On 20 July 2018 at 20:45, Mark Brown <broonie@xxxxxxxxxx> wrote: > On Fri, Jul 20, 2018 at 10:02:21AM +0900, Ard Biesheuvel wrote: >> On 20 July 2018 at 00:50, Mark Brown <broonie@xxxxxxxxxx> wrote: > >> > Existing hardware can definitely do the IV generation and I believe that >> > it can chain multiple sectors together though I'd need to confirm this, >> > as mentioned elsewhere in the thread the ccree driver is for one of >> > the relevant devices. I've poked some relevant people. > >> As far as I can infer from the ccree driver source, IV generation and >> en/decryption are separate operations, and given that each sector >> requires both operations to be applied in sequence, letting the crypto >> layer handle an entire bio does not have any benefit *at the moment*. > > Interesting... they were reporting some benefits from that with their > out of tree driver prior to upstreaming (and there are other > implementations out there, that's the only one I definitely know about). > I have to confess I didn't look at their in tree driver, looking briefly > now it looks awfully like the hardware should be able to chain IV > generation together with encryption without bothering the CPU which > would be good enough. > Indeed interesting. But afaict, that would still mean that the IV generation transform and the payload transform would be expressed as a single crypto algorithm, e.g., 'dm(essiv-foo(aes),gcm(aes)), or the DM layer would still need to be involved in sequencing one operation after the other, and I don't think any of that support is in the current series. But I'm just a drive by reviewer here, so please correct me if I am wrong. >> In fact, it seems to me that the ability to use protected AES keys is >> much more appealing than any performance argument (including 'it may >> be slower but at least it does not load the CPU'), so some background >> on how such a change would enable this use case would be beneficial as >> well to getting this adopted. > > Right, that's another benefit which was on the radar for followup work. > >> So my recommendation would be to focus on moving the IV generation >> into the crypto layer, but conservatively, and not confuse people by >> making additional changes that could theoretically improve >> performance, but only on hardware that does not exist. > > It certainly seems like splitting things up will at least allow things > to progress. Indeed. -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel
