Re: F41 Change Proposal: Disable openSSL Engine Support (system-wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

On Wed, Mar 20, 2024 at 9:50 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
> Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
>
> This is a proposed Change for Fedora Linux.
> This document represents a proposed Change. As part of the Changes
> process, proposals are publicly announced in order to receive
> community feedback. This proposal will only be implemented if approved
> by the Fedora Engineering Steering Committee.
>
> == Summary ==
> We disable support of engines in OpenSSL
>
> == Owner ==
> * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
> * Email: dbelyavs@xxxxxxxxxx
>
> == Detailed Description ==
> We are going to build OpenSSL without engine support. Engines are not
> FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
> The engine functionality we are aware of (PKCS#11, TPM) is either
> covered by providers or will be covered soon.
>
> == Feedback ==
>
>
> == Benefit to Fedora ==
> We get rid of deprecated functionality and enforce using up-to-date
> API. Engine support is deprecated in OpenSSL upstream, and after
> provider migration caused some deficiencies with engine support. No
> new features will be added to the engine. So we reduce the maintenance
> burden and potentially attack surface.

Hi,

In systemd, we recently added support for engines in various tools:
- systemd-{repart,measure} have --private-key-source=file|engine|provider
  (this is C code).

As `provider` is a possible source, you will have to replace `engine` with a particular provider. 
tpm2 provider is on the way to rawhide, and pkcs11 provider has already landed, so TPMs and Yubikeys 

 
- ukify has --signing-engine.
  This is Python code that calls sbsign or pesign to do parts of the
  heavy lifting, and those binaries do not support providers. (At least
  the docs are silent on this, please correct it they do.)

Have no idea but it means we have to change this code 

So it seems we'd lose support for signing with keys stored on yubikeys
and tpms and other fancy approaches if the proposed change goes through.

We don't lose this support but we still have to adjust configurations.


--

Also, what is the impact on:
- kernel module signing in the build system
- signing of shim, grub2, fwupd, and the kernel in the build system
- mokutil

Does any kernel module rely on OpenSSL?
 

Thanks,
Zbyszek
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Dmitry Belyavskiy
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux