photon icon indicating copy to clipboard operation
photon copied to clipboard
verified publisher icon vmware

Secure Boot with support for FIPS 204 ML-DSA post-quantum signature algorithm

Open dcasota opened this issue 8 months ago • 2 comments

Is your feature request related to a problem? Please describe.

Hi Photon OS team, The FIPS 204 ML-DSA post-quantum signature algorithm seems to become the preferred one for future secure boot. The openssl 3.0 series' support will fade out next year and hybrid/composite pqc signature algorithms will be supported in 3.5++ only (https://github.com/openssl/openssl/issues/26121).

Version Release Type Release Date Supported Until
3.0 LTS Sep 2021 Sep 2026
3.5 LTS Apr 2025 Apr 2030

3.0 to 3.5 is a remarkable change. Early impact testing for openssl 3.5 in Photon OS could be helpful.

Describe the solution you'd like

Verified as described in STIG compliances, in dod-compliance-and-automation

Describe alternatives you've considered

No response

Additional context

fyi https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

dcasota avatar Mar 27 '25 14:03 dcasota

OpenSSL 3.5 won't gain any additional hybrid schemes beyond the few it supports for TLS.

3.6 is the place where these should become available.

paulidale avatar Apr 03 '25 23:04 paulidale

OpenSSL roadmap: https://openssl-library.org/roadmap/index.html OpenSSL 3.0.18 (latest) has been applied to Photon OS 4.0/5.0/6.0. 🧐 no migration yet to next LTS OpenSSL 3.5 (actual release 3.5.4) for open-source Photon OS.

dcasota avatar Nov 19 '25 12:11 dcasota