openssl: disable cryptodev by default

Message ID 1488992224-2962-1-git-send-email-ross.burton@intel.com
State New
Headers show

Commit Message

Burton, Ross March 8, 2017, 4:57 p.m.
Cryptodev is a way for userspace to access the kernel crypto drivers (and so,
hardware crypto).

Not all hardware supports cryptodev so this is something that should be enabled
in a BSP layer instead of in oe-core.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-connectivity/openssl/openssl.inc       | 2 ++
 meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----
 2 files changed, 2 insertions(+), 5 deletions(-)

-- 
2.8.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Martin Jansa March 8, 2017, 5:05 p.m. | #1
On Wed, Mar 08, 2017 at 04:57:04PM +0000, Ross Burton wrote:
> Cryptodev is a way for userspace to access the kernel crypto drivers (and so,

> hardware crypto).

> 

> Not all hardware supports cryptodev so this is something that should be enabled

> in a BSP layer instead of in oe-core.


How is BSP layer supposed to enable this without being considered toxic
to all other layers which might support MACHINEs with the same
TUNE_PKGARCH?

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  meta/recipes-connectivity/openssl/openssl.inc       | 2 ++

>  meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----

>  2 files changed, 2 insertions(+), 5 deletions(-)

> 

> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc

> index 9afa5bd..03dee0e 100644

> --- a/meta/recipes-connectivity/openssl/openssl.inc

> +++ b/meta/recipes-connectivity/openssl/openssl.inc

> @@ -15,7 +15,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \

>            "

>  S = "${WORKDIR}/openssl-${PV}"

>  

> +PACKAGECONFIG ??= ""

>  PACKAGECONFIG[perl] = ",,,"

> +PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"

>  

>  AR_append = " r"

>  TERMIO_libc-musl = "-DTERMIOS"

> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> index 1973f81..4436ba3 100644

> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> @@ -1,10 +1,5 @@

>  require openssl.inc

>  

> -# For target side versions of openssl enable support for OCF Linux driver

> -# if they are available.

> -DEPENDS += "cryptodev-linux"

> -

> -CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"

>  CFLAG_append_class-native = " -fPIC"

>  

>  LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"

> -- 

> 2.8.1

> 

> -- 

> _______________________________________________

> Openembedded-core mailing list

> Openembedded-core@lists.openembedded.org

> http://lists.openembedded.org/mailman/listinfo/openembedded-core


-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Mark Hatle March 8, 2017, 5:28 p.m. | #2
On 3/8/17 10:57 AM, Ross Burton wrote:
> Cryptodev is a way for userspace to access the kernel crypto drivers (and so,

> hardware crypto).


If the BSP does not support crypto dev, what is the harm in this?  It should
fall back to standard behaviors.

> Not all hardware supports cryptodev so this is something that should be enabled

> in a BSP layer instead of in oe-core.


This would make the package be machine specific, which I'm not sure is good for
a package like openssl.  (Distro specific, I'm fine with -- machine I've got
concerns.)

--Mark

> Signed-off-by: Ross Burton <ross.burton@intel.com>

> ---

>  meta/recipes-connectivity/openssl/openssl.inc       | 2 ++

>  meta/recipes-connectivity/openssl/openssl_1.0.2k.bb | 5 -----

>  2 files changed, 2 insertions(+), 5 deletions(-)

> 

> diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc

> index 9afa5bd..03dee0e 100644

> --- a/meta/recipes-connectivity/openssl/openssl.inc

> +++ b/meta/recipes-connectivity/openssl/openssl.inc

> @@ -15,7 +15,9 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \

>            "

>  S = "${WORKDIR}/openssl-${PV}"

>  

> +PACKAGECONFIG ??= ""

>  PACKAGECONFIG[perl] = ",,,"

> +PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"

>  

>  AR_append = " r"

>  TERMIO_libc-musl = "-DTERMIOS"

> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> index 1973f81..4436ba3 100644

> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb

> @@ -1,10 +1,5 @@

>  require openssl.inc

>  

> -# For target side versions of openssl enable support for OCF Linux driver

> -# if they are available.

> -DEPENDS += "cryptodev-linux"

> -

> -CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"

>  CFLAG_append_class-native = " -fPIC"

>  

>  LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"

> 


-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Richard Purdie March 8, 2017, 5:35 p.m. | #3
On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:
> On 3/8/17 10:57 AM, Ross Burton wrote:
> > 
> > Cryptodev is a way for userspace to access the kernel crypto
> > drivers (and so,
> > hardware crypto).
> If the BSP does not support crypto dev, what is the harm in this?  It
> should fall back to standard behaviors.

