Re: F41 Change Proposal: Disable openSSL Engine Support (system-wide)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 20 Mar 2024 at 09:05, Dmitry Belyavskiy <dbelyavs@xxxxxxxxxx> wrote:
>
> Hi!
>
> On Wed, Mar 20, 2024 at 9:50 AM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>>
>> On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
>> > Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
>> >
>> > This is a proposed Change for Fedora Linux.
>> > This document represents a proposed Change. As part of the Changes
>> > process, proposals are publicly announced in order to receive
>> > community feedback. This proposal will only be implemented if approved
>> > by the Fedora Engineering Steering Committee.
>> >
>> > == Summary ==
>> > We disable support of engines in OpenSSL
>> >
>> > == Owner ==
>> > * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
>> > * Email: dbelyavs@xxxxxxxxxx
>> >
>> > == Detailed Description ==
>> > We are going to build OpenSSL without engine support. Engines are not
>> > FIPS compatible and corresponding API is deprecated since OpenSSL 3.0.
>> > The engine functionality we are aware of (PKCS#11, TPM) is either
>> > covered by providers or will be covered soon.
>> >
>> > == Feedback ==
>> >
>> >
>> > == Benefit to Fedora ==
>> > We get rid of deprecated functionality and enforce using up-to-date
>> > API. Engine support is deprecated in OpenSSL upstream, and after
>> > provider migration caused some deficiencies with engine support. No
>> > new features will be added to the engine. So we reduce the maintenance
>> > burden and potentially attack surface.
>>
>> Hi,
>>
>> In systemd, we recently added support for engines in various tools:
>> - systemd-{repart,measure} have --private-key-source=file|engine|provider
>>   (this is C code).
>
>
> As `provider` is a possible source, you will have to replace `engine` with a particular provider.
> tpm2 provider is on the way to rawhide, and pkcs11 provider has already landed, so TPMs and Yubikeys
>
>
>>
>> - ukify has --signing-engine.
>>   This is Python code that calls sbsign or pesign to do parts of the
>>   heavy lifting, and those binaries do not support providers. (At least
>>   the docs are silent on this, please correct it they do.)
>
>
> Have no idea but it means we have to change this code
>>
>>
>> So it seems we'd lose support for signing with keys stored on yubikeys
>> and tpms and other fancy approaches if the proposed change goes through.
>
>
> We don't lose this support but we still have to adjust configurations.
>
>>
>> --
>>
>> Also, what is the impact on:
>> - kernel module signing in the build system
>> - signing of shim, grub2, fwupd, and the kernel in the build system
>> - mokutil
>
>
> Does any kernel module rely on OpenSSL?

No but they use openssl for signing kernel modules, you can see
details in the spec [1], search openssl.

[1] https://src.fedoraproject.org/rpms/kernel/blob/rawhide/f/kernel.spec
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux