mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2025-01-03 23:09:35 +03:00
FreeBSD: disable the use of hardware crypto offload drivers for now
First, the crypto request completion handler contains a bug in that it fails to reset fs_done correctly after the request is completed. This is only a problem for asynchronous drivers. Second, some hardware drivers have input constraints which ZFS does not satisfy. For instance, ccp(4) apparently requires the AAD length for AES-GCM to be a multiple of the cipher block size, and with qat(4) the AES-GCM AAD length may not be longer than 240 bytes. FreeBSD's generic crypto framework doesn't have a mechanism to automatically fall back to a software implementation if a hardware driver cannot process a request, and ZFS does not tolerate such errors. The plan is to implement such a fallback mechanism, but with FreeBSD 13.0 approaching we should simply disable the use hardware drivers for now. Reviewed-by: Ryan Moeller <ryan@iXsystems.com> Reviewed-by: Alexander Motin <mav@FreeBSD.org> Signed-off-by: Mark Johnston <markj@FreeBSD.org> Closes #11612
This commit is contained in:
parent
f6440fa094
commit
f17c843eff
@ -293,8 +293,19 @@ freebsd_crypt_newsession(freebsd_crypt_session_t *sessp,
|
||||
error = ENOTSUP;
|
||||
goto bad;
|
||||
}
|
||||
error = crypto_newsession(&sessp->fs_sid, &csp,
|
||||
CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE);
|
||||
|
||||
/*
|
||||
* Disable the use of hardware drivers on FreeBSD 13 and later since
|
||||
* common crypto offload drivers impose constraints on AES-GCM AAD
|
||||
* lengths that make them unusable for ZFS, and we currently do not have
|
||||
* a mechanism to fall back to a software driver for requests not
|
||||
* handled by a hardware driver.
|
||||
*
|
||||
* On 12 we continue to permit the use of hardware drivers since
|
||||
* CPU-accelerated drivers such as aesni(4) register themselves as
|
||||
* hardware drivers.
|
||||
*/
|
||||
error = crypto_newsession(&sessp->fs_sid, &csp, CRYPTOCAP_F_SOFTWARE);
|
||||
mtx_init(&sessp->fs_lock, "FreeBSD Cryptographic Session Lock",
|
||||
NULL, MTX_DEF);
|
||||
crypt_sessions++;
|
||||
|
Loading…
Reference in New Issue
Block a user