From: Greg KH <gregkh@linuxfoundation.org>
To: "Kim, David" <david.kim@ncipher.com>
Cc: "arnd@arndb.de" <arnd@arndb.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Magee, Tim" <tim.magee@ncipher.com>
Subject: Re: [PATCH v2] drivers: misc: Add support for nCipher HSM devices
Date: Thu, 9 Jan 2020 10:36:29 +0100 [thread overview]
Message-ID: <20200109093629.GB44349@kroah.com> (raw)
In-Reply-To: <1578561832423.48959@ncipher.com>
On Thu, Jan 09, 2020 at 09:23:52AM +0000, Kim, David wrote:
> > > A cryptographic accelerator uses key material which is stored on, and managed
> > > by, the host machine. Hardware security modules, such as nCipher’s Solo
> > > products, retain key material (i.e. secrets) within the secure boundary of the
> > > device, and implement various forms of access control to restrict use of that
> > > key material.
> > >
> > > nCipher's product range started, in the early 1990s, as cryptographic
> > > accelerators. The series of hardware security modules served by this driver
> > > still does do cryptography but their main function is the generation, management
> > > and use of keys within a secure boundary.
> > >
> > > The driver doesn't do any cryptography. It provides the link between the
> > > userspace software and the HSM's firmware. Cryptography is done within the HSM's
> > > secure boundary.
> >
> > So this should tie into the correct crypto/key apis that the kernel has
> > and not create a brand new user/kernel api, right?
> >
> > Please work with the crypto kernel developers to get this right, I can't
> > take this until they agree that this code and api is correct.
>
>
> Although it is technically possible for us to use the linux crypto APIs, that
> doesn't fit in with how our hardware is meant to be used. Please see the
> explanation below from Ian, one of our architects. If you feel that our driver
> should instead be targeted to drivers/crypto, I can resubmit our patch to the
> crypto list and we'll discuss with the crypto maintainers.
As I said, please submit and get approval from the crypto
developers/maintainers first. I need that before I can accept a
brand-new api for a one-off device that then needs to be supported for
40+ years.
thanks,
greg k-h
prev parent reply other threads:[~2020-01-09 9:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-20 15:47 [PATCH v2] drivers: misc: Add support for nCipher HSM devices Dave Kim
2019-12-20 21:30 ` Greg KH
2020-01-07 8:50 ` Kim, David
2020-01-07 9:28 ` Greg KH
2020-01-09 9:23 ` Kim, David
2020-01-09 9:36 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200109093629.GB44349@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arnd@arndb.de \
--cc=david.kim@ncipher.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tim.magee@ncipher.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox