[U-Boot] VU#166743: Das U-Boot AES-CBC encryption

Tom Rini trini at konsulko.com
Sat Sep 9 17:17:49 UTC 2017

On Sat, Sep 09, 2017 at 09:29:45AM -0700, Blibbet wrote:

> I apologize if I missed it, but I haven't see any mention of this recent
> vulnerability here, excerpts below.
> http://www.kb.cert.org/vuls/id/166743
> -----snip-----
> Vulnerability Note VU#166743
> Das U-Boot AES-CBC encryption implementation contains multiple
> vulnerabilities
> Original Release date: 08 Sep 2017
> Das U-Boot is a device bootloader that can read its configuration from
> an AES encrypted file. For devices utilizing this environment encryption
> mode, U-Boot's use of a zero initialization vector and improper handling
> of an error condition may allow attacks against the underlying
> cryptographic implementation and allow an attacker to decrypt the data.
> An attacker with physical access to the device may be able to decrypt
> the device's contents.
> The CERT/CC is currently unaware of a practical solution to this problem.
> -----snip-----

So, I mentioned this in the patch that migrated the option to Kconfig
and marked it deprecated, and I plan to mention it in the release notes
on Monday.  But, this option has no in-tree users and I plan to remove
the code in the near term, if no one with the relevant background steps
up to re-implement it.  Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20170909/423af6e8/attachment.sig>

More information about the U-Boot mailing list