pmb.config.cipher: set default to aes-xts-plain64 (MR 1958)
Replace aes-cbc-plain64 with the stronger cipher aes-xts-plain64. CONFIG_CRYPTO_XTS is necessary for this, so require it in "pmbootstrap kconfig check". Related: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions#5-security-aspects
parent
ec71670f20
commit
05c013536d
|
@ -66,9 +66,7 @@ defaults = {
|
|||
"aports": "$WORK/cache_git/pmaports",
|
||||
"ccache_size": "5G",
|
||||
"is_default_channel": True,
|
||||
# aes-xts-plain64 would be better, but this is not supported on LineageOS
|
||||
# kernel configs
|
||||
"cipher": "aes-cbc-plain64",
|
||||
"cipher": "aes-xts-plain64",
|
||||
"config": os.path.expanduser("~") + "/.config/pmbootstrap.cfg",
|
||||
"device": "qemu-amd64",
|
||||
"extra_packages": "none",
|
||||
|
@ -191,6 +189,7 @@ necessary_kconfig_options = {
|
|||
"ANDROID_PARANOID_NETWORK": False,
|
||||
"BLK_DEV_INITRD": True,
|
||||
"CGROUPS": True,
|
||||
"CRYPTO_XTS": True,
|
||||
"DEVTMPFS": True,
|
||||
"DM_CRYPT": True,
|
||||
"EXT4_FS": True,
|
||||
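Review bot: The new default `"cipher": "aes-xts-plain64",` has no comment, although the two comment lines it displaces explained why the old value was chosen, so a reader of `defaults` can no longer see that this value depends on `"CRYPTO_XTS": True` in `necessary_kconfig_options`. I would add `# needs CONFIG_CRYPTO_XTS, see necessary_kconfig_options` above the entry. XTS also splits the supplied key into two halves, so the AES key length is half the key size given to cryptsetup. The key size is not set anywhere in these hunks, so confirm it at the format call and record it next to the default, e.g. `# XTS halves the key: a 512-bit key size gives AES-256`. Both dicts start and end outside the hunks shown.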
|
|
|
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
|||
CONFIG_VT=y
|
||||
CONFIG_UEVENT_HELPER=y
|
||||
CONFIG_LBDAF=y
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
CONFIG_EXT4_FS=y
|
||||
CONFIG_SQUASHFS=y
|
||||
CONFIG_SQUASHFS_XZ=y
|
||||
|
|
|
@ -30,3 +30,4 @@ CONFIG_DM_CRYPT=y
|
|||
CONFIG_VT=y
|
||||
CONFIG_UEVENT_HELPER=y
|
||||
CONFIG_LBDAF=y
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
|
|
|
@ -29,5 +29,6 @@ CONFIG_SYSVIPC=y
|
|||
CONFIG_VT=y
|
||||
CONFIG_UEVENT_HELPER=y
|
||||
CONFIG_LBDAF=y
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
### here's one wrong option set:
|
||||
ANDROID_PARANOID_NETWORK=y
|
||||
|
|
|
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
|||
CONFIG_VT=y
|
||||
CONFIG_UEVENT_HELPER=y
|
||||
CONFIG_LBDAF=y
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
### here's one explicitely disabled:
|
||||
# ANDROID_PARANOID_NETWORK is not set
|
||||
### here's one set to module:
|
||||
|
|
|
@ -29,6 +29,7 @@ CONFIG_SYSVIPC=y
|
|||
CONFIG_VT=y
|
||||
CONFIG_UEVENT_HELPER=y
|
||||
CONFIG_LBDAF=y
|
||||
CONFIG_CRYPTO_XTS=y
|
||||
CONFIG_EXT4_FS=y
|
||||
CONFIG_SQUASHFS=y
|
||||
CONFIG_SQUASHFS_XZ=y
|
||||
|
|