authorJoseph Richey <joerichey@google.com>2020-03-23 14:24:23 -0700
committerGitHub <noreply@github.com>2020-03-23 14:24:23 -0700
commitab531eea551598170e4dd973fa5955f01b5c0318 (patch)
treead01ed9d6ffa3d9715c40ff14041f95978107ba7 /cmd/fscrypt/setup.go
parentb43cb6970da16fea7aa2c073a83891909a2833b1 (diff)
parent02ec13d8d96fc16282998f8355074dad53271591 (diff)
Merge pull request #205 from ebiggers/autoselect-v2
Automatically enable policy_version 2 when kernel support is detected
Diffstat (limited to 'cmd/fscrypt/setup.go')
-rw-r--r--cmd/fscrypt/setup.go16
1 files changed, 15 insertions, 1 deletions
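--- a/cmd/fscrypt/setup.go
+++ b/cmd/fscrypt/setup.go
@@ -50,8 +50,22 @@ func createGlobalConfig(w io.Writer, path string) error {
 return err
 }
+ // v2 encryption policies are recommended, so set policy_version 2 when
+ // the kernel supports it. v2 policies are supported by upstream Linux
+ // v5.4 and later. For now we simply check the kernel version. Ideally
+ // we'd instead check whether setting a v2 policy actually works, in
+ // order to also detect backports of the kernel patches. However, that's
+ // hard because from this context (creating /etc/fscrypt.conf) we may
+ // not yet have access to a filesystem that supports encryption.
+ var policyVersion int64
+ if util.IsKernelVersionAtLeast(5, 4) {
+ fmt.Fprintln(w, "Defaulting to policy_version 2 because kernel supports it.")
+ policyVersion = 2
+ } else {
+ fmt.Fprintln(w, "Defaulting to policy_version 1 because kernel doesn't support v2.")
+ }
 fmt.Fprintln(w, "Customizing passphrase hashing difficulty for this system...")
- err = actions.CreateConfigFile(timeTargetFlag.Value, legacyFlag.Value)
+ err = actions.CreateConfigFile(timeTargetFlag.Value, policyVersion)
 if err != nil {
 return err
 }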
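Review bot: The else branch prints "Defaulting to policy_version 1" but never assigns `policyVersion`, so `actions.CreateConfigFile` receives the zero value 0 rather than the 1 the user was told about; unless CreateConfigFile maps 0 to 1 (not visible from this hunk), the written config will not match the message, and even if it does, the message's correctness then silently depends on a default defined in another package. Make the value explicit so the argument and the message agree: add `policyVersion = 1` after the `fmt.Fprintln` in the else branch, or initialise with `policyVersion := int64(1)` and overwrite it with 2 when the kernel check passes. A smaller point is that `util.IsKernelVersionAtLeast(5, 4)` reflects the kernel running at the moment `fscrypt setup` executes, which in a chroot or image build may not be the kernel the target system will boot, so the message would be more useful if it said how to override the choice (presumably by editing policy_version in the config file the comment identifies as /etc/fscrypt.conf). createGlobalConfig begins and ends outside this hunk.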