git: dm_target_crypt_ng - Add next-generation implementation
Michael Neumann
mneumann at crater.dragonflybsd.org
Sun Apr 6 05:10:42 PDT 2025
commit 14e6c73d4c479e4ab26571490758da27da5cbbad
Author: Michael Neumann <mneumann at ntecs.de>
Date: Sun Apr 6 12:07:14 2025 +0200
dm_target_crypt_ng - Add next-generation implementation
* No longer use opencrypto or cryptodev. These were asynchronous and
caused a lot (!) of complications to the code.
* Instead, use our own set of crypto ciphers implemented in
crypto_cipher.{c,h}, which is a simplified API to use symmetric block
ciphers. It mostly calls out to the actual crypto algorithm
implementations contained under sys/crypto.
* Interactivity is greatly improved! When running "blogbench" with the
old dm_target_crypt module, "blogbench" basically "freezes" the system
at around 400 number blogs (Nb). The mouse cursor continuously freezes
for about 1 second. While the computer becomes slower when running
dm_target_crypt_ng, no lag of mouse can be observed. The final
"blogbench" performance result stays about the same. For example:
# dm_target_crypt (old)
Final score for writes: 2136
Final score for reads : 200584
# dm_target_crypt_ng (new)
Final score for writes: 2265
Final score for reads : 203668
* BIOs are processed by two worker pools, each having a set of threads
bound to a particular CPU. Read requests need to be decrypted, while
write requests need to be encrypted. Having a separate worker pool for
read and write requests should provide more fairness. Requests are
scheduled to the workers using round-robin, and "struct bio" is used to
chain "requests" to be processed by worker threads. Read workers need no
further memory to be allocated in order to decrypt the blocks. The write
workers use a shared mpipe as before, as we need to copy the write
buffer before encrypting it.
* Currently, dm_target_crypt_ng only supports AES-CBC and AES-XTS.
Twofish and Serpent are not supported. They are said to be more
secure, but also slower and do not have hardware support. It should be
easy to bring them back into crypto_ciphers.{c,h}.
* If you want to try out the new module, add the following line to
/boot/loader.conf:
dm_target_crypt_ng_load=YES
This might not work with "swapon" as it tries to manually load
"dm_target_crypt".
* My plan is to make "dm_target_crypt_ng" the default and remove the
old "dm_target_crypt" after more intensive testing and feedback.
Summary of changes:
sys/dev/disk/dm/crypt_ng/Makefile | 4 +-
sys/dev/disk/dm/crypt_ng/crypto_cipher.c | 630 +++++++++++++++
sys/dev/disk/dm/crypt_ng/crypto_cipher.h | 108 +++
sys/dev/disk/dm/crypt_ng/dm_target_crypt.c | 1153 +++++++++-------------------
sys/dev/disk/dm/crypt_ng/worker_pool.c | 259 +++++++
sys/dev/disk/dm/crypt_ng/worker_pool.h | 160 ++++
6 files changed, 1502 insertions(+), 812 deletions(-)
create mode 100644 sys/dev/disk/dm/crypt_ng/crypto_cipher.c
create mode 100644 sys/dev/disk/dm/crypt_ng/crypto_cipher.h
create mode 100644 sys/dev/disk/dm/crypt_ng/worker_pool.c
create mode 100644 sys/dev/disk/dm/crypt_ng/worker_pool.h
http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/14e6c73d4c479e4ab26571490758da27da5cbbad
--
DragonFly BSD source repository
More information about the Commits
mailing list