From 666749806da7475dd0e02ab3d418bad99c74a3ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?=
Date: Wed, 2 Feb 2022 23:11:34 +0100
Subject: [PATCH] module: icp: remove provider stats
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These were all folded into a single kstat at /proc/spl/kstat/kcf/NONAME_provider_stats with no way to know which one it actually was, and only the AES and SHA (so not Skein) ones were ever updated
Reviewed-by: Brian Behlendorf
Signed-off-by: Ahelenia ZiemiaƄska
Closes #12901
---
 module/icp/api/kcf_cipher.c | 2 -
 module/icp/api/kcf_mac.c | 7 +--
 module/icp/include/sys/crypto/impl.h | 50 ------------------
 module/icp/spi/kcf_spi.c | 77 ----------------------------
 4 files changed, 1 insertion(+), 135 deletions(-)
diff --git a/module/icp/api/kcf_cipher.c b/module/icp/api/kcf_cipher.c
index 34023f984..81c3b96b1 100644
--- a/module/icp/api/kcf_cipher.c
+++ b/module/icp/api/kcf_cipher.c
@@ -91,7 +91,6 @@ retry: KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_ENCRYPT_ATOMIC(pd, &lmech, key, plaintext, ciphertext, spi_ctx_tmpl);
- KCF_PROV_INCRSTATS(pd, error);
 if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */
@@ -164,7 +163,6 @@ retry: error = KCF_PROV_DECRYPT_ATOMIC(pd, &lmech, key, ciphertext, plaintext, spi_ctx_tmpl);
- KCF_PROV_INCRSTATS(pd, error);
 if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */
diff --git a/module/icp/api/kcf_mac.c b/module/icp/api/kcf_mac.c
index 36db2cbb5..6a72811ea 100644
--- a/module/icp/api/kcf_mac.c
+++ b/module/icp/api/kcf_mac.c
@@ -107,7 +107,6 @@ retry: KCF_SET_PROVIDER_MECHNUM(mech->cm_type, pd, &lmech); error = KCF_PROV_MAC_ATOMIC(pd, &lmech, key, data, mac, spi_ctx_tmpl);
- KCF_PROV_INCRSTATS(pd, error);
 if (error != CRYPTO_SUCCESS && IS_RECOVERABLE(error)) { /* Add pd to the linked list of providers tried. */
@@ -171,7 +170,6 @@ crypto_mac_init_prov(kcf_provider_desc_t *pd, crypto_mechanism_t lmech = *mech; KCF_SET_PROVIDER_MECHNUM(mech->cm_type, real_provider, &lmech); rv = KCF_PROV_MAC_INIT(real_provider, ctx, &lmech, key, tmpl);
- KCF_PROV_INCRSTATS(pd, rv);
 if (rv == CRYPTO_SUCCESS) *ctxp = (crypto_context_t)ctx;
@@ -259,9 +257,7 @@ crypto_mac_update(crypto_context_t context, crypto_data_t *data) return (CRYPTO_INVALID_CONTEXT); }
- int rv = KCF_PROV_MAC_UPDATE(pd, ctx, data);
- KCF_PROV_INCRSTATS(pd, rv);
- return (rv);
+ return (KCF_PROV_MAC_UPDATE(pd, ctx, data));
 } /*
@@ -291,7 +287,6 @@ crypto_mac_final(crypto_context_t context, crypto_data_t *mac) } int rv = KCF_PROV_MAC_FINAL(pd, ctx, mac);
- KCF_PROV_INCRSTATS(pd, rv);
 /* Release the hold done in kcf_new_ctx() during init step. */ KCF_CONTEXT_COND_RELEASE(rv, kcf_ctx);
diff --git a/module/icp/include/sys/crypto/impl.h b/module/icp/include/sys/crypto/impl.h
index e440d5944..dca7aa1b5 100644
--- a/module/icp/include/sys/crypto/impl.h
+++ b/module/icp/include/sys/crypto/impl.h
@@ -40,55 +40,11 @@ extern "C" { #endif
-#define KCF_MODULE "kcf"
-
 /* * Prefixes convention: structures internal to the kernel cryptographic * framework start with 'kcf_'. Exposed structure start with 'crypto_'. */
-/* Provider stats. Not protected. */
-typedef struct kcf_prov_stats {
- kstat_named_t ps_ops_total;
- kstat_named_t ps_ops_passed;
- kstat_named_t ps_ops_failed;
- kstat_named_t ps_ops_busy_rval;
-} kcf_prov_stats_t;
-
-/*
- * Keep all the information needed by the scheduler from
- * this provider.
