lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8d20e867-1c13-4d2a-9802-b9570085fd25@gmail.com>
Date:   Mon, 7 Aug 2023 13:47:28 +0530
From:   Shreenidhi Shedi <yesshedi@...il.com>
To:     Masahiro Yamada <masahiroy@...nel.org>,
        Greg KH <gregkh@...uxfoundation.org>
Cc:     dhowells@...hat.com, dwmw2@...radead.org,
        linux-kernel@...r.kernel.org, sshedi@...are.com
Subject: Re: [PATCH v6 0/7] refactor file signing program

On 07/08/23 07:53, Masahiro Yamada wrote:
> On Thu, Jun 1, 2023 at 6:08 PM Greg KH <gregkh@...uxfoundation.org> wrote:
>>
>> On Thu, Jun 01, 2023 at 02:33:23PM +0530, Shreenidhi Shedi wrote:
>>> On Wed, 31-May-2023 22:20, Greg KH wrote:
>>>> On Wed, May 31, 2023 at 09:01:24PM +0530, Shreenidhi Shedi wrote:
>>>>> On Wed, 31-May-2023 20:08, Greg KH wrote:
>>>>>> On Tue, Apr 25, 2023 at 04:14:49PM +0530, Shreenidhi Shedi wrote:
>>>>>>> On Wed, 22-Mar-2023 01:03, Shreenidhi Shedi wrote:
>>>>>>> Can you please review the latest patch series? I think I have addressed your
>>>>>>> concerns. Thanks.
>>>>>>
>>>>>> The big question is, "who is going to use these new features"?  This
>>>>>> tool is only used by the in-kernel build scripts, and if they do not
>>>>>> take advantage of these new options you have added, why are they needed?
>>>>>>
>>>>>> thanks,
>>>>>>
>>>>>> greg k-h
>>>>>
>>>>> Hi Greg,
>>>>>
>>>>> Thanks for the response.
>>>>>
>>>>> We use it in VMware Photon OS. Following is the link for the same.
>>>>> https://github.com/vmware/photon/blob/master/SPECS/linux/spec_install_post.inc#L4
>>>>>
>>>>> If this change goes in, it will give a slight push to our build performance.
>>>>
>>>> What exactly do you mean by "slight push"?
>>>
>>> Instead of invoking the signing tool binary for each module, we can pass
>>> modules in bulk and it will reduce the build time by couple of seconds.
>>
>> Then why not modify the in-kernel build system to also do this, allowing
>> everyone to save time and money (i.e. energy)?
>>
>> Why keep the build savings to yourself?
>>
>> thanks,
>>
>> greg k-h
> 
> 
> If I understand correctly,
> "sign-file: add support to sign modules in bulk"
> is the only benefit in the patchset.
> 
> I tested the bulk option, but I did not see build savings.
> 
> 
> 
> My evaluation:
> 1.  'make allmodconfig all', then 'make modules_install'.
>          (9476 modules installed)
> 
> 2.  I ran 'perf stat' for single signing vs bulk signing
>        (5 runs for each).
>        I changed the -n option in scripts/signfile.sh
> 
> 
> 
> 
> A.  single sign
> 
> Sign one module per scripts/sign-file invocation.
> 
> find "${MODULES_PATH}" -name *.ko -type f -print0 | \
>          xargs -r -0 -P$(nproc) -x -n1 sh -c "..."
> 
> 
> 
>   Performance counter stats for './signfile-single.sh' (5 runs):
> 
>               22.33 +- 2.26 seconds time elapsed  ( +- 10.12% )
> 
> 
> 
> 
> B. bulk sign
> 
> Sign 32 modules per scripts/sign-file invocation
> 
> find "${MODULES_PATH}" -name *.ko -type f -print0 | \
>          xargs -r -0 -P$(nproc) -x -n32 sh -c "..."
> 
> 
>   Performance counter stats for './signfile-bulk.sh' (5 runs):
> 
>               24.78 +- 3.01 seconds time elapsed  ( +- 12.14% )
> 
> 
> 
> 
> The bulk option decreases the process forks of scripts/sign-file
> but I did not get even "slight push".
> 
> 
> 

That's some really interesting data. I'm surprised that with stand alone 
run bulk signing is not performing as expected. Can you give the full 
command you used for bulk sign? Reduced number of forks should 
eventually lead to getting more done in less time.

But I got ~1.4 seconds boost when I did "make module_install".

I gave the data in my other response as well. Copying the same here 
because this has in better context.

root@...dev:~/linux-6.3.5 # ./test.sh orig

real	0m14.699s
user	0m55.519s
sys	0m9.036s

root@...dev:~/linux-6.3.5 # ./test.sh new

real	0m13.327s
user	0m46.885s
sys	0m6.770s

Here is my test script.
```
#!/bin/bash

set -e

if [ "$1" != "new" ] && [ "$1" != "orig" ]; then
    echo "invalid arg, ($0 [orig|new])" >&2
    exit 1
fi

rm -rf $PWD/tmp

s="scripts/sign-file.c"
m="scripts/Makefile.modinst"
fns=($s $m)

for f in ${fns[@]}; do
      cp $f.$1 $f
done

cd scripts
gcc -o sign-file sign-file.c -lcrypto
cd -

time make modules_install INSTALL_MOD_PATH=$PWD/tmp -s -j$(nproc)
```

-- 
Shedi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