> Alexander S A Kjeldaas wrote:
> > So you need an abstraction interface. If we're talking
> kernel here (ie for IPsec/filesystem crypto/stego), then
> all we should need is an abstraction over symmetric key
> operations - IKE is done in userspace, after all. I suppose
> that it would be possible to leave the slot open for
> message digests as well, although I haven't seen a card
> which accelerates MD5/SHA-1, or HMAC over them.

I would be tempted to do (some of) what another company did (what's their name ... Microsoft?) when they implemented an acceleration layer for video / sound, etc. That is, add hooks for things that aren't necessarily accelerated everywhere, but might be, and then report back to the caller whether those things are or are not accelerated (like a CPU-ID).

    Session = CryptoAccel_Init();
    if (CryptoAccel_Available(CRYPTA_SHA1))
        /* send data to be accelerated */
    else
        /* do it yourself, or let the un-accelerated library do it */

> The only plea that I would make is to not make it too
> fancy - otherwise we end up with CDSA and other such
> monsters.

True enough ...

-- 
Michael T. Babcock

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
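
A sketch of the capability-query pattern described in the message above, added here as an example; it is not the poster's code or any project's API. The names CryptoAccel_Available and CRYPTA_SHA1 come from the post; the ops table, the simulated card, CRYPTA_MD5, crypto_digest and the FNV-1a stand-in digest are assumptions made for illustration. It goes one step past the post: the dispatcher also falls back to software when a card that advertised an algorithm fails at call time, so callers never depend on the probe alone.

```c
#include <stddef.h>
#include <stdint.h>

/* Algorithm slots. CRYPTA_SHA1 is the name used in the post; the rest are hypothetical. */
enum { CRYPTA_SHA1, CRYPTA_MD5, CRYPTA_MAX };
enum path { PATH_SOFTWARE, PATH_ACCEL };

typedef int (*digest_fn)(const uint8_t *in, size_t len, uint32_t *out);

/* Stand-in digest (FNV-1a), NOT SHA-1 or MD5: it keeps the example short
 * while giving both paths a concrete result that must agree. */
static int sw_digest(const uint8_t *in, size_t len, uint32_t *out) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= in[i]; h *= 16777619u; }
    *out = h;
    return 0;
}

/* Simulated card: same result as software, but it can be made to fail. */
static int dev_online = 1;
static int dev_digest(const uint8_t *in, size_t len, uint32_t *out) {
    if (!dev_online) return -1;          /* e.g. card reset or removed */
    return sw_digest(in, len, out);
}

/* One slot per algorithm; NULL means "not accelerated on this system". */
static digest_fn accel_ops[CRYPTA_MAX] = { [CRYPTA_SHA1] = dev_digest };

/* The CPU-ID style query from the post. */
int CryptoAccel_Available(int alg) {
    return alg >= 0 && alg < CRYPTA_MAX && accel_ops[alg] != NULL;
}

/* Dispatch: use the card if it advertises the algorithm; if it does not,
 * or if it fails at call time, use software. Reports which path ran. */
int crypto_digest(int alg, const uint8_t *in, size_t len,
                  uint32_t *out, enum path *used) {
    if (alg < 0 || alg >= CRYPTA_MAX) return -1;
    if (CryptoAccel_Available(alg) && accel_ops[alg](in, len, out) == 0) {
        *used = PATH_ACCEL;
        return 0;
    }
    *used = PATH_SOFTWARE;
    return sw_digest(in, len, out);
}
```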