On Mon, Jun 12, 2017 at 12:51:29PM +0000, Taylor R Campbell wrote:
> > Date: Mon, 12 Jun 2017 10:53:52 +0900
> > From: Kengo NAKAHARA <k-nakah...@iij.ad.jp>
> >
> > I want to avoid detaching the encryption device while it is used by IPsec.
> > That is, once someone creates Security Association(SA) to call
> > crypto_newsession(), the encryption device related the SA must not be
> > detached until the SA is flushed(done crypto_freesession()) and the SA
> > is not used(done crypto_dispatch() and cryptointr()).
>
> Why don't you just use a global reference count first? Is the latency
> and scalability of crypto_newsession and crypto_freesession critical?

For many workloads, it will be, yes. This pair of operations will occur:

* Once per SSL/TLS connection even if the connection is resumed, which
  is tens of thousands of times per second on a busy server, possibly
  even hundreds of thousands of times per second. This assumes someone
  has an SSL/TLS library that can efficiently use our kernel crypto, but
  there's at least one out there that I know of. With modern
  instruction-based accelerators rather than the DMA-and-interrupts
  style this probably matters less.

* Once per Phase 2 IPsec association -- potentially tens of thousands
  per second in recovery from an outage -- this likely matters more to
  most users of our opencrypto today.

--
Thor Lancelot Simon    t...@panix.com

"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart