Fedora Linux Transition

Dmitry Belyavskiy (Red Hat)


While numerous robust post-quantum (PQ) standards exist, along with various projects implementing them, widespread adoption for communication and data protection hinges on their integration into mainstream OS distributions. By incorporating these standards into popular OS distributions, we can significantly enhance their accessibility and utility.

Red Hat, as a member of the QUBIP consortium, has chosen Fedora Linux as the platform to provide initial support for quantum-resistant cryptography. The Fedora Project creates an innovative, free, and open source platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users. This community platform is ideal for testing software that will become part of Red Hat Enterprise Linux (RHEL) in a future release cycle. Red Hat has a strong presence in the community, influencing and contributing to its further development. The rapid release cycle is a major enabling factor in Fedora’s ability to innovate. Being a center of innovation, Fedora Linux may include versions of software based on non-finalized specifications of PQ algorithms and protocols. PQ software that is suitable for conducting experiments and building test environments can be widely distributed for feedback. Red Hat teams actively participate in maintaining the QUBIP-relevant portions of the Fedora project.

The scope of the current additions to Fedora Linux is centered on adding low-level components that extend the crypto libraries' capabilities to provide PQ algorithms. Applications relying on these crypto libraries (OpenSSL, NSS) will be able to use the PQ algorithms via standard interfaces to the extent that this is implemented by their maintainers. For instance, the OpenSSL-based web server nginx and OpenSSL-dependent command-line TLS client tools such as curl accept configuration options for specifying key exchange algorithms and can use OpenSSL providers based on system-wide configurations, the so-called crypto policies. Introducing PQ support to particular applications (e.g. package signature verification, secure boot, etc.) is currently out of scope of our efforts related to the QUBIP project, but of course we are going to incorporate any changes made by maintainers.

Red Hat associates have a long history of working with crypto libraries such as OpenSSL and NSS, which were chosen as the primary targets for providing PQ algorithms, and are also involved in the upstream development of these libraries. These libraries are completely different. OpenSSL implements a so-called providers API that allows easy implementation of new algorithms and their use from OpenSSL-based applications. NSS also relies on a pluggable API (PKCS#11) but has more hard-coded limitations to deal with. OpenSSL dominates the web-server world (Apache, nginx) and command-line utilities (curl). On the other hand, the NSS-based web browser Firefox remains a popular GUI tool.

Protocol implementation in Fedora Linux requires standards covering PQ variants, and these are currently incomplete. Therefore, there are no upstream repositories (i.e. the primary public repositories of the software, in this case of the operating system) ready to implement any PQ protocols until there is a complete (enough) specification approved by the relevant standards body.

The Fedora project relies on integrating open-source components into the system and making them work together in a compatible manner. So, work started with choosing the relevant open-source components to integrate into the OS. Our choice is liboqs and oqsprovider, developed by the Open Quantum Safe project.

liboqs was chosen to be included in Fedora Linux after investigating many options. It is written in C, follows best development practices, provides a wide list of algorithms, has a suitable license, and has a very responsive upstream. The combination of these circumstances makes liboqs a good choice both for QUBIP purposes and for possible future use in Fedora Linux. Furthermore, liboqs uses the same low-level implementation of PQ algorithms (PQClean) that is, to the best of our knowledge, planned to be included in NSS, so it improves compatibility between the two libraries.

oqsprovider is based on liboqs and is implemented by the same team, and tests using oqsprovider are run as a part of the OpenSSL integration tests. This ensures compatibility between the provider and OpenSSL itself.

The level of conformance to the standards is the one provided by the version of liboqs available in the distribution. Usually the latest versions of liboqs and the oqs provider are available in Fedora Rawhide (a development version).

We added liboqs and oqsprovider in Fedora 39, the earliest supported version as of now. Since then it has been possible to experiment with PQ key exchange in TLS. We gave a presentation about it at FOSDEM’24. At this stage it was possible to test PQ KEM using hybrid Kyber solutions for nginx and curl and also to test the interoperability with external implementations (Google, Cloudflare). Subsequently we have been working on extending the level of integration of PQ algorithms into Fedora. This requires upgrading the OpenSSL, liboqs, and oqs-provider versions shipped with Fedora to match up-to-date versions of the standards, as well as developing and contributing to these projects. The version of liboqs available in the distribution determines the level of compatibility with the draft version of the standards. Usually, the latest versions of liboqs and oqs-provider are available in Fedora Rawhide (the Fedora Linux development version).

Currently the PQ algorithms provided by different versions of Fedora Linux are different. Versions 39 and 40 provided Kyber and Dilithium, but this changed after the latest NIST drafts were published. Fedora Rawhide (the future Fedora 41) provides both recent NIST versions (ML-DSA and ML-KEM), and we also added the hybrid Kyber-based algorithms to the list of supported algorithms in the build of liboqs. We did this to be able to interoperate with deployments of these algorithms despite their experimental status. This, however, may change in the future.

Fedora Linux implements a system-wide feature called “crypto policies” that provides consistent configurations for all applications using core crypto libraries (OpenSSL, NSS, GnuTLS); separate crypto policies enabling PQ and/or hybrid algorithms are available.

To simplify the setup for demo purposes, we have implemented a container for nginx and curl so users can easily try out simple TLS connections. These container images have all the necessary components and the crypto policies installed but will need some manual steps (like key generation) to be prepared for testing. Documentation is not ready yet, but we plan to provide it before the public release.

liboqs and oqsprovider are already available in the distribution. The other partners will make additional components available for testing in separate repositories that will make it simple to install and test their modifications. These repositories may be added to a particular installation during system configuration, and then the standard system commands will be used to install components seamlessly. GUI tools such as Firefox will probably be available in Flatpak format. Applications distributed in this format can include custom versions of system libraries (NSS), so that non-compatible changes don’t affect the whole system.

All these changes make Fedora Linux a great playground for experimenting with PQ algorithms and a viable platform for the QUBIP efforts to integrate PQ cryptography into protocols, networks and systems we use in our regular work.
