[Pkg-cryptsetup-devel] Bug#445186: Bug#445186: cryptsetup: Please load optimized cipher kernel modules by default
David Härdeman
david at hardeman.nu
Thu Oct 4 14:38:26 UTC 2007
On Wed, October 3, 2007 22:52, Reinhard Tartler wrote:
> In ubuntu, we have patched cryptsetup so that it looks for
> optimized ciphers kernel modules and loads them if
> available. Please consider merging this patch to debian.
In general a good idea, some comments below:
> diff -pruN 2:1.0.5-2/debian/cryptdisks.functions
> 2:1.0.5-2ubuntu1/debian/cryptdisks.functions
> --- 2:1.0.5-2/debian/cryptdisks.functions 2007-10-03 00:08:07.000000000
> +0100
> +++ 2:1.0.5-2ubuntu1/debian/cryptdisks.functions 2007-10-03
> 00:07:57.000000000 +0100
> @@ -1,3 +1,8 @@
> +#
> +# This file is for inclusion with
> +# . /lib/cryptsetup/cryptdisks.functions
> +# and should not be executed directly.
> +
> PATH="/sbin:/bin"
> TABFILE=/etc/crypttab
> CRYPTDISKS_ENABLE="Yes"
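Review bot: The header comment added at the top of cryptdisks.functions is unrelated to loading optimized cipher modules. It would be easier to review and merge as a separate change.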
> @@ -391,6 +412,18 @@ do_close () {
> return $?
> }
>
> +load_optimized_aes_module () {
> + local asm_module modulesdir
> +
> + # find directory with kernel modules
> + modulesdir="/lib/modules/`uname -r`"
> + # Add assembly optimized AES module if it exists
> + asm_module=`ls -1 "$modulesdir"/kernel/arch/*/*/aes*.ko`
> + if [ $asm_module ];then
if [ -n "$asm_module" ]; then....but see below
> + insmod $asm_module 2>/dev/null || true
> + fi
> +}
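Review bot: In load_optimized_aes_module, the unquoted `[ $asm_module ]` test breaks when the glob matches more than one file: the test receives several words, prints an error, and the branch is skipped, so nothing is loaded. Quote the variable and handle the multiple-match case explicitly. `insmod $asm_module` also loads the file by path, which bypasses modprobe blacklists and dependency handling; resolving the module name and calling modprobe keeps both. Only insmod's stderr is redirected, so the `ls` call prints an error on systems where no aes*.ko exists under kernel/arch.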
It seems unnecessary to have an aes-specific function, why not:
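load_optimized_module() {
    local module optmodule
    module="$1"
    # Look for an arch-specific (optimized) variant of the module
    optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null)
    # Use it only if exactly one candidate was found
    if [ -n "$optmodule" ] && [ "$(echo "$optmodule" | wc -l)" -eq 1 ]; then
        # modprobe takes a module name, not a path
        modprobe "$(basename "$optmodule" .ko)" 2>/dev/null && return 0
    fi
    # Fall back to the generic module
    modprobe "$module" 2>/dev/null || return 1
    return 0
}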
(I haven't tested that code, I just wrote it up to show the idea)
Advantages:
* works for all kinds of modules (twofish for example).
* use of modprobe allows blacklists to work
* falls back on non-optimized module automatically
* detects if more than one candidate is found (most likely an error) and
falls back to unoptimized
> # Sets up all entries in crypttab
> do_start () {
> local dst src key opts result
> @@ -399,6 +432,7 @@ do_start () {
> modprobe -qb dm-crypt || true
> dmsetup mknodes > /dev/null 2>&1 || true
> log_action_begin_msg "Starting $INITSTATE crypto disks"
> + load_optimized_aes_module
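Review bot: The call to load_optimized_aes_module in do_start is unconditional, so the AES module is loaded on every start even when no crypttab entry uses AES, and other ciphers get no equivalent treatment. Consider making the call depend on the cipher configured for each entry.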
With the above function, the function call could go someplace else
(probably to the "cipher" part of the big switch statement in parse_opts).
> --- 2:1.0.5-2/debian/initramfs/cryptroot-hook 2007-10-03
> 00:08:07.000000000 +0100
> +++ 2:1.0.5-2ubuntu1/debian/initramfs/cryptroot-hook 2007-10-03
> 00:07:57.000000000 +0100
> @@ -357,9 +371,18 @@ add_device() {
>
> # Unless MODULES = "dep", we always add a basic subset of modules/tools
> if [ "$MODULES" != "dep" ]; then
> - for mod in dm_mod dm_crypt aes sha256 cbc; do
> + for mod in dm_mod dm_crypt sha256 cbc; do
> manual_add_modules $mod
> done
> +
> + # Add assembly optimized AES module if it exists
> + asm_module=`find "$MODULESDIR"/kernel/arch/ -name aes\*`
> + if [ $asm_module ];then
> + manual_add_modules `basename "$asm_module"|sed s/.ko//`
> + else
> + manual_add_modules aes
> + fi
> +
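Review bot: In the asm_module lookup, `find ... -name aes\*` matches any file whose name begins with aes, not only .ko modules, and the unquoted `[ $asm_module ]` errors out if more than one path is returned, in which case the else branch silently adds only the generic aes. Restrict the match to `aes*.ko` and quote the variable. The `sed s/.ko//` expression is unanchored and its dot matches any character, so it can strip a "ko" sequence from the middle of a name; `basename "$asm_module" .ko` does the job on its own. When an optimized module is found, the generic aes is no longer added to the initramfs, so there is no fallback at boot if the optimized one fails to load.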
And then a copy of the function above, but with manual_add_modules instead
of modprobe, can be added to the initramfs hook.
--
David Härdeman