Note that the implication here is that openssl depends on the kernel
building and many other pieces of the system depend on openssl so it
does bottleneck the build somewhat. 

It also means a kernel rebuild ends up triggering half the userspace to
rebuild which is annoying for users.


> > Not all hardware supports cryptodev so this is something that
> > should be enabled
> > in a BSP layer instead of in oe-core.
> This would make the package be machine specific, which I'm not sure
> is good for
> a package like openssl.  (Distro specific, I'm fine with -- machine
> I've got
> concerns.)

How commonly are kernel crypto drivers used?

Cheers,

Richard
Burton, Ross March 8, 2017, 5:43 p.m. | #4
On 8 March 2017 at 17:35, Richard Purdie <richard.purdie@linuxfoundation.org
> wrote:


> Note that the implication here is that openssl depends on the kernel

> building and many other pieces of the system depend on openssl so it

> does bottleneck the build somewhat.

>

> It also means a kernel rebuild ends up triggering half the userspace to

> rebuild which is annoying for users.

>


I swear I was seeing this, but can't see how it would happen now.  The bulk
of this patch is a sensible cleanup anyway so I shall verify my tests and
most likely resubmit.

Ross
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Richard Purdie March 8, 2017, 5:44 p.m. | #5
On Wed, 2017-03-08 at 17:35 +0000, Richard Purdie wrote:
> On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:
> > 
> > On 3/8/17 10:57 AM, Ross Burton wrote:
> > > 
> > > 
> > > Cryptodev is a way for userspace to access the kernel crypto
> > > drivers (and so,
> > > hardware crypto).
> > If the BSP does not support crypto dev, what is the harm in
> > this?  It
> > should fall back to standard behaviors.
> Note that the implication here is that openssl depends on the kernel
> building and many other pieces of the system depend on openssl so it
> does bottleneck the build somewhat. 
> 
> It also means a kernel rebuild ends up triggering half the userspace
> to rebuild which is annoying for users.

Just to clarify, it doesn't depend on the kernel module, only on a
header so it shouldn't be triggering kernel dependencies. I was getting
some recipe names confused.

I think Ross is going to take another look at this patch...

Cheers,

Richard
Mark Hatle March 8, 2017, 5:44 p.m. | #6
On 3/8/17 11:35 AM, Richard Purdie wrote:
> On Wed, 2017-03-08 at 11:28 -0600, Mark Hatle wrote:

>> On 3/8/17 10:57 AM, Ross Burton wrote:

>>>

>>> Cryptodev is a way for userspace to access the kernel crypto

>>> drivers (and so,

>>> hardware crypto).

>> If the BSP does not support crypto dev, what is the harm in this?  It

>> should fall back to standard behaviors.

> 

> Note that the implication here is that openssl depends on the kernel

> building and many other pieces of the system depend on openssl so it

> does bottleneck the build somewhat. 


I thought the crypto dev interface had been standardized and no longer required
a specific kernel-specific instance.  If this is not true, then it's effectively
machine specific already.

> It also means a kernel rebuild ends up triggering half the userspace to

> rebuild which is annoying for users.

> 

> 

>>> Not all hardware supports cryptodev so this is something that

>>> should be enabled

>>> in a BSP layer instead of in oe-core.

>> This would make the package be machine specific, which I'm not sure

>> is good for

>> a package like openssl.  (Distro specific, I'm fine with -- machine

>> I've got

>> concerns.)

> 

> How commonly are kernel crypto drivers used?


We are seeing it used a lot, especially on IA platforms.  (I have seen some
usage on an arm platform, but don't remember which.)

--Mark

> Cheers,

> 

> Richard

> 


-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Patch hide | download patch | download mbox

diff --git a/meta/recipes-connectivity/openssl/openssl.inc b/meta/recipes-connectivity/openssl/openssl.inc
index 9afa5bd..03dee0e 100644
--- a/meta/recipes-connectivity/openssl/openssl.inc
+++ b/meta/recipes-connectivity/openssl/openssl.inc
@@ -15,7 +15,9 @@  SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           "
 S = "${WORKDIR}/openssl-${PV}"
 
+PACKAGECONFIG ??= ""
 PACKAGECONFIG[perl] = ",,,"
+PACKAGECONFIG[cryptodev] = "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS,-UHAVE_CRYPTODEV,cryptodev-linux"
 
 AR_append = " r"
 TERMIO_libc-musl = "-DTERMIOS"
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
index 1973f81..4436ba3 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2k.bb
@@ -1,10 +1,5 @@ 
 require openssl.inc
 
-# For target side versions of openssl enable support for OCF Linux driver
-# if they are available.
-DEPENDS += "cryptodev-linux"
-
-CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
 CFLAG_append_class-native = " -fPIC"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"