On Wed, 20 Mar 2024 at 09:05, Dmitry Belyavskiy <dbelyavs(a)redhat.com> wrote:
Hi!
On Wed, Mar 20, 2024 at 9:50 AM Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl> wrote:
>
> On Fri, Mar 08, 2024 at 08:37:19PM +0000, Aoife Moloney wrote:
> > Wiki - https://fedoraproject.org/wiki/Changes/OpensslNoEngine
> >
> > This is a proposed Change for Fedora Linux.
> > This document represents a proposed Change. As part of the Changes
> > process, proposals are publicly announced in order to receive
> > community feedback. This proposal will only be implemented if approved
> > by the Fedora Engineering Steering Committee.
> >
> > == Summary ==
> > We disable support of engines in OpenSSL
> >
> > == Owner ==
> > * Name: [[User:Dbelyavs| Dmitry Belyavskiy]]
> > * Email: dbelyavs(a)redhat.com
> >
> > == Detailed Description ==
> > We are going to build OpenSSL without engine support. Engines are not
> > FIPS compatible and the corresponding API has been deprecated since OpenSSL 3.0.
> > The engine functionality we are aware of (PKCS#11, TPM) is either
> > covered by providers or will be covered soon.
> >
> > == Feedback ==
> >
> >
> > == Benefit to Fedora ==
> > We get rid of deprecated functionality and enforce using up-to-date
> > API. Engine support is deprecated in OpenSSL upstream, and after
> > provider migration caused some deficiencies with engine support. No
> > new features will be added to the engine. So we reduce the maintenance
> > burden and potentially attack surface.
>
> Hi,
>
> In systemd, we recently added support for engines in various tools:
> - systemd-{repart,measure} have --private-key-source=file|engine|provider
> (this is C code).
As `provider` is a possible source, you will have to replace `engine` with a particular provider.
tpm2 provider is on the way to rawhide, and pkcs11 provider has already landed, so TPMs and Yubikeys
>
> - ukify has --signing-engine.
> This is Python code that calls sbsign or pesign to do parts of the
> heavy lifting, and those binaries do not support providers. (At least
> the docs are silent on this, please correct if they do.)
Have no idea, but it means we have to change this code.
>
>
> So it seems we'd lose support for signing with keys stored on yubikeys
> and tpms and other fancy approaches if the proposed change goes through.
We don't lose this support but we still have to adjust configurations.
>
> --
>
> Also, what is the impact on:
> - kernel module signing in the build system
> - signing of shim, grub2, fwupd, and the kernel in the build system
> - mokutil
Does any kernel module rely on OpenSSL?
No, but they use openssl for signing kernel modules; you can see
details in the spec [1], search openssl.
[1]