You are not logged in.
Hi,
I'm wondering about disk encryption, using dm_crypt.
Until recently, my (old 4.19) kernel used aesni_intel and aes_x86_64 (one being a dependency of the other)
More recent kernels have dropped aes_x86_64 as being 'less performant than generic' (The only relevant info I could find was this one https://bugs.archlinux.org/task/64721 )
But then, aesni_intel does not appear loaded either.
So I wonder.
aesni_intel Is supposed to manage hardware encryption, which IMHO is better than software, as a matter of CPU use (and heat, and laptop fans not spinning, etc. and ... comfort)
I simply can't find information about all this.
How could I use hardware intel encryption on recent kernels ?
I tried manual load of aesni_intel which failed : ERROR: could not insert 'aesni_intel': Operation not permitted
I tried to add "aesni_intel" on kernel parameters at boot, with no success
If anyone out there has knowledge about this, thank you so much for any clue !
regards
Squalou
Last edited by squalou (2020-04-19 12:59:43)
Offline
fir the records, on an old kernel
$ lsmod | grep aes
aesni_intel 200704 25
crypto_simd 16384 1 aesni_intel
cryptd 28672 11 crypto_simd,ghash_clmulni_intel,aesni_intel
glue_helper 16384 1 aesni_intel
aes_x86_64 20480 1 aesni_intel
Offline
I tried manual load of aesni_intel which failed : ERROR: could not insert 'aesni_intel': Operation not permitted
You need to be root to load kernel modules. Please also post the exact commands along with their outputs in code tags.
# modprobe aesni_intel
lsmod
Offline
I did modprobe as root,
*but* with module_blacklist=aes_x86_64 which according to the doc should not prevent its loading if it is a prerequisite. (on the old kernel) and should have no efefct on the new one anyway
I reboot again and copy you the commands output
Last edited by squalou (2020-04-19 11:22:40)
Offline
Ok ... some clarifications
- with kernel 5.6, (without aes_x86_64 obviously) : *aesni_intel* is loaded so everything is fine there.
Back in a moment with the old kernel (4.19)
You'll ask me why I stick with this old one : anything with kernel > 5.3 overheats the cpu a bit, so I investigate on new ones, keepng this one handy so far.
You'll ask me then why I bother trying to get rid of aes_x86_64 on the ol one ? Because mkinitcpio complains everytime when dealing with recent kernel, because aes_x86_64 *is* listed in modules array (to be used with old one, module I'd like to drop to avoid these errors)
Last edited by squalou (2020-04-19 11:37:02)
Offline
back on 4.19 with aes_x86_64 blacklisted on kernel line parameters and aesni_intel explicitely added on the line too
root@myhost # lsmod | grep aes
root@myhost # modprobe aesni_intel
modprobe: ERROR: could not insert 'aesni_intel': Operation not permitted
root@bmyhost # lsmod
Module Size Used by
ccm 20480 6
uhid 20480 1
rfcomm 86016 16
fuse 118784 3
ipt_MASQUERADE 16384 2
nf_conntrack_netlink 49152 0
xfrm_user 45056 1
xfrm_algo 16384 1 xfrm_user
xt_addrtype 16384 2
br_netfilter 24576 0
overlay 131072 0
snd_hda_codec_hdmi 57344 1
snd_hda_codec_realtek 122880 1
snd_hda_codec_generic 86016 1 snd_hda_codec_realtek
cmac 16384 15
algif_hash 16384 7
algif_skcipher 16384 7
af_alg 28672 30 algif_hash,algif_skcipher
bnep 24576 2
ip6t_REJECT 16384 14
nf_reject_ipv6 16384 1 ip6t_REJECT
ip6t_rpfilter 16384 1
ipt_REJECT 16384 5
nf_reject_ipv4 16384 1 ipt_REJECT
xt_conntrack 16384 10
ebtable_nat 16384 1
ebtable_broute 16384 1
bridge 188416 2 br_netfilter,ebtable_broute
stp 16384 1 bridge
llc 16384 2 bridge,stp
ip6table_nat 16384 1
nf_nat_ipv6 16384 1 ip6table_nat
ip6table_mangle 16384 1
ip6table_raw 16384 1
ip6table_security 16384 1
iptable_nat 16384 1
nf_nat_ipv4 16384 2 ipt_MASQUERADE,iptable_nat
