crypto: increase default pbkdf2 time for luks to 2 seconds
authorDaniel P. Berrange <berrange@redhat.com>
Wed, 7 Sep 2016 11:48:32 +0000 (12:48 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Mon, 19 Sep 2016 15:30:45 +0000 (16:30 +0100)
cryptsetup recently increased the default pbkdf2 time to 2 seconds
to partially mitigate improvements in hardware performance wrt
brute-forcing the pbkdf algorithm. This updates QEMU defaults to
match.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
crypto/block-luks.c
qapi/crypto.json

index 3ab3250e3da5d1471c1ec43d6e31c9589e486216..a848232034dad84b5b90e135335cdddd5ea646b0 100644 (file)
@@ -921,7 +921,7 @@ qcrypto_block_luks_create(QCryptoBlock *block,
 
     memcpy(&luks_opts, &options->u.luks, sizeof(luks_opts));
     if (!luks_opts.has_iter_time) {
-        luks_opts.iter_time = 1000;
+        luks_opts.iter_time = 2000;
     }
     if (!luks_opts.has_cipher_alg) {
         luks_opts.cipher_alg = QCRYPTO_CIPHER_ALG_AES_256;
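Review bot: The new default `2000` is a bare literal with no unit, and the same number is repeated in the `@iter-time` documentation in qapi/crypto.json, so the two can drift apart on the next bump. A comment on the assignment such as `/* default PBKDF2 time in milliseconds, matching cryptsetup; keep in sync with @iter-time in qapi/crypto.json */` would make the unit and the coupling explicit. The default only applies when `has_iter_time` is false, and no lower bound on a caller-supplied `iter_time` is visible in this hunk, so it is worth confirming that a very small value cannot silently weaken passphrase stretching. The body of qcrypto_block_luks_create starts and ends outside the hunk, so such a check may already exist elsewhere.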
index 2b6118f660bf680ac70f7c6f263aee245b0c4ad4..6933b13bd01df5a9bdf127d212e4b79c0888f32c 100644 (file)
 #            Currently defaults to 'sha256'
 # @iter-time: #optional number of milliseconds to spend in
 #             PBKDF passphrase processing. Currently defaults
-#             to 1000. (since 2.8)
+#             to 2000. (since 2.8)
 # Since: 2.6
 ##
 { 'struct': 'QCryptoBlockCreateOptionsLUKS',