lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4adea710-72ca-0908-d280-625bc3682aa1@linux.dev> Date: Wed, 1 Nov 2023 15:59:56 -0700 From: Martin KaFai Lau <martin.lau@...ux.dev> To: Vadim Fedorenko <vadim.fedorenko@...ux.dev> Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, linux-crypto@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>, Andrii Nakryiko <andrii@...nel.org>, Alexei Starovoitov <ast@...nel.org>, Mykola Lysenko <mykolal@...com>, Vadim Fedorenko <vadfed@...a.com>, "David S. Miller" <davem@...emloft.net>, Herbert Xu <herbert@...dor.apana.org.au> Subject: Re: [PATCH bpf-next v3 1/2] bpf: add skcipher API support to TC/XDP programs On 11/1/23 3:50 PM, Vadim Fedorenko wrote: >>> +static int bpf_crypto_skcipher_crypt(struct crypto_sync_skcipher *tfm, >>> + const struct bpf_dynptr_kern *src, >>> + struct bpf_dynptr_kern *dst, >>> + const struct bpf_dynptr_kern *iv, >>> + bool decrypt) >>> +{ >>> + struct skcipher_request *req = NULL; >>> + struct scatterlist sgin, sgout; >>> + int err; >>> + >>> + if (crypto_sync_skcipher_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) >>> + return -EINVAL; >>> + >>> + if (__bpf_dynptr_is_rdonly(dst)) >>> + return -EINVAL; >>> + >>> + if (!__bpf_dynptr_size(dst) || !__bpf_dynptr_size(src)) >>> + return -EINVAL; >>> + >>> + if (__bpf_dynptr_size(iv) != crypto_sync_skcipher_ivsize(tfm)) >>> + return -EINVAL; >>> + >>> + req = skcipher_request_alloc(&tfm->base, GFP_ATOMIC); >> >> Doing alloc per packet may kill performance. Is it possible to optimize it >> somehow? What is the usual size of the req (e.g. the example in the selftest)? >> > > In ktls code aead_request is allocated every time encryption is invoked, see > tls_decrypt_sg(), apparently per skb. Doesn't look like performance > killer. For selftest it's only sizeof(struct skcipher_request). ktls is doing the en/decrypt on the userspace behalf to compensate the cost. When this kfunc is used in xdp to decrypt a few bytes for each packet and then XDP_TX out, this extra alloc will be quite noticeable. If the size is usually small, can it be done in the stack memory?
Powered by blists - more mailing lists