[2/4] Tor: Use crypto hardware acceleration if available

Message ID 37079e43-a5af-db04-086e-750f04151b75@ipfire.org
State Accepted
Commit fb4e1d53a0f079a82717203d0ff7eeea7d0c6162
Headers show
Series [1/4] Tor: Enable syscall sandbox | expand

Commit Message

Peter Müller Sept. 25, 2021, 7:08 a.m. UTC
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 html/cgi-bin/tor.cgi | 1 +
 1 file changed, 1 insertion(+)

Comments

Michael Tremer Sept. 27, 2021, 6:46 p.m. UTC | #1
Hello,

Can you elaborate a little bit more on this?

Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.

What does this option change?

-Michael

> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> html/cgi-bin/tor.cgi | 1 +
> 1 file changed, 1 insertion(+)
> 
> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
> index ce579aec1..2b0d93336 100644
> --- a/html/cgi-bin/tor.cgi
> +++ b/html/cgi-bin/tor.cgi
> @@ -731,6 +731,7 @@ sub BuildConfiguration() {
> 
> 	# Global settings.
> 	print FILE "Sandbox 1\n";
> +	print FILE "HardwareAccel 1\n";
> 	print FILE "ControlPort $TOR_CONTROL_PORT\n";
> 
> 	if ($settings{'TOR_ENABLED'} eq 'on') {
> -- 
> 2.26.2
Peter Müller Oct. 4, 2021, 10:49 a.m. UTC | #2
Hello Michael,

thanks for your reply.

To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel
for an online version of it):

>        HardwareAccel 0|1
>            If non-zero, try to use built-in (static) crypto hardware
>            acceleration when available. Can not be changed while tor is
>            running. (Default: 0)

Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider
this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while
ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386de0361e32113f8cb7).

Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)

I hope to have your question answered.

Thanks, and best regards,
Peter Müller


> Hello,
> 
> Can you elaborate a little bit more on this?
> 
> Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
> 
> What does this option change?
> 
> -Michael
> 
>> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> html/cgi-bin/tor.cgi | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
>> index ce579aec1..2b0d93336 100644
>> --- a/html/cgi-bin/tor.cgi
>> +++ b/html/cgi-bin/tor.cgi
>> @@ -731,6 +731,7 @@ sub BuildConfiguration() {
>>
>> 	# Global settings.
>> 	print FILE "Sandbox 1\n";
>> +	print FILE "HardwareAccel 1\n";
>> 	print FILE "ControlPort $TOR_CONTROL_PORT\n";
>>
>> 	if ($settings{'TOR_ENABLED'} eq 'on') {
>> -- 
>> 2.26.2
>
Michael Tremer Oct. 4, 2021, 1:59 p.m. UTC | #3
Thank you for clearing this up for me.

-Michael

> On 4 Oct 2021, at 11:49, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
> To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel
> for an online version of it):
> 
>>       HardwareAccel 0|1
>>           If non-zero, try to use built-in (static) crypto hardware
>>           acceleration when available. Can not be changed while tor is
>>           running. (Default: 0)
> 
> Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider
> this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while
> ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386de0361e32113f8cb7).
> 
> Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)
> 
> I hope to have your question answered.
> 
> Thanks, and best regards,
> Peter Müller
> 
> 
>> Hello,
>> Can you elaborate a little bit more on this?
>> Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
>> What does this option change?
>> -Michael
>>> On 25 Sep 2021, at 08:08, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> html/cgi-bin/tor.cgi | 1 +
>>> 1 file changed, 1 insertion(+)
>>> 
>>> diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
>>> index ce579aec1..2b0d93336 100644
>>> --- a/html/cgi-bin/tor.cgi
>>> +++ b/html/cgi-bin/tor.cgi
>>> @@ -731,6 +731,7 @@ sub BuildConfiguration() {
>>> 
>>> 	# Global settings.
>>> 	print FILE "Sandbox 1\n";
>>> +	print FILE "HardwareAccel 1\n";
>>> 	print FILE "ControlPort $TOR_CONTROL_PORT\n";
>>> 
>>> 	if ($settings{'TOR_ENABLED'} eq 'on') {
>>> -- 
>>> 2.26.2

Patch

diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
index ce579aec1..2b0d93336 100644
--- a/html/cgi-bin/tor.cgi
+++ b/html/cgi-bin/tor.cgi
@@ -731,6 +731,7 @@  sub BuildConfiguration() {
 
 	# Global settings.
 	print FILE "Sandbox 1\n";
+	print FILE "HardwareAccel 1\n";
 	print FILE "ControlPort $TOR_CONTROL_PORT\n";
 
 	if ($settings{'TOR_ENABLED'} eq 'on') {