nf_nat 36864 2 nf_nat_ipv6,nf_nat_ipv4
nf_conntrack 172032 6 xt_conntrack,nf_nat,nf_nat_ipv6,ipt_MASQUERADE,nf_nat_ipv4,nf_conntrack_netlink
nf_defrag_ipv6 20480 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 2 nf_conntrack,nf_nat
iptable_mangle 16384 1
iptable_raw 16384 1
iptable_security 16384 1
ip_set 45056 0
nfnetlink 16384 4 nf_conntrack_netlink,ip_set
ebtable_filter 16384 1
ebtables 36864 3 ebtable_nat,ebtable_filter,ebtable_broute
ip6table_filter 16384 1
ip6_tables 28672 7 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle,ip6table_security
iptable_filter 16384 1
arc4 16384 2
btusb 53248 0
btrtl 16384 1 btusb
btbcm 16384 1 btusb
btintel 24576 1 btusb
bluetooth 651264 45 btrtl,btintel,btbcm,bnep,btusb,rfcomm
ecdh_generic 24576 2 bluetooth
uvcvideo 118784 0
videobuf2_vmalloc 16384 1 uvcvideo
videobuf2_memops 16384 1 videobuf2_vmalloc
videobuf2_v4l2 28672 1 uvcvideo
videobuf2_common 53248 2 videobuf2_v4l2,uvcvideo
videodev 217088 3 videobuf2_v4l2,uvcvideo,videobuf2_common
media 45056 2 videodev,uvcvideo
joydev 24576 0
intel_rapl 24576 0
mousedev 24576 0
i915 2101248 9
snd_soc_skl 114688 0
snd_soc_skl_ipc 73728 1 snd_soc_skl
snd_soc_sst_ipc 16384 1 snd_soc_skl_ipc
snd_soc_sst_dsp 36864 1 snd_soc_skl_ipc
snd_hda_ext_core 28672 1 snd_soc_skl
snd_soc_acpi_intel_match 24576 1 snd_soc_skl
snd_soc_acpi 16384 2 snd_soc_acpi_intel_match,snd_soc_skl
snd_soc_core 270336 1 snd_soc_skl
snd_compress 24576 1 snd_soc_core
x86_pkg_temp_thermal 16384 0
ac97_bus 16384 1 snd_soc_core
kvmgt 28672 0
snd_pcm_dmaengine 16384 1 snd_soc_core
intel_powerclamp 16384 0
vfio_mdev 16384 0
mdev 20480 2 kvmgt,vfio_mdev
vfio_iommu_type1 28672 0
kvm_intel 237568 0
vfio 32768 3 kvmgt,vfio_mdev,vfio_iommu_type1
snd_hda_intel 49152 3
hid_multitouch 28672 0
hid_generic 16384 0
snd_hda_codec 151552 4 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_codec_realtek
ath10k_pci 61440 0
iTCO_wdt 16384 0
iTCO_vendor_support 16384 1 iTCO_wdt
mei_wdt 16384 0
kvm 741376 2 kvmgt,kvm_intel
snd_hda_core 98304 7 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hda_intel,snd_hda_ext_core,snd_hda_codec,snd_hda_codec_realtek,snd_soc_skl
nls_iso8859_1 16384 1
dell_laptop 24576 0
dell_wmi 16384 0
nls_cp437 20480 1
intel_cstate 16384 0
wmi_bmof 16384 0
intel_wmi_thunderbolt 16384 0
vfat 20480 1
dell_smbios 28672 2 dell_wmi,dell_laptop
ath10k_core 544768 1 ath10k_pci
snd_hwdep 16384 1 snd_hda_codec
irqbypass 16384 1 kvm
fat 86016 1 vfat
ath 36864 1 ath10k_core
dell_wmi_descriptor 16384 2 dell_wmi,dell_smbios
snd_pcm 131072 8 snd_hda_codec_hdmi,snd_hda_intel,snd_hda_ext_core,snd_hda_codec,snd_soc_core,snd_soc_skl,snd_hda_core,snd_pcm_dmaengine
i2c_algo_bit 16384 1 i915
dcdbas 16384 1 dell_smbios
intel_uncore 135168 0
mac80211 925696 1 ath10k_core
snd_timer 36864 1 snd_pcm
input_leds 16384 0
pcspkr 16384 0
intel_rapl_perf 16384 0
drm_kms_helper 208896 1 i915
snd 106496 16 snd_hda_codec_generic,snd_hda_codec_hdmi,snd_hwdep,snd_hda_intel,snd_hda_codec,snd_hda_codec_realtek,snd_timer,snd_compress,snd_soc_core,snd_pcm
soundcore 16384 1 snd
i2c_i801 32768 0
cfg80211 778240 3 ath,mac80211,ath10k_core
rtsx_pci_ms 20480 0
intel_gtt 24576 1 i915
mei_me 45056 1
syscopyarea 16384 1 drm_kms_helper
memstick 16384 1 rtsx_pci_ms
sysfillrect 16384 1 drm_kms_helper
mei 118784 3 mei_wdt,mei_me
processor_thermal_device 16384 0
rfkill 28672 8 bluetooth,dell_laptop,cfg80211
i2c_hid 28672 0
sysimgblt 16384 1 drm_kms_helper
intel_xhci_usb_role_switch 16384 0
intel_pch_thermal 16384 0
fb_sys_fops 16384 1 drm_kms_helper
roles 16384 1 intel_xhci_usb_role_switch
intel_soc_dts_iosf 16384 1 processor_thermal_device
ucsi_acpi 16384 0
idma64 20480 0
typec_ucsi 36864 1 ucsi_acpi
intel_lpss_pci 20480 0
intel_lpss 16384 1 intel_lpss_pci
typec 45056 1 typec_ucsi
