Le 04/05/2026 à 20:00, Eric Biggers a écrit :
On Mon, May 04, 2026 at 03:28:24PM +0200, Christophe Leroy (CS GROUP) wrote:
Hi Eric,
Le 04/05/2026 à 06:14, Eric Biggers a écrit :
Earlier the decision was made to keep this code for a while, despite no
other architectures having optimized MD5 code anymore, because of
someone using it via AF_ALG via libkcapi-hasher
(https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fr%2Ff0d771d5-ed70-444c-957a-ad4c16f6c115%40csgroup.eu%2F&data=05%7C02%7Cchristophe.leroy%40csgroup.eu%7C8fce00ee4e5a497f0d8808deaa074073%7C8b87af7d86474dc78df45f69a2011bb5%7C0%7C0%7C639135145289986833%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=cS5krthqFluqLlSXBy4Dv0h34gms0bIYRUVfWetoAdg%3D&reserved=0)
However, with AF_ALG itself now being on its way out due to its
continuous stream of security vulnerabilities
(https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fr%2F20260430011544.31823-1-ebiggers%40kernel.org%2F&data=05%7C02%7Cchristophe.leroy%40csgroup.eu%7C8fce00ee4e5a497f0d8808deaa074073%7C8b87af7d86474dc78df45f69a2011bb5%7C0%7C0%7C639135145290017177%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=bMbQdEM%2FQYmgz7lelwXuKepC2dZCvKz6Pa6ixwlGtrk%3D&reserved=0),
it's time to be a bit more forceful with nudging people towards
userspace crypto code. It's always been the better solution anyway, and
it's much more efficient if properly optimized code is used.
Ok, why not, but what do you propose as an alternative ? Let me explain the
situation.
We have two versions of boards:
- One with powerpc MPC885E, which embeds a SECURITY Engine called TALITOS
for offloading crypto operations
- One with powerpc MPC866, which doesn't have the security engine.
To use the security engine, our software use the AF_ALG interface (via
libkcapi).
Our software has to run on both boards, we can't afford two different
versions of the software and the software shall have no dead code. Therefore
we rely on the capability of the kernel to do the hash by itself when the
TALITOS in not available.
The kernel has always been the place where we do board specific stuff, not
the application. I can't see why the application would have to ask the
kernel when the Talitos is there and have to do the hashing by itself when
the Talitos is not there.
I'm really concerned with the optimised MD5 going away now, and I'm also
wondering what will be the way to splice a file into the kernel and get it's
MD-5 hash from the TALITOS if AF_ALG goes away in medium-term.
What is the way forward ? I'm open to any suggestion as I really can't see
where to go for now.
But please don't remove powerpc MD5 before we find an alternative solution.
Thanks
Christophe
I think I gave the solution in the commit message already, no? Take the
same MD5 code and run it in userspace. It will be even faster than
invoking that code via AF_ALG.
Yes, the selection of software vs "security" engine (if you actually
still need the latter, which in reality you probably don't) would then
occur in userspace. But selecting an implementation in userspace isn't
unusual. It's no different from how different CPU features are handled
in userspace.
Anyway, please don't confuse this patch (which only affects performance)
with full removal of AF_ALG (which would be a hard break, and won't
occur until quite far in the future). This patch is just a nudge in the
right direction, and a cleanup of the kernel's powerpc support to be
aligned with all the other architectures. So I do believe we should
proceed with this patch.
But this cleanup is a huge performance regression. If it had been a few
% why not, but here we are talking about 30% more time. And userspace is
even worse, see below. I really doubt that porting the ASM
implementation into userspace will make the regression disappear.
Lets give a summary on performance:
With the TALITOS security engine embedded on powerpc 885:
root@miae:~# time md5sum avion.au
6513851d6109d42477b20cd56bf57f28 avion.au
real 0m 0.71s
user 0m 0.00s
sys 0m 0.38s
With kernel PPC MD5:
root@miae:~# time md5sum avion.au
6513851d6109d42477b20cd56bf57f28 avion.au
real 0m 1.01s
user 0m 0.01s
sys 0m 1.00s
With kernel generic MD5:
root@miae:~# time md5sum avion.au
6513851d6109d42477b20cd56bf57f28 avion.au
real 0m 1.31s
user 0m 0.01s
sys 0m 1.30s
With userspace MD5:
root@miae:~# time ./busybox md5sum avion.au
6513851d6109d42477b20cd56bf57f28 avion.au
real 0m 2.38s
user 0m 1.99s
sys 0m 0.38s
Now, we are talking about MD5 which is obsolete and being replaced in
our systems by SHA256. So a commit message ressembling to the one in
commit 23e5c306a207 ("lib/crypto: sparc: Drop optimized MD5 code") would
be better as a justification for the removal.
With the commit message modified to explain that MD5 is obsolete and
using it is risky as you explained in the Sparc commit message, you can
add Acked-by: Christophe Leroy (CS GROUP) <[email protected]>
But please consider the above performance comparison when addressing the
AF_ALG removal.
By the way, what are your plans for SHA1 ? I think SHA1 should likely go
away as well for the same reason.
Christophe
