From: Michal Ludvig <mludvig@suse.cz>
To: Jeff Garzik <jgarzik@pobox.com>
Cc: Michael Halcrow <mahalcro@us.ibm.com>,
CryptoAPI List <cryptoapi@lists.logix.cz>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] /dev/crypto for Linux
Date: Wed, 25 Aug 2004 16:41:50 +0200 [thread overview]
Message-ID: <412CA52E.3000907@suse.cz> (raw)
In-Reply-To: <412C9F89.7000901@pobox.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jeff Garzik told me that:
>
>> What is it good for? One can build really light-weigth programs
>> with crypto support that don't need any external libraries (e.g.
>> OpenSSL) or built-in algorithms. Easier testing of new CryptoAPI
>> ciphers (later also hashes and maybe asymmetric ciphers as well).
>> Once, maybe, userspace access to crypto accelerators through kernel
>> drivers.
>
> Let's see...
>
> 1) This increases context switches over a solution that links with
> libcrypto and libssl.
Indeed. It is not ment to replace libcrypto - just a possibility if needed.
> 2) "build really lightweight programs with crypto support" implies
> that you think it's a benefit to use the kernel as your crypto lib.
Yes, I think it may come handy in some scenarios. The algorithm is there
in the kernel so why not use it from the userspace?
Also (a wild guess) similar interface could provide access to some
key-management done in the kernel.
> 3) Your proposal actually avoids existing, working hardware crypto
> support such as Broadcom's hwcrypto driver which is fully supported
> by openssh.
Why avoids? I don't force OpenSSH to use it and I agree that typically
the everything-in-the-userspace is better/faster. This is just an option
for situations where no other cryptolib is available.
On my todo list is adding a module option for selecting allowed
algorithms. Something like "allow=-ALL:+aes:+sha1".
> 4) "open it and use ioctls to transfer data" is typically a bad idea.
> ioctl(2) is a historical Unix mistake, to be avoided where possible.
> read(2)/write(2) are to be used to transfer data.
Well yes, my driver actually reuses the API from OpenBSD. I have no
problem in changing (or extending) it but for now I did it this way for
easier testing with the OpenSSL cryptodev engine. This can definitely
evolve...
Michal Ludvig
- --
SUSE Labs mludvig@suse.cz
(+420) 296.542.396 http://www.suse.cz
Personal homepage http://www.logix.cz/michal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFBLKUoDDolCcRbIhgRApyzAKDYFtdhhDWgGeOtivbzPqsLbFT4ZACaA4H0
rdxbrN0z31pNtMomjMevbZU=
=6XVI
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2004-08-25 14:42 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-24 21:37 [PATCH] /dev/crypto for Linux Michal Ludvig
[not found] ` <20040824215351.GA9272@halcrow.us>
2004-08-25 7:37 ` Michal Ludvig
2004-08-25 14:17 ` Jeff Garzik
2004-08-25 14:41 ` Michal Ludvig [this message]
2004-08-25 14:26 ` Christoph Hellwig
2004-08-25 15:44 ` Michal Ludvig
2004-08-25 14:42 ` Christoph Hellwig
2004-08-25 14:44 ` James Morris
2004-08-25 21:28 ` Bill Davidsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=412CA52E.3000907@suse.cz \
--to=mludvig@suse.cz \
--cc=cryptoapi@lists.logix.cz \
--cc=jgarzik@pobox.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mahalcro@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox