disk/cryptodisk: Add --hw-accel to enable hardware acceleration

The --hw-accel option has been added to cryptomount to speed up
decryption by temporarily enabling hardware-specific instruction
sets (e.g., AVX, SSE) in libgcrypt.

A new feature, "feature_gcry_hw_accel", is also introduced to mark the
availability of the new option.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin 2025-10-22 09:29:00 +08:00 committed by Daniel Kiper
parent f8f68f14ae
commit 91ddada642
3 changed files with 28 additions and 6 deletions


@ -7134,7 +7134,7 @@ The option @option{--quiet} can be given to suppress the output.
@node cryptomount
@subsection cryptomount
@deffn Command cryptomount [ [@option{-p} password] | [@option{-k} keyfile [@option{-O} keyoffset] [@option{-S} keysize] ] | [@option{-P} protector] ] [@option{-H} file] device|@option{-u} uuid|@option{-a}|@option{-b}
@deffn Command cryptomount [ [@option{-p} password] | [@option{-k} keyfile [@option{-O} keyoffset] [@option{-S} keysize] ] | [@option{-P} protector] | [@option{-A}] ] [@option{-H} file] device|@option{-u} uuid|@option{-a}|@option{-b}
Setup access to encrypted device. A passphrase will be requested interactively,
if neither the @option{-p} nor @option{-k} options are given. The option
@option{-p} can be used to supply a passphrase (useful for scripts).
@ -7142,7 +7142,8 @@ Alternatively the @option{-k} option can be used to supply a keyfile with
options @option{-O} and @option{-S} optionally supplying the offset and size,
respectively, of the key data in the given key file. Besides the keyfile,
the key can be stored in a key protector, and option @option{-P} configures
specific key protector, e.g. tpm2, to retrieve the key from.
specific key protector, e.g. tpm2, to retrieve the key from. The option @option{-A}
enables hardware acceleration in libgcrypt to speed up decryption.
The @option{-H} options can be used to supply cryptomount backends with an
alternative header file (aka detached header). Not all backends have headers
nor support alternative header files (currently only LUKS1 and LUKS2 support them).


@ -29,6 +29,7 @@
#include <grub/partition.h>
#include <grub/key_protector.h>
#include <grub/safemath.h>
#include <grub/hwfeatures-gcry.h>
#ifdef GRUB_UTIL
#include <grub/emu/hostdisk.h>
@ -48,7 +49,8 @@ enum
OPTION_KEYFILE_OFFSET,
OPTION_KEYFILE_SIZE,
OPTION_HEADER,
OPTION_PROTECTOR
OPTION_PROTECTOR,
OPTION_HWACCEL
};
static const struct grub_arg_option options[] =
@ -64,6 +66,7 @@ static const struct grub_arg_option options[] =
{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
{"protector", 'P', GRUB_ARG_OPTION_REPEATABLE,
N_("Unlock volume(s) using key protector(s)."), 0, ARG_TYPE_STRING},
{"hw-accel", 'A', 0, N_("Enable hardware acceleration."), 0, 0},
{0, 0, 0, 0, 0, 0}
};
@ -1420,7 +1423,7 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
}
static grub_err_t
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
__grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
struct grub_arg_list *state = ctxt->state;
struct grub_cryptomount_args cargs = {0};
@ -1629,6 +1632,23 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
}
}
static grub_err_t
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
struct grub_arg_list *state = ctxt->state;
grub_err_t err;
if (state[OPTION_HWACCEL].set)
grub_enable_gcry_hwf ();
err = __grub_cmd_cryptomount (ctxt, argc, args);
if (state[OPTION_HWACCEL].set)
grub_reset_gcry_hwf ();
return err;
}
static struct grub_disk_dev grub_cryptodisk_dev = {
.name = "cryptodisk",
.id = GRUB_DISK_DEVICE_CRYPTODISK_ID,
@ -1898,7 +1918,7 @@ GRUB_MOD_INIT (cryptodisk)
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
N_("[ [-p password] | [-k keyfile"
" [-O keyoffset] [-S keysize] ] ] [-H file]"
" [-P protector [-P protector ...]]"
" [-P protector [-P protector ...]] | [-A]"
" <SOURCE|-u UUID|-a|-b>"),
N_("Mount a crypto device."), options);
grub_procfs_register ("luks_script", &luks_script);
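Review bot: The new wrapper `grub_cmd_cryptomount` has no comment explaining why the libgcrypt hardware features are switched on only around the call to `__grub_cmd_cryptomount` and reset afterwards, and that scoping is the security-relevant part of this change. A short comment above the wrapper would cover it, for example `/* Enable libgcrypt HW features only for the duration of the unlock; reset on return. */`. It is not visible from these hunks whether cipher state set up while the features are enabled is still used by later cryptodisk reads after `grub_reset_gcry_hwf ()` has run, so that is worth confirming and stating in the same comment. The usage string in `GRUB_MOD_INIT` writes `| [-A]` as if `-A` were an alternative to the other options, while the wrapper checks `state[OPTION_HWACCEL].set` regardless of the key source; `" [-P protector [-P protector ...]] [-A]"` would match the code. The `__` prefix on the renamed function is a reserved identifier in C, and a name such as `grub_cmd_cryptomount_impl` would avoid it.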


@ -518,7 +518,8 @@ static const char *features[] = {
"feature_default_font_path", "feature_all_video_module",
"feature_menuentry_id", "feature_menuentry_options", "feature_200_final",
"feature_nativedisk_cmd", "feature_timeout_style",
"feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs"
"feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs",
"feature_gcry_hw_accel"
};
GRUB_MOD_INIT(normal)