pmb.config.cipher: set default to aes-xts-plain64 (MR 1958)
Replace aes-cbc-plain64 with the stronger cipher aes-xts-plain64. CONFIG_CRYPTO_XTS is necessary for this, so require it in "pmbootstrap kconfig check". Related: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#5-security-aspects
parent
ec71670f20
commit
05c013536d
|
@ -66,9 +66,7 @@ defaults = {
|
||||||
"aports": "$WORK/cache_git/pmaports",
|
"aports": "$WORK/cache_git/pmaports",
|
||||||
"ccache_size": "5G",
|
"ccache_size": "5G",
|
||||||
"is_default_channel": True,
|
"is_default_channel": True,
|
||||||
# aes-xts-plain64 would be better, but this is not supported on LineageOS
|
"cipher": "aes-xts-plain64",
|
||||||
# kernel configs
|
|
||||||
"cipher": "aes-cbc-plain64",
|
|
||||||
"config": os.path.expanduser("~") + "/.config/pmbootstrap.cfg",
|
"config": os.path.expanduser("~") + "/.config/pmbootstrap.cfg",
|
||||||
"device": "qemu-amd64",
|
"device": "qemu-amd64",
|
||||||
"extra_packages": "none",
|
"extra_packages": "none",
|
||||||
|
@ -191,6 +189,7 @@ necessary_kconfig_options = {
|
||||||
"ANDROID_PARANOID_NETWORK": False,
|
"ANDROID_PARANOID_NETWORK": False,
|
||||||
"BLK_DEV_INITRD": True,
|
"BLK_DEV_INITRD": True,
|
||||||
"CGROUPS": True,
|
"CGROUPS": True,
|
||||||
|
"CRYPTO_XTS": True,
|
||||||
"DEVTMPFS": True,
|
"DEVTMPFS": True,
|
||||||
"DM_CRYPT": True,
|
"DM_CRYPT": True,
|
||||||
"EXT4_FS": True,
|
"EXT4_FS": True,
|
||||||
|
|
|
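Review bot: The new `"cipher": "aes-xts-plain64"` default in `defaults` drops the old explanatory comment and leaves nothing in its place, so the setting is no longer tied to the `"CRYPTO_XTS": True` requirement added in `necessary_kconfig_options`; a device kernel without XTS would presumably produce an encrypted install that cannot be unlocked at boot. I would put a comment above the cipher line, for example `# needs CONFIG_CRYPTO_XTS in the device kernel, enforced by "pmbootstrap kconfig check"`. XTS also splits the supplied key into two halves, so the effective AES key length is half the LUKS key size; the key size passed to cryptsetup is not visible in this section and is worth confirming against the intended strength. Both dicts begin and end outside the hunks shown.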
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
||||||
CONFIG_VT=y
|
CONFIG_VT=y
|
||||||
CONFIG_UEVENT_HELPER=y
|
CONFIG_UEVENT_HELPER=y
|
||||||
CONFIG_LBDAF=y
|
CONFIG_LBDAF=y
|
||||||
|
CONFIG_CRYPTO_XTS=y
|
||||||
CONFIG_EXT4_FS=y
|
CONFIG_EXT4_FS=y
|
||||||
CONFIG_SQUASHFS=y
|
CONFIG_SQUASHFS=y
|
||||||
CONFIG_SQUASHFS_XZ=y
|
CONFIG_SQUASHFS_XZ=y
|
||||||
|
|
|
@ -30,3 +30,4 @@ CONFIG_DM_CRYPT=y
|
||||||
CONFIG_VT=y
|
CONFIG_VT=y
|
||||||
CONFIG_UEVENT_HELPER=y
|
CONFIG_UEVENT_HELPER=y
|
||||||
CONFIG_LBDAF=y
|
CONFIG_LBDAF=y
|
||||||
|
CONFIG_CRYPTO_XTS=y
|
||||||
|
|
|
@ -29,5 +29,6 @@ CONFIG_SYSVIPC=y
|
||||||
CONFIG_VT=y
|
CONFIG_VT=y
|
||||||
CONFIG_UEVENT_HELPER=y
|
CONFIG_UEVENT_HELPER=y
|
||||||
CONFIG_LBDAF=y
|
CONFIG_LBDAF=y
|
||||||
|
CONFIG_CRYPTO_XTS=y
|
||||||
### here's one wrong option set:
|
### here's one wrong option set:
|
||||||
ANDROID_PARANOID_NETWORK=y
|
ANDROID_PARANOID_NETWORK=y
|
||||||
|
|
|
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
||||||
CONFIG_VT=y
|
CONFIG_VT=y
|
||||||
CONFIG_UEVENT_HELPER=y
|
CONFIG_UEVENT_HELPER=y
|
||||||
CONFIG_LBDAF=y
|
CONFIG_LBDAF=y
|
||||||
|
CONFIG_CRYPTO_XTS=y
|
||||||
### here's one explicitely disabled:
|
### here's one explicitely disabled:
|
||||||
# ANDROID_PARANOID_NETWORK is not set
|
# ANDROID_PARANOID_NETWORK is not set
|
||||||
### here's one set to module:
|
### here's one set to module:
|
||||||
|
|
|
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
||||||
CONFIG_VT=y
|
CONFIG_VT=y
|
||||||
CONFIG_UEVENT_HELPER=y
|
CONFIG_UEVENT_HELPER=y
|
||||||
CONFIG_LBDAF=y
|
CONFIG_LBDAF=y
|
||||||
|
CONFIG_CRYPTO_XTS=y
|
||||||
CONFIG_EXT4_FS=y
|
CONFIG_EXT4_FS=y
|
||||||
CONFIG_SQUASHFS=y
|
CONFIG_SQUASHFS=y
|
||||||
CONFIG_SQUASHFS_XZ=y
|
CONFIG_SQUASHFS_XZ=y
|
||||||
|
|