[fedora-arm] Hardware Crypto Offload on Kirkwood (SheevaPlug)
omalleys at msu.edu
omalleys at msu.edu
Tue May 24 19:54:23 UTC 2011
Quoting Gordan Bobic <gordan at bobich.net>:
> On 05/24/2011 08:15 PM, omalleys at msu.edu wrote:
>> Quoting Gordan Bobic <gordan at bobich.net>:
>>
>>> On 05/24/2011 07:27 PM, Alexander Boström wrote:
>>>> mån 2011-05-23 klockan 15:15 +0100 skrev Gordan Bobic:
>>>>
>>>>> What I'm pondering now is something like a dkms package for the
>>>>> cryptodev kernel module, but I seem to remember reading somewhere that
>>>>> dkms is a non-Fedora RHEL thing. What do you guys think would be the
>>>>> best way to approach it, especially since we don't have "standard"
>>>>> kernels at the moment?
>>>>
>>>> It's probably a lot easier to just patch your kernel build (or ask
>>>> whoever builds your kernel to do it). Then you won't need kernel build
>>>> tools installed on your little arm device.
>>>
>>> I really don't think that's a big deal. Cryptodev module takes seconds
>>> to build, and even if you are building your own kernel, it means you can
>>> just install the new kernel, and the new module with automatically be
>>> built for it. So it still saves effort.
>>
>> I think this is a bigger deal then you assume. I sure as heck don't want
>> a compiler sitting on my embedded device facing the outside world
>
> You don't want to be updating the kernel on your embedded device without
> ample preparation either.
Well depends on how you look at it. It can be a valuable learning
experience trying to figure out how exactly to recover from your
mistake.
>> or on my desktop system,
>
> So you don't like having nvidia/ati accelerated graphics with
> manufacturer provided drivers either, then? Or LSI SAS controllers? Or
> anything else that relies on dkms to keep it's drivers up to date.
I have to recompile them for various kernels. I have the same issue
with OpenAFS if the package hasn't been updated yet and a new kernel
is released.
>> just the same as I don't put a compiler on a
>> production server system either.
>
> See above. The LSI MPT driver that ships with the kernel on RHEL is
> quite a long way out of date. I guess you could have a build machine
> template for every type system you have, but that's impractical if you
> have a lot of heterogenous hardware.
I do have a build environment for a number of different services.
I moved most of the dev environments to virtual machines though.
> Besides - I don't see a big deal. If you don't like dkms don't use it -
> build the drivers the hard way. For most people, myself included, it's
> an acceptable solution.
>
>> It is just as easy to compile a rootkit
>> as it is a dkms.
>
> If somebody has gained shell access to your box, you've already lost, so
> I don't see this as a particularly viable argument.
Yes but they may have shell access and build the kit to gain root access.
>> Embedded also has space at a premium and dev tools and
>> libraries can eat up space.
>
> If it's embedded, it doesn't get updated often or without good reason,
> and if it really is embedded, then you are probably developing in a
> dedicated environment and planning to deploy on many identical devices.
> In that case you can just push out the driver with the kernel package
> and be done with it. I don't see the two approaches as in any way
> contradictory. The fact that the solution doesn't fit your requirements
> doesn't mean it fits nobody's. I posted the docs on how to do it -
> whether you do it that way or dkms wrapped is entirely up to you. :)
I think the docs were actually well written. I quite enjoyed reading them.
> The only point I'm really making is that dkms is a standard, recognized
> way of doing things like this. It may not fit everyone's requirements,
> but it fits a lot of people's requirements. I'd love to see it become a
> non-issue by bundling the driver/headers in the kernel rpms when those
> become available for popular devices, but until then I think dkms would
> make it much easier for most people who don't want to get their hands
> dirty with doing it all manually.
I understand your argument. It seems strange that you would be making
the argument given you are one of the people who likes to get their
hands dirty. :)
I just think there has to be a better way to do it, sans moving to a
bsd style kernel... :)
More information about the arm
mailing list