| Message ID | 20220428230012.3467800-1-alejandro@enedino.org |
|---|---|
| State | New |
| Series | cryptsetup: Add luks2 related PACKAGECONFIGs |
On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote: > Cryptsetup allows for certain luks2 related defaults to be > set for libcryptsetup, these include the default PBKDF > algorithm, memory limit for PBKDF2, parallel threads and > iteration time. > > Add these options as PACKAGECONFIGs to cryptsetup while > setting variables defined as the current cryptsetup > defaults, making this change transparent for the user but > allow these knobs to be customized. > > Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org> > --- > .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > index 8f9f663a3..7baca98cb 100644 > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \ > udev \ > " > > + > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms) > +LUKS2_PBKDF ?= "argon2i" > +LUKS2_MEMORYKB ?= "1048576" > +LUKS2_PARALLEL_THREADS ?= "4" > +LUKS2_ITERTIME ?= "2000" > + is this something that can be selected at runtime too ? > + > PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" > PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" > PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality" 
> @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" > PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" > PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" > PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}" > +PACKAGECONFIG[luks2-memorykb] = "--with-luks2-memory-kb=${LUKS2_MEMORYKB}" > +PACKAGECONFIG[luks2-parallel-threads] = "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}" > +PACKAGECONFIG[luks2-itertime] = "--with-luks2-iter-time=${LUKS2_ITERTIME}" > > EXTRA_OECONF = "--enable-static" > # Building without largefile is not supported by upstream > > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#96850): https://lists.openembedded.org/g/openembedded-devel/message/96850 > Mute This Topic: https://lists.openembedded.org/mt/90765285/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On Thu, Apr 28, 2022, 6:30 PM Khem Raj <raj.khem@gmail.com> wrote: > > > On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote: > > Cryptsetup allows for certain luks2 related defaults to be > > set for libcryptsetup, these include the default PBKDF > > algorithm, memory limit for PBKDF2, parallel threads and > > iteration time. > > > > Add these options as PACKAGECONFIGs to cryptsetup while > > setting variables defined as the current cryptsetup > > defaults, making this change transparent for the user but > > allow these knobs to be customized. > > > > Signed-off-by: Alejandro Enedino Hernandez Samaniego < > alejandro@enedino.org> > > --- > > .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 12 ++++++++++++ > > 1 file changed, 12 insertions(+) > > > > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > > index 8f9f663a3..7baca98cb 100644 > > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \ > > udev \ > > " > > > > + > > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), > parallel threads and iteration time (ms) > > +LUKS2_PBKDF ?= "argon2i" > > +LUKS2_MEMORYKB ?= "1048576" > > +LUKS2_PARALLEL_THREADS ?= "4" > > +LUKS2_ITERTIME ?= "2000" > > + > > is this something that can be selected at runtime too ? > Hi Khem, Yes, if using cryptsetup directly these can be changed at runtime regardless of the default set here. Being able to change these at build time becomes useful when relying on the libcryptsetup API. Cheers, Alejandro > > + > > PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" > > PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" > > PACKAGECONFIG[pwquality] = > "--enable-pwquality,--disable-pwquality,libpwquality" 
> > @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" > > PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" > > PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" > > PACKAGECONFIG[luks2] = > "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" > > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}" > > +PACKAGECONFIG[luks2-memorykb] = > "--with-luks2-memory-kb=${LUKS2_MEMORYKB}" > > +PACKAGECONFIG[luks2-parallel-threads] = > "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}" > > +PACKAGECONFIG[luks2-itertime] = > "--with-luks2-iter-time=${LUKS2_ITERTIME}" > > > > EXTRA_OECONF = "--enable-static" > > # Building without largefile is not supported by upstream > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- > > Links: You receive all messages sent to this group. > > View/Reply Online (#96850): > https://lists.openembedded.org/g/openembedded-devel/message/96850 > > Mute This Topic: https://lists.openembedded.org/mt/90765285/1997914 > > Group Owner: openembedded-devel+owner@lists.openembedded.org > > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > raj.khem@gmail.com] > > -=-=-=-=-=-=-=-=-=-=-=- > > >
On Thu, Apr 28, 2022 at 5:39 PM Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org> wrote: > > > > On Thu, Apr 28, 2022, 6:30 PM Khem Raj <raj.khem@gmail.com> wrote: >> >> >> >> On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote: >> > Cryptsetup allows for certain luks2 related defaults to be >> > set for libcryptsetup, these include the default PBKDF >> > algorithm, memory limit for PBKDF2, parallel threads and >> > iteration time. >> > >> > Add these options as PACKAGECONFIGs to cryptsetup while >> > setting variables defined as the current cryptsetup >> > defaults, making this change transparent for the user but >> > allow these knobs to be customized. >> > >> > Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org> >> > --- >> > .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 12 ++++++++++++ >> > 1 file changed, 12 insertions(+) >> > >> > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb >> > index 8f9f663a3..7baca98cb 100644 >> > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb >> > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb 
>> > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \ >> > udev \ >> > " >> > >> > + >> > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms) >> > +LUKS2_PBKDF ?= "argon2i" >> > +LUKS2_MEMORYKB ?= "1048576" >> > +LUKS2_PARALLEL_THREADS ?= "4" >> > +LUKS2_ITERTIME ?= "2000" >> > + >> >> is this something that can be selected at runtime too ? > > > > Hi Khem, > > Yes, if using cryptsetup directly these can be changed at runtime regardless of the default set here. > in current settings, it will need to set two knobs and it seems a bit off from what packageconfigs are for. so perhaps we can enable the default configure options unconditionally with default values and make the values a weak assigment. > Being able to change these at build time becomes useful when relying on the libcryptsetup API. > > > Cheers, > Alejandro > > >> >> > + >> > PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" >> > PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" >> > PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality" 
>> > @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" >> > PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" >> > PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" >> > PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" >> > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}" >> > +PACKAGECONFIG[luks2-memorykb] = "--with-luks2-memory-kb=${LUKS2_MEMORYKB}" >> > +PACKAGECONFIG[luks2-parallel-threads] = "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}" >> > +PACKAGECONFIG[luks2-itertime] = "--with-luks2-iter-time=${LUKS2_ITERTIME}" >> > >> > EXTRA_OECONF = "--enable-static" >> > # Building without largefile is not supported by upstream >> > >> > >> > >> > -=-=-=-=-=-=-=-=-=-=-=- >> > Links: You receive all messages sent to this group. >> > View/Reply Online (#96850): https://lists.openembedded.org/g/openembedded-devel/message/96850 >> > Mute This Topic: https://lists.openembedded.org/mt/90765285/1997914 >> > Group Owner: openembedded-devel+owner@lists.openembedded.org >> > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com] >> > -=-=-=-=-=-=-=-=-=-=-=- >> >
On Thu, Apr 28, 2022, 6:52 PM Khem Raj <raj.khem@gmail.com> wrote: > On Thu, Apr 28, 2022 at 5:39 PM Alejandro Enedino Hernandez Samaniego > <alejandro@enedino.org> wrote: > > > > > > > > On Thu, Apr 28, 2022, 6:30 PM Khem Raj <raj.khem@gmail.com> wrote: > >> > >> > >> > >> On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote: > >> > Cryptsetup allows for certain luks2 related defaults to be > >> > set for libcryptsetup, these include the default PBKDF > >> > algorithm, memory limit for PBKDF2, parallel threads and > >> > iteration time. > >> > > >> > Add these options as PACKAGECONFIGs to cryptsetup while > >> > setting variables defined as the current cryptsetup > >> > defaults, making this change transparent for the user but > >> > allow these knobs to be customized. > >> > > >> > Signed-off-by: Alejandro Enedino Hernandez Samaniego < > alejandro@enedino.org> > >> > --- > >> > .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 12 > ++++++++++++ > >> > 1 file changed, 12 insertions(+) > >> > > >> > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > >> > index 8f9f663a3..7baca98cb 100644 > >> > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb > >> > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb 
> >> > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \ > >> > udev \ > >> > " > >> > > >> > + > >> > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), > parallel threads and iteration time (ms) > >> > +LUKS2_PBKDF ?= "argon2i" > >> > +LUKS2_MEMORYKB ?= "1048576" > >> > +LUKS2_PARALLEL_THREADS ?= "4" > >> > +LUKS2_ITERTIME ?= "2000" > >> > + > >> > >> is this something that can be selected at runtime too ? > > > > > > > > Hi Khem, > > > > Yes, if using cryptsetup directly these can be changed at runtime > regardless of the default set here. > > > > in current settings, it will need to set two knobs and it seems a bit > off from what packageconfigs are for. > so perhaps we can enable the default configure options unconditionally > with default values and make the values a weak assigment. > I'd be fine with that too, the only thing worth mentioning is that some of these are only valid as a combination, for example: Luks2-memorykb is only valid when luks2-pbkdf="argon2<foo>", if luks2-pbkdf="pbkdf2" the luks header doesn't contain a memory field, also all these are only valid when the type=luks2 I believe we can just set them all as you say, as long as they don't conflict with one another and cause an error during do_configure. I can check if these are okay to set and discarded if not compatible and we can go with that, performing checks for compatibility with anonymous python is another solution but seems a bit of an overkill. > > Being able to change these at build time becomes useful when relying on > the libcryptsetup API. > > > > > > Cheers, > > Alejandro > > > > > >> > >> > + > >> > PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" > >> > PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" > >> > PACKAGECONFIG[pwquality] = > "--enable-pwquality,--disable-pwquality,libpwquality" 
> >> > @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = > "--with-crypto_backend=nss,,nss" > >> > PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" > >> > PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" > >> > PACKAGECONFIG[luks2] = > "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" > >> > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}" > >> > +PACKAGECONFIG[luks2-memorykb] = > "--with-luks2-memory-kb=${LUKS2_MEMORYKB}" > >> > +PACKAGECONFIG[luks2-parallel-threads] = > "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}" > >> > +PACKAGECONFIG[luks2-itertime] = > "--with-luks2-iter-time=${LUKS2_ITERTIME}" > >> > > >> > EXTRA_OECONF = "--enable-static" > >> > # Building without largefile is not supported by upstream > >> > > >> > > >> > > >> > -=-=-=-=-=-=-=-=-=-=-=- > >> > Links: You receive all messages sent to this group. > >> > View/Reply Online (#96850): > https://lists.openembedded.org/g/openembedded-devel/message/96850 > >> > Mute This Topic: https://lists.openembedded.org/mt/90765285/1997914 > >> > Group Owner: openembedded-devel+owner@lists.openembedded.org > >> > Unsubscribe: > https://lists.openembedded.org/g/openembedded-devel/unsub [ > raj.khem@gmail.com] > >> > -=-=-=-=-=-=-=-=-=-=-=- > >> > >
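As an added example (not the patch under review and not meta-oe's recipe), this recipe fragment expresses Khem's suggestion, passing the `--with-luks2-*` options from the patch unconditionally with weakly assigned values, and applies the combination rules Alejandro describes in the anonymous python he mentions. The accepted value list (including `argon2id`) and the warnings are assumptions; the option names and defaults are those from the patch.

```bitbake
# Added example, not the patch under review: weak defaults plus a
# compatibility check, instead of one PACKAGECONFIG per knob.

# Weak assignment, so local.conf or a distro layer overrides with "LUKS2_PBKDF = ...".
LUKS2_PBKDF ?= "argon2i"
LUKS2_MEMORYKB ?= "1048576"
LUKS2_PARALLEL_THREADS ?= "4"
LUKS2_ITERTIME ?= "2000"

# Algorithm and iteration time apply to every LUKS2 PBKDF, so always pass them.
EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} --with-luks2-iter-time=${LUKS2_ITERTIME}"

python __anonymous () {
    pbkdf = d.getVar('LUKS2_PBKDF')
    # Assumed value list; cryptsetup's own configure is the final authority.
    if pbkdf not in ('argon2i', 'argon2id', 'pbkdf2'):
        bb.fatal("LUKS2_PBKDF must be argon2i, argon2id or pbkdf2, got '%s'" % pbkdf)

    memkb = d.getVar('LUKS2_MEMORYKB')
    threads = d.getVar('LUKS2_PARALLEL_THREADS')
    if pbkdf.startswith('argon2'):
        # Memory cost and thread count only exist for Argon2.
        d.appendVar('EXTRA_OECONF',
                    ' --with-luks2-memory-kb=%s --with-luks2-parallel-threads=%s' % (memkb, threads))
    elif memkb != '1048576' or threads != '4':
        # pbkdf2 has no memory field in the LUKS header, so these would be silently ignored.
        bb.warn("LUKS2_MEMORYKB/LUKS2_PARALLEL_THREADS are ignored because LUKS2_PBKDF is pbkdf2")

    # The values only take effect when LUKS2 is the default on-disk format.
    if not bb.utils.contains('PACKAGECONFIG', 'luks2', True, False, d):
        bb.warn("LUKS2_* defaults have no effect while 'luks2' is not in PACKAGECONFIG")
}
```

With this layout a user changes one variable (for example `LUKS2_PBKDF = "pbkdf2"` in local.conf) and no PACKAGECONFIG edit is needed.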
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb index 8f9f663a3..7baca98cb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \ udev \ " + +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms) +LUKS2_PBKDF ?= "argon2i" +LUKS2_MEMORYKB ?= "1048576" +LUKS2_PARALLEL_THREADS ?= "4" +LUKS2_ITERTIME ?= "2000" + + PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring" PACKAGECONFIG[fips] = "--enable-fips,--disable-fips" PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality" @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss" PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}" +PACKAGECONFIG[luks2-memorykb] = "--with-luks2-memory-kb=${LUKS2_MEMORYKB}" +PACKAGECONFIG[luks2-parallel-threads] = "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}" +PACKAGECONFIG[luks2-itertime] = "--with-luks2-iter-time=${LUKS2_ITERTIME}" EXTRA_OECONF = "--enable-static" # Building without largefile is not supported by upstream
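Review bot: in the first hunk (@@ -44,6 +44,14 @@) the new in-recipe comment correctly calls LUKS2_MEMORYKB the "Argon2 memory cost (KB)", but the commit message describes the same value as the "memory limit for PBKDF2"; pbkdf2 has no memory parameter, so the commit message should say Argon2. Style: the hunk adds a `+` blank line before the comment and another after `LUKS2_ITERTIME ?= "2000"`, each next to an existing blank context line, leaving two consecutive blank lines on both sides; one of each is enough.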
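Review bot: in the second hunk (@@ -69,6 +77,10 @@) each PACKAGECONFIG[luks2-*] entry carries only an enable flag, and nothing in the patch adds any of them to PACKAGECONFIG, so setting `LUKS2_PBKDF` alone changes nothing until the matching `luks2-*` feature is also enabled; that is the two-knobs problem raised in the thread. Either document both steps next to the variables, or drop these four PACKAGECONFIGs and append the `--with-luks2-*` options to EXTRA_OECONF unconditionally, relying on the weak assignments for customisation. Note also that `--with-luks2-memory-kb` and `--with-luks2-parallel-threads` can be enabled independently of whether `LUKS2_PBKDF` names an Argon2 variant, which is the only case where they are meaningful.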
Cryptsetup allows for certain luks2 related defaults to be
set for libcryptsetup, these include the default PBKDF
algorithm, memory limit for PBKDF2, parallel threads and
iteration time.

Add these options as PACKAGECONFIGs to cryptsetup while
setting variables defined as the current cryptsetup
defaults, making this change transparent for the user but
allow these knobs to be customized.

Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandro@enedino.org>
---
 .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb | 12 ++++++++++++
 1 file changed, 12 insertions(+)