On Thu, Apr 28, 2022 at 5:39 PM Alejandro Enedino Hernandez Samaniego
<[email protected]> wrote:
>
>
>
> On Thu, Apr 28, 2022, 6:30 PM Khem Raj <[email protected]> wrote:
>>
>>
>>
>> On 4/28/22 16:00, Alejandro Hernandez Samaniego wrote:
>> > Cryptsetup allows for certain luks2 related defaults to be
>> > set for libcryptsetup, these include the default PBKDF
>> > algorithm, memory limit for PBKDF2, parallel threads and
>> > iteration time.
>> >
>> > Add these options as PACKAGECONFIGs to cryptsetup while
>> > setting variables defined as the current cryptsetup
>> > defaults, making this change transparent for the user but
>> > allow these knobs to be customized.
>> >
>> > Signed-off-by: Alejandro Enedino Hernandez Samaniego 
>> > <[email protected]>
>> > ---
>> >   .../recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb    | 12 ++++++++++++
>> >   1 file changed, 12 insertions(+)
>> >
>> > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb 
>> > b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
>> > index 8f9f663a3..7baca98cb 100644
>> > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
>> > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
>> > @@ -44,6 +44,14 @@ PACKAGECONFIG:append:class-target = " \
>> >       udev \
>> >   "
>> >
>> > +
>> > +# libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), 
>> > parallel threads and iteration time (ms)
>> > +LUKS2_PBKDF ?= "argon2i"
>> > +LUKS2_MEMORYKB ?= "1048576"
>> > +LUKS2_PARALLEL_THREADS ?= "4"
>> > +LUKS2_ITERTIME ?= "2000"
>> > +
>>
>> Is this something that can be selected at runtime too?
>
>
>
> Hi Khem,
>
> Yes, if using cryptsetup directly these can be changed at runtime regardless 
> of the default set here.
>

In current settings, it will need to set two knobs, and it seems a bit
off from what packageconfigs are for.
So perhaps we can enable the default configure options unconditionally
with default values and make the values a weak assignment.

> Being able to change these at build time becomes useful when relying on the 
> libcryptsetup API.
>
>
> Cheers,
> Alejandro
>
>
>>
>> > +
>> >   PACKAGECONFIG[keyring] = "--enable-keyring,--disable-keyring"
>> >   PACKAGECONFIG[fips] = "--enable-fips,--disable-fips"
>> >   PACKAGECONFIG[pwquality] = 
>> > "--enable-pwquality,--disable-pwquality,libpwquality"
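
Review bot: The comment above the four LUKS2_* assignments gives the units but not the effect of changing them. LUKS2_MEMORYKB and LUKS2_ITERTIME become the library's default key-derivation cost, so a lower value set in local.conf makes every volume formatted with the defaults cheaper to brute-force, and the memory and thread settings have no meaning if LUKS2_PBKDF is set to pbkdf2. Suggest saying so in the comment. As a style point, the added blank lines before the comment and before PACKAGECONFIG[keyring] leave double blank lines in the recipe and can be dropped.
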
>> > @@ -69,6 +77,10 @@ PACKAGECONFIG[nss] = "--with-crypto_backend=nss,,nss"
>> >   PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel"
>> >   PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle"
>> >   PACKAGECONFIG[luks2] = 
>> > "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1"
>> > +PACKAGECONFIG[luks2-pbkdf] = "--with-luks2-pbkdf=${LUKS2_PBKDF}"
>> > +PACKAGECONFIG[luks2-memorykb] = "--with-luks2-memory-kb=${LUKS2_MEMORYKB}"
>> > +PACKAGECONFIG[luks2-parallel-threads] = 
>> > "--with-luks2-parallel-threads=${LUKS2_PARALLEL_THREADS}"
>> > +PACKAGECONFIG[luks2-itertime] = "--with-luks2-iter-time=${LUKS2_ITERTIME}"
>> >
>> >   EXTRA_OECONF = "--enable-static"
>> >   # Building without largefile is not supported by upstream
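
Review bot: The four new PACKAGECONFIG entries carry only an enable argument, and nothing in this patch adds them to PACKAGECONFIG, so the LUKS2_* values from the first hunk are not passed to configure until each flag is also enabled. A user who changes LUKS2_ITERTIME alone gets no effect and no warning. Passing the options unconditionally, e.g. `EXTRA_OECONF += "--with-luks2-pbkdf=${LUKS2_PBKDF} --with-luks2-iter-time=${LUKS2_ITERTIME}"` with the other two alongside, would keep the ?= variables as the single knob.
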
>> >
>> >
>> >
>> > 
>> >