Message ID | 37079e43-a5af-db04-086e-750f04151b75@ipfire.org |
---|---|
State | Accepted |
Commit | fb4e1d53a0f079a82717203d0ff7eeea7d0c6162 |
Headers | Subject: [PATCH 2/4] Tor: Use crypto hardware acceleration if available; From: Peter Müller <peter.mueller@ipfire.org>; To: development@lists.ipfire.org; Date: Sat, 25 Sep 2021 09:08:22 +0200; In-Reply-To: <c3117283-a083-01ad-0649-05da5bfa8b0d@ipfire.org> |
Series | [1/4] Tor: Enable syscall sandbox |
Commit Message
Peter Müller
Sept. 25, 2021, 7:08 a.m. UTC
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
html/cgi-bin/tor.cgi | 1 +
1 file changed, 1 insertion(+)
Comments
Hello,

Can you elaborate a little bit more on this?

Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.

What does this option change?

-Michael

> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> html/cgi-bin/tor.cgi | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi > index ce579aec1..2b0d93336 100644 > --- a/html/cgi-bin/tor.cgi > +++ b/html/cgi-bin/tor.cgi > @@ -731,6 +731,7 @@ sub BuildConfiguration() { > > # Global settings. > print FILE "Sandbox 1\n"; > + print FILE "HardwareAccel 1\n"; > print FILE "ControlPort $TOR_CONTROL_PORT\n"; > > if ($settings{'TOR_ENABLED'} eq 'on') { > -- > 2.26.2
Hello Michael,

thanks for your reply.

To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel for an online version of it):

> HardwareAccel 0|1
> If non-zero, try to use built-in (static) crypto hardware
> acceleration when available. Can not be changed while tor is
> running. (Default: 0)

Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386de0361e32113f8cb7).

Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)

I hope to have your question answered.

Thanks, and best regards,
Peter Müller

> Hello,
>
> Can you elaborate a little bit more on this?
>
> Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
>
> What does this option change?
>
> -Michael
>
>> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> html/cgi-bin/tor.cgi | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi >> index ce579aec1..2b0d93336 100644 >> --- a/html/cgi-bin/tor.cgi >> +++ b/html/cgi-bin/tor.cgi >> @@ -731,6 +731,7 @@ sub BuildConfiguration() { >> >> # Global settings. >> print FILE "Sandbox 1\n"; >> + print FILE "HardwareAccel 1\n"; >> print FILE "ControlPort $TOR_CONTROL_PORT\n"; >> >> if ($settings{'TOR_ENABLED'} eq 'on') { >> -- >> 2.26.2
>
Thank you for clearing this up for me.

-Michael

> On 4 Oct 2021, at 11:49, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> Hello Michael,
>
> thanks for your reply.
>
> To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel
> for an online version of it):
>
>> HardwareAccel 0|1
>> If non-zero, try to use built-in (static) crypto hardware
>> acceleration when available. Can not be changed while tor is
>> running. (Default: 0)
>
> Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider
> this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while
> ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386de0361e32113f8cb7).
>
> Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)
>
> I hope to have your question answered.
>
> Thanks, and best regards,
> Peter Müller
>
>
>> Hello,
>> Can you elaborate a little bit more on this?
>> Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
>> What does this option change?
>> -Michael
>>> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> html/cgi-bin/tor.cgi | 1 +
>>> 1 file changed, 1 insertion(+)
>>>
>>> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi >>> index ce579aec1..2b0d93336 100644 >>> --- a/html/cgi-bin/tor.cgi >>> +++ b/html/cgi-bin/tor.cgi >>> @@ -731,6 +731,7 @@ sub BuildConfiguration() { >>> >>> # Global settings. >>> print FILE "Sandbox 1\n"; >>> + print FILE "HardwareAccel 1\n"; >>> print FILE "ControlPort $TOR_CONTROL_PORT\n"; >>> >>> if ($settings{'TOR_ENABLED'} eq 'on') { >>> -- >>> 2.26.2
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index ce579aec1..2b0d93336 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -731,6 +731,7 @@ sub BuildConfiguration() { # Global settings. print FILE "Sandbox 1\n"; + print FILE "HardwareAccel 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n"; if ($settings{'TOR_ENABLED'} eq 'on') {
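Review bot: The added `print FILE "HardwareAccel 1\n";` line under "# Global settings." in BuildConfiguration() is emitted unconditionally, with no comment and an empty commit message body, so the reason for overriding Tor's default is recorded nowhere in the change. The manpage quoted in this thread gives the default as 0 and says the option cannot be changed while tor is running, so please add a one-line comment above the line and a commit message body that states the default, links the earlier decision referenced in the thread, and notes that the setting only takes effect after tor is restarted rather than on a configuration reload. Consider also whether the value should follow an entry in %settings, like the `$settings{'TOR_ENABLED'}` check just below, so that users who do not trust their hardware can turn it off.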