=== genii is now known as genii-core | ||
=== doko__ is now known as doko | ||
=== alan_g_ is now known as alan_g | ||
juliank | hallyn, jmbl it's just not super ready yet to actually revoke stuff via sbat | 10:26 |
---|---|---|
=== Guest45 is now known as wilkmar | ||
hallyn | juliank: is there a list of things that aren't ready yet, and a forum where the stuff's happening? | 13:24 |
juliank | hallyn: there have not been any SBAT revocations yet, once there are things should be clearer | 14:27 |
juliank | as in we have a broad understanding of how it should work, but we'll see if it *really* works that way once it happens | 14:32 |
hallyn | juliank: but are there any documents right now that actually clearly outline how it's *meant* to work? Or is SBAT.md in rhboot/shim it? | 14:38 |
juliank | SBAT.md is the only public resource I am aware of | 14:38 |
hallyn | I'm a tinge surprised there aren't more people out there talking about (a) how to use a self-signed shim on your laptop to (b) run your own .efi and then (c) self-sign an SbatVersion variable for it. | 14:39 |
hallyn | s/aren't more/aren't any/ | 14:39 |
hallyn | but thanks, juliank. Good to know. | 14:40 |
beisner | ⭐🎄🎁 Cheers, Ubufriends! | 14:46 |
hallyn | beisner: \o may your tree also be rich with presents :) | 14:54 |
ahasenack | schopin: hi, do you know something about FIPS_mode() and openssl3? | 15:02 |
ahasenack | i.e., is it a known drop in the 3 version? | 15:02 |
ahasenack | in 1.1.1l we have /usr/include/openssl/crypto.h:int FIPS_mode(void); | 15:03 |
ahasenack | ok, looks like it was removed | 15:07 |
schopin | ahasenack: yes, it is. there's a straightforward replacement, though. | 15:19 |
schopin | EVP_default_properties_enable_fips(3) and EVP_default_properties_is_fips_enabled(3) ( | 15:20 |
schopin | FIPS_mode() should be replaced by EVP_default_properties_is_fips_enabled(NULL) IIRC | 15:22 |
=== genii-core is now known as genii | ||
bryceh | ahasenack, having some firefox trouble, be at standup in a min hopefully | 16:01 |
ahasenack | bryceh: ok | 16:02 |
ahasenack | schopin: yeah, found this in a commit | 16:06 |
ahasenack | +#if OPENSSL_VERSION_NUMBER >= 0x30000000L | 16:06 |
ahasenack | + if (!EVP_default_properties_is_fips_enabled(NULL)) { | 16:06 |
ahasenack | +#else | 16:06 |
ahasenack | if (FIPS_mode() == 0) { | 16:06 |
ahasenack | +#endif | 16:06 |
* schopin has written lots of variations on this one in the past few weeks :) | 16:07 | |
schopin | Note that if you have an explicit ctx object, you might want to pass it to EVP_default...() (assuming said context is used to query the algorithms) | 16:08 |
ahasenack | instead of null, ok | 16:11 |
=== genii is now known as genii-core |