Re: [PATCH] implement in-kernel keys & keyring management

[Linus Torvalds]

On Sun, 8 Aug 2004, James Morris wrote:
> 
> I'm not disagreeing with the above, but what about performance?  Part of
> the reason I suggested Netlink is that it's likely to be more efficient
> to send messages over a socket than to exec a program for each key
> request from the kernel.

Yes. However, I don't see that the kernel really would ask for new keys 
very often.  Any normal operation is that you have the key already.

> It's difficult to know if performance will actually be an issue without
> understanding the potential workload more.  What if many thousands of
> clients are connected to a fileserver?  Would calling /sbin/request-key
> for each key request be likely to cause performance problems?

The fileserver generally is the one that _asks_ for keys, not the other 
way around.

So the "I don't have a key" case is more of an issue where somebody tries 
to mount an encrypted filesystem, and the filesystem says "you don't have 
a key".

It's not a thing like "you tried to open a file" that happens thousands of
times a second - that one would get an EACCES if you don't have a key. 

It would be more like "the mount binary needs a key to mount this volume, 
so let's request that key first".

David, have you actually coded up something that uses the user callback, 
maybe you can describe a realistic schenario...

But at least to me, the /sbin/request-key thing is more like loading a 
module. You might do it to mount a filesystem or read an encrypted volume, 
but you wouldn't do it in the "normal" workload. It's a major event.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/