From: Eric Biggers <ebiggers@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
	Roberto Sassu <roberto.sassu@huawei.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ima: remove buggy support for asynchronous hashes
Date: Sat, 14 Mar 2026 11:25:01 -0700
Message-ID: <20260314182501.GA40504@quark>
In-Reply-To: <1c5f16f0913bae48bf2f24feaaaf3525ecdf4c97.camel@linux.ibm.com>

On Thu, Mar 12, 2026 at 07:29:05PM -0400, Mimi Zohar wrote:
> On Wed, 2026-03-11 at 22:39 -0700, Eric Biggers wrote:
> > IMA computes hashes using the crypto_shash or crypto_ahash API.  The
> > latter is used only when ima.ahash_minsize is set on the command line,
> > and its purpose is ostensibly to make the hash computation faster.
> > 
> > However, going off the CPU to a crypto engine and back again is actually
> > quite slow, especially compared with the acceleration that is built into
> > modern CPUs and the kernel now enables by default for most algorithms.
> > Typical performance results for SHA-256 on a modern platform can be
> > found at https://lore.kernel.org/linux-crypto/20250615184638.GA1480@sol/
> > 
> > Partly for this reason, several other kernel subsystems have already
> > dropped support for the crypto_ahash API.
> 
> The performance benefit was the ability of reading and filling a buffer from 
> disk, which was slow, while the other buffer was sent to the crypto engine.

On normal filesystems, sequential reads from a file already kick off
async readahead.  So the hashing and disk reads can already happen
concurrently anyway.

- Eric


Thread overview: 4+ messages
2026-03-12  5:39 [PATCH] ima: remove buggy support for asynchronous hashes Eric Biggers
2026-03-12 23:29 ` Mimi Zohar
2026-03-14 18:25   ` Eric Biggers [this message]
2026-03-17 14:13     ` Dmitry Kasatkin
