On Wed, 20 Mar 2024 at 09:05, Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>
> Hi!
>
> On Wed, Mar 20, 2024 at 9:50 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>>
>> On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
>> > Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
>> >
>> > This is a proposed Change for Fedora Linux.
>> > This document represents a proposed Change. As part of the Changes
>> > process, proposals are publicly announced in order to receive
>> > community feedback. This proposal will only be implemented if approved
>> > by the Fedora Engineering Steering Committee.
>> >
>> > == Summary ==
>> > We disable support of engines in OpenSSL.
>> >
>> > == Owner ==
>> > * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
>> > * Email: dbelyavs@xxxxxxxxxx
>> >
>> > == Detailed Description ==
>> > We are going to build OpenSSL without engine support. Engines are not
>> > FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0.
>> > The engine functionality we are aware of (PKCS#11, TPM) is either
>> > covered by providers or will be covered soon.
>> >
>> > == Feedback ==
>> >
>> >
>> > == Benefit to Fedora ==
>> > We get rid of deprecated functionality and enforce using the up-to-date
>> > API. Engine support is deprecated in OpenSSL upstream, and, after the
>> > provider migration, engine support has some deficiencies. No
>> > new features will be added to the engine. So we reduce the maintenance
>> > burden and potentially the attack surface.
>>
>> Hi,
>>
>> In systemd, we recently added support for engines in various tools:
>> - systemd-{repart,measure} have --private-key-source=file|engine|provider
>> (this is C code).
>
>
> As `provider` is a possible source, you will have to replace `engine` with a particular provider.
> tpm2 provider is on the way to rawhide, and pkcs11 provider has already landed, so TPMs and Yubikeys
>
>
>>
>> - ukify has --signing-engine.
>> This is Python code that calls sbsign or pesign to do parts of the
>> heavy lifting, and those binaries do not support providers. (At least
>> the docs are silent on this, please correct if they do.)
>
>
> Have no idea, but it means we have to change this code.
>>
>>
>> So it seems we'd lose support for signing with keys stored on yubikeys
>> and tpms and other fancy approaches if the proposed change goes through.
>
>
> We don't lose this support, but we still have to adjust configurations.
>
>>
>> --
>>
>> Also, what is the impact on:
>> - kernel module signing in the build system
>> - signing of shim, grub2, fwupd, and the kernel in the build system
>> - mokutil
>
>
> Does any kernel module rely on OpenSSL?

No, but they use openssl for signing kernel modules; you can see the details in the spec [1], search for openssl.

[1] https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel.spec
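The "we still have to adjust configurations" point above becomes a concrete audit task once OpenSSL is built without engines: any `engines =` section in openssl.cnf can no longer be used, and each one needs a provider in its place. The following script is an added example for this thread, not code from Fedora, systemd or OpenSSL; it parses a constructed openssl.cnf, lists the engine sections a no-engine build cannot use, and reports which of them have no provider of the same name configured. The section names and module paths in the sample are assumptions modelled on the libp11 engine and pkcs11-provider layouts.

```python
"""Audit an openssl.cnf: list engine sections a no-engine build cannot use and
check whether a provider of the same name is configured in their place."""
import configparser

# Constructed openssl.cnf (not from the thread): a libp11-style pkcs11 engine
# next to a pkcs11-provider section. Paths are illustrative assumptions.
SAMPLE_CNF = """
openssl_conf = openssl_init
[openssl_init]
engines = engine_sect
providers = provider_sect
[engine_sect]
pkcs11 = pkcs11_engine
[pkcs11_engine]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
[provider_sect]
pkcs11 = pkcs11_sect
[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/opensc-pkcs11.so
activate = 1
"""

def parse_cnf(text):
    # OpenSSL's cnf is INI-like; keys before the first [section] go into a synthetic one.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: MODULE_PATH and module are distinct keys
    cp.read_string("[_top]\n" + text)
    return cp

def _aliases(cp, init, key):
    # alias -> referenced section, for the 'engines' or 'providers' list
    sect = cp[init].get(key)
    return dict(cp[sect].items()) if sect and cp.has_section(sect) else {}

def audit(text):
    cp = parse_cnf(text)
    init = cp["_top"].get("openssl_conf", "")
    if not cp.has_section(init):
        return {"engines": {}, "providers": {}, "uncovered": []}
    engines = {a: cp[s].get("engine_id", a) if cp.has_section(s) else a
               for a, s in _aliases(cp, init, "engines").items()}
    providers = {a: cp[s].get("module", "builtin") if cp.has_section(s) else "builtin"
                 for a, s in _aliases(cp, init, "providers").items()}
    # An engine counts as covered only when a provider of the same name is configured.
    uncovered = sorted(e for e in engines.values() if e not in providers)
    return {"engines": engines, "providers": providers, "uncovered": uncovered}
```

Running `audit()` over a host's real /etc/pki/tls/openssl.cnf before the change lands shows which engine names still lack a provider section and therefore need the configuration adjustment the thread talks about.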