Power Global

A central meeting place for IBM Power. Connect, ask questions, share ideas, and explore the full spectrum of Power technologies across workloads, industries, and use cases.


Configuring Quantum Safe OpenSSL in RHEL 9 running on IBM Power

    Posted 22 hours ago

    For my upcoming session at TechXchange on PowerSC Quantum Safe Scan, I needed to get a PQC key or certificate on a system in our lab. I found Alex Bozarth's excellent article "Developing with quantum-safe OpenSSL" (https://developer.ibm.com/tutorials/awb-quantum-safe-openssl/), but it is for installing on Ubuntu in an x86 environment.

    Below are modified instructions to set up OpenSSL 3 with a quantum-safe provider in RHEL 9 on IBM Power. Everything is installed into its own workspace so that it does not conflict with the system OpenSSL. The steps assume root privileges; if you are not root, use sudo where needed.

    Of course, use this at your own risk. Hopefully, someone finds this useful.

    1. Prepare the System

    Update Packages

    dnf update is an alias for dnf upgrade, so a single command is enough:

    dnf -y upgrade

    Create Workspace

    These steps create a workspace for the installations and can be any directory that you have write permissions to. The total installation is less than 3GB.

    export WORKSPACE=/opt/pqc
    export BUILD_DIR=$WORKSPACE/build
    mkdir -p $BUILD_DIR/lib64
    ln -s $BUILD_DIR/lib64 $BUILD_DIR/lib
    cd $WORKSPACE

    Install Build Dependencies

    subscription-manager repos --enable codeready-builder-for-rhel-9-ppc64le-rpms
    dnf -y groupinstall "Development Tools"
    dnf -y install perl wget cmake ninja-build

    2. Install OpenSSL

    The git clone commands in this and the following steps (OpenSSL, liboqs, oqs-provider and curl) track each project's default branch. For anything beyond a lab build, check out a tagged release instead so the result is reproducible and corresponds to a known version.

    cd $WORKSPACE
    git clone https://github.com/openssl/openssl.git
    cd openssl
    ./Configure \
      --prefix=$BUILD_DIR \
      no-ssl no-tls1 no-tls1_1 no-afalgeng \
      no-shared threads -lm
    make -j $(nproc)
    make -j $(nproc) install_sw install_ssldirs

    3. Install liboqs

    cd $WORKSPACE
    git clone https://github.com/open-quantum-safe/liboqs.git
    cd liboqs
    cmake \
      -DCMAKE_INSTALL_PREFIX=$BUILD_DIR \
      -DBUILD_SHARED_LIBS=ON \
      -DOQS_USE_OPENSSL=OFF \
      -DCMAKE_BUILD_TYPE=Release \
      -DOQS_BUILD_ONLY_LIB=ON \
      -DOQS_DIST_BUILD=ON
    make -j $(nproc)
    make -j $(nproc) install

    4. Install and Configure the Open Quantum Safe Provider

    Build the Open Quantum Safe provider

    cd $WORKSPACE
    git clone https://github.com/open-quantum-safe/oqs-provider.git
    cd oqs-provider
    liboqs_DIR=$BUILD_DIR cmake \
      -DCMAKE_INSTALL_PREFIX=$WORKSPACE/oqs-provider \
      -DOPENSSL_ROOT_DIR=$BUILD_DIR \
      -DCMAKE_BUILD_TYPE=Release \
      -S . \
      -B _build
    cmake --build _build

    Copy the provider module into the workspace and update openssl.cnf to load it. Run the two sed commands once only: they append text, so a second run adds duplicate provider entries.

    cp _build/lib/* $BUILD_DIR/lib/
    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" $BUILD_DIR/ssl/openssl.cnf
    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" $BUILD_DIR/ssl/openssl.cnf

    Set Environment Variables and List Providers

    export OPENSSL_CONF=$BUILD_DIR/ssl/openssl.cnf
    export OPENSSL_MODULES=$BUILD_DIR/lib
    $BUILD_DIR/bin/openssl list -providers -verbose -provider oqsprovider

    You should see "oqsprovider" listed under Providers. OPENSSL_MODULES must point at the directory holding the copied oqsprovider module, and both variables have to be set in every shell that should use this build rather than the system OpenSSL.

    5. Install and Run cURL with Quantum-Safe Algorithms

    cd $WORKSPACE
    git clone https://github.com/curl/curl.git
    cd curl
    autoreconf -fi
    ./configure \
      LIBS="-lssl -lcrypto -lz" \
      LDFLAGS="-Wl,-rpath,$BUILD_DIR/lib64 -L$BUILD_DIR/lib64 -Wl,-rpath,$BUILD_DIR/lib -L$BUILD_DIR/lib -Wl,-rpath,/lib64 -L/lib64 -Wl,-rpath,/lib -L/lib" \
      CFLAGS="-O3 -fPIC" \
      --prefix=$BUILD_DIR \
      --with-ssl=$BUILD_DIR \
      --with-zlib=/ \
      --enable-optimize --enable-libcurl-option --enable-libgcc --enable-shared \
      --enable-ldap=no --enable-ipv6 --enable-versioned-symbols \
      --disable-manual \
      --without-default-ssl-backend \
      --without-librtmp --without-libidn2 \
      --without-gnutls --without-mbedtls \
      --without-wolfssl --without-libpsl
    make -j $(nproc)
    make -j $(nproc) install

    Test

    $BUILD_DIR/bin/curl -vk https://test.openquantumsafe.org/CA.crt --output $BUILD_DIR/ca.cert

    The -k flag skips certificate verification. That is acceptable here only because the purpose is to inspect the handshake; it does not make the downloaded CA certificate trustworthy.

    In curl's verbose output, the line describing the TLS connection should name a PQC key-exchange algorithm. I received X25519MLKEM768 while Alex's tutorial resulted in p521_kyber1024.

    He did note that "The port for a signature and key exchange algorithm combination provided by the test server is subject to change." Referring to the documentation on the test server, that appears to be the difference between these tutorials' results.

    Optional: Generate SPHINCS+ Keypair

    Generate Keypair

    The first command creates the SPHINCS+ private key through the oqsprovider; the second derives the matching public key from it.

    $BUILD_DIR/bin/openssl genpkey -algorithm sphincssha2128ssimple -provider oqsprovider -out sk.pem
    $BUILD_DIR/bin/openssl pkey -in sk.pem -pubout -out pk.pem



    ------------------------------
    Blake Hoskinson
    ------------------------------
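Two checks that follow from the procedure in the post above, as an added example that is not part of the post and not code from the OpenSSL, liboqs, oqs-provider or curl projects. The first is a re-runnable replacement for the two sed commands in step 4: those append text, so a second run duplicates the provider entries, and the stock openssl.cnf ships [default_sect] with a commented-out "activate = 1" that the sed leaves in place. The second classifies the key-exchange group in curl -v output as classical, hybrid or pure post-quantum, which is the check the Test step asks you to do by eye. The openssl.cnf excerpt and the curl line are constructed here; the curl line follows the "TLS version / cipher / group / signature algorithm" layout that recent curl builds print when linked against OpenSSL, which is an assumption about the format. The function names (enable_oqsprovider, provider_config_ok, tls_kex_class) are mine. Only sh, awk, grep, tr and mktemp are needed.

```sh
#!/bin/sh
# Added example (not from the post, nor from OpenSSL/liboqs/oqs-provider):
# post-install checks for the quantum-safe OpenSSL build described above.
set -eu

# Constructed excerpt of a stock OpenSSL 3 openssl.cnf (not a real lab file),
# including the commented "# activate = 1" that the real file ships with.
STOCK_CNF_EXCERPT='openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
# fips = fips_sect

[default_sect]
# activate = 1

[ ca ]
default_ca = CA_default'

# Constructed line in the layout recent curl builds print with -v when linked
# against OpenSSL: "TLS version / cipher / key-exchange group / signature alg"
# (assumption about the format; the group value is the one reported in the post).
SAMPLE_CURL_V='* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS'

# enable_oqsprovider FILE
# Same end state as the two sed commands in step 4 (oqsprovider registered in
# [provider_sect], both provider sections activated), but safe to re-run: the
# header rule re-emits the managed lines and the other rules drop any existing
# copies, commented or not. Returns 1 if FILE has no [provider_sect].
enable_oqsprovider() {
  grep -q '^\[provider_sect\]' "$1" || return 1
  _tmp=$(mktemp)
  awk '
    /^\[/ {
      sect = $0; print
      if (sect == "[provider_sect]") { print "default = default_sect"; print "oqsprovider = oqsprovider_sect" }
      if (sect == "[default_sect]" || sect == "[oqsprovider_sect]") print "activate = 1"
      if (sect == "[oqsprovider_sect]") seen = 1
      next
    }
    sect == "[provider_sect]" && /^(default|oqsprovider) *=/ { next }
    (sect == "[default_sect]" || sect == "[oqsprovider_sect]") && /^#? *activate *=/ { next }
    { print }
    END { if (!seen) { print ""; print "[oqsprovider_sect]"; print "activate = 1" } }
  ' "$1" > "$_tmp"
  cat "$_tmp" > "$1"        # overwrite in place to keep the file owner and mode
  rm -f "$_tmp"
}

# provider_config_ok FILE -> exit 0 only if oqsprovider is registered and both
# [default_sect] and [oqsprovider_sect] carry an uncommented "activate = 1".
provider_config_ok() {
  awk '
    /^\[/ { sect = $0; next }
    sect == "[provider_sect]"    && /^oqsprovider *= *oqsprovider_sect/ { reg = 1 }
    sect == "[default_sect]"     && /^activate *= *1/                  { def = 1 }
    sect == "[oqsprovider_sect]" && /^activate *= *1/                  { oqs = 1 }
    END { if (reg && def && oqs) exit 0; exit 1 }
  ' "$1"
}

# tls_kex_class < curl-v-output
# Prints pqc-hybrid (e.g. X25519MLKEM768, p521_kyber1024), pqc (e.g. mlkem768),
# classical (e.g. X25519, secp384r1) or unknown (no group in the output, as
# with older curl versions). Only ML-KEM/Kyber groups are treated as post-quantum.
tls_kex_class() {
  _group=$(awk -F' / ' '/^\* SSL connection using/ { print $3; exit }' | tr '[:upper:]' '[:lower:]')
  case "$_group" in
    '')                       echo unknown ;;
    mlkem[0-9]*|kyber[0-9]*)  echo pqc ;;          # pure post-quantum group
    *mlkem*|*kyber*)          echo pqc-hybrid ;;   # classical + post-quantum
    *)                        echo classical ;;
  esac
}

# Demonstration on the constructed inputs above.
demo_cnf=$(mktemp)
printf '%s\n' "$STOCK_CNF_EXCERPT" > "$demo_cnf"
enable_oqsprovider "$demo_cnf"
enable_oqsprovider "$demo_cnf"     # second run leaves the file unchanged
if provider_config_ok "$demo_cnf"; then
  echo "openssl.cnf: oqsprovider registered and activated"
fi
printf '%s\n' "$SAMPLE_CURL_V" | tls_kex_class     # prints: pqc-hybrid
rm -f "$demo_cnf"
```

To use it on the lab build, run `enable_oqsprovider $BUILD_DIR/ssl/openssl.cnf` in place of the two sed commands, then `provider_config_ok` on the same file before `openssl list -providers`; for the curl test, pipe the verbose output through `tls_kex_class` (curl writes it to stderr, so redirect with `2>&1`). The classifier deliberately reports "unknown" rather than "classical" when the group is absent, because an older curl that does not print the group gives no evidence either way.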