On Thu, Apr 27, 2017 at 05:17:58PM +0300, Tudor Ambarus wrote: > Hi, Herbert, > > I'm working with a crypto accelerator that is capable of generating and > retaining ecc private keys in hardware and further use them for ecdh. > The private keys can not be read from the device. This is good because > the less software has access to secrets, the better. > > Generation and retention of ecc private keys are also helpful in a user > space to kernel ecdh offload. The privkey can be generated in kernel and > never revealed to user space. > > I propose to extend the ecc software support to allow the generation of > private keys. ECDH software implementation and drivers will permit the > users to provide NULL keys. In this case, the kernel (or the device, if > possible) will generate the ecc private key and further use it for ecdh. > > What's your feeling on this? It sounds sane to me. It does raise the question though whether we need the ability to set the secret at all. Thanks, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt