On Thu, Apr 28, 2022, 6:30 PM Khem Raj <[email protected]> wrote:

>
>
> On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote:
> > Cryptsetup allows for certain luks2 related defaults to be
> > set for libcryptsetup, these include the default PBKDF
> > algorithm, memory limit for PBKDF2, parallel threads and
> > iteration time.
> >
> > Add these options as PACKAGECONFIGs to cryptsetup while
> > setting variables defined as the current cryptsetup
> > defaults, making this change transparent for the user but
> > allowing these knobs to be customized.
> >
> > Signed-off-by: Alejandro Enedino Hernandez Samaniego <
> [email protected]>
> > ---
> >   .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb    | 12 ++++++++++++
> >   1 file changed, 12 insertions(+)
> >
> > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
> b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
> > index 8f9f663a3..7baca98cb 100644
> > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
> > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
> > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \
> >       udev \
> >   "
> >
> > +
> > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB),
> parallel threads and iteration time (ms)
> > +LUKS2_PBKDF ?= "argon2i"
> > +LUKS2_MEMORYKB ?= "1048576"
> > +LUKS2_PARALLEL_THREADS ?= "4"
> > +LUKS2_ITERTIME ?= "2000"
> > +
>
> Is this something that can be selected at runtime too?
>


Hi Khem,

Yes, if using cryptsetup directly these can be changed at runtime
regardless of the default set here.

Being able to change these at build time becomes useful when relying on the
libcryptsetup API.


Cheers,
Alejandro



> > +
> >   PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
> >   PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
> >   PACKAGECONFIG[pwquality] =
> "--enable-pwquality,--disable-pwquality,libpwquality"
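
Review bot: the comment above the LUKS2_* defaults gives the units but does not list the values LUKS2_PBKDF accepts, and it does not flag that LUKS2_MEMORYKB ?= "1048576" is a 1 GiB Argon2 memory cost. Suggest extending the comment with the accepted algorithms (cryptsetup's configure takes pbkdf2, argon2i or argon2id) and a line telling integrators with small-memory targets to lower LUKS2_MEMORYKB. Style: the addition opens with a blank line directly after an existing blank context line and closes with two more after LUKS2_ITERTIME, so the extra blank lines can be dropped.
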
> > @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
> >   PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
> >   PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
> >   PACKAGECONFIG[luks2] =
> "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
> > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}"
> > +PACKAGECONFIG[luks2-memorykb] =
> "--with-luks2-memory-kb=${LUKS2_MEMORYKB}"
> > +PACKAGECONFIG[luks2-parallel-threads] =
> "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}"
> > +PACKAGECONFIG[luks2-itertime] =
> "--with-luks2-iter-time=${LUKS2_ITERTIME}"
> >
> >   EXTRA_OECONF = "--enable-static"
> >   # Building without largefile is not supported by upstream
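
Review bot: the four luks2-* PACKAGECONFIG entries fill only the enable field, and nothing in the visible lines adds them to a default PACKAGECONFIG, so overriding a LUKS2_* variable alone changes nothing in the build until the matching option is also enabled. Suggest saying so in the comment next to the variables, for example that LUKS2_MEMORYKB is only passed as --with-luks2-memory-kb when luks2-memorykb is in PACKAGECONFIG. The values also reach configure unchecked, so a short note on the expected form of each (algorithm name, integer KB, thread count, milliseconds) would help catch typos in a user's configuration.
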
> >
> >
> >
> > 
> >
>