[U-Boot] [PATCH] env: Migrate CONFIG_ENV_AES to Kconfig and deprecate
Tom Rini
trini at konsulko.com
Fri Sep 8 17:13:59 UTC 2017
The underlying implementation for ENV_AES has security complications and
is not recommended for use. Please see CVE-2017-3225 and CVE-2017-3226
for more details. Mark this as deprecated now and delete this in the
medium term if no one comes forward to re-work the support.
Signed-off-by: Tom Rini <trini at konsulko.com>
---
env/Kconfig | 8 ++++++++
scripts/config_whitelist.txt | 1 -
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/env/Kconfig b/env/Kconfig
index f12ef2863458..024d4d79bd49 100644
--- a/env/Kconfig
+++ b/env/Kconfig
@@ -375,6 +375,14 @@ config ENV_IS_IN_UBI
endchoice
+config ENV_AES
+ bool "AES-128 encryption for stored environment (DEPRECATED)"
+ help
+ Enable this to have the on-device stored environment be encrypted
+ with AES-128. The implementation here however has security
+ complications and is not recommended for use. Please see
+ CVE-2017-3225 and CVE-2017-3226 for more details.
+
config ENV_FAT_INTERFACE
string "Name of the block device for the environment"
depends on ENV_IS_IN_FAT
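Review bot: the help text for the new ENV_AES entry names the two CVEs but never says the option is slated for removal, so someone enabling it from menuconfig only sees "(DEPRECATED)" in the prompt and has no hint that the commit message plans to "delete this in the medium term". Consider adding a sentence to the help stating that the option will be removed unless the support is reworked. The entry also has no "depends on" line, unlike ENV_FAT_INTERFACE directly below it, so it is offered for every environment backend; if the encryption only applies to some storage locations, a dependency would keep the deprecated option out of configurations where it does nothing.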
diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt
index a9fb068e925b..9ce0c3f039ff 100644
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@@ -574,7 +574,6 @@ CONFIG_ENV_ACCESS_IGNORE_FORCE
CONFIG_ENV_ADDR
CONFIG_ENV_ADDR_FLEX
CONFIG_ENV_ADDR_REDUND
-CONFIG_ENV_AES
CONFIG_ENV_BASE
CONFIG_ENV_CALLBACK_LIST_DEFAULT
CONFIG_ENV_CALLBACK_LIST_STATIC
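Review bot: dropping CONFIG_ENV_AES from the whitelist here assumes nothing in the tree still sets the symbol outside Kconfig, but the diffstat shows only env/Kconfig and this file changing, with no board header or defconfig touched. Please confirm in the commit message that no in-tree board defines CONFIG_ENV_AES, or include the defconfig conversion for any that do, so the migration is complete in this one patch.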
--
1.9.1