On 2023/08/11 16:43, Mark Kettenis wrote:
> > Date: Fri, 11 Aug 2023 11:13:23 +0000
> > From: Klemens Nanni <k...@openbsd.org>
> >
> > On Mon, May 08, 2023 at 11:00:27AM +0000, Klemens Nanni wrote:
> > > On Sun, Apr 23, 2023 at 05:07:30PM +0000, Klemens Nanni wrote:
> > > > For new installs, it seems adequate to base the number on the actual
> > > > hardware,
> > > > assuming the CRYPTO volume will stay in that hardware for a while.
> > > >
> > > > The current default of 16 is from old PKCS5 PBKDF2 times and changing
> > > > it in
> > > > bioctl(8) is a more invasive change (for later, perhaps).
> > > >
> > > > Thoughts? Feedback from the crypto folks appreciated.
> > > >
> > > > On X230 and T14, 16 feels pretty instant, whereas 'auto' takes about a
> > > > second
> > > > on a T14.
> > >
> > > Ping.
> >
> > Anyone?
> >
> > I consider a hardware based value a saner default for new installations
> > (root disk volumes are most likely to stick around on the same machine)
> > than a decade old constant.
>
> See the recent discussion about _bcrypt_autorounds() in libc.
>
> System performance varies, and even on modern hardware it can provide
> varying results. The ramdisk environment is considerably different
> from the mult-user environment in this respect.
>
> Using a fixed value is way more predictable. If 16 no longer is a
> safe default it should be raised.
Agreed. (Re bcrypt, I usually completely ignore auto rounds, I had just
forgotten to set that up on the machine where I noticed the problem..)
Also, am I right in thinking that this only affects the time when
entering the passphrase when mounting or creating the device, i.e. once
per boot?
If so, there's nowhere near as much a downside to that being slow
as there is for user login. (anyone actually wanting to crack these
passphrases would be doing it on a fast system rather than whatever
the device is normally used with, so there are valid reasons for
picking something that might be a bit slow if it doesn't cause too
much system impact).
> > >From bioctl(8):
> > -r rounds
> > The number of iterations for the KDF algorithm to use when
> > converting a passphrase into a key, in order to create a new
> > encrypted volume or change the passphrase of an existing
> > encrypted volume. A larger number of iterations takes more
> > time,
> > but offers increased resistance against passphrase guessing
> > attacks. If rounds is specified as auto, the number of rounds
> > will be automatically determined based on system performance.
> > Otherwise the minimum is 4 rounds and the default is 16.
> >
> > Rebased diff.
> >
> > Index: install.sub
> > ===================================================================
> > RCS file: /cvs/src/distrib/miniroot/install.sub,v
> > retrieving revision 1.1253
> > diff -u -p -r1.1253 install.sub
> > --- install.sub 10 Aug 2023 17:09:34 -0000 1.1253
> > +++ install.sub 11 Aug 2023 11:02:19 -0000
> > @@ -3097,7 +3097,7 @@ encrypt_root() {
> > md_prep_fdisk $_chunk
> > echo 'RAID *' | disklabel -w -A -T- $_chunk
> >
> > - until bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null; do
> > + until bioctl -Cforce -cC -rauto -l${_chunk}a softraid0 >/dev/null; do
> > # Most likely botched passphrases, silently retry twice.
> > ((++_tries < 3)) || exit
> > done
> >
> >
>
