Re: [dm-crypt] [RFC] dm-crypt and hardware-optimized crypto modules

[Jonas Meurer <jonas@freesources.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Milan,

Am 24.10.2011 08:29, schrieb Milan Broz:
> On 10/24/2011 01:30 AM, Jonas Meurer wrote:
> 
>> In the Debian bugreport #639832 [1], Simon Mackinlay pointed out,
>> that hardware-optimized crypto driver modules aren't loaded
>> automatically at cryptsetup invokation in the boot process
>> (initramfs) in Debian.
>> 
>> I verified this. At least for setups with aes support compiled
>> into the kernel, and hardware-optimized aes drivers (aes-x86_64, 
>> aesni-intel) built as modules (which is the default for Debian
>> and Ubuntu kernels), the hardware-optimized aes modules aren't
>> loaded at cryptsetup invokation. (Sure, this is tested with
>> aes-encrypted volumes.) I didn't have time to check other setups
>> (e.g. everything built as modules) yet.
> 
> If the modules are present at this time (either compiled-in or as
> separate modules) this seems to be kernel cryptoAPI bug.

It seems like this is the case, yes. I verified that
hardware-optimized modules are present in the initramfs both in Debian
and Ubuntu. I tested the 3.0.0-12-generic kernel in Ubuntu so far,
will check other kernels and setups later.

> If it is not present (in intramfs) then available module is used
> and later it is not replaced by hw accelerated driver.

Yes, that makes a lot of sense to me. But as written above, the
hardware-optimized drivers are available as modules at the time of
cryptsetup invokation.

> Anyway, I am using aesni_intel loaded from Debian initramfs and it
> works with no hacks. Wonder what is the difference... (kernel 3.0.3
> but compiled with own config to own kernel deb package.)

Do you have crypto drivers compiled into the kernel? Or built as
modules? I guess that software drivers built into the kernel and
hardware drivers available as modules is the only setup with problems,
but didn't test it yet.

>> I'm happy to extend the initramfs scripts to load
>> hardware-optimized modules in case they're available before
>> cryptsetup is invoked. But that an implementation would be ugly
>> and hard to maintain as it needs to be updated for possible
>> kernel crypto driver changes. I would prefer a solution where the
>> kernel crypto api took responsibility for this task.
> 
> I think it should load modules automatically according to its
> priorities (hw has always higher priority). Anyway, this is the
> question for linux-crypto (kernel) list.
> 
> There is no way how to force dm-crypt load specific driver.

Yes, I see the point that this is a issue for linux-crypto, and will
move the discussion to this list as soon as I did further investigation.

Thanks for your answers!

Greetings,
 jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJOpVRwAAoJEFJi5/9JEEn+LAMQAKLyIr8YZZMF2vYC/2pwN9WG
PI295FhABcdXCMuaD2GFbbW4euF7DSaknQF0uOFpxevm1wpXtlxOPFDPb6cD6YS2
9/n12quqVnfcgCsUo7cyWmZqZQylfQyuA6Xs/iamoaF7Y8SKXzLcazlNSRYHhCt9
lT03CdkTSGAR0g4Kbek8CT/lEjcjZ/DMO4OBCaPPZi9GppauW5eTu3yRvLZexZe7
xtiD2ZZoVu7YHIimMs/zbOvzi3Yo+nEPj6uQOeFkFjxHX/eMScKOcPzKX+KqvYqO
mDSMiMeDyxv5AVc8jdvgJUftbAIZ9mOPGxvIrI61v006KMHftC0NOlnlIz7xC7RG
E0XW+956sHLfDBRnfTe4dxuZYPHy4RjgwVJVBHvacSHl6IKu/jZHowadDglaF8NT
EJGdKRgnlkgAK3rb0APmBzd4WM/PY2Cew43Z5Ux1vLyH7/ZtXv6NlK6l7k6SBkoB
q4QChUlVzpLTKgZ5QCesMtyI/TVqjSHv3WEVOOwW3FLTT6riexYe6BzaHvoJUQXq
1DqmzCHhNjr6Fq5f++PuiKQSvb0MPn4dk+ZK7gXHshoNG05uSmXgTKr3l13oP9/5
XdiecNJF0eQjfSttLkc+T/LYVRlTanbyWODwlgPZaugDyDgBmUJsSyGV5xTt2w23
mZ4Rl1Au3UofuudPqf10
=Cu6i
-----END PGP SIGNATURE-----