Subject: Re: Adding opencrypto, crypto accelerator to GENERIC kernels?
To: None <sommerfeld@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-crypto
Date: 11/18/2003 20:47:57
I'm with Bill: the knob really doesn't make sense.  FreeBSD has the
knob disconnected, and always passes a constant 1 (meaning, userlevel
requests get hardware crypto only) to the appropriate function.

I would rather not support it at all, except in case of debugging
(or just possibly, diagnosing bad hardware). And if that's all it's for, I
care so much how ugly it is.

>And a knob doesn't make sense for that because userland wouldn't have
>access to the keys in the first place in that case..

But it _might_ make sense to move (for example) Diffie-Hellman session
key exchange machinery, completely into the kernel, so that you don't
do it in userspace at all. In which case you might want the kernel to
do the D-H/session-key machinery in software.  There's a separate knob
for that (and public/private key ops too, I think).

IIRC, isakmpd uses kernel ocf calls for Diffie-Hellman; I dunno if it
has a separate userspace bignum/DH library as well.