Message-ID: <4EA5547C.6030507@freesources.org>
Date: Mon, 24 Oct 2011 14:05:16 +0200
From: Jonas Meurer
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] [RFC] dm-crypt and hardware-optimized crypto modules
References: <4EA4A3B0.3030000@freesources.org> <4EA505E5.5080205@redhat.com>
In-Reply-To: <4EA505E5.5080205@redhat.com>

Hey Milan,

On 24.10.2011 08:29, Milan Broz wrote:
> On 10/24/2011 01:30 AM, Jonas Meurer wrote:
>
>> In the Debian bugreport #639832 [1], Simon Mackinlay pointed out
>> that hardware-optimized crypto driver modules aren't loaded
>> automatically at cryptsetup invocation in the boot process
>> (initramfs) in Debian.
>>
>> I verified this. At least for setups with aes support compiled
>> into the kernel, and hardware-optimized aes drivers (aes-x86_64,
>> aesni-intel) built as modules (which is the default for Debian
>> and Ubuntu kernels), the hardware-optimized aes modules aren't
>> loaded at cryptsetup invocation. (Sure, this is tested with
>> aes-encrypted volumes.) I didn't have time to check other setups
>> (e.g. everything built as modules) yet.
>
> If the modules are present at this time (either compiled-in or as
> separate modules) this seems to be a kernel cryptoAPI bug.

It seems like this is the case, yes. I verified that
hardware-optimized modules are present in the initramfs both in Debian
and Ubuntu. I tested the 3.0.0-12-generic kernel in Ubuntu so far, will
check other kernels and setups later.

> If it is not present (in initramfs) then the available module is used
> and later it is not replaced by the hw accelerated driver.

Yes, that makes a lot of sense to me. But as written above, the
hardware-optimized drivers are available as modules at the time of
cryptsetup invocation.

> Anyway, I am using aesni_intel loaded from Debian initramfs and it
> works with no hacks. Wonder what is the difference... (kernel 3.0.3
> but compiled with own config to own kernel deb package.)

Do you have crypto drivers compiled into the kernel? Or built as
modules? I guess that software drivers built into the kernel and
hardware drivers available as modules is the only setup with problems,
but didn't test it yet.

>> I'm happy to extend the initramfs scripts to load
>> hardware-optimized modules in case they're available before
>> cryptsetup is invoked. But such an implementation would be ugly
>> and hard to maintain as it needs to be updated for possible
>> kernel crypto driver changes. I would prefer a solution where the
>> kernel crypto api took responsibility for this task.
>
> I think it should load modules automatically according to its
> priorities (hw has always higher priority). Anyway, this is the
> question for linux-crypto (kernel) list.
>
> There is no way to force dm-crypt to load a specific driver.

Yes, I see the point that this is an issue for linux-crypto, and will
move the discussion to this list as soon as I did further
investigation.

Thanks for your answers!

Greetings,
 jonas
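
The thread turns on which registered implementation the kernel crypto API selects by priority. As an added example (not part of the original message, and not code from cryptsetup or the Debian initramfs scripts), the shell function below parses `/proc/crypto`-format text and prints the highest-priority implementation currently registered for an algorithm. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: print "driver module priority" for the highest-priority
# implementation of ALG among those registered. Reads /proc/crypto-format
# text on stdin; exits 1 if ALG has no registered implementation.
selected_impl() {
    awk -v alg="$1" '
        BEGIN { RS = ""; FS = "\n"; best = -1 }   # one record per paragraph
        {
            name = drv = mod = ""; prio = -1
            for (i = 1; i <= NF; i++) {
                p = index($i, ":")                # split at the first colon
                if (p == 0) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                if (k == "name") name = v
                else if (k == "driver") drv = v
                else if (k == "module") mod = v
                else if (k == "priority") prio = v + 0
            }
            if (name == alg && prio > best) {
                best = prio; out = drv " " mod " " prio
            }
        }
        END { if (best < 0) exit 1; print out }
    '
}

# Constructed sample: generic aes built into the kernel, accelerated
# driver modules present on disk but not loaded (the reported setup).
sample_before() {
cat <<'EOF'
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
EOF
}

# Constructed sample: the same system after aesni_intel has been loaded.
sample_after() {
sample_before
cat <<'EOF'

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300
EOF
}
```

On a live system, run `selected_impl aes < /proc/crypto` before and after cryptsetup is invoked; the algorithm name must match the `name` field exactly.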