Re: [PATCH v6 0/7] refactor file signing program
From: Shreenidhi Shedi
Date: Mon Aug 07 2023 - 06:22:04 EST
On 07/08/23 13:47, Shreenidhi Shedi wrote:
On 07/08/23 07:53, Masahiro Yamada wrote:
On Thu, Jun 1, 2023 at 6:08 PM Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
wrote:
On Thu, Jun 01, 2023 at 02:33:23PM +0530, Shreenidhi Shedi wrote:
On Wed, 31-May-2023 22:20, Greg KH wrote:
On Wed, May 31, 2023 at 09:01:24PM +0530, Shreenidhi Shedi wrote:
On Wed, 31-May-2023 20:08, Greg KH wrote:
On Tue, Apr 25, 2023 at 04:14:49PM +0530, Shreenidhi Shedi wrote:
On Wed, 22-Mar-2023 01:03, Shreenidhi Shedi wrote:
Can you please review the latest patch series? I think I have
addressed your
concerns. Thanks.
The big question is, "who is going to use these new features"? This
tool is only used by the in-kernel build scripts, and if they do not
take advantage of these new options you have added, why are they
needed?
thanks,
greg k-h
Hi Greg,
Thanks for the response.
We use it in VMware Photon OS. Following is the link for the same.
https://github.com/vmware/photon/blob/master/SPECS/linux/spec_install_post.inc#L4
If this change goes in, it will give a slight push to our build
performance.
What exactly do you mean by "slight push"?
Instead of invoking the signing tool binary for each module, we can
pass
modules in bulk and it will reduce the build time by couple of seconds.
Then why not modify the in-kernel build system to also do this, allowing
everyone to save time and money (i.e. energy)?
Why keep the build savings to yourself?
thanks,
greg k-h
If I understand correctly,
"sign-file: add support to sign modules in bulk"
is the only benefit in the patchset.
I tested the bulk option, but I did not see build savings.
My evaluation:
1. 'make allmodconfig all', then 'make modules_install'.
(9476 modules installed)
2. I ran 'perf stat' for single signing vs bulk signing
(5 runs for each).
I changed the -n option in scripts/signfile.sh
A. single sign
Sign one module per scripts/sign-file invocation.
find "${MODULES_PATH}" -name *.ko -type f -print0 | \
xargs -r -0 -P$(nproc) -x -n1 sh -c "..."
Performance counter stats for './signfile-single.sh' (5 runs):
22.33 +- 2.26 seconds time elapsed ( +- 10.12% )
B. bulk sign
Sign 32 modules per scripts/sign-file invocation
find "${MODULES_PATH}" -name *.ko -type f -print0 | \
xargs -r -0 -P$(nproc) -x -n32 sh -c "..."
Performance counter stats for './signfile-bulk.sh' (5 runs):
24.78 +- 3.01 seconds time elapsed ( +- 12.14% )
The bulk option decreases the process forks of scripts/sign-file
but I did not get even "slight push".
That's some really interesting data. I'm surprised that with stand alone
run bulk signing is not performing as expected. Can you give the full
command you used for bulk sign? Reduced number of forks should
eventually lead to getting more done in less time.
But I got ~1.4 seconds boost when I did "make module_install".
I gave the data in my other response as well. Copying the same here
because this has in better context.
root@ph5dev:~/linux-6.3.5 # ./test.sh orig
real 0m14.699s
user 0m55.519s
sys 0m9.036s
root@ph5dev:~/linux-6.3.5 # ./test.sh new
real 0m13.327s
user 0m46.885s
sys 0m6.770s
Here is my test script.
```
#!/bin/bash
set -e
if [ "$1" != "new" ] && [ "$1" != "orig" ]; then
echo "invalid arg, ($0 [orig|new])" >&2
exit 1
fi
rm -rf $PWD/tmp
s="scripts/sign-file.c"
m="scripts/Makefile.modinst"
fns=($s $m)
for f in ${fns[@]}; do
cp $f.$1 $f
done
cd scripts
gcc -o sign-file sign-file.c -lcrypto
cd -
time make modules_install INSTALL_MOD_PATH=$PWD/tmp -s -j$(nproc)
```
I ran the signfile script again using perf. Almost same as the method
you followed.
I have 991 modules in the target modules directory. Following is the report:
```
root@ph5dev:~/linux-6.3.5 #
perf stat ./signfile.sh sha384 certs/signing_key.pem 1
Performance counter stats for './signfile.sh sha384
certs/signing_key.pem 1':
18,498.62 msec task-clock # 7.901
CPUs utilized
6,211 context-switches # 335.755 /sec
52 cpu-migrations # 2.811 /sec
554,414 page-faults # 29.971 K/sec
2.341202651 seconds time elapsed
14.891415000 seconds user
3.018111000 seconds sys
root@ph5dev:~/linux-6.3.5 #
perf stat ./signfile.sh sha384 certs/signing_key.pem 32
Performance counter stats for './signfile.sh sha384
certs/signing_key.pem 32':
8,397.24 msec task-clock # 7.548
CPUs utilized
1,237 context-switches # 147.310 /sec
0 cpu-migrations # 0.000 /sec
22,529 page-faults # 2.683 K/sec
1.112510013 seconds time elapsed
8.057543000 seconds user
0.323572000 seconds sys
```
And now the interesting part. I tested the time saved with only
modules_sign.
root@ph5dev:~/linux-6.3.5 # ./b.sh new
real 0m1.756s
user 0m8.481s
sys 0m0.553s
root@ph5dev:~/linux-6.3.5 # ./b.sh orig
real 0m3.078s
user 0m16.801s
sys 0m3.096s
root@ph5dev:~/linux-6.3.5 # ./b.sh new
real 0m1.757s
user 0m8.554s
sys 0m0.504s
root@ph5dev:~/linux-6.3.5 # ./b.sh orig
real 0m3.098s
user 0m16.855s
sys 0m3.073s
And signfile.sh script also shows the same. I tweaked it a bit to accept
number of process as another arg.
root@ph5dev:~/linux-6.3.5 #
time ./signfile.sh sha384 certs/signing_key.pem 1
real 0m2.343s
user 0m14.916s
sys 0m2.890s
root@ph5dev:~/linux-6.3.5 #
time ./signfile.sh sha384 certs/signing_key.pem 32
real 0m1.120s
user 0m8.120s
sys 0m0.276s
So, every run is saving ~2 seconds of time. I think something is wrong
in the way you tested. Please check once at your end.
--
Shedi