=== genii is now known as genii-core
=== doko__ is now known as doko
=== alan_g_ is now known as alan_g
[10:26] <juliank> hallyn, jmbl it's just not super ready yet to actually revoke stuff via sbat
=== Guest45 is now known as wilkmar
[13:24] <hallyn> juliank: is there a list of things that aren't ready yet, and a forum where the stuff's happening?
[14:27] <juliank> hallyn: there have not been any SBAT revocations yet, once there are things should be clearer
[14:32] <juliank> as in we have a broad understanding of how it should work, but we'll see if it *really* works that way once it happens
[14:38] <hallyn> juliank: but are there any documents right now htat actually clearly outline how it's *meant* to work?  Or is SBAT.md in rhboot/shim it?
[14:38] <juliank> SBAT.md is the only public resource I am aware of
[14:39] <hallyn> I'm a tinge surprised there aren't more people out there talking about (a) how to use a self-signed shim on your laptop to (b) run  your own .efi and then (c) self-sign an SbatVersion variable for it.
[14:39] <hallyn> s/aren't more/aren't any/
[14:40] <hallyn> but thanks, juliank .  Good to know.
[14:46] <beisner> ⭐🎄🎁 Cheers, Ubufriends!
[14:54] <hallyn> beisner: \o  may your tree also be rich with presents :)
[15:02] <ahasenack> schopin: hi, do you know something about FIPS_mode() and openssl3?
[15:02] <ahasenack> i.e., is it a known drop in the 3 version?
[15:03] <ahasenack> in 1.1.1l we have /usr/include/openssl/crypto.h:int FIPS_mode(void);
[15:07] <ahasenack> ok, looks like it was removed
[15:19] <schopin> ahasenack: yes, it is. there's a straightforward replacement, though.
[15:20] <schopin> EVP_default_properties_enable_fips(3) and  EVP_default_properties_is_fips_enabled(3) (
[15:22] <schopin> FIPS_mode() should be replaced by EVP_default_properties_is_fips_enabled(NULL) IIRC
=== genii-core is now known as genii
[16:01] <bryceh> ahasenack, having some firefox trouble be at standup in a min hopefully
[16:02] <ahasenack> bryceh: ok
[16:06] <ahasenack> schopin: yeah, found this in a commit
[16:06] <ahasenack> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
[16:06] <ahasenack> +               if (!EVP_default_properties_is_fips_enabled(NULL)) {
[16:06] <ahasenack> +#else
[16:06] <ahasenack>                 if (FIPS_mode() == 0) {
[16:06] <ahasenack> +#endif
[16:07]  * schopin has written lots of variations on this one in the past few weeks :)
[16:08] <schopin> Note that if you have an explicit ctx object, you might want to pass it to EVP_default...() (assuming said context is used to query the algorithms)
[16:11] <ahasenack> instead of null, ok
=== genii is now known as genii-core