[U-Boot] VU#166743: Das U-Boot AES-CBC encryption
trini at konsulko.com
Sat Sep 9 17:17:49 UTC 2017
On Sat, Sep 09, 2017 at 09:29:45AM -0700, Blibbet wrote:
> I apologize if I missed it, but I haven't see any mention of this recent
> vulnerability here, excerpts below.
> Vulnerability Note VU#166743
> Das U-Boot AES-CBC encryption implementation contains multiple
> Original Release date: 08 Sep 2017
> Das U-Boot is a device bootloader that can read its configuration from
> an AES encrypted file. For devices utilizing this environment encryption
> mode, U-Boot's use of a zero initialization vector and improper handling
> of an error condition may allow attacks against the underlying
> cryptographic implementation and allow an attacker to decrypt the data.
> An attacker with physical access to the device may be able to decrypt
> the device's contents.
> The CERT/CC is currently unaware of a practical solution to this problem.
So, I mentioned this in the patch that migrated the option to Kconfig
and marked it deprecated, and I plan to mention it in the release notes
on Monday. But, this option has no in-tree users and I plan to remove
the code in the near term, if no one with the relevant background steps
up to re-implement it. Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the U-Boot