On 8/24/21 2:34 PM, Leonard Crestez wrote:
The crypto_shash API is used in order to compute packet signatures. The API comes with several unfortunate limitations:
- Allocating a crypto_shash can sleep and must be done in user context.
- Packet signatures must be computed in softirq context.
- Packet signatures use dynamic "traffic keys" which require exclusive access to crypto_shash for crypto_setkey.
The solution is to allocate one crypto_shash for each possible cpu for each algorithm at setsockopt time. The per-cpu tfm is then borrowed from softirq context, signatures are computed and the tfm is returned.
The pool for each algorithm is reference counted, initialized at setsockopt time and released in tcp_authopt_key_info's rcu callback.

I don't know, why should we really care and try so hard to release the tfm per cpu?
I would simply allocate them at boot time. This would avoid the expensive refcounting (potential false sharing).
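
A single-threaded userspace C model of the pool lifecycle discussed in this thread, added here as an illustration and not taken from the patch or from either participant. The names `NR_CPUS`, `toy_tfm`, `tfm_pool`, `pool_get`, `pool_put` and `sign_packet` are hypothetical, and FNV-1a stands in for the real keyed hash only to show that the key is per-tfm state, which is why each CPU needs its own tfm.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NR_CPUS 4 /* assumption: stands in for the number of possible CPUs */

/* Toy stand-in for a crypto_shash tfm: the key lives inside the tfm. */
struct toy_tfm { uint8_t key[32]; size_t keylen; };
struct tfm_pool { unsigned refcnt; struct toy_tfm tfm[NR_CPUS]; };
static struct tfm_pool *pool; /* one pool per algorithm; one algorithm here */

/* "setsockopt" path (user context, may sleep): allocate or take a reference. */
int pool_get(void)
{
    if (!pool && !(pool = calloc(1, sizeof(*pool))))
        return -1;
    pool->refcnt++;
    return 0;
}

/* Key release path: dropping the last reference frees every per-CPU tfm. */
void pool_put(void)
{
    if (pool && --pool->refcnt == 0) { free(pool); pool = NULL; }
}

/* "softirq" path: never allocates, only borrows the tfm owned by this CPU. */
uint32_t sign_packet(int cpu, const uint8_t *key, size_t keylen,
                     const uint8_t *pkt, size_t len)
{
    uint32_t h = 2166136261u; /* FNV-1a offset basis; NOT a real MAC */
    if (!pool || cpu < 0 || cpu >= NR_CPUS)
        return 0;
    struct toy_tfm *t = &pool->tfm[cpu]; /* borrow */
    t->keylen = keylen < sizeof(t->key) ? keylen : sizeof(t->key);
    memcpy(t->key, key, t->keylen); /* per-packet setkey mutates the tfm */
    for (size_t i = 0; i < t->keylen; i++) h = (h ^ t->key[i]) * 16777619u;
    for (size_t i = 0; i < len; i++) h = (h ^ pkt[i]) * 16777619u;
    return h; /* the tfm goes back to the pool when this returns */
}

int main(void)
{
    const uint8_t key[] = "constructed-key", pkt[] = "constructed segment";
    if (pool_get()) return 1;
    printf("cpu0 sig %08x\n", (unsigned)sign_packet(0, key, sizeof key, pkt, sizeof pkt));
    pool_put();
    return 0;
}
```

Allocating the pool once at boot, as the reply suggests, would correspond to calling `pool_get` a single time at start-up and never calling `pool_put`, so the `refcnt` field drops out of the per-key paths.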