Madivelopa ochokera ku Cloudflare za kugwira ntchito kuti mukwaniritse magwiridwe antchito a disk encryption mu Linux kernel. Zotsatira zake zinali zokonzeka za subsystem ndi Crypto API, zomwe zinapangitsa kuti zikhale zotheka kuchulukitsa kuwirikiza kawiri kuwerenga ndi kulemba kupyolera mu kuyesa kopanga, komanso kuchepetsa kuchepa kwa theka. Poyesedwa pa hardware yeniyeni, kubisala pamwamba kunachepetsedwa kufika pafupifupi mlingo womwe umawonedwa pogwira ntchito ndi disk popanda kubisa deta.
Cloudflare imagwiritsa ntchito dm-crypt kubisa deta pazida zosungira zomwe zimagwiritsidwa ntchito posungira zomwe zili pa CDN. Dm-crypt imagwira ntchito pazida za block block ndikulemba encrypts kulemba zopempha za I / O ndikutsitsa zopempha zowerengera, kukhala ngati wosanjikiza pakati pa chipangizo chotchinga ndi dalaivala wamafayilo.
Kuti muwone momwe dm-crypt imagwirira ntchito pogwiritsa ntchito phukusi Tidayezera liwiro logwira ntchito ndi magawo obisidwa komanso osabisidwa pa disk ya RAM yomwe ili mu RAM kuti tichotse kusinthasintha kwa magwiridwe antchito a disk ndikuyang'ana kwambiri magwiridwe antchito. Kwa magawo osasinthika, kuwerenga ndi kulemba kudali pa 1126 MB / s, koma liwiro linatsika pamene kubisa kunayatsidwa. 7 nthawi ndi kuchuluka kwa 147 MB/s.
Poyamba, kukayikira kudayamba kugwiritsa ntchito ma algorithms osagwira ntchito mu kernel cryptosystem. Koma mayeserowa adagwiritsa ntchito algorithm yothamanga kwambiri, aes-xts, yokhala ndi makiyi a 256 encryption, omwe magwiridwe ake akamayendetsa "cryptsetup benchmark" amakhala ochulukirapo kuwirikiza kawiri kuposa momwe amapezera poyesa diski ya RAM. Kuyesera ndi mbendera za dm-crypt pakukonza magwiridwe antchito sikunapereke zotsatira: mukamagwiritsa ntchito mbendera ya "--perf-same_cpu_crypt", magwiridwe antchito adatsika mpaka 136 MB/s, ndipo pofotokoza mbendera ya "--perf-submit_from_crypt_cpus" idangokulirakulira. mpaka 166 MB/s.
Kusanthula mozama kwa malingaliro ogwiritsira ntchito kunawonetsa kuti dm-crypt siwophweka monga momwe zimawonekera - pempho lolemba likafika kuchokera kwa dalaivala wa FS, dm-crypt siyimayikonza nthawi yomweyo, koma imayiyika pamzere wa "kcryptd", womwe. sichinasinthidwe nthawi yomweyo, koma nthawi yabwino. Kuchokera pamzere, pempho limatumizidwa ku Linux Crypto API kuti ipange kubisa. Koma popeza Crypto API imagwiritsa ntchito njira yophatikizira yofananira, kubisa sikumachitidwanso nthawi yomweyo, koma kudutsa mzere wina. Pambuyo kubisa kumalizidwa, dm-crypt angayesere kusanja zopempha zolembera pogwiritsa ntchito mtengo wosaka . Pamapeto pake, ulusi wosiyana wa kernel kachiwiri, ndikuchedwa kwina, umatenga zopempha za I / O zomwe zasonkhanitsidwa ndikuzitumiza ku chipangizo cha block.
Powerenga, dm-crypt imawonjezera pempho pamzere wa "kcryptd_io" kuti mulandire deta kuchokera pagalimoto. Patapita nthawi, deta imapezeka ndipo imayikidwa pamzere wa "kcryptd" kuti iwonongeke.
Kcryptd imatumiza pempho ku Linux Crypto API, yomwe imachotsa chidziwitsocho mwachisawawa. Zopempha sizimadutsa pamzere wonse, koma pazovuta kwambiri, pempho lolemba limakhala pamzere mpaka maulendo 4, ndipo pempho lowerengedwa mpaka katatu. Kugunda kulikonse pamzere kumabweretsa kuchedwa, chomwe ndi chifukwa chachikulu cha kuchepa kwakukulu kwa magwiridwe antchito a dm-crypt.
Kugwiritsiridwa ntchito kwa mizere kumachitika chifukwa chofuna kugwira ntchito pamene zosokoneza zimachitika. Mu 2005, pamene dm-crypt's queue-based operating model ikugwiritsidwa ntchito, Crypto API inali isanakwane. Crypto API itasamutsidwa ku mtundu wophatikizika wa asynchronous, chitetezo chapawiri chinayamba kugwiritsidwa ntchito. Mizere idayambitsidwanso kuti ipulumutse kugwiritsiridwa ntchito kwa kernel stack, koma itakula mu 2014, kukhathamiritsa uku kudasiya kufunikira kwake. Mzere wowonjezera "kcryptd_io" adayambitsidwa kuti athane ndi vuto lomwe limapangitsa kudikirira kugawika kwa kukumbukira pomwe zopempha zambiri zifika. Mu 2015, gawo lowonjezera losankhira lidayambitsidwa, popeza zopempha za encryption pamakina amitundu yambiri zitha kumalizidwa popanda dongosolo (m'malo motsatana ndi diski, mwayi udachitika mwachisawawa, ndipo CFQ scheduler sanagwire ntchito bwino). Pakadali pano, mukamagwiritsa ntchito ma drive a SSD, kusanja kwataya tanthauzo, ndipo ndandanda ya CFQ sikugwiritsidwanso ntchito mu kernel.
Poganizira kuti zoyendetsa zamakono zakhala zofulumira komanso zanzeru, njira yogawa zida mu Linux kernel yasinthidwanso ndipo ma subsystems ena akonzedwanso, akatswiri a Cloudflare. dm-crypt ili ndi njira yatsopano yogwiritsira ntchito yomwe imathetsa kugwiritsa ntchito mizere yosafunikira komanso mafoni osasinthika. Mawonekedwewa amathandizidwa ndi mbendera yosiyana "force_inline" ndipo imabweretsa dm-crypt ku mawonekedwe a proxy yosavuta yomwe imalemba ndikuchotsa zopempha zomwe zikubwera. Kuyanjana ndi Crypto API kwakongoletsedwa posankha momveka bwino ma aligorivimu achinsinsi omwe amagwira ntchito molumikizana komanso osagwiritsa ntchito mizere yopempha. Kugwira ntchito synchronously ndi Crypto API panali gawo lomwe limakupatsani mwayi wogwiritsa ntchito FPU/AES-NI kuti mupititse patsogolo ndikupititsa patsogolo ma encryption ndi ma decryption.
Zotsatira zake, poyesa diski ya RAM, zinali zotheka kupitilira kuwirikiza kawiri ntchito ya dm-crypt - magwiridwe antchito adakwera kuchokera ku 294 MB / s (2 x 147 MB ββ/ s) mpaka 640 MB / s, yomwe ili pafupi kwambiri. ntchito yobisa (696 MB / s).
Poyesa kuchuluka kwa ma seva enieni, kukhazikitsidwa kwatsopano kunawonetsa magwiridwe antchito pafupi kwambiri ndi kasinthidwe kamene kakuyenda popanda kubisa, ndipo kuloleza kubisa pamaseva okhala ndi cache ya Cloudflare sikunakhudze liwiro lakuyankha. M'tsogolomu, Cloudflare ikukonzekera kusamutsa zigamba zokonzedwa ku Linux kernel, koma izi zisanachitike zidzafunika kukonzedwanso, chifukwa zimakongoletsedwa ndi katundu wina ndipo siziphimba madera onse ogwiritsira ntchito, mwachitsanzo, kubisala pansi. -zida zophatikizidwa ndi mphamvu.
Source: opennet.ru