| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250214042951.GB2771@sol.localdomain> Date: Thu, 13 Feb 2025 20:29:51 -0800 From: Eric Biggers <ebiggers@...nel.org> To: Herbert Xu <herbert@...dor.apana.org.au> Cc: fsverity@...ts.linux.dev, linux-crypto@...r.kernel.org, dm-devel@...ts.linux.dev, x86@...nel.org, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, Ard Biesheuvel <ardb@...nel.org>, Sami Tolvanen <samitolvanen@...gle.com>, Alasdair Kergon <agk@...hat.com>, Mike Snitzer <snitzer@...nel.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Mikulas Patocka <mpatocka@...hat.com>, David Howells <dhowells@...hat.com>, netdev@...r.kernel.org Subject: Re: [PATCH v8 0/7] Optimize dm-verity and fsverity using multibuffer hashing On Fri, Feb 14, 2025 at 11:50:51AM +0800, Herbert Xu wrote: > On Thu, Feb 13, 2025 at 07:35:18PM -0800, Eric Biggers wrote: > > > > It absolutely is designed for an obsolete form of hardware offload. Have you > > ever tried actually using it? Here's how to hash a buffer of data with shash: > > > > return crypto_shash_tfm_digest(tfm, data, size, out) > > > > ... and here's how to do it with the SHA-256 library, for what it's worth: > > > > sha256(data, size, out) > > > > and here's how to do it with ahash: > > Try the new virt ahash interface, and we could easily put the > request object on the stack for sync algorithms: > > SYNC_AHASH_REQUEST_ON_STACK(req, alg); > > ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP, NULL, NULL); > ahash_request_set_virt(req, data, out, size); > > return crypto_ahash_digest(req); That doesn't actually exist, and your code snippet is also buggy (undefined behavior) because it never sets the tfm pointer in the ahash_request. So this just shows that you still can't use your own proposed APIs correctly because they're still too complex. Yes the virt address support would be an improvement on current ahash, but it would still be bolted onto an interface that wasn't designed for it. There would still be the weirdness of having to initialize so many unnecessary fields in the request, and having "synchronous asynchronous hashes" which is always a fun one to try to explain to people. The shash and lib/crypto/ interfaces are much better as they do not have these problems. > > What? GHASH is a polynomial hash function, so it is easily parallelizable. If > > you precompute N powers of the hash key then you can process N blocks in > > parallel. Check how the AES-GCM assembly code works; that's exactly what it > > does. This is fundamentally different from message digests like SHA-* where the > > blocks have to be processed serially. > > Fair enough. > > But there are plenty of other users who want batching, such as the > zcomp with iaa, and I don't want everybody to invent their own API > for the same thing. Well, the IAA and zswap people want a batch_compress method that takes an array of pages (https://lore.kernel.org/linux-crypto/20250206072102.29045-3-kanchana.p.sridhar@intel.com/). They do not seem to want the weird request chaining thing that you are trying to make them use. batch_compress is actually quite similar to what I'm proposing, just for compression instead of hashing. So there is no conflict with my proposal, and in fact they complement each other as they arrived at a similar conclusion. Hash and compression are different algorithm types, so they can never use exactly the same API anyway, just similar ones. And FWIW, zswap is synchronous, so yet again all the weird async stuff just gets in the way. - Eric
Powered by blists - more mailing lists