
doc: encrypted images: Add note on ivt attribute

Message ID 20200910210948.129006-1-bage@linutronix.de
State Changes Requested

Commit Message

Bastian Germann Sept. 10, 2020, 9:09 p.m. UTC
From: Bastian Germann <bage@linutronix.de>

Signed-off-by: Bastian Germann <bage@linutronix.de>
---
 doc/source/encrypted_images.rst | 3 +++
 1 file changed, 3 insertions(+)

Comments

Stefano Babic Sept. 11, 2020, 10:18 a.m. UTC | #1
Hi Bastian,

On 10.09.20 23:09, bage@linutronix.de wrote:
> From: Bastian Germann <bage@linutronix.de>
> 
> Signed-off-by: Bastian Germann <bage@linutronix.de>
> ---
>  doc/source/encrypted_images.rst | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/doc/source/encrypted_images.rst b/doc/source/encrypted_images.rst
> index fcb10a4..d0feedb 100644
> --- a/doc/source/encrypted_images.rst
> +++ b/doc/source/encrypted_images.rst
> @@ -49,6 +49,9 @@ For earlier versions of SWUpdate it was falsely noted that passing the SALT as a
>  3rd parameter would increase security. Key and IV are enough for maximum security,
>  salt doesn't add any value.
>  
> +You should change the IV with every encryption. The ``ivt`` sw-description attribute
> +overrides the key file's IV for one specific image.
> +
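
Review bot: The first added line, "You should change the IV with every encryption", gives a rule but not the way to follow it, and the context lines just above treat key and IV as a pair, so a reader may conclude that the key file has to be regenerated each time. Suggest wording the two sentences as one step: encrypt each image with a fresh IV, keep the key unchanged, and put that same IV into the image's ``ivt`` attribute so that it replaces the key file's IV for that image.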

You could maybe take the chance to add some further and useful
explanation here - we both know the reason for it, but I guess the
background is unknown to most users. I see that the only added
documentation up to now is just listing "ivt" as an attribute, where my
explanation is very "concentrated", too (or even cryptic...). It would be
nice if you could extend the concept (adding a link to the explanation of why
ivt should be changed each time), and you can also add "ivt" to the
example on the same page.

Best regards,
Stefano Babic

Patch

diff --git a/doc/source/encrypted_images.rst b/doc/source/encrypted_images.rst
index fcb10a4..d0feedb 100644
--- a/doc/source/encrypted_images.rst
+++ b/doc/source/encrypted_images.rst
@@ -49,6 +49,9 @@  For earlier versions of SWUpdate it was falsely noted that passing the SALT as a
 3rd parameter would increase security. Key and IV are enough for maximum security,
 salt doesn't add any value.
 
+You should change the IV with every encryption. The ``ivt`` sw-description attribute
+overrides the key file's IV for one specific image.
+
 Encryption of UBI volumes
 -------------------------
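
Review bot: The sentence introducing ``ivt`` says it "overrides the key file's IV for one specific image" but does not say what value the attribute takes or show it in use, and the commit message has no body explaining why the note is needed. Suggest stating the expected format of the value next to this sentence, adding ``ivt`` to the sw-description example in the same file, and giving the reason for the per-encryption IV in a sentence or a link.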