Alexander S A Kjeldaas wrote:
>
> I think there are some interesting issues to be solved when we want to
> get hardware crypto cards running under Linux. For one, we want to
> have a queue of processing requests for the device instead of having a
> synchronous interface like most crypto libraries offer. We also
> probably want to use the CPU if the queue starts to have too many
> entries, or load-balance between several cards, so we need a
> "crypto-provider" concept.
So you need an abstraction interface. If we're talking
kernel here (ie for IPsec/filesystem crypto/stego), then
all we should need is an abstraction over symmetric key
operations - IKE is done in userspace, after all. I suppose
that it would be possible to leave the slot open for
message digests as well, although I haven't seen a card
which accelerates MD5/SHA-1, or HMAC over them.
The only plea that I would make is to not make it too
fancy - otherwise we end up with CDSA and other such
monsters.
Neil
begin:vcard
n:Dunbar;Neil
tel;fax:+44 (0) 117 312 9901
tel;home:+44 (0) 1454 856684
tel;work:+44 (0) 117 312 9471
x-mozilla-html:FALSE
org:Hewlett Packard Company;ISE
version:2.1
email;internet:neil_dunbar@xxxxxx
title:IT Consultant
adr;quoted-printable:;;Filton Road=0D=0AStoke Gifford;Bristol;England;BS34 6QZ;United Kingdom
x-mozilla-cpt:;-24320
fn:Neil Dunbar
end:vcard