wmi 28672 5 intel_wmi_thunderbolt,dell_wmi,wmi_bmof,dell_smbios,dell_wmi_descriptor
hid 135168 4 i2c_hid,hid_multitouch,hid_generic,uhid
battery 24576 0
soc_button_array 16384 0
intel_vbtn 16384 0
pcc_cpufreq 16384 0
evdev 24576 22
intel_hid 16384 0
int3403_thermal 16384 0
mac_hid 16384 0
sparse_keymap 16384 3 intel_hid,dell_wmi,intel_vbtn
int340x_thermal_zone 16384 2 int3403_thermal,processor_thermal_device
int3400_thermal 16384 0
acpi_thermal_rel 16384 1 int3400_thermal
ac 16384 0
vboxnetflt 32768 0
vboxnetadp 28672 0
vboxdrv 495616 2 vboxnetadp,vboxnetflt
coretemp 16384 0
msr 16384 0
dell_smm_hwmon 16384 0
drm 512000 7 drm_kms_helper,i915
agpgart 49152 2 intel_gtt,drm
crypto_user 16384 0
ip_tables 28672 5 iptable_filter,iptable_security,iptable_raw,iptable_nat,iptable_mangle
x_tables 45056 17 ebtables,ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,iptable_security,ip6t_rpfilter,ipt_MASQUERADE,xt_addrtype,ip6_tables,ipt_REJECT,iptable_raw,ip_tables,ip6table_mangle,ip6table_security,ip6t_REJECT,iptable_mangle
xts 16384 1
rtsx_pci_sdmmc 28672 0
serio_raw 16384 0
mmc_core 180224 1 rtsx_pci_sdmmc
atkbd 32768 0
libps2 16384 1 atkbd
crct10dif_pclmul 16384 0
crc32_pclmul 16384 0
ghash_clmulni_intel 16384 0
crypto_simd 16384 0
cryptd 28672 2 crypto_simd,ghash_clmulni_intel
glue_helper 16384 0
xhci_pci 16384 0
xhci_hcd 266240 1 xhci_pci
rtsx_pci 73728 2 rtsx_pci_sdmmc,rtsx_pci_ms
i8042 32768 1 dell_laptop
serio 28672 5 serio_raw,atkbd,i8042
ext4 737280 2
crc32c_generic 16384 0
crc32c_intel 24576 3
crc16 16384 2 bluetooth,ext4
mbcache 16384 1 ext4
jbd2 122880 1 ext4
fscrypto 32768 1 ext4
dm_crypt 40960 1
dm_mod 155648 9 dm_crypt
Offline
Have you tried removing aes_x86_64 from the module blacklist, removing aes_x86_64 from mkinitcpio.conf, using a custom mkinitcpio.conf for 4.19 (configure that in /etc/mkinitcpio.d/linux-lts.preset)
Last edited by loqs (2020-04-19 11:40:18)
Offline
I did'nt find a clear doc about 'presets', I don't know if I should write the entire 'MODULES' line in the preset file.
Arch doc is declared 'out of date'
Reason: The presets will be removed from the kernel packages. mkinitcpio 27 uses a pacman hook that creates the presets from a template (/usr/share/mkinitcpio/hook.preset). (Discuss in Talk:Mkinitcpio#)
https://wiki.archlinux.org/index.php/Mkinitcpio
So, I didn't play with it.
But if it works, I'd rather ADD aes_x86_64 in my old -lts kernel preset, to have it work 'as before', and remove it in the regular mkinitcpio.conf sa that the new one doesn't complain ?
I would have
/etc/mkinitcpio.conf
MODULES="dm_mod dm_crypt ext4 sha256 sha512"
/etc/mkinitcpio.d/linux-lts.preset
MODULES="dm_mod dm_crypt ext4 aes_x86_64 sha256 sha512"
does that sound right ?
What about the warnings in the doc ?
Last edited by squalou (2020-04-19 11:52:59)
Offline
The preset is now generated by a hook but that has no impact on using the preset file. The hook will backup the preset file on removal of the kernel that generated that preset and restore that backup on re-installation of that kernel. So I do not understand the out of date flag.
Do hooks fail to detect that all of the modules you listed are required?
Offline
No, thing is, as I was reluctant to fiddle with mkinitcpio MDULES line, I did play in grub and added interactively 'module_blacklist' on the kernel line.
I'll try the preset thing.
Would sound perfect to me, having :
- old kernel working as ever
- new one without warnings
- no errors reported
Will let you know.
Offline
Ok, looks like it's perfectly working
Tried to install some dkms things, update regular kernel, no more warnings. Rebuilt old kernel image too -> still all modules found, everything right.
Using preset, way to go !
Thank you !
Offline