RHEL-86059

Enable PQ crypto in DEFAULT crypto policy


    • crypto-policies-20250424-1.git9267dee.el10
    • No
    • Moderate
    • 1
    • rhel-security-crypto
    • ssg_security
    • 9
    • 10
    • 1.5

      While the bulk of the post-quantum cryptography work happens in the actual cryptographic libraries, what actually makes the work user-visible and gets the bug reports flowing in is flipping the defaults in crypto-policies. With this change, select PQ algorithms are enabled by default in RHEL for the first time ever. More specifically, pure ML-DSA signature algorithms and hybrid ML-KEM key exchange are preferred for the backends supporting them: both ML-KEM and ML-DSA for OpenSSL, just ML-KEM for NSS, gnutls and openssh. (So far the fallout looks very moderate.)

    • False
    • None
    • Yes
    • Crypto25Q2

      AC1) LEGACY/DEFAULT/FUTURE policies:

      • prepend the following to group: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024 and MLKEM768-X25519
      • prepend the following to sign: MLDSA44, MLDSA65 and MLDSA87
      • prepend the following to key_exchange: KEM-ECDH

      AC2) Newly introduced NO-PQ subpolicy disables the algorithms above.

      AC3) Applying these policies does not cause warnings.

      AC4) Package crypto-policies-pq-preview is no longer available.

    • Pass
    • Not Needed
    • Automated
    • Enhancement
      Feature, enhancement: pure ML-KEM and hybrid ML-DSA post-quantum cryptographic algorithms are now enabled in LEGACY, DEFAULT and FUTURE cryptographic policies with the highest priorities. A new NO-PQ subpolicy has been introduced to simplify reverting the effect of this change.
      Reason: This change is part of RHEL's ongoing post-quantum readiness effort.
      Result: RHEL-10.1 hosts may now default to negotiating select post-quantum algorithms in both received and established TLS and SSH connections, depending on the software being used and the configuration on the other side of the connection.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      We are planning the following:
      OpenSSL in RHEL will be rebased to 3.5 (the version that has native support for PQ crypto) as soon as it is released (currently the release is planned for Apr 8, 2025). The new version will obsolete the oqsprovider package used for providing PQ crypto in 10.0.
      PQ crypto algorithms ML-DSA (pure) and ML-KEM (hybrid) will be added to the DEFAULT, LEGACY, and FUTURE crypto-policies with the highest priority.
      Some extended support for other PQ algorithms (pure ML-KEM, hybrid ML-DSA, etc.) might be kept in the optional TEST-PQ crypto policies.

      These changes are to land by CTC1.

      We may also want to implement a NO-PQ subpolicy.

      Acceptance Criteria proposal:

      1. SanityOnly LEGACY/DEFAULT/FUTURE policies:

         • prepend the following to group: X25519-MLKEM768, P256-MLKEM768, P384-MLKEM1024 and MLKEM768-X25519
         • prepend the following to sign: MLDSA44, MLDSA65 and MLDSA87
         • prepend the following to key_exchange: KEM-ECDH
      2. Newly introduced NO-PQ subpolicy disables the algorithms above.
      3. Applying these policies does not cause warnings.
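
One way to check AC1 and AC2 mechanically, added here as an example (it is not code from crypto-policies or from this ticket). It assumes policy text in `property = value ...` form with optional backslash line continuations, and that "prepend" means the PQ values sit at the front in the order the ticket lists them; the sample policies are constructed.

```python
# Added example: checks the ticket's AC1/AC2 against policy text.
PQ = {  # values copied from AC1 of the ticket
    "group": ["X25519-MLKEM768", "P256-MLKEM768", "P384-MLKEM1024", "MLKEM768-X25519"],
    "sign": ["MLDSA44", "MLDSA65", "MLDSA87"],
    "key_exchange": ["KEM-ECDH"],
}

def parse_policy(text):
    """Parse 'property = v1 v2 ...' lines into {property: [values]}."""
    props = {}
    # Assumption: a trailing backslash continues the value list on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        props[key.strip()] = val.split()
    return props

def check_ac1(props):
    """AC1: return the properties whose list does NOT start with the PQ values."""
    return [k for k, want in PQ.items() if props.get(k, [])[:len(want)] != want]

def check_ac2(props):
    """AC2: return {property: [PQ values still enabled]}; empty means PQ is off."""
    left = {k: [v for v in props.get(k, []) if v in want] for k, want in PQ.items()}
    return {k: v for k, v in left.items() if v}

# Constructed sample: PQ values prepended, as AC1 requires.
DEFAULT_SAMPLE = r"""
# constructed sample, not a shipped policy file
group = X25519-MLKEM768 P256-MLKEM768 P384-MLKEM1024 MLKEM768-X25519 \
        X25519 SECP256R1
sign = MLDSA44 MLDSA65 MLDSA87 ECDSA-SHA2-256 RSA-PSS-SHA2-256
key_exchange = KEM-ECDH ECDHE RSA
"""
# Constructed sample: the same policy with the PQ values removed (AC2).
NO_PQ_SAMPLE = "group = X25519 SECP256R1\nsign = ECDSA-SHA2-256\nkey_exchange = ECDHE RSA\n"
# Constructed sample: PQ group enabled but not preferred, which AC1 should reject.
MISORDERED_SAMPLE = DEFAULT_SAMPLE.replace(
    "group = X25519-MLKEM768", "group = X25519 X25519-MLKEM768")

if __name__ == "__main__":
    for name, text in [("DEFAULT", DEFAULT_SAMPLE), ("NO-PQ", NO_PQ_SAMPLE),
                       ("MISORDERED", MISORDERED_SAMPLE)]:
        p = parse_policy(text)
        print(name, "AC1 failures:", check_ac1(p), "PQ still enabled:", check_ac2(p))
```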

              asosedki@redhat.com Alexander Sosedkin
              dbelyavs@redhat.com Dmitry Belyavskiy
              Alexander Sosedkin
              Ondrej Moris
              Mirek Jahoda