* RSA support into kernel?
From: Gautam Singaraju @ 2007-07-05 22:48 UTC
To: linux-crypto

Are there any attempts being made to provide software based RSA
cryptographic support in kernel level? I see that 2.6.21 supports
Hardware devices such as VIA Padlock ACE. Has anybody had a chance to
use such a system?

-GS

* RSA support into kernel?
From: Gautam Singaraju @ 2007-07-06 0:53 UTC
To: linux-kernel

Is there any attempt being made to provide software based RSA
cryptographic support in kernel? I see that Linux supports
Hardware based cryptographic devices (VIA Padlock ACE). How is the
performance of such hardware? How well are these devices supported?

-GS

* Re: RSA support into kernel?
From: jimmy bahuleyan @ 2007-07-06 7:15 UTC
To: Gautam Singaraju
Cc: linux-kernel

Gautam Singaraju wrote:
> Is there any attempt being made to provide software based RSA
> cryptographic support in kernel? I see that Linux supports
> Hardware based cryptographic devices (VIA Padlock ACE). How is the
> performance of such hardware? How well are these devices supported?
> -GS

I fail to see why the kernel should provide software RSA support? The
hardware support that you're talking about are device drivers for chips,
not a cryptographic interface.

-jb
--
Tact is the art of making a point without making an enemy.

* Re: RSA support into kernel?
From: Heikki Orsila @ 2007-07-06 10:22 UTC
To: Gautam Singaraju
Cc: linux-kernel

On Thu, Jul 05, 2007 at 05:53:11PM -0700, Gautam Singaraju wrote:
> Is there any attempt being made to provide software based RSA
> cryptographic support in kernel?

I fail to see how it would be useful. RSA is such a slow operation that
doing it in userspace is efficient and safer.

--
Heikki Orsila            Barbie's law:
heikki.orsila@iki.fi     "Math is hard, let's go shopping!"
http://www.iki.fi/shd

* Re: RSA support into kernel?
From: Evgeniy Polyakov @ 2007-07-06 10:37 UTC
To: Gautam Singaraju
Cc: linux-crypto

On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju (gautam.singaraju@gmail.com) wrote:
> Are there any attempts being made to provide software based RSA
> cryptographic support in kernel level? I see that 2.6.21 supports
> Hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> use such a system?

VIA padlock engine or RSA? The former is heavily used in the wild, but
why would anyone want to use RSA in the kernel?

> -GS

--
Evgeniy Polyakov

* Re: RSA support into kernel?
From: David Miller @ 2007-07-06 11:05 UTC
To: johnpol
Cc: gautam.singaraju, linux-crypto

From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Date: Fri, 6 Jul 2007 14:37:31 +0400

> On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju (gautam.singaraju@gmail.com) wrote:
> > Are there any attempts being made to provide software based RSA
> > cryptographic support in kernel level? I see that 2.6.21 supports
> > Hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> > use such a system?
>
> VIA padlock engine or RSA? The former is heavily used in the wild, but
> why would anyone want to use RSA in the kernel?

Automatic SSL done in-kernel on user data for socket I/O, with
hardware offload from the crypto layer when available.

Solaris has done this for quite some time and it helps a lot for
things like the VIA and Niagara.

* Re: RSA support into kernel?
From: Evgeniy Polyakov @ 2007-07-06 12:10 UTC
To: David Miller
Cc: gautam.singaraju, linux-crypto

On Fri, Jul 06, 2007 at 04:05:33AM -0700, David Miller (davem@davemloft.net) wrote:
> From: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
> Date: Fri, 6 Jul 2007 14:37:31 +0400
>
> > On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju (gautam.singaraju@gmail.com) wrote:
> > > Are there any attempts being made to provide software based RSA
> > > cryptographic support in kernel level? I see that 2.6.21 supports
> > > Hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> > > use such a system?
> >
> > VIA padlock engine or RSA? The former is heavily used in the wild, but
> > why would anyone want to use RSA in the kernel?
>
> Automatic SSL done in-kernel on user data for socket I/O, with
> hardware offload from the crypto layer when available.
>
> Solaris has done this for quite some time and it helps a lot for
> things like the VIA and Niagara.

I.e. for userspace stuff?
That is obviously the right usage, but Linux cryptoapi does not have
userspace interface, so was my question.

Actually I was several times already asked after acrypto was closed, how
userspace can use new hardware drivers, and frankly I do not know what
the best userspace API would look like (in one of the projects I already
used all three methods one-by-one and failed to determine the best).
Simple char device read/write or ioctl, or blocking/nonblocking syscall
over file descriptor, or anything else?

