boot.initrd.luks: remove x86_64/i586 AES modules #85074
Conversation
Commit 1d2c3279311e4f03fcf164e1366f2fda9f4bfccf in the upstream kernel repository removed support for the scalar x86_64 and i586 AES assembly implementations, since the generic AES implementation generated by the compiler is faster for both platforms. Remove the modules from the cryptoModules list. This causes a regression for kernel versions >=5.4 which include the removal. This should have no negative impact on AES performance on older kernels since the generic implementation should be faster there as well since the implementation was hardly touched from its initial submission. Fixes NixOS#84842
Emantor
force-pushed
the
fix/boot_kernel_module
branch
from
86dbabf to
61da203
Compare
ofborg
bot
added
6.topic: nixos
|
perhaps @ivanbrennan can validate this? |
@worldofpeace I'm happy to, but do you know how I could test it without risking locking myself out of my system? |
|
You can probably test this with |
|
@worldofpeace @Emantor I tested using Again, since I only have access to one machine (and need it for work), I'm hesitant to try it for real (not in a vm, actually rebuild and reboot), but I'm probably being too cautious. For reference, my test involved:
git clone git@github.com:Emantor/nixpkgs.git -b fix/boot_kernel_module ./test-nixpkgs
sudo nixos-rebuild build-vm -I nixpkgs=./test-nixpkgs --max-jobs 1
./result/bin/run-nixosbox-vmThe full build logs are in this gist: https://gist.github.com/ivanbrennan/e006577dd65d26d6a6f20435e9912f57#file-nixos-build-vm-log The kernel modules section can also be seen here: I noticed a bunch of warnings related to udev rules, like: The relevant section of the build logs can be seen here: https://gist.github.com/ivanbrennan/e006577dd65d26d6a6f20435e9912f57#file-udev-rules-log I don't think the udev rules warnings are related, nor do they look problematic -- just something I noticed when searching the logs for "fatal", "error", and "warning" |
Since this is NixOS, even if the new system doesn't boot you can still start an older generation from the boot menu which will include the old generated initramfs with the module. The only thing which could remove the generation would be automatic run of |
When I boot up, I'm prompted for the passphrase to decrypt the root drive before arriving at the boot menu (where generations are listed). This is why I'm not sure I'd be able to rollback if it went wrong. |
Hm, than support for decryption should be in the used bootloader, which from your description should be grub. Since this initial decryption to access the boot partition does not use the kernel at all, the grub decryption shouldn't break even if we remove the kernel module. Please confirm this from your configuration, it should contain something like: (copied from the NixOS wiki here). This would mean that it should also be safe to test this PR on your system. Of course I understand if you are still reluctant to test the change on your production system, no pressure 😃. It would be helpful to have a minimal reproducible configuration, than I could test this against a local VM. |
|
@Emantor I'm using the systemd-boot EFI boot loader in this case: (I'm no expert, but on this machine, a Dell XPS 13 9360, I had to go with EFI rather than grub to get things working.) Nonetheless, it sounds like your main point -- that the drive decryption doesn't use the kernel -- still applies. I'll put a minimal reproducible configuration together and post it here. Thanks for all your help, by the way! |
|
@Emantor I was mistaken - on bootup, I'm not prompted to decrypt the drive until after choosing a generation. It had been a while since I did a full reboot. Sorry for the confusion. |
Than a test on your primary machine shouldn't block on anything 👍 |
|
@worldofpeace @Emantor Is there anything else I can do to help this along? |
You could test this on your main machine, alternatively post a minimal configuration to reproduce your bug, than I can test this fix. Testing on your machine can be done with: I don't currently have the time to come up with a reproducing configuration myself, unfortunately 😞 |
|
@Emantor Here's my attempt at a minimal reproducible config: I built a vm with it and was able to get to the login prompt. I imagine hardware-configuration.nix would require some changes to run on a different machine (e.g. device ids). |
|
@worldofpeace @Emantor I tested this on my machine and rebooted. It all worked correctly 👍 As suggested, I rebuilt with rebooted, and was able to decrypt the drive and log into the system without incident. |
|
@worldofpeace Is there anything else I can do to help this get merged? |
|
@fpletz Thanks! The delay was mostly because I was afraid to test this change (with a rebuild and full reboot) on my one (and currently only) machine. I finally did, however, and it worked out fine. |
Now that the x86_64/i586 AES modules have been removed from boot.initrd.luks (see NixOS/nixpkgs#85074), and that change has made it into the nixos-unstable channel, https://github.com/NixOS/nixpkgs-channels/tree/a5cc7d3197705f933d88e97c0c61849219ce76c1 reintroduce the changes that are needed for NixOS 20.03 https://nixos.org/nixos/manual/release-notes.html#sec-release-20.03
Motivation for this change
Commit 1d2c3279311e4f03fcf164e1366f2fda9f4bfccf in the upstream kernel
repository removed support for the scalar x86_64 and i586 AES
assembly implementations, since the generic AES implementation generated
by the compiler is faster for both platforms. Remove the modules from
the cryptoModules list. This causes a regression for kernel versions
>=5.4which include the removal. This should have no negative impact onAES performance on older kernels since the generic implementation should
be faster there as well since the implementation was hardly touched from
its initial submission.
Fixes #84842
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)