From 5eb35220b2cbeac79af8d73c696f5930a755c5bd Mon Sep 17 00:00:00 2001
From: Tom Rini
Date: Fri, 8 Sep 2017 13:12:16 -0400
Subject: [PATCH] env: Migrate CONFIG_ENV_AES to Kconfig and deprecate
The underlying implementation for ENV_AES has security complications and is not recommended for use. Please see CVE-2017-3225 and CVE-2017-3226 for more details. Mark this as deprecated now and delete this in the medium term if no one comes forward to re-work the support.
Signed-off-by: Tom Rini
---
 env/Kconfig | 8 ++++++++
 scripts/config_whitelist.txt | 1 -
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/env/Kconfig b/env/Kconfig
index f12ef28..024d4d7 100644
--- a/env/Kconfig
+++ b/env/Kconfig
@@ -375,6 +375,14 @@ config ENV_IS_IN_UBI
 endchoice
+config ENV_AES
+ bool "AES-128 encryption for stored environment (DEPRECATED)"
+ help
+ Enable this to have the on-device stored environment be encrypted
+ with AES-128. The implementation here however has security
+ complications and is not recommended for use. Please see
+ CVE-2017-3225 and CVE-2017-3226 for more details.
+
 config ENV_FAT_INTERFACE
 string "Name of the block device for the environment"
 depends on ENV_IS_IN_FAT
diff --git a/scripts/config_whitelist.txt b/scripts/config_whitelist.txt
index a9fb068..9ce0c3f 100644
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@@ -574,7 +574,6 @@ CONFIG_ENV_ACCESS_IGNORE_FORCE
 CONFIG_ENV_ADDR
 CONFIG_ENV_ADDR_FLEX
 CONFIG_ENV_ADDR_REDUND
-CONFIG_ENV_AES
 CONFIG_ENV_BASE
 CONFIG_ENV_CALLBACK_LIST_DEFAULT
 CONFIG_ENV_CALLBACK_LIST_STATIC
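Review bot: The new `config ENV_AES` entry in the env/Kconfig hunk announces the deprecation only in its prompt string and help text, so a board configuration that already enables CONFIG_ENV_AES keeps building silently and its maintainer may never see the notice. The help text also leaves "security complications" undefined. As I read the two cited CVEs, the stored environment should be treated as neither confidential nor protected against modification, and saying so in the help lets an integrator decide without looking up the advisories. I would add a closing help sentence such as `Do not rely on this option to keep secrets or to detect modification of the stored environment; it may be removed in a future release.` If the code that consumes CONFIG_ENV_AES stays in the tree for now (it is not visible in this patch), a build-time `#warning` there would reach existing users as well.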