From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] [RFC] dm-crypt and hardware-optimized crypto modules
Date: Mon, 24 Oct 2011 16:25:14 +0200
Message-ID: <20111024142514.GA12878@tansi.org>
In-Reply-To: <4EA555F1.9090506@freesources.org>
On Mon, Oct 24, 2011 at 02:11:29PM +0200, Jonas Meurer wrote:
> On 24.10.2011 08:21, Arno Wagner wrote:
> > Hi Jonas,
>
> Hey Arno,
>
> > the definite authority on this is Milan, but as far as I understand
> > module autoloading, as long as an implementation for a requested
> > cipher is already loaded, that will be used. Now, I expect it would
> > be possible to not build the normal AES module and thereby have the
> > HW-supported AES module loaded automatically when needed. As the
> > Debian distro-kernel cannot know HW-support would be there, it
> > obviously defaults to the software implementation.
>
> Nope, the Debian distro-kernel has software implementation built into
> the kernel, and hardware-accelerated drivers built as modules. So
> according to Milan's answers, the kernel crypto engine should load and
> use the hardware-optimised drivers in case they're supported.

Hmm. If the software-version is already compiled-in, that could
prevent auto-loading of the hw-version. I would expect that you
need both as modules or both compiled-in. Should be easy to test
though.

> > AFAIK, if both HW and SW support are loaded, HW support is used as
> > default. I think there is some kind of priority system in place.
> > But I am really only guessing here.
>
> I guess you're correct here ;)
>
> > I see two ways around this:
> >
> > 1. Load the HW module manually (or scripted). While I have not used
> > a Debian Distro kernel for a long time, I think adding the
> > HW-module to /etc/modules should accomplish that. No need to mess
> > with the initrd, unless possibly if you have encrypted root.
> >
> > 2. Roll your own kernel, possibly with HW support statically
> > compiled in. I have used Debian with kernels from kernel.org and
> > module-support turned off with good success for about 10 years now.
> > (I don't like initrds. Good for distros, but they complicate things
> > and complexity is the enemy of reliability and efficiency. Also, I
> > like to mess around with my installations and initrds make that
> > harder. I also do not like to use kernel modules very much,
> > although it is definitely good that they are there.)
> >
> > To use your own kernel with Debian, just boot it and tell it the
> > root partition. Of course you have to make sure it somehow has the
> > drivers it needs to find and mount the root partition.
>
> As I'm the maintainer of cryptsetup in Debian, I'm searching for a
> solution for default setups.

Ah, sorry. That gives you a different perspective obviously.

> I know how to manually tweak setups to
> use the hardware-optimized crypto drivers. But I need a solution for
> the default setup with default distro-kernel. Thus building custom
> kernels is out of scope in my case.

I can see that, yes.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
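
Added example, not part of the original message or of any project's code: one way to check which implementation the kernel crypto API currently prefers for each algorithm is to read /proc/crypto and pick the highest `priority` entry per `name`. The sample text is constructed for illustration; `module : kernel` marks a built-in implementation, and the function names are hypothetical.

```python
"""Rank kernel crypto implementations by priority from /proc/crypto-style text."""
import sys
from collections import defaultdict

# Constructed sample in /proc/crypto layout (not captured from a real host).
SAMPLE = """\
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
"""

def parse_proc_crypto(text):
    """Split blank-line-separated entries into dicts of 'key : value' fields."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif current:
            entries.append(current)
            current = {}
    return entries

def preferred(text):
    """Map algorithm name -> (driver, module, priority) of the top-priority entry."""
    by_name = defaultdict(list)
    for entry in parse_proc_crypto(text):
        by_name[entry["name"]].append(entry)
    best = {}
    for name, group in by_name.items():
        top = max(group, key=lambda e: int(e.get("priority", 0)))
        best[name] = (top["driver"], top.get("module", "?"), int(top.get("priority", 0)))
    return best

if __name__ == "__main__":
    # Pass /proc/crypto as the argument on a Linux host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, (driver, module, prio) in sorted(preferred(text).items()):
        print(f"{name:<12} {driver:<18} module={module:<12} priority={prio}")
```

/proc/crypto lists only registered implementations, so a hardware driver whose module has not been loaded does not appear in the output.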