env: Migrate CONFIG_ENV_AES to Kconfig and deprecate

The underlying implementation for ENV_AES has security complications and is not recommended for use. Please see CVE-2017-3225 and CVE-2017-3226 for more details. Mark this as deprecated now and delete this in the medium term if no one comes forward to re-work the support. Signed-off-by: Tom Rini <trini@konsulko.com>
7 years ago · 5eb35220b2
parent 0683fb7242
commit 5eb35220b2
2 changed files with 8 additions and 1 deletions
--- a/env/Kconfig
+++ b/env/Kconfig
@ -375,6 +375,14 @@ config ENV_IS_IN_UBI

 endchoice

+config ENV_AES
+	bool "AES-128 encryption for stored environment (DEPRECATED)"
+	help
+	  Enable this to have the on-device stored environment be encrypted
+	  with AES-128.  The implementation here however has security
+	  complications and is not recommended for use.  Please see
+	  CVE-2017-3225 and CVE-2017-3226 for more details.
+
 config ENV_FAT_INTERFACE
 	string "Name of the block device for the environment"
 	depends on ENV_IS_IN_FAT
--- a/scripts/config_whitelist.txt
+++ b/scripts/config_whitelist.txt
@ -574,7 +574,6 @@ CONFIG_ENV_ACCESS_IGNORE_FORCE
 CONFIG_ENV_ADDR
 CONFIG_ENV_ADDR_FLEX
 CONFIG_ENV_ADDR_REDUND
-CONFIG_ENV_AES
 CONFIG_ENV_BASE
 CONFIG_ENV_CALLBACK_LIST_DEFAULT
 CONFIG_ENV_CALLBACK_LIST_STATIC