On Wed, October 3, 2007 22:52, Reinhard Tartler wrote:
> In ubuntu, we have patched cryptsetup so that it looks for
> optimized ciphers kernel modules and loads them if
> available. Please consider merging this patch to debian.

In general a good idea, some comments below:

> diff -pruN 2:1.0.5-2/debian/cryptdisks.functions > 2:1.0.5-2ubuntu1/debian/cryptdisks.functions > --- 2:1.0.5-2/debian/cryptdisks.functions 2007-10-03 00:08:07.000000000 > +0100 > +++ 2:1.0.5-2ubuntu1/debian/cryptdisks.functions 2007-10-03 > 00:07:57.000000000 +0100 > @@ -1,3 +1,8 @@ > +# > +# This file is for inclusion with > +# . /lib/cryptsetup/cryptdisks.functions > +# and should not be executed directly. > + > PATH="/sbin:/bin" > TABFILE=/etc/crypttab > CRYPTDISKS_ENABLE="Yes" > @@ -391,6 +412,18 @@ do_close () { > return $? > } > > +load_optimized_aes_module () { > + local asm_module modulesdir > + > + # find directory with kernel modules > + modulesdir="/lib/modules/`uname -r`" > + # Add assembly optimized AES module if it exists > + asm_module=`ls -1 "$modulesdir"/kernel/arch/*/*/aes*.ko` > + if [ $asm_module ];then

if [ -n "$asm_module" ]; then....but see below

> + insmod $asm_module 2>/dev/null || true > + fi > +}

It seems unnecessary to have an aes-specific function, why not:

load_optimized_module() {
	local module optmodule

	module="$1"
	optmodule=$(find "/lib/modules/$(uname -r)/kernel/arch" -name "${module}*.ko" 2> /dev/null)
	# Exactly one candidate: load it by name, since modprobe takes names, not paths
	if [ -n "$optmodule" ] && [ "$(printf '%s\n' "$optmodule" | wc -l)" -eq 1 ]; then
		modprobe "$(basename "$optmodule" .ko)" 2>/dev/null && return 0
	fi
	# No candidate, several candidates, or the optimized module did not load
	modprobe "$module" 2>/dev/null || return 1
	return 0
}

(I haven't tested that code, I just wrote it up to show the idea)

Advantages:
* works for all kinds of modules (twofish for example).
* use of modprobe allows blacklists to work
* falls back on non-optimized module automatically
* detects if more than one candidate is found (most likely an error) and falls back to unoptimized

> # Sets up all entries in crypttab > do_start () { > local dst src key opts result
> @@ -399,6 +432,7 @@ do_start () { > modprobe -qb dm-crypt || true > dmsetup mknodes > /dev/null 2>&1 || true > log_action_begin_msg "Starting $INITSTATE crypto disks" > + load_optimized_aes_module

With the above function, the function call could go someplace else (probably to the "cipher" part of the big switch statement in parse_opts).

> --- 2:1.0.5-2/debian/initramfs/cryptroot-hook 2007-10-03 > 00:08:07.000000000 +0100 > +++ 2:1.0.5-2ubuntu1/debian/initramfs/cryptroot-hook 2007-10-03 > 00:07:57.000000000 +0100 > @@ -357,9 +371,18 @@ add_device() { > > # Unless MODULES = "dep", we always add a basic subset of modules/tools > if [ "$MODULES" != "dep" ]; then > - for mod in dm_mod dm_crypt aes sha256 cbc; do > + for mod in dm_mod dm_crypt sha256 cbc; do > manual_add_modules $mod > done > + > + # Add assembly optimized AES module if it exists > + asm_module=`find "$MODULESDIR"/kernel/arch/ -name aes\*` > + if [ $asm_module ];then > + manual_add_modules `basename "$asm_module"|sed s/.ko//` > + else > + manual_add_modules aes > + fi > +

And then a copy of the function above, but with manual_add_modules instead of modprobe, can be added to the initramfs hook.

--
David Härdeman
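
Review bot: In load_optimized_aes_module (cryptdisks.functions), $asm_module is unquoted in both [ $asm_module ] and insmod $asm_module, so as soon as the aes*.ko glob matches more than one file the test receives several words, fails with an error, and no module is loaded. Loading by path with insmod also skips modprobe's blacklist and dependency handling, unlike the modprobe -qb dm-crypt call already present in do_start, and 2>/dev/null || true hides every load failure. Suggest quoting the variable, requiring exactly one match, loading by module name through modprobe, and silencing or replacing the ls call, which writes to stderr when nothing matches.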
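
Review bot: In the add_device hunk (cryptroot-hook), find "$MODULESDIR"/kernel/arch/ -name aes\* matches any file or directory whose name begins with aes, not only .ko modules, and the unquoted [ $asm_module ] errors out when there is more than one match. sed s/.ko// is unanchored and its dot is a regex wildcard, so it removes the first "ko" preceded by any character wherever it occurs in the name; basename "$asm_module" .ko strips only the suffix. With aes removed from the fixed module list, the generic module is now requested only in the else branch, so consider whether the image should still carry it as a fallback when an optimized module is found.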
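
The initramfs-hook variant described in the last paragraph of the reply, as an added sketch (not code from this thread or from the cryptsetup package). pick_module, add_crypto_module and the demo module tree are hypothetical names, and manual_add_modules is replaced by a recording stand-in when the script runs outside a real hook.

```shell
#!/bin/sh
# Added example: pick_module, add_crypto_module and the demo tree are
# hypothetical; manual_add_modules is supplied by initramfs-tools in a real hook.

# Stand-in so the sketch runs outside a hook: records what would be added.
command -v manual_add_modules >/dev/null 2>&1 ||
    manual_add_modules() { ADDED="${ADDED:+$ADDED }$1"; }

# Print the arch-optimized module name when exactly one candidate exists
# under $2/kernel/arch, otherwise the generic name $1.
pick_module() {
    candidates=$(find "$2/kernel/arch" -type f -name "$1*.ko" 2>/dev/null || true)
    # Count non-empty lines; grep -c exits 1 on a zero count, hence "|| true".
    count=$(printf '%s\n' "$candidates" | grep -c . || true)
    if [ "$count" -eq 1 ]; then
        basename "$candidates" .ko    # strip the directory and the .ko suffix only
    else
        printf '%s\n' "$1"            # none or ambiguous: keep the generic module
    fi
}

# Hook-side counterpart: same selection, but the result goes into the image.
add_crypto_module() {
    manual_add_modules "$(pick_module "$1" "${MODULESDIR:?MODULESDIR not set}")"
}

# Constructed tree: one optimized aes, two twofish candidates, no optimized sha256.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/kernel/arch/i386/crypto" "$root/kernel/crypto"
    for f in arch/i386/crypto/aes-i586 arch/i386/crypto/twofish-i586 \
             arch/i386/crypto/twofish-demo crypto/aes crypto/twofish crypto/sha256; do
        : > "$root/kernel/$f.ko"
    done
    printf '%s\n' "$root"
}

# Demo: which modules would land in the initramfs for the constructed tree.
demo() {
    MODULESDIR=$(make_demo_tree)
    ADDED=""
    for mod in dm_mod dm_crypt sha256 cbc; do manual_add_modules "$mod"; done
    add_crypto_module aes
    add_crypto_module twofish
    rm -rf "$MODULESDIR"
    printf '%s\n' "$ADDED"
}
demo
```

For a boot-time fallback to the generic module to work, that module has to be present in the image as well, so a hook may need to call manual_add_modules for both names.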