Subject: Re: Adding opencrypto, crypto acceelerator to GENERIC kernels?
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-crypto
Date: 11/18/2003 17:26:47
In message <341824A0-1A27-11D8-B449-000A957650EC@wasabisystems.com>
Jason Thorpe writes:

>Is this pretty easy to handle in the OpenSSL "engine" support?

No -- the opencrypto API doesnt have a way for the kernel to indicate
back to userlevel whether a successful session-create got bound to
hardware or to software. But think the following achieves what you
want. For comparison, FreeBSD passes a constant value of 0 as the last
arg to crypto_newsession().

(ISTR Sam Leffler commented the sysctl wasnt really useful; apart from
debugging new transforms, I'd agree. And in that case one you're
building custome kernels anyway and can trivially build a custom
kernel with a tailored value for cryptodevallowsoft).


? opencrypto/crypto.c.log
? opencrypto/files.opencrypto.jrs
Index: opencrypto/cryptodev.c
===================================================================
RCS file: /cvsroot/src/sys/opencrypto/cryptodev.c,v
retrieving revision 1.8
diff -u -r1.8 cryptodev.c
--- opencrypto/cryptodev.c	16 Nov 2003 00:16:06 -0000	1.8
+++ opencrypto/cryptodev.c	19 Nov 2003 01:20:16 -0000
@@ -131,6 +131,18 @@
 
 int	usercrypto = 1;		/* userland may do crypto requests */
 int	userasymcrypto = 1;	/* userland may do asymmetric crypto reqs */
+/* 
+ * cryptodevallowsoft is (intended to be) sysctl'able, controlling
+ * access to hardware versus software transforms as below:
+ *
+ * cryptodevallowsoft < 0:  Force userlevel requests to use software
+ *                              transforms, always
+ * cryptodevallowsoft = 0:  Use hardware if present, grant userlevel
+ *                              requests for non-accelerated transforms
+ *                              (handling the latter in software)
+ * cryptodevallowsoft > 0:  Allow user requests only for transforms which
+ *                               are hardware-accelerated.
+ */
 int	cryptodevallowsoft = 1;	/* only use hardware crypto */
 
 /* ARGSUSED */
@@ -272,7 +284,7 @@
 		}
 
 		error = crypto_newsession(&sid, (txform ? &crie : &cria),
-			    0);
+			    cryptodevallowsoft);
 		if (error) {
 			/* this is an auditable security event? */
 		  	printf("SIOCSESSION violates kernel parameters\n");