Linux-Security-Module Archive on lore.kernel.org
* Can KEY_DH_OPERATIONS become tristate? (was: Re: Kernel 5.3.0 stuck during boot on Amiga)
From: Geert Uytterhoeven @ 2019-09-18 14:27 UTC
  To: John Paul Adrian Glaubitz
  Cc: Michael Schmitz, linux-m68k, Mat Martineau, David Howells,
	James Morris, Serge E. Hallyn, keyrings, linux-security-module,
	Linux Kernel Mailing List

CC crypto keys people

TL;DR: CONFIG_CRYPTO_DH=y is reported to cause boot delays of several
minutes on old and slow machines. Can KEY_DH_OPERATIONS be made tristate?

On Wed, Sep 18, 2019 at 4:08 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> On Wed, Sep 18, 2019 at 3:57 PM John Paul Adrian Glaubitz
> <glaubitz@physik.fu-berlin.de> wrote:
> > On 9/18/19 3:48 PM, Geert Uytterhoeven wrote:
> > >> Diffie-Hellman doing some heavy crypto lifting on a poor m68k CPU?
> > >>
> > >> Disable CONFIG_CRYPTO_DH?
> > >
> > > See also https://lists.debian.org/debian-68k/2019/04/msg00033.html
> > >
> > > CRYPTO_DH is selected by CRYPTO_DEV_QAT and KEY_DH_OPERATIONS.
> > > The latter is bool, forcing CRYPTO_DH builtin.
> > >
> > > If KEY_DH_OPERATIONS needs to be enabled in a Debian kernel, perhaps
> > > it can be made tristate?
> > It was enabled in [1] as it's required for certain WiFi drivers [2].
> >
> > So, should it be fixed as you suggest or should we selectively disable it on m68k?
>
> Disabling it on m68k could be a first step (any WiFi drivers supported
> on m68k yet?).
>
> Making it tristate is non-trivial, as there are some interdependencies:
>
>     security/keys/Makefile:compat-obj-$(CONFIG_KEY_DH_OPERATIONS) += compat_dh.o
>     security/keys/Makefile:obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o
>     security/keys/internal.h:#ifdef CONFIG_KEY_DH_OPERATIONS
>     security/keys/keyctl.c: (IS_ENABLED(CONFIG_KEY_DH_OPERATIONS) ? KEYCTL_CAPS0_DIFFIE_HELLMAN : 0) |
>
> > > [1] https://salsa.debian.org/kernel-team/linux/commit/88f44cb9eb34098138c79bdab5fae434492866d1
> > > [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911998

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: Can KEY_DH_OPERATIONS become tristate? (was: Re: Kernel 5.3.0 stuck during boot on Amiga)
From: David Howells @ 2019-09-18 15:54 UTC
  To: Geert Uytterhoeven
  Cc: dhowells, John Paul Adrian Glaubitz, Michael Schmitz, linux-m68k,
	Mat Martineau, James Morris, Serge E. Hallyn, keyrings,
	linux-security-module, Linux Kernel Mailing List

Geert Uytterhoeven <geert@linux-m68k.org> wrote:

> CC crypto keys people
> 
> TL;DR: CONFIG_CRYPTO_DH=y is reported to cause boot delays of several
> minutes on old and slow machines.

Why is it doing that?  It doesn't do anything unless it is called, so
something must be calling it.

> Can KEY_DH_OPERATIONS be made tristate?

Um.  It's non-trivial since it's implementing a keyctl() function for
userspace to call and there's currently no ops table to jump through.

David


* Re: Can KEY_DH_OPERATIONS become tristate? (was: Re: Kernel 5.3.0 stuck during boot on Amiga)
From: Geert Uytterhoeven @ 2019-09-18 16:18 UTC
  To: David Howells
  Cc: John Paul Adrian Glaubitz, Michael Schmitz, linux-m68k,
	Mat Martineau, James Morris, Serge E. Hallyn, keyrings,
	linux-security-module, Linux Kernel Mailing List

Hi David,

On Wed, Sep 18, 2019 at 5:54 PM David Howells <dhowells@redhat.com> wrote:
> Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > CC crypto keys people
> >
> > TL;DR: CONFIG_CRYPTO_DH=y is reported to cause boot delays of several
> > minutes on old and slow machines.
>
> Why is it doing that?  It doesn't do anything unless it is called, so
> something must be calling it.

I don't know.  Enabling initcall_debug shows that dh_init() takes a very long
time.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: Can KEY_DH_OPERATIONS become tristate? (was: Re: Kernel 5.3.0 stuck during boot on Amiga)
From: David Howells @ 2019-09-18 16:43 UTC
  To: Geert Uytterhoeven
  Cc: dhowells, John Paul Adrian Glaubitz, Michael Schmitz, linux-m68k,
	Mat Martineau, James Morris, Serge E. Hallyn, keyrings,
	linux-crypto, linux-security-module, Linux Kernel Mailing List

Geert Uytterhoeven <geert@linux-m68k.org> wrote:

> > > TL;DR: CONFIG_CRYPTO_DH=y is reported to cause boot delays of several
> > > minutes on old and slow machines.
> >
> > Why is it doing that?  It doesn't do anything unless it is called, so
> > something must be calling it.
>
> I don't know.  Enabling initcall_debug shows that dh_init() takes a very long
> time.

Ah...  The bit that handles keyctl_dh_compute() doesn't do anything unless
asked, but the bit in the crypto layer that does dh does (ie. dh_init()).  I
guess it's doing some sort of self-test, but I can't see how it effects that.
I think you need to consult the author/maintainer of crypto/dh.c.

It might be possible to make CONFIG_KEY_DH_OPERATIONS not depend on
CONFIG_CRYPTO_DH and have crypto_alloc_kpp() load the *crypto* part on
demand.  Failing that, I can look into demand-loading keyctl operations.

David


* Re: Can KEY_DH_OPERATIONS become tristate? (was: Re: Kernel 5.3.0 stuck during boot on Amiga)
From: Geert Uytterhoeven @ 2019-09-19 19:17 UTC
  To: David Howells
  Cc: John Paul Adrian Glaubitz, Michael Schmitz, linux-m68k,
	Mat Martineau, James Morris, Serge E. Hallyn, keyrings,
	Linux Crypto Mailing List, linux-security-module,
	Linux Kernel Mailing List

Hi David,

On Wed, Sep 18, 2019 at 6:43 PM David Howells <dhowells@redhat.com> wrote:
> Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > TL;DR: CONFIG_CRYPTO_DH=y is reported to cause boot delays of several
> > > > minutes on old and slow machines.
> > >
> > > Why is it doing that?  It doesn't do anything unless it is called, so
> > > something must be calling it.
> >
> > I don't know.  Enabling initcall_debug shows that dh_init() takes a very long
> > time.
>
> Ah...  The bit that handles keyctl_dh_compute() doesn't do anything unless
> asked, but the bit in the crypto layer that does dh does (ie. dh_init()).  I
> guess it's doing some sort of self-test, but I can't see how it effects that.
> I think you need to consult the author/maintainer of crypto/dh.c.

Apparently the Debian kernel config had not enabled
CONFIG_CRYPTO_MANAGER_DISABLE_TESTS, so all crypto tests
were run at boot time :-(

> It might be possible to make CONFIG_KEY_DH_OPERATIONS not depend on
> CONFIG_CRYPTO_DH and have crypto_alloc_kpp() load the *crypto* part on
> demand.  Failing that, I can look into demand-loading keyctl operations.

Regardless, it may be a good idea to make KEY_DH_OPERATIONS tristate
one day, so enabling wireless as a module doesn't force CONFIG_CRYPTO_DH
builtin.

Thanks!

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
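
The diagnosis reached in this thread (initcall_debug pointing at dh_init(), then a config with CONFIG_CRYPTO_DH=y and CONFIG_CRYPTO_MANAGER_DISABLE_TESTS unset) can be repeated with the sketch below. It is an added example, not part of any message above; the log lines, timings and config fragment are constructed, and the function names slow_initcalls and dh_selftest_at_boot are hypothetical.

```shell
#!/bin/sh
# Constructed sample of a kernel log booted with initcall_debug (timings made up).
SAMPLE_LOG='[    2.101234] calling  crypto_algapi_init+0x0/0x10 @ 1
[    2.101900] initcall crypto_algapi_init+0x0/0x10 returned 0 after 412 usecs
[    2.350000] calling  dh_init+0x0/0x14 @ 1
[  215.912345] initcall dh_init+0x0/0x14 returned 0 after 208556123 usecs
[  215.913000] calling  key_proc_init+0x0/0x5c @ 1
[  215.913500] initcall key_proc_init+0x0/0x5c returned 0 after 97 usecs'

# Constructed .config fragment matching the situation described in the thread.
SAMPLE_CONFIG='CONFIG_KEY_DH_OPERATIONS=y
CONFIG_CRYPTO_DH=y
# CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set'

# slow_initcalls MIN_USECS: read an initcall_debug log on stdin and print
# "usecs name" for every initcall at or above the threshold, slowest first.
slow_initcalls() {
    awk -v min="$1" '
    {
        us = -1
        for (i = 1; i <= NF; i++) if ($i == "initcall") break
        if (i >= NF) next            # not an "initcall ... returned" line
        name = $(i + 1)
        sub(/\+0x.*/, "", name)      # strip the +offset/size suffix
        for (j = i; j < NF; j++) if ($j == "after") { us = $(j + 1); break }
        if (us + 0 >= min) print us, name
    }' | sort -rn
}

# dh_selftest_at_boot: read a kernel .config on stdin; succeed (exit 0) when
# DH is built in and the crypto manager self-tests have not been disabled.
dh_selftest_at_boot() {
    awk '
        /^CONFIG_CRYPTO_DH=y$/                     { dh = 1 }
        /^CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y$/  { off = 1 }
        END { exit !(dh && !off) }
    '
}

# Initcalls that took a second or longer, then the config check.
printf '%s\n' "$SAMPLE_LOG" | slow_initcalls 1000000
if printf '%s\n' "$SAMPLE_CONFIG" | dh_selftest_at_boot; then
    echo "CRYPTO_DH=y and self-tests not disabled: crypto tests run at boot"
fi
```

On a real system, feed `dmesg` output and the running kernel's config file to the two functions instead of the constructed samples.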
