Add optimized cipher modules to initramfs

Bug #73862 reported by Pär Lindfors on 2006-11-30
Affects: cryptsetup (Ubuntu)
Importance: Undecided
Assigned to: Pär Lindfors

Bug Description

Binary package hint: cryptsetup

The initramfs hook script only adds a module named $cipher.ko for each cipher that is used. Some ciphers have assembly optimized kernel modules on some architectures which should be used instead as they give much better performance. (Using aes-i586.ko instead of aes.ko on my system doubles disk throughput for sustained reads, while using 60% instead of 100% CPU)

Attached is a patch against feisty. I have only tested building an initramfs with it in a chroot, but it seems to be working.

The patch uses find to look for cipher modules in the $MODULESDIR/kernel/arch directory, which should only find the asm module as the normal ones are in $MODULESDIR/kernel/crypto. It would be better to look directly in $MODULESDIR/kernel/arch/`uname -i`/crypto/, but uname -i only returns "unknown" on Ubuntu.
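
The lookup the description above outlines, as an added example that is not the attached patch or the package's hook script: it lists the generic module from kernel/crypto and then any optimized variants found under kernel/arch. The function names, the constructed sample tree with its i386 directory, and the cipher-name check are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the patch attached to this bug report.

# list_cipher_modules MODULESDIR CIPHER (hypothetical helper)
# Prints the generic module first, then any optimized variants.
list_cipher_modules() {
    moddir=$1
    cipher=$2
    # Assumption: bare cipher names are lowercase alphanumerics. Rejecting
    # anything else keeps glob characters out of the find patterns below.
    case $cipher in
        ''|*[!a-z0-9]*) echo "invalid cipher name: $cipher" >&2; return 1 ;;
    esac
    # Generic C implementation.
    if [ -f "$moddir/kernel/crypto/$cipher.ko" ]; then
        echo "$moddir/kernel/crypto/$cipher.ko"
    fi
    # Assembly-optimized variants: names such as aes-i586.ko, plus the
    # underscore spelling used by module names like aes_x86_64.
    if [ -d "$moddir/kernel/arch" ]; then
        find "$moddir/kernel/arch" -type f \
            \( -name "$cipher-*.ko" -o -name "${cipher}_*.ko" \) | sort
    fi
}

# Constructed sample tree so the example runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/kernel/crypto" "$t/kernel/arch/i386/crypto"
    for f in crypto/aes.ko crypto/twofish.ko \
             arch/i386/crypto/aes-i586.ko arch/i386/crypto/twofish-i586.ko; do
        : > "$t/kernel/$f"
    done
    echo "$t"
}

tree=$(make_sample_tree)
list_cipher_modules "$tree" aes
rm -rf "$tree"
```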

Pär Lindfors (paran) wrote :

patch

Reinhard Tartler (siretart) wrote :

The patch looks fine to me. Martin, what do you think? Whom should we ask about this?

Changed in cryptsetup:
status: Unconfirmed → Confirmed
Reinhard Tartler (siretart) wrote :

oh, this is a patch against cryptsetup itself, I think I'll just apply it then.

Pär Lindfors (paran) wrote :

Yes, the patch is against the cryptsetup ubuntu package and only modifies a few lines of debian/initramfs-cryptroot-hook.

However the patch is for 1.0.4-8ubuntu1 and doesn't seem to apply cleanly to the current feisty version 1.0.4+svn26-1ubuntu1. I can make a new version tomorrow if you don't want to do it yourself.

Reinhard Tartler (siretart) wrote :

we now are at an even more recent version of cryptsetup, and your patch doesn't apply at all any longer :( - I'm very sorry that I missed that patch for feisty.

Can you please redo the patch and attach one for the gutsy package? Please also send your patch to the Debian cryptsetup maintainers as well.

Changed in cryptsetup:
assignee: nobody → paran
status: Confirmed → Needs Info

Attached is the same patch as above but against cryptsetup_1.0.4+svn29-1ubuntu4 found in gutsy.

Stephan Rügamer (sruegamer) wrote :

Find attached a debdiff which adds the patch to the package.

Siretart, please add this patch as well to Ubuntu's BZR archive for cryptsetup, thx.

That patch does add optimized ciphers only when in cryptroot mode. Could
it be improved to load optimized ciphers even on non-cryptroot, like
e.g. crypted /home?

I added the patch to the bzr branch nevertheless.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Pär Lindfors (paran) wrote :

Sorry for forgetting about this bug. Thank you Anthony for porting this to a newer cryptsetup.

Reinhard: I only think this is needed for the root file system. If you for example only have /home on dm-crypt then it will set up after leaving initramfs. This means that all kernel modules are available and insmod will be smart enough to load the optimized one.

Pär Lindfors (paran) wrote :

One more thing, should this bug really still be Incomplete+Undecided?

Reinhard Tartler (siretart) wrote :

Pär Andersson <email address hidden> writes:

> Reinhard: I only think this is needed for the root file system. If you
> for example only have /home on dm-crypt then it will set up after
> leaving initramfs. This means that all kernel modules are available and
> insmod will be smart enough to load the optimized one.

I can confirm that this is not the case, as I do use such a setup in my
laptop. lsmod only shows aes, but not aes-i586.

It would probably pop up if I had entered it in /etc/modules, but since
we cannot modify that file easily (you would need some magic to detect
the architecture and module name and stuff), it would be really great if
this wasn't really necessary.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Reinhard Tartler (siretart) wrote :

Pär Andersson <email address hidden> writes:

> One more thing, should this bug really still be Incomplete+Undecided?

Well, the cryptroot part is 'pending', as the patch was imported to the
bzr branch. The non-cryptroot part (e.g. only /home crypted) is still
not resolved. I'm therefore setting this bug to

  status confirmed

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Changed in cryptsetup:
status: Incomplete → Confirmed

You should file another bug report for the non-cryptroot stuff. This report is only for updating the initramfs to support the platform specific modules. After / is mounted the modules that are in initramfs do not matter.

Reinhard Tartler (siretart) wrote :

Anthony DeStefano <email address hidden> writes:

> You should file another bug report for the non-cryptroot stuff. This
> report is only for updating the initramfs to support the platform
> specific modules. After / is mounted the modules that are in initramfs
> do not matter.

Yes, I could do that. However, I was hoping the author of the patch I'm
reviewing for sponsorship was able to make it more general.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Daniel Holbach (dholbach) wrote :

Unsubscribing Ubuntu Sponsors for main from this bug until problems with the patch are solved.

Reinhard Tartler (siretart) wrote :

cryptsetup (2:1.0.5-1ubuntu4) gutsy; urgency=low

  [ Stephan Hermann ]
  * debian/initramfs/cryptroot-hook: (LP: #73862)
    - Added patch to install aes optimized cypher module

  [ Reinhard Tartler ]
  * re-applying old patch to new package version
  * try to load optimized cypher module in cryptsetup.functions as well,
    because cryptroot-hook is only executed when we really have a
    cryptoroot.

 -- Reinhard Tartler <email address hidden> Thu, 27 Sep 2007 19:38:48 +0200

Changed in cryptsetup:
status: Confirmed → Fix Released
Pär Lindfors (paran) wrote :

> I can confirm that this is not the case, as I do use such a setup in my
> laptop. lsmod only shows aes, but not aes-i586.

Sorry, I was mistaken.

> It would probably pop up if I had entered it in /etc/modules, but since
> we cannot modify that file easily (you would need some magic to detect
> the architecture and module name and stuff), it would be really great if
> this wasn't really necessary.

I think a better solution would be to create /etc/modprobe.d/cryptsetup and let it contain (on amd64):
alias aes aes_x86_64
alias twofish twofish_x86_64
...

That would set the asm optimized modules as default.

However we could look into this for hardy. The version that has now been included in gutsy will work fine and will give most users of encrypted disks a nice speed boost. :-)

Reinhard Tartler (siretart) wrote :

cryptsetup (2:1.0.5-2ubuntu1) gutsy; urgency=low

  * Merge new debian version. Remaining changes:
    - cryptsetup is linked dynamically against libgcrypt and libgpg-error.
      This will break systems where /usr is a separate encrypted filesystem
      but not have other bad consequences (in particular, systems with
      encrypted root are still fine). The upsides include better
      security supportability and smaller packages.
    - libcryptsetup.so et al removed from the binary packages. They have
      no stable ABI and are not suitable for use by other packages, and
      were in violation of library policies etc. They're not needed since
      the cryptsetup executable statically contains the relevant parts of
      libcryptsetup.
    - cryptdisks.functions: remove #!/bin/bash as it isn't a script
      by itself; it's only sourced by other scripts. This gets rid
      of the lintian warning `script-not-executable' for this file.
    - stop usplash on user input. LP #62751
    - Always output and read from the console. LP #58794.
    - Add XSBC-Vcs-Bzr tag to indicate that this package is managed using
      bzr on launchpad.
    - Bump libgcrypt11 build-dependency again to 1.2.4-2ubuntu2 to eliminate
      libnsl linkage;
    - debian/initramfs/cryptroot-hook: (LP: #73862)
      Added patch to install aes optimized cypher module
    - try to load optimized cypher module in cryptsetup.functions as well,
      because cryptroot-hook is only executed when we really have a
      cryptoroot.
    - apply patch from pitti for allowing UUIDs in /etc/crypttab.
      This allowes crypted PVs! LP: #144390.
    - remove README.ubuntu, since it contains old and obsolete information.

cryptsetup (2:1.0.5-2) unstable; urgency=low

  [ Jonas Meurer ]
  * Add libselinux1-dev and libsepol1-dev to build-depends. Detected by
    the build daemon from hell by Steinar H. Gunderson. Thanks to Manoj
    Srivastava for advice.
  * Fix the watchfile
  * Fix cryptopensc-hook to honor key=none. Thanks to Daniel Baumann
    (closes: #436434)
  * Remove outdated README.html and example usbcrypto.* scripts from
    documentation. Add example usbcrypto.udev script. Thanks to Volker Sauer
    for the update. (closes: #409775)
  * Document that stdin is read different with '--key-file=-' than without.
    Thanks to Marc Haber. (closes: #418450)
  * Document that --timeout is useless in conjunction with --key-file. Thanks
    Alexander Zangerl. (closes: #421693)
  * [03_check_for_root.dpatch] Check for UID == 0 before actually doing
    something. Thanks to Benjamin Seidenberg. (closes: #401766)
  * [04_fix_unused_or_unitialized_variables.dpatch] Fix some gcc warnings
    about unused or unitialized variables. Thanks to Ludwig Nussel for the
    patch.
  * [05_segfault_at_nonexisting_device.dpatch] Fix segfault when trying to
    open a non existing device. Thanks to Ludwig Nussel for the patch.
    (closes: #438198)
  * Add CFLAGS="$(CFLAGS)" before ./configure invocation in debian/rules.
    This way CFLAGS are passed to the configure script. Thanks to Gordon
    Farquharson for the patch. (closes: #438450)
  * Add a warning about missing hash option in crypt...
