Fedora project will be dropping openssl engine support

[traxtopel]

You are probably aware that the Fedora project will be dropping engine support in OpenSSL and wpa_supplicant. This will of course impact tpm2-pkcs11.
Are there any plans to add support for the tpm2-openssl provider to wpa_supplicant?

https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine

[gotthardp]

Not in this project. You should ask the wpa_supplicant folks.

[tomoveu]

@traxtopel I would be happy to take a look because I am trying to gather more tpm2-openssl experience. My work involves using the TPM2 directly through the TPM software stack, however this has started to change and now I am forced to user openssl like it or not.

My timeline for looking at tpm2-pkcs would be beginning of next year. The fedora announcement does not say when is this change into effect. Is it immediate?

Thanks,
Dimi

[traxtopel]

I've been informed by the developer dcaratti@redhat.com that the OpenSSL maintainers have confirmed the engine API will be deprecated in a few months, which affects both TPM2 and PKCS11 implementations. Red Hat is shifting towards the pkcs11-provider as an alternative solution. However, I've encountered difficulties using this provider, even when using a patched wpa_supplicant (https://github.com/dcaratti/hostap-ctest/tree/pkcs11-use-provider-in-place-of-engine). In light of this, it would be beneficial patching wpa_supplicant to support the TPM2-openssl provider. Let me know if I can assist in testing.

[tomoveu]

@traxtopel please send me an email at dimi@tpm.dev to stay in touch. I will look into tpm2-provider support for wpa-supplicant for sure. Thank you for the good information.