd, and the kernel in the build system
- mokutil

Thanks,
Zbyszek
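For readers auditing their own systems before such a change lands, here is an added example (not from this thread or from the Fedora proposal) of what the migration looks like in openssl.cnf: the deprecated PKCS#11 engine section beside its provider-based replacement. The module paths are assumptions for a typical x86_64 layout; the provider keys follow the pkcs11-provider project's configuration.

```ini
# --- BEFORE: engine-based loading of PKCS#11 keys (goes away with a no-engine build) ---
openssl_conf = openssl_init_engine

[openssl_init_engine]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_engine_section

[pkcs11_engine_section]
engine_id   = pkcs11
# libp11 engine shim and the PKCS#11 module it drives (paths are assumptions)
dynamic_path = /usr/lib64/engines-3/pkcs11.so
MODULE_PATH  = /usr/lib64/opensc-pkcs11.so
init = 0

# --- AFTER: provider-based loading, which works on an OpenSSL built without engines ---
# (rename openssl_conf above to point here when switching)
[openssl_init_provider]
providers = provider_section

[provider_section]
default = default_section
pkcs11  = pkcs11_provider_section

[default_section]
# keep the default provider active so software keys and ciphers still work
activate = 1

[pkcs11_provider_section]
# pkcs11-provider module and the PKCS#11 module it drives (paths are assumptions)
module             = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/opensc-pkcs11.so
activate = 1
```

A quick way to tell which side of this line a host is on: `openssl list -providers` should show the pkcs11 provider after the change, while any tooling that still needs `openssl list -engines` to show something (or that passes `-engine pkcs11`) is in the affected set.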