On 2023/08/11 16:43, Mark Kettenis wrote:
> > Date: Fri, 11 Aug 2023 11:13:23 +0000
> > From: Klemens Nanni <k...@openbsd.org>
> >
> > On Mon, May 08, 2023 at 11:00:27AM +0000, Klemens Nanni wrote:
> > > On Sun, Apr 23, 2023 at 05:07:30PM +0000, Klemens Nanni wrote:
> > > > For new installs, it seems adequate to base the number on the actual hardware,
> > > > assuming the CRYPTO volume will stay in that hardware for a while.
> > > >
> > > > The current default of 16 is from old PKCS5 PBKDF2 times and changing it in
> > > > bioctl(8) is a more invasive change (for later, perhaps).
> > > >
> > > > Thoughts? Feedback from the crypto folks appreciated.
> > > >
> > > > On X230 and T14, 16 feels pretty instant, whereas 'auto' takes about a second
> > > > on a T14.
> > >
> > > Ping.
> >
> > Anyone?
> >
> > I consider a hardware based value a saner default for new installations
> > (root disk volumes are most likely to stick around on the same machine)
> > than a decade old constant.
>
> See the recent discussion about _bcrypt_autorounds() in libc.
>
> System performance varies, and even on modern hardware it can provide
> varying results. The ramdisk environment is considerably different
> from the multi-user environment in this respect.
>
> Using a fixed value is way more predictable. If 16 no longer is a
> safe default it should be raised.

Agreed. (Re bcrypt, I usually completely ignore auto rounds, I had just forgotten to set that up on the machine where I noticed the problem..) Also, am I right in thinking that this only affects the time when entering the passphrase when mounting or creating the device, i.e. once per boot? If so, there's nowhere near as much a downside to that being slow as there is for user login. (anyone actually wanting to crack these passphrases would be doing it on a fast system rather than whatever the device is normally used with, so there are valid reasons for picking something that might be a bit slow if it doesn't cause too much system impact). > > >From bioctl(8): > > -r rounds > > The number of iterations for the KDF algorithm to use when > > converting a passphrase into a key, in order to create a new > > encrypted volume or change the passphrase of an existing > > encrypted volume. A larger number of iterations takes more > > time, > > but offers increased resistance against passphrase guessing > > attacks. If rounds is specified as auto, the number of rounds > > will be automatically determined based on system performance. > > Otherwise the minimum is 4 rounds and the default is 16. > > > > Rebased diff. > > > > Index: install.sub > > =================================================================== > > RCS file: /cvs/src/distrib/miniroot/install.sub,v > > retrieving revision 1.1253 > > diff -u -p -r1.1253 install.sub > > --- install.sub 10 Aug 2023 17:09:34 -0000 1.1253 > > +++ install.sub 11 Aug 2023 11:02:19 -0000 > > @@ -3097,7 +3097,7 @@ encrypt_root() { > > md_prep_fdisk $_chunk > > echo 'RAID *' | disklabel -w -A -T- $_chunk > > > > - until bioctl -Cforce -cC -l${_chunk}a softraid0 >/dev/null; do > > + until bioctl -Cforce -cC -rauto -l${_chunk}a softraid0 >/dev/null; do > > # Most likely botched passphrases, silently retry twice. > > ((++_tries < 3)) || exit > > done > > > > >
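
Review bot: In the "until bioctl ..." line of encrypt_root(), -rauto ties the KDF work factor of the root volume to however fast the install ramdisk happens to run at that moment, so the same hardware can end up with different round counts from one install to the next, and a slow installer run can leave the volume with fewer rounds than the machine could afford. The bioctl(8) text quoted above says auto is "automatically determined based on system performance" and states a minimum (4) and default (16) only for the non-auto case, so nothing visible here sets a floor for what auto may pick. Because stdout of this call goes to /dev/null, the installer also keeps no record of the value that was chosen. Suggest passing an explicit fixed -r value on this line instead (raised above 16 if that is judged too low), or, if auto stays, extending the comment in the loop to say why a ramdisk-calibrated value is acceptable for a volume that will later be unlocked in the multi-user environment.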