Next: Conclusions
Up: Other Optimizations and Future
Previous: OpenSSL support algorithm-chaining with
In most practical uses of the OCF (especially in protocols like TLS or
SSH), an application issues one or more crypto requests via
/dev/crypto, followed by a write() or send() call to
transmit the data. Similarly, a read() or recv() call is
followed by a number of requests to /dev/crypto. This implies
considerable data copying to and from the kernel, and potentially
unnecessary context switching back and forth. An alternative approach
is to ``link'' some crypto context to a socket or file descriptor
(when doing application-level file encryption), such that data sent or
received on that file descriptor are processed appropriately by the
kernel: for example, a TLS implementation might construct a data
record and simply write() it to the socket (one data copy and
kernel crossing), only to have the kernel pass it to the OCF for
processing before actually passing it on to TCP for transmission. This
requires some discipline by the application, which must set the state
on the socket and only write() appropriately-formatted record,
as well as some support in the kernel to decode incoming TLS or SSH
frames for processing by the OCF before passing them on to the
application.
Another potential approach is to do ``page sharing'' of data buffers;
when a request is given to /dev/crypto, the kernel removes the
page from the process's address space and maps it in its own. When the
request is done, the kernel re-maps the page back to the process's
address space, avoiding all data copying. This works well as long as
/dev/crypto remains a synchronous interface. If processes are
allowed to have multiple pending requests, accesses to that page while
it is being shared with the kernel must be caught and handled, similar
to the way copy-on-write of memory pages is handled. An alternative is
to block any process that tries to access such pinned-down pages until
the crypto request is completed. Obviously, pages that are shared
between processes can cause similar problems even in the current mode
of operation. Operations that cross page boundaries also have to be
dealt carefully.
Next: Conclusions
Up: Other Optimizations and Future
Previous: OpenSSL support algorithm-chaining with
Angelos D. Keromytis
3/25/2003