> Date: Mon, 18 May 2020 17:51:51 -0400 > From: Thor Lancelot Simon <t...@panix.com> > > On Mon, May 18, 2020 at 09:08:14PM +0100, Alexander Nasonov wrote: > > matthew green wrote: > > > what's the use-case for disabling encrypted swap later? > > > > It might be too slow on some machines. > > > > > i'd argue we should avoid kauth for this and simply disable > > > it always as i've been unable to think of any use case that > > > is the only solution. > > > > Always encrypted swap would be even better but ... slow machines. > > Compared to the time required to put the pages out to disk?
If anyone is concerned with the overhead of encryption on top of the cost of swapping to disk, we could: 1. Always prohibit disabling it for now -- no new kauth required. Wanna disable it, gotta reboot. 2. While it is off by default, measure the additional impact on slow machines of doing the bit of extra computation when we're already swapping. 3. Decide on the basis of (2) whether, if/when we later flip on vm.swap_encrypt=1 by default, to add a kauth to control whether it can be disabled at all, or whether to just always encrypt swap unconditionally and forget about the bad old days when we wrote ephemeral memory out to nonvolatile storage in cleartext. > Could try chacha8. This does not work on its face, because we may need to encrypt many different pages over time in the same swap slot, and the only additional input available is the swap slot number. That's why I chose AES-CBC with iv=AES_k(slotno). To use ChaCha8 with the same key and same slot number twice we would need to maintain a nonce to distinguish the two versions, which adds extra storage when we're already swapping. We could improve on it by using a better wide-block tweakable PRP construction than CBC, and by using a better primitive than AES, but that would require slightly more work and thought that may not be worthwhile. (My calculus last weekend was that I wanted to make swap encryption JFW, preferably some time over a decade ago. My calculus for a rainy day later on depends on the results of measurement.)
