Subject: Re: VIA ACE patch
To: Miles Nordin <carton@Ivy.NET>
From: Daniel de Kok <danieldk@pobox.com>
List: tech-crypto
Date: 01/12/2007 20:38:01

Miles Nordin wrote:
> Do you know what it does exactly?  ex., ``It accelerates AES in
> FAST_IPSEC and in cgd''?

It registers itself with the opencrypto framework, making it 
(transparently) useful for all opencrypto consumers. FAST_IPSEC is an 
opencrypto consumer, cgd is not at this time (though I plan to look at 
that if no one else does).

> Anyway this is kernel-only support, or it somehow affects openssl too?
> I guess I don't understand our crypto architecture that well.

If you use OpenSSL with the cryptodev engine, yes, since it uses 
/dev/crypto (which is handled through the opencrypto framework). Though, 
-current and 4.0_BETA2 also have an OpenSSL engine that directly utilizes 
ACE. I have issued a pullup request for the netbsd-3 branch to get 
this engine integrated in the netbsd-3 branch. So, for applications that 
rely on OpenSSL, you may want to use that, rather than cryptodev[1].

Still, this patch is useful for kernel components that use crypto.

-- Daniel

[1] Especially considering that cryptodev currently does not support 
aes-256-cbc, though that is trivial to patch.