lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <b07fbb30-92a5-7c96-339c-ffbdf40ea1bf@linux.dev> Date: Thu, 2 Nov 2023 00:31:03 +0000 From: Vadim Fedorenko <vadim.fedorenko@...ux.dev> To: Martin KaFai Lau <martin.lau@...ux.dev> Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, linux-crypto@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>, Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Mykola Lysenko <mykolal@...com>, Vadim Fedorenko <vadfed@...a.com>, "David S. Miller" <davem@...emloft.net>, Herbert Xu <herbert@...dor.apana.org.au> Subject: Re: [PATCH bpf-next v3 1/2] bpf: add skcipher API support to TC/XDP programs On 01.11.2023 22:59, Martin KaFai Lau wrote: > On 11/1/23 3:50 PM, Vadim Fedorenko wrote: >>>> +static int bpf_crypto_skcipher_crypt(struct crypto_sync_skcipher *tfm, >>>> + const struct bpf_dynptr_kern *src, >>>> + struct bpf_dynptr_kern *dst, >>>> + const struct bpf_dynptr_kern *iv, >>>> + bool decrypt) >>>> +{ >>>> + struct skcipher_request *req = NULL; >>>> + struct scatterlist sgin, sgout; >>>> + int err; >>>> + >>>> + if (crypto_sync_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) >>>> + return -EINVAL; >>>> + >>>> + if (__bpf_dynptr_is_rdonly(dst)) >>>> + return -EINVAL; >>>> + >>>> + if (!__bpf_dynptr_size(dst) || !__bpf_dynptr_size(src)) >>>> + return -EINVAL; >>>> + >>>> + if (__bpf_dynptr_size(iv) != crypto_sync_skcipher_ivsize(tfm)) >>>> + return -EINVAL; >>>> + >>>> + req = skcipher_request_alloc(&tfm->base, GFP_ATOMIC); >>> >>> Doing alloc per packet may kill performance. Is it possible to optimize it >>> somehow? What is the usual size of the req (e.g. the example in the selftest)? >>> >> >> In ktls code aead_request is allocated every time encryption is invoked, see >> tls_decrypt_sg(), apparently per skb. Doesn't look like performance >> killer. For selftest it's only sizeof(struct skcipher_request). > > ktls is doing the en/decrypt on the userspace behalf to compensate the cost. > > When this kfunc is used in xdp to decrypt a few bytes for each packet and then > XDP_TX out, this extra alloc will be quite noticeable. If the size is usually > small, can it be done in the stack memory? Hmm... looks like SYNC_SKCIPHER_REQUEST_ON_STACK will help us. Ok, I'll change this part to use stack allocations.
Powered by blists - more mailing lists