tech-crypto archive


Re: Adding opencrypto, crypto accelerator to GENERIC kernels?



In message <341824A0-1A27-11D8-B449-000A957650EC%wasabisystems.com@localhost>
Jason Thorpe writes:

>Is this pretty easy to handle in the OpenSSL "engine" support?

No -- the opencrypto API doesn't have a way for the kernel to indicate
back to userlevel whether a successful session-create got bound to
hardware or to software. But I think the following achieves what you
want. For comparison, FreeBSD passes a constant value of 0 as the last
arg to crypto_newsession().

(ISTR Sam Leffler commented the sysctl wasn't really useful; apart from
debugging new transforms, I'd agree. And in that case you're
building custom kernels anyway and can trivially build a custom
kernel with a tailored value for cryptodevallowsoft).


? opencrypto/crypto.c.log
? opencrypto/files.opencrypto.jrs
Index: opencrypto/cryptodev.c
===================================================================
RCS file: /cvsroot/src/sys/opencrypto/cryptodev.c,v
retrieving revision 1.8
diff -u -r1.8 cryptodev.c
--- opencrypto/cryptodev.c      16 Nov 2003 00:16:06 -0000      1.8
+++ opencrypto/cryptodev.c      19 Nov 2003 01:20:16 -0000
@@ -131,6 +131,18 @@
 
 int    usercrypto = 1;         /* userland may do crypto requests */
 int    userasymcrypto = 1;     /* userland may do asymmetric crypto reqs */
+/* 
+ * cryptodevallowsoft is (intended to be) sysctl'able, controlling
+ * access to hardware versus software transforms as below:
+ *
+ * cryptodevallowsoft < 0:  Force userlevel requests to use software
+ *                              transforms, always
+ * cryptodevallowsoft = 0:  Use hardware if present, grant userlevel
+ *                              requests for non-accelerated transforms
+ *                              (handling the latter in software)
+ * cryptodevallowsoft > 0:  Allow user requests only for transforms which
+ *                               are hardware-accelerated.
+ */
 int    cryptodevallowsoft = 1; /* only use hardware crypto */
 
 /* ARGSUSED */
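Review bot: the variable name and the semantics documented in the new block comment point in opposite directions: a positive cryptodevallowsoft means software transforms are refused, and the unchanged default `int cryptodevallowsoft = 1; /* only use hardware crypto */` therefore denies userlevel requests for any transform that has no hardware behind it. The comment says the variable is only "(intended to be) sysctl'able" and this hunk adds no sysctl node, so that default is fixed at build time. Either default to 0 or say in the comment that 1 is deliberate and what a machine without an accelerator will see. Also confirm the three cases match how crypto_newsession() interprets its last argument, since the comment is now the only documentation of that contract.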
@@ -272,7 +284,7 @@
                }
 
                error = crypto_newsession(&sid, (txform ? &crie : &cria),
-                           0);
+                           cryptodevallowsoft);
                if (error) {
                        /* this is an auditable security event? */
                        printf("SIOCSESSION violates kernel parameters\n");
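Review bot: with cryptodevallowsoft now passed to crypto_newsession(), the `if (error)` branch is reached by an ordinary policy refusal as well as by real failures, yet it still prints the same unconditional "SIOCSESSION violates kernel parameters" line without the error value. A userlevel process that can open the device can then repeat the request and fill the console with that message. The `/* this is an auditable security event? */` question should be settled as part of this change: rate limit the message, include `error` in it, and distinguish a refused software fallback from other session-create errors so the log entry is usable for auditing.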