--
Evgeniy Polyakov

* Re: RSA support into kernel?
From: Herbert Xu @ 2007-07-06 13:12 UTC
To: David Miller
Cc: johnpol, gautam.singaraju, linux-crypto

David Miller <davem@davemloft.net> wrote:
>>
>> VIA padlock engine or RSA? The former is heavily used in the wild, but
>> why would anyone want to use RSA in the kernel?
>
> Automatic SSL done in-kernel on user data for socket I/O, with
> hardware offload from the crypto layer when available.

AFAIK asymmetric crypto is only used for SSL key exchange and not
on the data transfers so I'm not sure whether this would be that
useful. This is pretty much the same situation with IPsec where
we delegate the key exchange to the userspace KMs.

Now having in-kernel SSL data exchange support using the crypto API
would be pretty cool and would provide the same level of crypto
support to SSL users as we do for IPsec.

So far the only proposed user for RSA in-kernel seems to be module
signing and I'm staying well away from that debate :)

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

* Re: RSA support into kernel?
From: Michael Halcrow @ 2007-07-06 13:36 UTC
To: Herbert Xu
Cc: David Miller, johnpol, gautam.singaraju, linux-crypto

On Fri, Jul 06, 2007 at 09:12:52PM +0800, Herbert Xu wrote:
> So far the only proposed user for RSA in-kernel seems to be module
> signing and I'm staying well away from that debate :)

eCryptfs uses RSA.

Right now it has to defer to a userspace daemon to perform the
operation.

Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769

"This is about humans being human."
 - Carl Sagan

* Re: RSA support into kernel?
From: Gautam Singaraju @ 2007-07-06 14:41 UTC
To: Michael Halcrow
Cc: Herbert Xu, David Miller, johnpol, linux-crypto

I am considering RSA as an option for research purposes; though I need
it only for decryption purposes. Any specific reason for running the
daemon in user space?

Gautam

On 7/6/07, Michael Halcrow <mike@halcrow.us> wrote:
> On Fri, Jul 06, 2007 at 09:12:52PM +0800, Herbert Xu wrote:
> > So far the only proposed user for RSA in-kernel seems to be module
> > signing and I'm staying well away from that debate :)
>
> eCryptfs uses RSA.
>
> Right now it has to defer to a userspace daemon to perform the
> operation.
>
> Mike
> .___________________________________________________________________.
> Michael A. Halcrow
> Security Software Engineer, IBM Linux Technology Center
> GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
>
> "This is about humans being human."
>  - Carl Sagan

--
--- Gautam

* Re: RSA support into kernel?
From: Michael Halcrow @ 2007-07-06 15:41 UTC
To: Gautam Singaraju
Cc: Herbert Xu, David Miller, johnpol, linux-crypto

On Fri, Jul 06, 2007 at 07:41:18AM -0700, Gautam Singaraju wrote:
> I am considering RSA as an option for research purposes; though I
> need it only for decryption purposes. Any specific reason for
> running the daemon in user space?

That's where RSA is.

Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769

panic: kernel trap (ignored)

* Re: RSA support into kernel?
From: Gautam Singaraju @ 2007-07-06 17:23 UTC
To: Michael Halcrow
Cc: linux-crypto

Ok, I see that there has been a previous attempt made to support a
bignum library, hence PKI, in kernel in a project named Cryptomark.

Thanks!

On 7/6/07, Michael Halcrow <mike@halcrow.us> wrote:
> On Fri, Jul 06, 2007 at 07:41:18AM -0700, Gautam Singaraju wrote:
> > I am considering RSA as an option for research purposes; though I
> > need it only for decryption purposes. Any specific reason for
> > running the daemon in user space?
>
> That's where RSA is.
>
> Mike
> .___________________________________________________________________.
> Michael A. Halcrow
> Security Software Engineer, IBM Linux Technology Center
> GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
>
> panic: kernel trap (ignored)

--
--- Gautam

* Re: RSA support into kernel?
From: Herbert Xu @ 2007-07-06 16:01 UTC
To: Michael Halcrow
Cc: David Miller, johnpol, gautam.singaraju, linux-crypto

On Fri, Jul 06, 2007 at 08:36:37AM -0500, Michael Halcrow wrote:
>
> eCryptfs uses RSA.
>
> Right now it has to defer to a userspace daemon to perform the
> operation.

OK that'd be the most convincing case for me then.

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
