p11_child benchmark : OpenSC caching

[mvogt1]

I just found out that p11_child does benefit from the caching mechanism by OpenSC.

The difference is significant 9 secs vs 0.9 secs ! ( factor 10 )

# CACHE: DISABLED
$ cat /etc/opensc.conf | grep use_file_caching
        use_file_caching = no;
$ time pkcs11-tool --list-objects
real    0m8.982s
user    0m0.030s
sys     0m0.033s

# CACHE: ENABLED
$ cat /etc/opensc.conf | grep use_file_caching
        use_file_caching = public;          <---- default
$ time pkcs11-tool --list-objects
real    0m0.963s
user    0m0.017s
sys     0m0.011s

I'm using a wrapper to benchmark p11_child:

$ cat /usr/libexec/sssd/p11_child
#!/usr/bin/bash

LOG="/tmp/p11_child.log"
#export XDG_CACHE_HOME="/var/tmp/xdg-cache/root_p11/"
#mkdir -p $XDG_CACHE_HOME

id >> $LOG
env >> $LOG
echo "HOME: $HOME" >>$LOG

{ time  /usr/libexec/sssd/p11_child.bin "$@" ; } 2>>$LOG

When testing p11_child:

$pamtester -v gdm-smartcard <mylogin> authenticate
$ tail -f /tmp/p11_child.log 
real    0m8.820s
user    0m0.008s
sys     0m0.012s

This take 8.8 secs for p11_child, and thus not using caching (0.8 secs)

I'm missing an option in /etc/sssd.conf, for example:

p11_child_xdg_cache_home=/var/cache/p11_child

which sets the environment variable XDG_CACHE_HOME before calling pkcs11-opensc.so.
In the example wrapper above I would then get the 0.8 secs.

Note:

Setting a global cache dir according to man opensc.conf :

$ cat  /etc/opensc.conf | grep file_cache_dir
        file_cache_dir = "/var/cache/opensc";

works, but is a global option, I would prefer a seperate option for p11_child.

As a result, currently, at least on RedHat, the default is to not use caching, and thus is performing poorly.

Caching in OpenSC is configured globally but does not work in p11_child, because neither $HOME nor $XDG_CACHE_HOME ist set in p11_child. Setting file_cache_dir would work, but needs a additional SELinux rule.

I would prefer a default in sssd, including a shipped SELinux rule, for p11_child which runs in context=system_u:system_r:sssd_t:s0.

[sumit-bose]

Hi,

thank you for the suggestion. So far I was thinking that a global cache with file_cache_dir would be sufficient but your are right about SELinux.

But do you think a configurable path is needed? Would do you think of having a fixed location somewhere below /var/lib/sss/? This way no extra option for sssd.conf is needed and if a cache should be used or not can be controlled in opensc.conf.

bye,
Sumit

[mvogt1]

Hello Sumit,

the fixed location should be fine, and the case to disable caching then can be controlled by opensc.conf is fine too.
So the patch would be

putenv("XDG_CACHE_HOME=" COMPILE_TIME_VAR "/p11_child");

in p11_child main?
Does the build system already adds a SELinux exceptions for /var/lib/sss ?

bye,

Martin

[alexey-tikhonov]

Does the build system already adds a SELinux exceptions for /var/lib/sss ?

Default SELinux policy labels this dir:
https://github.com/SELinuxProject/refpolicy/blob/0dae0f47cc8218badb39c49ee44f5323137c3771/policy/modules/services/sssd.fc#L10

[sumit-bose]

Hello Sumit,

the fixed location should be fine, and the case to disable caching then can be controlled by opensc.conf is fine too. So the patch would be

putenv("XDG_CACHE_HOME=" COMPILE_TIME_VAR "/p11_child");

Hi,

yes, /var/lib/sss is defined in SSS_STATEDIR. If I understand the opensc.conf man page correctly OpenSC will add /opensc to XDG_CACHE_HOME so using XDG_CACHE_HOME=SSS_STATEDIR might be sufficient to use /var/lib/sss/opensc as cache directory. Btw, since krb5_child has to access the Smartcard for PKINIT as well it might benefit from setting the environment variable as well.

Would you like to prepare a patch and pull-request for this?

bye,
Sumit

in p11_child main? Does the build system already adds a SELinux exceptions for /var/lib/sss ?

bye,

Martin

[mvogt1]

Hello Sumit,

Would you like to prepare a patch and pull-request for this?

Yes, let me try to prepare a pull request for this.

I noticed that even if I get p11_child to one sec, krb5_child needs another 20 secs.

• The overall time before "Enter PIN" appears take 28 secs here

I haven't looked at krb5_child, if it is the same issue it would be an easy fix too.
But 20 secs are two times of an opensc card read. I will take a look at it.

bye,

Martin

[mvogt1]

Hello Sumit,

I tested

ret = setenv("XDG_CACHE_HOME",SSS_STATEDIR,1);

and now have

• 1.0 sec for p11_child
• 2.4 sec for krb5_child

The whole process now takes 8 secs.

$ time pamtester gdm-smartcard <login> authenticate
PIN for Smartcard: 
pamtester: successfully authenticated

real    0m8.518s
user    0m0.002s
sys     0m0.007s

This is already a major improvement from the 30 secs before, I will look into this the next week again.

What can be seen is that krb5_child reads the smartcard two times, everytime it is invoke, and therefore this needs 2 seconds.

Any idea from where the additional 5 secs for pamtester are coming from?

bye,

Martin