On Sat, Sep 09, 2017 at 09:29:45AM -0700, Blibbet wrote:
I apologize if I missed it, but I haven't see any mention of this recent vulnerability here, excerpts below.
http://www.kb.cert.org/vuls/id/166743
-----snip----- Vulnerability Note VU#166743
Das U-Boot AES-CBC encryption implementation contains multiple vulnerabilities
Original Release date: 08 Sep 2017
Das U-Boot is a device bootloader that can read its configuration from an AES encrypted file. For devices utilizing this environment encryption mode, U-Boot's use of a zero initialization vector and improper handling of an error condition may allow attacks against the underlying cryptographic implementation and allow an attacker to decrypt the data.
An attacker with physical access to the device may be able to decrypt the device's contents.
The CERT/CC is currently unaware of a practical solution to this problem. -----snip-----
So, I mentioned this in the patch that migrated the option to Kconfig and marked it deprecated, and I plan to mention it in the release notes on Monday. But, this option has no in-tree users and I plan to remove the code in the near term, if no one with the relevant background steps up to re-implement it. Thanks!