Posted to commits@impala.apache.org by ta...@apache.org on 2018/02/22 17:58:59 UTC
[6/6] impala git commit: IMPALA-6219: actually turn on AES-GCM
IMPALA-6219: actually turn on AES-GCM
There was a typo that prevented it from matching the output of cpuinfo
correctly.
Testing:
Manually verified that impalad.INFO contains the expected hardware
flags:
Hardware Supports:
ssse3
sse4_1
sse4_2
popcnt
avx
avx2
pclmulqdq
Added temporary logging to verify that openssl-util-test and impala with
--disk_spill_encryption=true were going down the expected code path.
Added permanent logging at startup to report the default mode.
Change-Id: I64f23c493c6cc8d7e51ff45bbb305a71085e84c8
Reviewed-on: http://gerrit.cloudera.org:8080/9386
Reviewed-by: Alex Behm <al...@cloudera.com>
Tested-by: Impala Public Jenkins
Project: http://git-wip-us.apache.org/repos/asf/impala/repo
Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/623ace0e
Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/623ace0e
Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/623ace0e
Branch: refs/heads/master
Commit: 623ace0e4c84297606d13f321bd2ceee70a8b9f2
Parents: 8ea1ce8
Author: Tim Armstrong <ta...@cloudera.com>
Authored: Wed Feb 21 14:02:15 2018 -0800
Committer: Impala Public Jenkins <im...@gerrit.cloudera.org>
Committed: Thu Feb 22 07:18:39 2018 +0000
----------------------------------------------------------------------
be/src/common/init.cc | 2 ++
be/src/util/cpu-info.cc | 2 +-
be/src/util/openssl-util.cc | 6 +++---
be/src/util/openssl-util.h | 20 ++++++++++----------
4 files changed, 16 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/impala/blob/623ace0e/be/src/common/init.cc
----------------------------------------------------------------------
diff --git a/be/src/common/init.cc b/be/src/common/init.cc
index 41d4549..745112a 100644
--- a/be/src/common/init.cc
+++ b/be/src/common/init.cc
@@ -239,6 +239,8 @@ void impala::InitCommonRuntime(int argc, char** argv, bool init_jvm,
LOG(INFO) << MemInfo::DebugString();
LOG(INFO) << OsInfo::DebugString();
LOG(INFO) << "Process ID: " << getpid();
+ LOG(INFO) << "Default AES cipher mode for spill-to-disk: "
+ << EncryptionKey::ModeToString(EncryptionKey::GetSupportedDefaultMode());
// Required for the FE's Catalog
ABORT_IF_ERROR(impala::LibCache::Init());
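Review bot: The new startup line is written at INFO whichever mode is selected, so a fallback away from AES-GCM (the situation the cpuinfo typo produced) still looks like any other startup message. Consider raising the severity when the result is not GCM, for example `if (mode != AES_256_GCM) LOG(WARNING) << "AES-GCM unavailable, spill-to-disk falls back to " << EncryptionKey::ModeToString(mode);` with `mode` holding the value returned by `GetSupportedDefaultMode()`. The call presumably depends on CpuInfo having been initialised earlier in InitCommonRuntime; that part of the function is outside the hunk, so it is worth confirming the ordering.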
http://git-wip-us.apache.org/repos/asf/impala/blob/623ace0e/be/src/util/cpu-info.cc
----------------------------------------------------------------------
diff --git a/be/src/util/cpu-info.cc b/be/src/util/cpu-info.cc
index 1e3fcde..570e677 100644
--- a/be/src/util/cpu-info.cc
+++ b/be/src/util/cpu-info.cc
@@ -91,7 +91,7 @@ static struct {
{ "popcnt", CpuInfo::POPCNT },
{ "avx", CpuInfo::AVX },
{ "avx2", CpuInfo::AVX2 },
- { "pclmuldqd", CpuInfo::PCLMULQDQ }
+ { "pclmulqdq", CpuInfo::PCLMULQDQ }
};
static const long num_flags = sizeof(flag_mappings) / sizeof(flag_mappings[0]);
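Review bot: Nothing around `flag_mappings` verifies that its strings match the flag names the kernel prints, which is how the misspelled entry went unnoticed and, per the commit message, kept AES-GCM from being selected. A comment above the table such as `// Names must match the "flags" line of /proc/cpuinfo exactly; a mismatch silently disables the feature.` would record the constraint. The commit message lists only manual verification, so a small test that feeds a sample flags line through the parser and checks that every mapped feature is detected would catch a future misspelling. The table's opening lines are outside the hunk.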
http://git-wip-us.apache.org/repos/asf/impala/blob/623ace0e/be/src/util/openssl-util.cc
----------------------------------------------------------------------
diff --git a/be/src/util/openssl-util.cc b/be/src/util/openssl-util.cc
index 83cd8fd..2b368da 100644
--- a/be/src/util/openssl-util.cc
+++ b/be/src/util/openssl-util.cc
@@ -223,7 +223,7 @@ void EncryptionKey::SetCipherMode(AES_CIPHER_MODE m) {
}
}
-bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m) const {
+bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m) {
switch (m) {
case AES_256_GCM:
// It becomes a bit tricky for GCM mode, because GCM mode is enabled since
@@ -251,13 +251,13 @@ bool EncryptionKey::IsModeSupported(AES_CIPHER_MODE m) const {
}
}
-AES_CIPHER_MODE EncryptionKey::GetSupportedDefaultMode() const {
+AES_CIPHER_MODE EncryptionKey::GetSupportedDefaultMode() {
if (IsModeSupported(AES_256_GCM)) return AES_256_GCM;
if (IsModeSupported(AES_256_CTR)) return AES_256_CTR;
return AES_256_CFB;
}
-const string EncryptionKey::ModeToString(AES_CIPHER_MODE m) const {
+const string EncryptionKey::ModeToString(AES_CIPHER_MODE m) {
switch(m) {
case AES_256_GCM: return "AES-GCM";
case AES_256_CTR: return "AES-CTR";
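Review bot: `ModeToString` returns `const string` by value, and the `const` on a by-value return only stops callers from moving out of the result. Since the signature is being changed here anyway, `string EncryptionKey::ModeToString(AES_CIPHER_MODE m) {` would be the cleaner form; the same applies to the matching `static const std::string ModeToString(AES_CIPHER_MODE m);` declaration in openssl-util.h. The switch continues past the end of the hunk, so whether it has a default branch or a return after it for out-of-range values cannot be checked from here.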
http://git-wip-us.apache.org/repos/asf/impala/blob/623ace0e/be/src/util/openssl-util.h
----------------------------------------------------------------------
diff --git a/be/src/util/openssl-util.h b/be/src/util/openssl-util.h
index ef53425..d9f0da2 100644
--- a/be/src/util/openssl-util.h
+++ b/be/src/util/openssl-util.h
@@ -134,6 +134,15 @@ class EncryptionKey {
/// If is GCM mode at runtime
bool IsGcmMode() const { return mode_ == AES_256_GCM; }
+ /// Returns the a default mode which is supported at runtime. If GCM mode
+ /// is supported, return AES_256_GCM as the default. If GCM is not supported,
+ /// but CTR is still supported, return AES_256_CTR. When both GCM and
+ /// CTR modes are not supported, return AES_256_CFB.
+ static AES_CIPHER_MODE GetSupportedDefaultMode();
+
+ /// Converts mode type to string.
+ static const std::string ModeToString(AES_CIPHER_MODE m);
+
private:
/// Helper method that encrypts/decrypts if 'encrypt' is true/false respectively.
/// A buffer of input data 'data' of length 'len' is encrypted/decrypted with this
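Review bot: The doc comment on the now-public `GetSupportedDefaultMode()` does not tell callers that the three modes give different guarantees: AES-GCM authenticates the ciphertext, while CTR and CFB provide confidentiality only. Now that this is part of the public static interface, a line such as `/// Only AES_256_GCM authenticates the data; with CTR or CFB the caller must verify integrity separately.` would make the consequence of the fallback explicit. The comment also opens with "Returns the a default mode", which should read "Returns a default mode".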
@@ -144,16 +153,7 @@ class EncryptionKey {
uint8_t* out) WARN_UNUSED_RESULT;
/// Check if mode m is supported at runtime
- bool IsModeSupported(AES_CIPHER_MODE m) const;
-
- /// Returns the a default mode which is supported at runtime. If GCM mode
- /// is supported, return AES_256_GCM as the default. If GCM is not supported,
- /// but CTR is still supported, return AES_256_CTR. When both GCM and
- /// CTR modes are not supported, return AES_256_CFB.
- AES_CIPHER_MODE GetSupportedDefaultMode() const;
-
- /// Converts mode type to string.
- const string ModeToString(AES_CIPHER_MODE m) const;
+ static bool IsModeSupported(AES_CIPHER_MODE m);
/// Track whether this key has been initialized, to avoid accidentally using
/// uninitialized keys.