From: Simon Richter <Simon.Richter@hogyros.de>
To: Demi Marie Obenour <demiobenour@gmail.com>,
Eric Biggers <ebiggers@kernel.org>
Cc: Jan Schaumann <jschauma@netmeister.org>,
iwd@lists.linux.dev,
Linux kernel mailing list <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: AF_ALG hardening
Date: Sat, 2 May 2026 17:19:14 +0900 [thread overview]
Message-ID: <9f020da7-97c5-41cc-b0f1-d8aab1bb39ec@hogyros.de> (raw)
In-Reply-To: <3cc88b2d-fbd6-4e47-b82c-3c685fec0581@gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 4788 bytes --]
Hi,
On 5/2/26 13:52, Demi Marie Obenour wrote:
>> Of course, it'll also be a fair a bit of work, and unfortunately I also
>> expect pushback from people who (incorrectly IMO) think that AF_ALG
>> performance is important, even moreso than security.
AF_ALG performance (time/power) is important in the way that it's
literally the only point to its existence. If all it provides is extra
overhead over a software implementation, then it makes no sense to keep it.
> If one cares about crypto offload performance, they would be better
> served by creating a better interface to it than AF_ALG. AF_ALG is
> a horrible API with (presumably) tons of overhead. I know the QAT
> driver and an Nvidia BlueField DPU accelerator driver both bypass it.
The API is designed to be zerocopy, that's why it's this horrible
combination of socket API and splice(). The general assumption here is
that it does not make sense to offload small requests in the first
place, and application programmers are aware of that.
The use case is "I have a file or pipe full of data and a device with a
kernel driver that should process it, can we somehow avoid copying the
data to userspace only to immediately copy it back to kernelspace?"
This copying is even more silly if the actual question I have in
userspace is "what is the SHA256 checksum of this file?" or "what is the
SHA256 checksum of the string 'blob 8794311528\0' followed by this
file?" (where you can see why anyone would ask such a silly question and
prefer to use the dedicated hardware that processes 24 GB/s over the CPU
at 100 MB/s)
> Furthermore, AF_ALG only supports symmetric algorithms. These
> algorithms are inexpensive in software, so the cost of going to an
> accelerator and back is enormous compared to the cost of a single
> operation.
Yes, initial setup cost is high, so this only makes sense for large
requests or batches (submitting individual requests is generally cheap,
the difficulty is ensuring the data is accessible to the hardware).
That's also why there are no asymmetric algorithms: these aren't
generally used on large amounts of data, so it's never worth it to
offload these.
It would make sense to offload asymmetric algorithms if there was a
secure key storage inside the device, but AFAIK the API does not support
that, or even the notion of on-device contexts.
It is not a good API, and it sits on top of the ahash/acomp/acrypt
interfaces which are also unfriendly to accelerator hardware.
> For offload to even a very fast accelerator to make sense,
> one must be able to deeply pipeline requests. However, this creates
> a huge amount of additional complexity for software.
Software that has requirements like that is already complex -- if I have
a few thousand workload packets, I need a worker pool.
If I don't have these requirements, then indeed I am better off with a
software-only solution in userspace, because it is not relevant from a
performance standpoint.
> Asymmetric accelerators also don't have a better alternative in the
> form of inline encryption hardware.
Quite a number of architectures do not have inline encryption support,
and these are more likely to use offload hardware even for smaller
requests (e.g. for power saving).
> I think a high performance interface to hardware cryptography (and,
> more importantly, compression) would look much more like RDMA.
> There would be a kernel driver that did the bare minimum to provide
> isolation between userspace programs, and a userspace driver that
> was responsible for abstracting over the hardware.
Offload hardware comes in two flavours: the high-throughput kind, built
into devices where no one cares about power, and the
lower-power-than-the-CPU-doing-it kind.
The former can easily provide user contexts even in virtualized
environments, but the latter is generally found in systems that do not
even have an IOMMU. Either we have two distinct interfaces for these, or
we need one that can handle either.
My feeling is that no one is happy with either AF_ALG or the
asynchronous interfaces in general, so I think they should be removed
completely, and there should be a separate "offload" SIG that creates
new interfaces that are actually usable with current hardware.
> 1. Get rid of zero-copy support (splice()).
> 2. Get rid of AIO support.
> 3. Only allow software implementations.
That makes sense if we're forced to keep the interface for now, but it
means that offload support through the crypto subsystem is completely
dead, and anyone wanting to support offload hardware needs to go
elsewhere. Can we get a definitive statement that this is intended?
Simon
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2026-05-02 8:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <afJorKIje4O6dXbH@netmeister.org>
[not found] ` <d6111caa-db61-498a-92cb-ea7a0aa0a5e2@ehuk.net>
[not found] ` <87se8dgicq.fsf@gentoo.org>
[not found] ` <afL-QhLfEKqHZqka@eldamar.lan>
[not found] ` <20260430071917.GB54208@sol>
[not found] ` <177abb5d-8ba9-4bb9-8b23-9fbc868ed3cd@gmail.com>
[not found] ` <20260501180028.GA2260@sol>
[not found] ` <19837ef5-e5b6-45f4-8336-3ce07423dfb1@gmail.com>
[not found] ` <20260501201841.GA2540@quark>
[not found] ` <c13dd3c5-ddc1-431e-bc7d-2de39c551f8e@gmail.com>
[not found] ` <20260502033556.GA3872267@google.com>
2026-05-02 4:52 ` AF_ALG hardening Demi Marie Obenour
2026-05-02 8:19 ` Simon Richter [this message]
2026-05-02 20:42 ` Demi Marie Obenour
2026-05-02 19:16 ` Eric Biggers
2026-05-04 19:01 ` Simon Richter
2026-05-04 19:54 ` Eric Biggers
[not found] ` <20260502035402.GB3872267@google.com>
[not found] ` <378c2ca2-417a-4969-bda5-b7d3f3e8b6fd@gmail.com>
[not found] ` <CAM=PXV4q2i13W8Z_AZGDfdxbqWANJ=U4Sw3FTcv5mH_QUrrSfA@mail.gmail.com>
[not found] ` <afcqxCv58YrhbtVr@definition.pseudorandom.co.uk>
2026-05-03 19:20 ` [oss-security] CVE-2026-31431: CopyFail: linux local privilege scalation Greg Dahlman
[not found] ` <cfe5a1f5-f7fe-44a5-8af9-8e4c8d68b3d7@terraraq.uk>
2026-05-02 22:32 ` Demi Marie Obenour
2026-05-03 6:30 ` Peter Gutmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9f020da7-97c5-41cc-b0f1-d8aab1bb39ec@hogyros.de \
--to=simon.richter@hogyros.de \
--cc=demiobenour@gmail.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=iwd@lists.linux.dev \
--cc=jschauma@netmeister.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox