Date: Thu, 25 Feb 2021 16:20:44 GMT From: Martin Matuska <mm@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 442719c0c6de - releng/13.0 - zfs: disable use of hardware crypto offload drivers Message-ID: <202102251620.11PGKiGM017140@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch releng/13.0 has been updated by mm: URL: https://cgit.FreeBSD.org/src/commit/?id=442719c0c6de93051d4bf9820420e9863ed3de53 commit 442719c0c6de93051d4bf9820420e9863ed3de53 Author: Martin Matuska <mm@FreeBSD.org> AuthorDate: 2021-02-22 17:37:47 +0000 Commit: Martin Matuska <mm@FreeBSD.org> CommitDate: 2021-02-25 16:20:20 +0000 zfs: disable use of hardware crypto offload drivers From openzfs-master e7adccf7f commit message: First, the crypto request completion handler contains a bug in that it fails to reset fs_done correctly after the request is completed. This is only a problem for asynchronous drivers. Second, some hardware drivers have input constraints which ZFS does not satisfy. For instance, ccp(4) apparently requires the AAD length for AES-GCM to be a multiple of the cipher block size, and with qat(4) the AES-GCM AAD length may not be longer than 240 bytes. FreeBSD's generic crypto framework doesn't have a mechanism to automatically fall back to a software implementation if a hardware driver cannot process a request, and ZFS does not tolerate such errors. Patch Author: Mark Johnston <markj@freebsd.org> Obtained from: openzfs/zfs@e7adccf7f537a4d07281a2b74b360154bae367bc PR: 252981, 253595 Approved by: re (gjb) (cherry picked from commit 940415f20a784156ec0e247989796385896f32a8) --- sys/contrib/openzfs/module/os/freebsd/zfs/crypto_os.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/sys/contrib/openzfs/module/os/freebsd/zfs/crypto_os.c b/sys/contrib/openzfs/module/os/freebsd/zfs/crypto_os.c index b86ffc59a21d..0a7241699842 100644 --- a/sys/contrib/openzfs/module/os/freebsd/zfs/crypto_os.c +++ b/sys/contrib/openzfs/module/os/freebsd/zfs/crypto_os.c @@ -293,8 +293,19 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp, error = ENOTSUP; goto bad; } - error = crypto_newsession(&sessp->fs_sid, &csp, - CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE); + + /* + * Disable the use of hardware drivers on FreeBSD 13 and later since + * common crypto offload drivers impose constraints on AES-GCM AAD + * lengths that make them unusable for ZFS, and we currently do not have + * a mechanism to fall back to a software driver for requests not + * handled by a hardware driver. + * + * On 12 we continue to permit the use of hardware drivers since + * CPU-accelerated drivers such as aesni(4) register themselves as + * hardware drivers. + */ + error = crypto_newsession(&sessp->fs_sid, &csp, CRYPTOCAP_F_SOFTWARE); mtx_init(&sessp->fs_lock, "FreeBSD Cryptographic Session Lock", NULL, MTX_DEF); crypt_sessions++;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202102251620.11PGKiGM017140>