- */
-typedef struct kcf_sched_info {
- /* The number of operations dispatched. */
- uint64_t ks_ndispatches;
-
- /* The number of operations that failed. */
- uint64_t ks_nfails;
-
- /* The number of operations that returned CRYPTO_BUSY. */
- uint64_t ks_nbusy_rval;
-} kcf_sched_info_t;
-
-/*
- * pd_irefcnt approximates the number of inflight requests to the
- * provider. Though we increment this counter during registration for
- * other purposes, that base value is mostly same across all providers.
- * So, it is a good measure of the load on a provider when it is not
- * in a busy state. Once a provider notifies it is busy, requests
- * back up in the taskq. So, we use tq_nalloc in that case which gives
- * the number of task entries in the task queue. Note that we do not
- * acquire any locks here as it is not critical to get the exact number
- * and the lock contention may be too costly for this code path.
- */
-#define KCF_PROV_INCRSTATS(pd, error) { \
- (pd)->pd_sched_info.ks_ndispatches++; \
- if (error == CRYPTO_BUSY) \
- (pd)->pd_sched_info.ks_nbusy_rval++; \
- else if (error != CRYPTO_SUCCESS) \
- (pd)->pd_sched_info.ks_nfails++; \
-}
-
 /* * The following two macros should be
@@ -147,15 +103,12 @@ typedef enum { * number to an index in pd_mechanisms array * pd_mechanisms: Array of mechanisms supported by the provider, specified * by the provider during registration
- * pd_sched_info: Scheduling information associated with the provider
 * pd_mech_list_count: The number of entries in pi_mechanisms, specified * by the provider during registration * pd_remove_cv: cv to wait on while the provider queue drains * pd_description: Provider description string * pd_kcf_prov_handle: KCF-private handle assigned by KCF * pd_prov_id: Identification # assigned by KCF to provider
- * pd_kstat: kstat associated with the provider
- * pd_ks_data: kstat data
 */ typedef struct kcf_provider_desc { uint_t pd_refcnt;
@@ -166,14 +119,11 @@ typedef struct kcf_provider_desc { ushort_t pd_mech_indx[KCF_OPS_CLASSSIZE]\ [KCF_MAXMECHTAB]; const crypto_mech_info_t *pd_mechanisms;
- kcf_sched_info_t pd_sched_info;
 uint_t pd_mech_list_count; kcondvar_t pd_remove_cv; const char *pd_description; crypto_kcf_provider_handle_t pd_kcf_prov_handle; crypto_provider_id_t pd_prov_id;
- kstat_t *pd_kstat;
- kcf_prov_stats_t pd_ks_data;
 } kcf_provider_desc_t; /* atomic operations in linux implicitly form a memory barrier */
diff --git a/module/icp/spi/kcf_spi.c b/module/icp/spi/kcf_spi.c
index 62df15801..87e765d47 100644
--- a/module/icp/spi/kcf_spi.c
+++ b/module/icp/spi/kcf_spi.c
@@ -38,15 +38,6 @@ static int init_prov_mechs(const crypto_provider_info_t *, kcf_provider_desc_t *);
-static int kcf_prov_kstat_update(kstat_t *, int);
-static void delete_kstat(kcf_provider_desc_t *);
-
-static const kcf_prov_stats_t kcf_stats_ks_data_template = {
- { "kcf_ops_total", KSTAT_DATA_UINT64 },
- { "kcf_ops_passed", KSTAT_DATA_UINT64 },
- { "kcf_ops_failed", KSTAT_DATA_UINT64 },
- { "kcf_ops_returned_busy", KSTAT_DATA_UINT64 }
-};
 /* * This routine is used to add cryptographic providers to the KEF framework.
