From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Cristian Stoica <cristian.stoica@freescale.com>
Cc: herbert@gondor.apana.org.au, linux-crypto@vger.kernel.org,
davem@davemloft.net, linux-kernel@vger.kernel.org,
netdev <netdev@vger.kernel.org>
Subject: Re: [PATCH 0/2] Add TLS record layer encryption module
Date: Mon, 25 Aug 2014 15:12:50 +0200 [thread overview]
Message-ID: <1408972370.8545.12.camel@localhost> (raw)
In-Reply-To: <1406626353-23309-1-git-send-email-cristian.stoica@freescale.com>
Hi,
On Di, 2014-07-29 at 12:32 +0300, Cristian Stoica wrote:
> This set of patches introduces support for TLS 1.0 record layer
> encryption/decryption with a corresponding algorithm called
> tls10(hmac(<hash>),cbc(<cipher>)).
>
> Similarly to authenc.c on which it is based, this module mixes the base
> algorithms in software to produce an algorithm that does record layer
> encryption and decryption for TLS1.0.
> Any combination of hw and sw base algorithms is possible, but the purpose
> is to take advantage of hardware acceleration for TLS record layer offloading
> when hardware acceleration is present.
>
> This is a software alternative to forthcoming Freescale caam patches that
> will add support for one-pass hardware-only TLS record layer offloading.
>
> Performance figures depend largely on several factors including hardware
> support and record layer size. For user-space applications the
> kernel/user-space interface is also important. That said, we have done several
> performance tests using openssl and cryptodev on Freescale QorIQ platforms.
> On P4080, for a single stream of records larger than 512 bytes, the performance
> improved from about 22Mbytes/s to 64Mbytes/s while also reducing CPU load.
>
> The purpose of this module is to enable TLS kernel offloading on hw platforms
> that have acceleration for AES/SHA1 but do not have direct support for TLS
> record layer.
>
> (minor dependency on pending patch
> crypto: testmgr.c: white space fix-ups on test_aead)
>
> Cristian Stoica (2):
> crypto: add support for TLS 1.0 record encryption
> crypto: add TLS 1.0 test vectors for AES-CBC-HMAC-SHA1
>
> crypto/Kconfig | 20 ++
> crypto/Makefile | 1 +
> crypto/authenc.c | 5 +-
> crypto/tcrypt.c | 5 +
> crypto/testmgr.c | 41 +++-
> crypto/testmgr.h | 217 +++++++++++++++++++
> crypto/tls.c | 528 +++++++++++++++++++++++++++++++++++++++++++++++
> include/crypto/authenc.h | 3 +
> 8 files changed, 808 insertions(+), 12 deletions(-)
> create mode 100644 crypto/tls.c
>
Maybe could you add netdev@vger.kernel.org to Cc on your next
submission?
It would be great if this feature would be made available in some way
that user space does TLS handshaking over a socket and symmetric keys
could later be installed via e.g. setsockopt and kernel offloads tls
processing over this socket.
Alert message handling seems problematic, though and might require some
out-of-band interface.
Thanks,
Hannes
parent reply other threads:[~2014-08-25 13:12 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <1406626353-23309-1-git-send-email-cristian.stoica@freescale.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1408972370.8545.12.camel@localhost \
--to=hannes@stressinduktion.org \
--cc=cristian.stoica@freescale.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).