[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <cover.1404245510.git.d.kasatkin@samsung.com>
Date: Tue, 1 Jul 2014 23:12:48 +0300
From: Dmitry Kasatkin <dmitry.kasatkin@...il.com>
To: zohar@...ux.vnet.ibm.com, linux-ima-devel@...ts.sourceforge.net,
linux-security-module@...r.kernel.org
Cc: linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
Dmitry Kasatkin <d.kasatkin@...sung.com>
Subject: [PATCH v2 0/3] ima: use asynchronous hash API for hash calculation
Depending on the IMA policy, it might require to measure huge amount of files.
It may be very important to speedup hash calculation or to reduce (bettery)
energy required to do it. Currently IMA uses synchronous hash API (shash)
which is CPU based. CPU based hash calculation is very CPU intensive and on the
battery powered device will be also high energy consuming.
Many platforms provide cryptographic acceleration modules which allow speedup
and/or reduce energy consumption, and provide asynchronous way to calculate
hashes. Defacto way to implement drivers for such accelerators is using
asynchronous hash API (ahash).
The first patch adds use of ahash API to IMA. Performance of using HW
acceleration depends very much on amount of data to hash and it depends
on particular HW. It is usually inefficient for small data due to HW
initialization overhead. In order to make it possible to optimize performance
for particular system, the patch provides kernel parameter
'ima_ahash=<min_file_size>', which allows to specify optimal file size
when start using ahash. By default ahash is disabled until non-zero value
with 'ima_ahash=' is provided.
Second patch introduces multi-page buffers which makes HW acceleration more
efficient. It extends 'ima_ahash' kernel parameter to specify buffer size:
'ima_ahash=<min_file_size>[,<bufsize>]'
Third patch introduces double-buffering which allows to readahead next portion
of data for hashing while calculating the hash.
Changes to v1:
- ima_ahash_size and ima_ahash_bufsize were combined as ima_ahash
- ahash pre-allocation moved out from __init code to be able to use
ahash crypto modules. Ahash allocated once on the first use.
- hash calculation falls back to sahsh if ahash allocation/calculation fails
- complex initialization separated from variable declaration
- improved comments
- Dmitry
Dmitry Kasatkin (3):
ima: use ahash API for file hash calculation
ima: introduce multi-page collect buffers
ima: provide double buffering for hash calculation
Documentation/kernel-parameters.txt | 6 +
security/integrity/ima/ima_crypto.c | 287 +++++++++++++++++++++++++++++++++++-
2 files changed, 290 insertions(+), 3 deletions(-)
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists