Right now, the --fde switch appears to default to AES CBC encryption. It's not entirely clear to me whether it uses a diffuser; if not, this would make it way more prone to tampering than XTS. Is there a specific reason why --fde doesn't just use XTS? And does it actually use CBC diffused or undiffused? I think the easiest way to ensure we get something reasonably tamper-proof would be to switch it to an XTS default, but I could be wrong.
In the very first commit of pmbootstrap it was introduced and never changed.
```python
# aes-xts-plain64 would be better, but this is not supported on LineageOS
# kernel configs
"cipher": "aes-cbc-plain64"
```
I think I did this during early development, where it was not clear to me that we always need to compile our own kernels (which is obvious now of course).
Some time after pmbootstrap was released, the android recovery zip code has been added. And there, cryptsetup is actually executed in whatever kernel the recovery environment (TWRP, ...) uses. This kernel will likely not support XTS, so for that specific use case it makes sense to aim for more compatibility. With that being said, I doubt that anybody is actually using the android recovery zip method in combination with FDE these days.
It's not entirely clear to me whether it uses a diffuser
I'm not sure either (that depends on how cryptsetup handles things by default).
I think the easiest way to ensure we get something reasonably tamper-proof would be to switch it to an XTS default, but I could be wrong.
Yes, this sounds like a good idea. Unfortunately, 132 kernels are built without CRYPTO_XTS currently and need to be adjusted :\
I'm preparing patches:
add CRYPTO_XTS to pmbootstrap kconfig check
adjust all kernels to enable CRYPTO_XTS in their kernel config
change the default cipher in pmbootstrap to aes-xts-plain64
print a warning when using pmbootstrap install --fde --android-recovery-zip - something like this:
```python
# Warning for android recovery zip with FDE
if args.android_recovery_zip and args.full_disk_encryption:
    logging.info("WARNING: --fde is rarely used in combination with"
                 " --android-recovery-zip. If this does not work, consider"
                 " using another method (e.g. installing via netcat)")
    logging.info("WARNING: the kernel of the recovery system (e.g. TWRP)"
                 f" must support the cryptsetup cipher '{args.cipher}'.")
    logging.info("If you know what you are doing, consider setting a"
                 " different cipher with 'pmbootstrap --cipher=... install"
                 " --fde --android-recovery-zip'.")
```
I've enabled CRYPTO_XTS in 126 kernels and I'm building them now in the background (let's see how long it takes...). (In the future it would be great if we could automate such mass-editing, see #1942.)
4 kernels don't work out of the box with pmbootstrap kconfig edit, I'll look into them next.
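To make the "more prone to tampering" point from the opening post concrete, here is an added example that is not part of this thread and not pmbootstrap code. It models both cipher specs the way dm-crypt applies them: one 512-byte sector, the `plain64` IV (the sector number as a 64-bit little-endian integer, zero padded), CBC chained across the sector with no diffuser step (dm-crypt has none), and XTS with a per-block tweak derived from a second key. AES is replaced by a toy SHA-256 Feistel block cipher so the script runs with the standard library only; this is an assumption for the example, and it is safe because the effect shown is a property of the modes, not of the cipher. The sector contents and keys are constructed for the demonstration. Flipping one ciphertext bit in block 0 under CBC flips exactly that bit in plaintext block 1, turning `debug_enabled=0` into `debug_enabled=1`, and only garbles block 0; under XTS the same flip garbles block 0 and touches nothing else.

```python
import hashlib

BLOCK = 16    # cipher block size in bytes
SECTOR = 512  # dm-crypt's default sector size; one IV/tweak per sector

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, rnd, half):
    # Keyed pseudo-random round function of the toy cipher (assumption: stand-in for AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    # Toy 16-byte block cipher: 8-round Feistel over SHA-256. NOT AES; the
    # propagation behaviour below comes from the CBC/XTS modes, not the cipher.
    l, r = blk[:8], blk[8:]
    for rnd in range(8):
        l, r = r, xor(l, _round_fn(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(8)):
        l, r = xor(r, _round_fn(key, rnd, l)), l
    return l + r

def plain64_iv(sector):
    # "plain64": sector number as 64-bit little-endian integer, zero padded to a block.
    return sector.to_bytes(8, "little") + bytes(8)

def cbc_encrypt(key, sector, data):
    out, prev = [], plain64_iv(sector)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, sector, data):
    out, prev = [], plain64_iv(sector)
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))  # P[i] = D(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)

def _mul_alpha(t):
    # Multiply the XTS tweak by x in GF(2^128), IEEE 1619 little-endian convention.
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(16, "little")

def xts_crypt(key1, key2, sector, data, encrypt):
    t = block_encrypt(key2, plain64_iv(sector))  # T = E_K2(sector number)
    out = []
    for i in range(0, len(data), BLOCK):
        blk = xor(data[i:i + BLOCK], t)
        blk = block_encrypt(key1, blk) if encrypt else block_decrypt(key1, blk)
        out.append(xor(blk, t))
        t = _mul_alpha(t)  # tweak for the next block in the sector
    return b"".join(out)

def flip_bit(buf, byte_index, bit):
    b = bytearray(buf)
    b[byte_index] ^= 1 << bit
    return bytes(b)

def changed_blocks(original, recovered):
    return [i // BLOCK for i in range(0, len(original), BLOCK)
            if original[i:i + BLOCK] != recovered[i:i + BLOCK]]

# Constructed sector contents and toy keys for the demonstration (not real device data).
PLAINTEXT = (b"id=0 owner=root " + b"debug_enabled=0 " + b"mount=/dev/root ").ljust(SECTOR, b"\x00")
KEY1, KEY2 = b"k" * 16, b"t" * 16  # XTS needs a second key for the tweak

def tamper_cbc(sector=7, byte_index=14, bit=0):
    # Attacker flips one bit of ciphertext block 0 (byte 14 = the '0' in "=0" of the NEXT block).
    ct = flip_bit(cbc_encrypt(KEY1, sector, PLAINTEXT), byte_index, bit)
    return cbc_decrypt(KEY1, sector, ct)

def tamper_xts(sector=7, byte_index=14, bit=0):
    # The same flip against the XTS-encrypted sector.
    ct = flip_bit(xts_crypt(KEY1, KEY2, sector, PLAINTEXT, True), byte_index, bit)
    return xts_crypt(KEY1, KEY2, sector, ct, False)

if __name__ == "__main__":
    for name, recovered in (("cbc-plain64", tamper_cbc()), ("xts-plain64", tamper_xts())):
        print(name, "changed blocks:", changed_blocks(PLAINTEXT, recovered),
              "block 1 now reads:", recovered[16:32])
```

Two caveats a practitioner will want alongside this. First, XTS only confines the damage to one 16-byte block; it is still unauthenticated encryption, so an attacker can randomize a block or replay an older copy of a sector unnoticed. Real tamper detection needs an integrity layer such as dm-integrity (cryptsetup's `--integrity` option) or dm-verity for read-only parts. Second, cryptsetup splits an XTS key into two halves, so `aes-xts-plain64` with `--key-size 512` is AES-256, while a 256-bit key gives AES-128-XTS.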
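The first item in the patch list above is a kconfig check. The following is an added, stand-alone example of such a check (my code, not pmbootstrap's `pmbootstrap kconfig check` implementation): it parses a kernel `.config` and reports which options a given cryptsetup cipher spec needs that are not built in. The option table is an assumption for this example, and the sample config fragment is constructed. It also shows the pitfall that a naive substring search for `CONFIG_CRYPTO_XTS` matches the `# CONFIG_CRYPTO_XTS is not set` line, so a check must parse the line rather than grep for the symbol.

```python
import re

# Kernel options dm-crypt needs per cipher spec (assumed table for this example).
REQUIRED = {
    "aes-cbc-plain64": ("BLK_DEV_DM", "DM_CRYPT", "CRYPTO_AES", "CRYPTO_CBC"),
    "aes-xts-plain64": ("BLK_DEV_DM", "DM_CRYPT", "CRYPTO_AES", "CRYPTO_XTS"),
}

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_kconfig(text):
    # Map symbol -> value ("y", "m", "42", ...); "is not set" lines map to None.
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = None
    return opts

def missing_for_cipher(text, cipher, allow_modules=False):
    # Return the required symbols that are absent, disabled, or only =m.
    # Assumption for this example: =m counts as missing unless allow_modules,
    # since the initramfs must be able to unlock the root fs without it.
    opts = parse_kconfig(text)
    missing = []
    for sym in REQUIRED[cipher]:
        val = opts.get(sym)
        if val == "y" or (val == "m" and allow_modules):
            continue
        missing.append(sym)
    return missing

# Constructed .config fragment, not a real device kernel config.
SAMPLE_CONFIG = """\
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_XTS is not set
"""

if __name__ == "__main__":
    for cipher in REQUIRED:
        print(cipher, "missing:", missing_for_cipher(SAMPLE_CONFIG, cipher))
```

Run against the sample fragment, `aes-cbc-plain64` reports nothing missing while `aes-xts-plain64` reports `CRYPTO_XTS`, which is exactly the situation the 132 kernels mentioned above were in before the mass edit.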