Upcoming changes to crypto(9) and dm_target_crypt(4)
Aaron LI
aly at aaronly.me
Fri Apr 4 03:53:31 PDT 2025
On 4/4/25 4:41 PM, Michael Neumann wrote:
> On Fri, Apr 04, 2025 at 09:45:00AM +0800, Aaron LI wrote:
>> On 4/4/25 3:35 AM, Michael Neumann wrote:
>>>
>>> * /dev/crypto is gone
>>
>> Will this change require modifications to OpenSSL/LibreSSL/OpenSSH etc.
>> software?
>
> No.

Cool!

> Our version of OpenSSL does not ship with the cryptodev engine. Note
> that OpenSSL is capable of doing all crypto in userland without any help
> of special kernel features. For instance, it bundles AESNI assembly
> here:
>
> /usr/src/crypto/libressl/crypto/aes/aesni-elf-x86_64.S
>
> Using cryptodev engine, which AFAIK would only work on FreeBSD, should
> actually be much slower as compared to using the AESNI assembly from
> OpenSSL.
>
> OpenSSL in ports might ship with cryptodev engine but it should not be
> used on DragonFly! It should compile and decide at runtime "/dev/crypto"
> is not there so skip it.

Nice to know.

>>> * tcplay(8) is gone
>>
>> Hmm, I'd not just remove tcplay(8). As alexh said (in
>> https://github.com/bwalex/tc-play ) it's quite robust and mature. And the
>> upstream also added VeraCrypt support.
>
> Ok. I think we can make it work :).
>
> We might need to patch it slightly... and the question arises if we want
> to keep it in our src tree or move it out as a port? Is the current
> version in src up-to-date?

Don't think our version is up-to-date with the upstream. I think it's
worth a sync.

I think it doesn't hurt to push the changes/fixes to the upstream, and
it would be much better if merged.

> tcplay depends on /dev/crypto which I really would like to get rid of
> for various reasons.
>
> One is, I can reproducibly crash the kernel by using tcplay:
>
> https://bugs.dragonflybsd.org/issues/3370

I knew about this bug report and had a simple look. I was suspecting some
missing kfree() in opencrypto. Does it still panic due to malloc limit
exceeded after your crypto overhaul?

> Should not be too hard to change tcplay to use a crypto function from
> OpenSSL.

This would be good. IIRC it already links to libcrypto, so I don't know
why it requires /dev/crypto since the actual crypto ops are performed in
dm_target_crypt.

Cheers,
Aaron