* Jonas Meurer | 2009-08-31 17:52:00 [+0200]: >> Could someone please look at initramfs to figure out why those three >> modules are not copied in this reduced setup? > >the reason is simply that no other crypto modules define depends on the >listed ones: Well yes, but aes cbc is placed in the new initrd. I took a look, read below. >so the following depends should be added/changed: > >- chainiv should depend o 'krng' instead of 'rng' at least rng is a subsubsystem within crypto. krng is one implementation which provides random numbers. So does ansi_cprng. Another implementation may come. >- maybe cipher modules like aes,serpent,... should depend on 'cryptomgr' > instead of 'crypto_algapi' This isn't possible without dummy variables because they don't need each other in first place. We could move code but crypto_algapi can live without cryptomgr. However cryptomgr doesn't make sense without crypto_algapi. Lets say you have a VIA CPU which provides cbc(aes) in HW. So you don't need cryptomgr because cbc(aes) is allready available. You need aes_generic but that's another story :) >- crypto_algapi should depend on chainiv chainiv is one possible implementation eseqiv is another one. The later is used on async-hw and in 2.6.32+ on SMP afaik. >these changes are pure guesses, i don't know the details. but at least >additional depends need to be defined for crypto modules, don't you >think so? We have them in Kconfig. All required modules are built and are available. However the things aren't that easy. The crypto subsystem is very flexible and undocumented and this is the problem here I think. Another example: The geode aes HW/driver can handle cbc(aes) requests as long as its keysize is 128bits. Larger keys can't be handled by HW so we fallback to the next implementation. If you just copy the geode module then the geode module won't work because an alternative implementation is missing. So this brings me to the following question: Why are you so picky and you don't take all of the modules? sh 2.6.30-1 on various debian archs: du -sh x86_64 i386 powerpc s390x mips(r5k-ip32) crypto 720K 636K 1.1M 804K 968K arch/<arch>/crypto 72K 36K 0 92K 0 driver/crypto 32K 60K 60K 0 52K Total 824K 732K 1.2M 896K 1020 So all modules together have an average footprint of 941.0K. This isn't that much. There is no size limit on initrd unless you are on a system with has 32MiB or something like that :) With *all* those crypto modules which are selected and built you are able to cover all corner cases. I took a look at hooks/cryptroot and really and only a few modules are included. Right now you don't include HW cipher e.g. VIA's padlock or AMD's geode. If you don't load those module while openning the root partition (the first request), then the module is never loaded / used. The other unhandled case are non default ciphers like xts(aes) which one might use. The brand new aes implementation aesni-intel is also not be considered. Most modules have _generic in their name if there is another implementation available and <name>-arch if there is an assembly variant but I would prefer that this does not become part of an ABI where one can rely on. Would it be okay for you to change the way the crypto modules are picked and include the full set? >greetings, > jonas Sebastian -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html