svn commit: r359374 - in head: . share/man/man4 share/man/man7 share/man/man9 sys/crypto/aesni sys/crypto/armv8 sys/crypto/blake2 sys/crypto/ccp sys/crypto/via sys/dev/cesa sys/dev/cxgbe sys/dev/cx...

Xin Li delphij at delphij.net
Sun Apr 12 20:08:53 UTC 2020



On 3/27/20 11:25 AM, John Baldwin wrote:
[...]
>   - Drivers no longer register a list of supported algorithms.  This
>     doesn't quite work when you factor in modes (e.g. a driver might
>     support both AES-CBC and SHA2-256-HMAC separately but not combined
>     for ETA).  Instead, a new 'crypto_probesession' method has been
>     added to the kobj interface for symmetric crypto drivers.  This
>     method returns a negative value on success (similar to how
>     device_probe works) and the crypto framework uses this value to pick
>     the "best" driver.  There are three constants for hardware
>     (e.g. ccr), accelerated software (e.g. aesni), and plain software
>     (cryptosoft) that give preference in that order.  One effect of this
>     is that if you request only hardware when creating a new session,
>     you will no longer get a session using accelerated software.
>     Another effect is that the default setting to disallow software
>     crypto via /dev/crypto now disables accelerated software.

For the user-visible interface, it seems like we are essentially treating
"accelerated software" like AES-NI the same way as plain software.  For
example, geom_eli would now say:

GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software

Instead of:

GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware

When AES-NI is used (which is because we only have two bits to represent
hardware and software, and have given "neither bit set" its own meaning
(use a specific driver)).

If we are not going to add a new bit to represent accelerated software,
why are they categorized as software providers?  Technically, all of these
still require hardware that implements the cryptographic primitives to
work, and it's much easier for system administrators if we expose the
fact that they are using some kind of acceleration than to ask them to
run DTrace etc. to find out.  Personally, I think it's probably better
to change the notion to either "accelerated" (by either hardware or
software) and "software"...

Cheers,
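The selection scheme the quoted commit message describes, and the two-bit limitation the reply points at, modelled as an added example. This is illustration code written for this page, not FreeBSD's opencrypto implementation: the PROBE_* values, the CAP_F_* names, the three toy drivers and the rule that the value closest to zero wins (inferred from the commit message's comparison with device_probe) are all assumptions.

```c
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of the crypto_probesession selection scheme from the
 * quoted commit message; not FreeBSD's opencrypto code.  The preference
 * values are assumptions: only their order matters (closer to zero wins,
 * as with device_probe) and a positive return means "decline".
 */
#define PROBE_HARDWARE       (-10)
#define PROBE_ACCEL_SOFTWARE (-20)
#define PROBE_SOFTWARE       (-30)
#define PROBE_DECLINE          1

/* The only two capability bits a requester can ask for (assumed names). */
#define CAP_F_HARDWARE 0x01
#define CAP_F_SOFTWARE 0x02

enum alg { ALG_NONE, ALG_AES_CBC, ALG_AES_XTS, ALG_SHA2_256_HMAC };

struct session_params { enum alg cipher, auth; };  /* auth == ALG_NONE: cipher only */

struct driver {
	const char *name;
	int capflags;
	int (*probesession)(const struct session_params *);
};

/* ccr-like hardware: AES-CBC or SHA2-256-HMAC alone, but not both in one
 * ETA session, the case a static algorithm list could not express. */
static int
hw_probe(const struct session_params *p)
{
	if (p->cipher != ALG_NONE && p->auth != ALG_NONE)
		return (PROBE_DECLINE);
	return (p->cipher == ALG_AES_CBC || p->auth == ALG_SHA2_256_HMAC ?
	    PROBE_HARDWARE : PROBE_DECLINE);
}

/* aesni-like accelerated software: AES-CBC and AES-XTS, no auth. */
static int
accel_probe(const struct session_params *p)
{
	if (p->auth != ALG_NONE)
		return (PROBE_DECLINE);
	return (p->cipher == ALG_AES_CBC || p->cipher == ALG_AES_XTS ?
	    PROBE_ACCEL_SOFTWARE : PROBE_DECLINE);
}

/* cryptosoft-like plain software: accepts anything at lowest preference. */
static int
sw_probe(const struct session_params *p)
{
	(void)p;
	return (PROBE_SOFTWARE);
}

/* The reply's point: the accelerated driver can only carry the SOFTWARE
 * bit, so a HARDWARE-only request never reaches it and a geli-style
 * report labels it "software". */
static const struct driver drivers[] = {
	{ "ccr",        CAP_F_HARDWARE, hw_probe },
	{ "aesni",      CAP_F_SOFTWARE, accel_probe },
	{ "cryptosoft", CAP_F_SOFTWARE, sw_probe },
};

/* Choose the flag-matching driver with the best (largest negative) value. */
static const struct driver *
select_driver(const struct session_params *p, int reqflags)
{
	const struct driver *best = NULL;
	int best_prio = 0, prio;
	size_t i;

	for (i = 0; i < sizeof(drivers) / sizeof(drivers[0]); i++) {
		if ((drivers[i].capflags & reqflags) == 0)
			continue;
		prio = drivers[i].probesession(p);
		if (prio > 0)
			continue;
		if (best == NULL || prio > best_prio) {
			best = &drivers[i];
			best_prio = prio;
		}
	}
	return (best);
}

/* Name of the selected driver, or "none" when every candidate declines. */
const char *
pick(enum alg cipher, enum alg auth, int reqflags)
{
	struct session_params p = { cipher, auth };
	const struct driver *d = select_driver(&p, reqflags);
	return (d != NULL ? d->name : "none");
}

/* What a geli-style "Crypto:" line would report for the selected driver. */
const char *
crypto_label(enum alg cipher, enum alg auth, int reqflags)
{
	struct session_params p = { cipher, auth };
	const struct driver *d = select_driver(&p, reqflags);
	return (d == NULL ? "none" :
	    (d->capflags & CAP_F_HARDWARE) ? "hardware" : "software");
}
```

With both bits requested, an AES-XTS session lands on the accelerated driver (it outranks plain software, and the hardware driver declines XTS), yet `crypto_label` reports it as "software"; with only the hardware bit requested the same session gets no driver at all, which is the behaviour change the commit message calls out for hardware-only requests and for the /dev/crypto default.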

