Re: [Qemu-devel] Question about add AF_ALG backend for virtio-crypto

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrange" <berrange@redhat.com>
To: "Gonglei (Arei)" <arei.gonglei@huawei.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>,
	longpeng <longpeng2@huawei.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	QEMU-DEV <qemu-devel@nongnu.org>,
	"Wubin (H)" <wu.wubin@huawei.com>,
	"Zhoujian (jay, Euler)" <jianjay.zhou@huawei.com>
Subject: Re: [Qemu-devel] Question about add AF_ALG backend for virtio-crypto
Date: Tue, 10 Jan 2017 12:03:54 +0000	[thread overview]
Message-ID: <20170110120354.GH27720@redhat.com> (raw)
In-Reply-To: <33183CC9F5247A488A2544077AF19020DA182ADA@DGGEMA505-MBX.china.huawei.com>

On Tue, Jan 10, 2017 at 11:36:19AM +0000, Gonglei (Arei) wrote:
> Hi Daniel,
> 
> >
> > >
> > > >
> > > > On Mon, Jan 09, 2017 at 01:43:10PM +0000, Stefan Hajnoczi wrote:
> > > > > On Mon, Jan 09, 2017 at 03:04:55PM +0800, Longpeng (Mike) wrote:
> > > > > > I'm one of Gonglei's virtio-crypto project members, and we plan to add a
> > > > AF_ALG
> > > > > > backend for virtio-crypto(there's only builtin-backend currently).
> > > > > >
> > > > > > I found that Catalin, Paolo and Stefan had discussed about this in 2015
> > > > > > (http://www.spinics.net/lists/kvm/msg115457.html), but it seems that
> > > > Catalin
> > > > > > didn't do it, so I'm confuse about wether it is need to add a AF_ALG
> > > > backend.
> > > > > >
> > > > > > Do you have any suggestion? Thanks :)
> > > > >
> > > > > I have no objections to an AF_ALG backend in QEMU.
> > > >
> > > > Rather than do another backend for virtio-crypto, IMHO, we should have
> > > > an AF_ALG impl of the crypto/ APIs. That way any potential performance
> > > > benefits will enhance our LUKS encryption code too.
> > > >
> > > According to the currently schemas of crypto/ APIs, we can't choose the
> > > specific backend dynamically. This is a limitation for virtio-crypto
> > > device I think.
> > 
> > Do we really need to be able to choose the backend explicitly. If the AF_ALG
> > backend is faster, why would you simply not use that automatically if it is
> > available.
> 
> Can we realize the purpose based on the crypto/ APIs? IIUC the crypto
> subsystem chooses a backend during the building according to the specific priority,
> nettle > gcrypt > cipher-builtin.
> 
> If we add an AF_ALG implementation for crypto subsystem, shall we set it
> as the highest priority? If so, other backends won't be used since AF_ALG
> is always available. If not, how can we use AF_ALG backend for crypto/ API?
> 
> Please correct me if I'm missing something.

While AF_ALG has been available for a while, not all features have. For
example AEAD support was only added in kernel 4.1

So if we had AF_ALG in QEMU, we would have to have a stacked impl, where
we try AF_ALG and then fallback to the current code when QEMU runs on a
kernel lacking the feature needed.

We could potentially also have a global arg to switch backends e.g.

 -crypto-backend [afalg|builtin]


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

next prev parent reply	other threads:[~2017-01-10 12:04 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-09  7:04 [Qemu-devel] Question about add AF_ALG backend for virtio-crypto Longpeng (Mike)
2017-01-09 13:43 ` Stefan Hajnoczi
2017-01-09 16:25   ` Daniel P. Berrange
2017-01-10  9:03     ` Gonglei (Arei)
2017-01-10 10:03       ` Daniel P. Berrange
2017-01-10 11:36         ` Gonglei (Arei)
2017-01-10 12:03           ` Daniel P. Berrange [this message]
2017-01-10 12:17             ` Gonglei (Arei)
2017-01-10 13:30               ` Daniel P. Berrange
2017-02-08 10:46                 ` Longpeng (Mike)
2017-02-08 10:53                   ` Daniel P. Berrange
2017-02-09  2:58                     ` Longpeng (Mike)
2017-02-09 10:11                       ` Daniel P. Berrange
2017-02-09 11:03                         ` Longpeng (Mike)
2017-02-09 11:22                           ` Daniel P. Berrange

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170110120354.GH27720@redhat.com \
    --to=berrange@redhat.com \
    --cc=arei.gonglei@huawei.com \
    --cc=jianjay.zhou@huawei.com \
    --cc=longpeng2@huawei.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=stefanha@redhat.com \
    --cc=wu.wubin@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.