Subject: Re: Adding opencrypto, crypto accelerator to GENERIC kernels?
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-crypto
Date: 11/18/2003 17:26:47
In message <341824A0-1A27-11D8-B449-000A957650EC@wasabisystems.com>
Jason Thorpe writes:
>Is this pretty easy to handle in the OpenSSL "engine" support?
No -- the opencrypto API doesn't have a way for the kernel to indicate
back to userlevel whether a successful session-create got bound to
hardware or to software. But I think the following achieves what you
want. For comparison, FreeBSD passes a constant value of 0 as the last
arg to crypto_newsession().
(ISTR Sam Leffler commented the sysctl wasn't really useful; apart from
debugging new transforms, I'd agree. And in that case you're
building custom kernels anyway and can trivially build a custom
kernel with a tailored value for cryptodevallowsoft).
? opencrypto/crypto.c.log
? opencrypto/files.opencrypto.jrs
Index: opencrypto/cryptodev.c
===================================================================
RCS file: /cvsroot/src/sys/opencrypto/cryptodev.c,v
retrieving revision 1.8
diff -u -r1.8 cryptodev.c
--- opencrypto/cryptodev.c 16 Nov 2003 00:16:06 -0000 1.8
+++ opencrypto/cryptodev.c 19 Nov 2003 01:20:16 -0000
@@ -131,6 +131,18 @@
int usercrypto = 1; /* userland may do crypto requests */
int userasymcrypto = 1; /* userland may do asymmetric crypto reqs */
+/*
+ * cryptodevallowsoft is (intended to be) sysctl'able, controlling
+ * access to hardware versus software transforms as below:
+ *
+ * cryptodevallowsoft < 0: Force userlevel requests to use software
+ * transforms, always
+ * cryptodevallowsoft = 0: Use hardware if present, grant userlevel
+ * requests for non-accelerated transforms
+ * (handling the latter in software)
+ * cryptodevallowsoft > 0: Allow user requests only for transforms which
+ * are hardware-accelerated.
+ */
int cryptodevallowsoft = 1; /* only use hardware crypto */
/* ARGSUSED */
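Review bot: the block comment calls cryptodevallowsoft "(intended to be) sysctl'able", but this hunk adds no sysctl entry, so the only way to change the policy is the custom-kernel rebuild the mail mentions; either wire up the sysctl here or reword the comment to say it is a compile-time knob. The trailing comment `/* only use hardware crypto */` on the initializer also describes only the `> 0` case, and the default of 1 is a behaviour change from the 0 that FreeBSD passes (every userlevel session on a machine with no accelerator will now fail rather than fall back to software); something like `/* default: userlevel requests get hardware transforms only */` plus a line in the commit message would make that visible to anyone building GENERIC.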
@@ -272,7 +284,7 @@
}
error = crypto_newsession(&sid, (txform ? &crie : &cria),
- 0);
+ cryptodevallowsoft);
if (error) {
/* this is an auditable security event? */
printf("SIOCSESSION violates kernel parameters\n");
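Review bot: with cryptodevallowsoft defaulting to 1, crypto_newsession() now fails for every userlevel SIOCSESSION on a machine without an accelerator, or for any transform the accelerator lacks, so the unconditional printf("SIOCSESSION violates kernel parameters\n") on the error path fires during ordinary, non-malicious use and can be driven at will by any process allowed to open the device (usercrypto defaults to 1 above), and its wording is misleading for what is now a plain "no hardware available" result. Suggest dropping the printf, or keeping it only for the case the comment actually regards as a security event, and simply returning the crypto_newsession() error to userland so the OpenSSL engine can decide to fall back to its own software path.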
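The three-state policy the patch's comment describes, as an added example (a constructed model, not NetBSD's or FreeBSD's crypto_newsession() code): a driver-selection routine driven by the same value the patch now passes as the last argument, run against two constructed driver tables so the fail-closed case (hardware required, none present) is visible. The driver names, the CAP_F_SOFTWARE flag and the ALG_* bits are assumptions made up for this example.

```c
#include <stddef.h>

/* Constructed flags and algorithm bits (assumptions, not kernel values). */
#define CAP_F_SOFTWARE 0x01   /* driver is a software transform */
#define ALG_AES        0x01
#define ALG_SHA1       0x02
#define ALG_BLOWFISH   0x04

struct capdrv {
    const char *name;
    int flags;   /* CAP_F_SOFTWARE, or 0 for a hardware accelerator */
    int algs;    /* bitmask of transforms the driver supports */
};

/* Constructed table: one accelerator registered first, then the software fallback. */
static const struct capdrv drivers_hw_and_sw[] = {
    { "accel0",    0,              ALG_AES | ALG_SHA1 },
    { "swcrypto0", CAP_F_SOFTWARE, ALG_AES | ALG_SHA1 | ALG_BLOWFISH },
};
/* Constructed table for a machine with no accelerator installed. */
static const struct capdrv drivers_sw_only[] = {
    { "swcrypto0", CAP_F_SOFTWARE, ALG_AES | ALG_SHA1 | ALG_BLOWFISH },
};

/*
 * Pick the first registered driver that supports every bit in 'algs' and is
 * permitted by 'hard': > 0 hardware only, < 0 software only, 0 either
 * (registration order decides).  Returns the driver index, or -1 when the
 * policy leaves no usable driver; in cryptodev that -1 is the error path
 * SIOCSESSION takes, i.e. the session fails closed instead of silently
 * running in software.
 */
int select_driver(const struct capdrv *d, size_t n, int algs, int hard)
{
    for (size_t i = 0; i < n; i++) {
        if ((d[i].algs & algs) != algs)
            continue;                               /* lacks a transform */
        if (hard > 0 && (d[i].flags & CAP_F_SOFTWARE))
            continue;                               /* hardware required */
        if (hard < 0 && !(d[i].flags & CAP_F_SOFTWARE))
            continue;                               /* software required */
        return (int)i;
    }
    return -1;
}

/* Wrappers for the two constructed machines (index into the tables above). */
int pick_with_hw(int algs, int hard)
{ return select_driver(drivers_hw_and_sw, 2, algs, hard); }
int pick_sw_only(int algs, int hard)
{ return select_driver(drivers_sw_only, 1, algs, hard); }
```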