On 06/20/16 08:49, Stephan Mueller wrote: > Am Montag, 20. Juni 2016, 11:01:47 schrieb Theodore Ts'o: > > Hi Theodore, > >> >> So simply doing chacha20 encryption in a tight loop in the kernel >> might not be a good proxy for what would actually happen in real life >> when someone calls getrandom(2). (Another good question to ask is >> when someone might be needing to generate millions of 256-bit session >> keys per second, when the D-H setup, even if you were using ECCDH, >> would be largely dominating the time for the connection setup anyway.) > > Is speed everything we should care about? What about: > > - offloading of crypto operation from the CPU > This sounds like a speed operation (and very unlikely to be a win given the usage). > - potentially additional security features a hardware cipher may provide like > cache coloring attack resistance? How about burning that bridge when and if we get to it? It sounds very hypothetical. I guess I could add in some comments here about how a lot of these problems can be eliminated by offloading an entire DRNG into hardware, but I don't think it is productive. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html