@@ -95,27 +86,6 @@ crypto_register_provider(const crypto_provider_info_t *info, * to keep some entries cached to improve performance. */
- /*
- * Create the kstat for this provider. There is a kstat
- * installed for each successfully registered provider.
- * This kstat is deleted, when the provider unregisters.
- */
- prov_desc->pd_kstat = kstat_create("kcf", 0, "NONAME_provider_stats",
- "crypto", KSTAT_TYPE_NAMED, sizeof (kcf_prov_stats_t) /
- sizeof (kstat_named_t), KSTAT_FLAG_VIRTUAL);
-
- if (prov_desc->pd_kstat != NULL) {
- bcopy(&kcf_stats_ks_data_template,
- &prov_desc->pd_ks_data,
- sizeof (kcf_stats_ks_data_template));
- prov_desc->pd_kstat->ks_data = &prov_desc->pd_ks_data;
- KCF_PROV_REFHOLD(prov_desc);
- KCF_PROV_IREFHOLD(prov_desc);
- prov_desc->pd_kstat->ks_private = prov_desc;
- prov_desc->pd_kstat->ks_update = kcf_prov_kstat_update;
- kstat_install(prov_desc->pd_kstat);
- }
-
 mutex_enter(&prov_desc->pd_lock); prov_desc->pd_state = KCF_PROV_READY; mutex_exit(&prov_desc->pd_lock);
@@ -192,8 +162,6 @@ crypto_unregister_provider(crypto_kcf_provider_handle_t handle) return (CRYPTO_UNKNOWN_PROVIDER); }
- delete_kstat(desc);
-
 /* Release reference held by kcf_prov_tab_lookup(). */ KCF_PROV_REFRELE(desc);
@@ -290,35 +258,6 @@ init_prov_mechs(const crypto_provider_info_t *info, kcf_provider_desc_t *desc) return (CRYPTO_ARGUMENTS_BAD); }
-/*
- * Update routine for kstat. Only privileged users are allowed to
- * access this information, since this information is sensitive.
- * There are some cryptographic attacks (e.g. traffic analysis)
- * which can use this information.
- */
-static int
-kcf_prov_kstat_update(kstat_t *ksp, int rw)
-{
- kcf_prov_stats_t *ks_data;
- kcf_provider_desc_t *pd = (kcf_provider_desc_t *)ksp->ks_private;
-
- if (rw == KSTAT_WRITE)
- return (EACCES);
-
- ks_data = ksp->ks_data;
-
- ks_data->ps_ops_total.value.ui64 = pd->pd_sched_info.ks_ndispatches;
- ks_data->ps_ops_failed.value.ui64 = pd->pd_sched_info.ks_nfails;
- ks_data->ps_ops_busy_rval.value.ui64 = pd->pd_sched_info.ks_nbusy_rval;
- ks_data->ps_ops_passed.value.ui64 =
- pd->pd_sched_info.ks_ndispatches -
- pd->pd_sched_info.ks_nfails -
- pd->pd_sched_info.ks_nbusy_rval;
-
- return (0);
-}
-
-
 /* * Utility routine called from failure paths in crypto_register_provider() * and from crypto_load_soft_disabled().
@@ -339,19 +278,3 @@ undo_register_provider(kcf_provider_desc_t *desc, boolean_t remove_prov) if (remove_prov) (void) kcf_prov_tab_rem_provider(desc->pd_prov_id); }
-
-static void
-delete_kstat(kcf_provider_desc_t *desc)
-{
- /* destroy the kstat created for this provider */
- if (desc->pd_kstat != NULL) {
- kcf_provider_desc_t *kspd = desc->pd_kstat->ks_private;
-
- /* release reference held by desc->pd_kstat->ks_private */
- ASSERT(desc == kspd);
- kstat_delete(kspd->pd_kstat);
- desc->pd_kstat = NULL;
- KCF_PROV_REFRELE(kspd);
- KCF_PROV_IREFRELE(kspd);
- }
-}