crypto.
ClosedPublic
Actions

Authored by jhb on Nov 21 2020, 12:47 AM.

Details

Reviewers

markj
jmg

Group Reviewers

manpages

Commits

rS368005: Remove the cloned file descriptors for /dev/crypto.

Summary

Crypto file descriptors were added in the original OCF import as a way
to provide per-open data (specifically the list of symmetric
sessions). However, this gives a bit of a confusing API where one has
to open /dev/crypto and then invoke an ioctl to obtain a second file
descriptor. Character devices have gained support for per-open data
via cdevpriv since OCF was imported, so simply the userland API by
permitting ioctls directly on /dev/crypto descriptors.

To provide backwards compatibility, CRIOGET now opens another
/dev/crypto descriptor via kern_openat(). This preserves prior
semantics in case CRIOGET is invoked multiple times on a single file
descriptor.

Test Plan

old and new cryptocheck work on a new kernel
openssl speed from 1.1.1 now works (doesn't work currently as it doesn't use CRIOGET)
Drew tested an earlier version of this with openssl speed as well

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jhb requested review of this revision.Nov 21 2020, 12:47 AM

jhb created this revision.

Harbormaster completed remote builds in B34938: Diff 79824.Nov 21 2020, 12:47 AM

markj accepted this revision.Nov 22 2020, 7:24 PM

markj added inline comments.

sys/opencrypto/cryptodev.c
1354 ↗	(On Diff #79824)	As part of an attempt to reduce the usage of `volatile` in preference of atomic(9), we now have a `refcount_load()` which should be used here.
1454 ↗	(On Diff #79824)	This is going to fail if the process has restricted filesystem access, e.g., if it's in a chroot or jail without /dev/crypto, or it's in capability mode. That seems acceptable, but might be worth a comment.