[dm-crypt] [RFC] dm-crypt and hardware-optimized crypto modules

Jonas Meurer jonas at freesources.org
Mon Oct 24 14:05:16 CEST 2011

Hey Milan,

On 24.10.2011 08:29, Milan Broz wrote:
> On 10/24/2011 01:30 AM, Jonas Meurer wrote:
>> In the Debian bug report #639832 [1], Simon Mackinlay pointed out
>> that hardware-optimized crypto driver modules aren't loaded
>> automatically at cryptsetup invocation in the boot process
>> (initramfs) in Debian.
>> I verified this. At least for setups with aes support compiled
>> into the kernel, and hardware-optimized aes drivers (aes-x86_64, 
>> aesni-intel) built as modules (which is the default for Debian
>> and Ubuntu kernels), the hardware-optimized aes modules aren't
>> loaded at cryptsetup invocation. (Sure, this is tested with
>> aes-encrypted volumes.) I didn't have time to check other setups
>> (e.g. everything built as modules) yet.
> If the modules are present at this time (either compiled-in or as
> separate modules) this seems to be a kernel cryptoAPI bug.

It seems like this is the case, yes. I verified that
hardware-optimized modules are present in the initramfs both in Debian
and Ubuntu. I tested the 3.0.0-12-generic kernel in Ubuntu so far,
will check other kernels and setups later.

> If it is not present (in initramfs) then available module is used
> and later it is not replaced by hw accelerated driver.

Yes, that makes a lot of sense to me. But as written above, the
hardware-optimized drivers are available as modules at the time of
cryptsetup invocation.

> Anyway, I am using aesni_intel loaded from Debian initramfs and it
> works with no hacks. Wonder what is the difference... (kernel 3.0.3
> but compiled with own config to own kernel deb package.)

Do you have crypto drivers compiled into the kernel? Or built as
modules? I guess that software drivers built into the kernel and
hardware drivers available as modules is the only setup with problems,
but didn't test it yet.

>> I'm happy to extend the initramfs scripts to load
>> hardware-optimized modules in case they're available before
>> cryptsetup is invoked. But such an implementation would be ugly
>> and hard to maintain as it needs to be updated for possible
>> kernel crypto driver changes. I would prefer a solution where the
>> kernel crypto api took responsibility for this task.
> I think it should load modules automatically according to its
> priorities (hw has always higher priority). Anyway, this is the
> question for linux-crypto (kernel) list.
> There is no way to force dm-crypt to load a specific driver.

Yes, I see the point that this is an issue for linux-crypto, and will
move the discussion to this list as soon as I have done further investigation.

Thanks for your answers!
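
A way to check the situation discussed in this thread, added here as an example and not part of the original message or of cryptsetup: parse `/proc/crypto` and report which registered implementation has the highest priority for an algorithm. The function names and the embedded sample data (including the priority values) are constructed for illustration.

```python
"""Which registered driver would the kernel crypto API prefer for an algorithm?"""
import sys

# Constructed samples in /proc/crypto layout; priority values are illustrative.
ONLY_GENERIC = """\
name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
"""
WITH_HW_MODULES = ONLY_GENERIC + """
name         : aes
driver       : aes-asm
module       : aes_x86_64
priority     : 200

name         : aes
driver       : aes-aesni
module       : aesni_intel
priority     : 300
"""

def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per registered implementation."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last block
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
        elif current:
            entries.append(current)
            current = {}
    return entries

def preferred_driver(text, algorithm="aes"):
    """Return (driver, module, priority) of the highest-priority entry, or None."""
    found = [e for e in parse_proc_crypto(text)
             if e.get("name") == algorithm and e.get("priority", "").isdigit()]
    if not found:
        return None
    best = max(found, key=lambda e: int(e["priority"]))
    return best.get("driver"), best.get("module"), int(best["priority"])

if __name__ == "__main__":
    # Pass /proc/crypto as the argument on a live system; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WITH_HW_MODULES
    print(preferred_driver(text))
```

`/proc/crypto` lists only implementations that are currently registered, so a hardware driver whose module has not been loaded does not appear at all, and the result describes what a new allocation would get, not what an already-open mapping is using.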
