Date: Sun, 12 Apr 2020 13:08:49 -0700 From: Xin Li <delphij@delphij.net> To: John Baldwin <jhb@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r359374 - in head: . share/man/man4 share/man/man7 share/man/man9 sys/crypto/aesni sys/crypto/armv8 sys/crypto/blake2 sys/crypto/ccp sys/crypto/via sys/dev/cesa sys/dev/cxgbe sys/dev/cx... Message-ID: <9c343572-5bf6-7047-f435-8e3fcffa8f8e@delphij.net> In-Reply-To: <202003271825.02RIPOmR010857@repo.freebsd.org> References: <202003271825.02RIPOmR010857@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/27/20 11:25 AM, John Baldwin wrote: [...]> - Drivers no longer register a list of supported algorithms. This > doesn't quite work when you factor in modes (e.g. a driver might > support both AES-CBC and SHA2-256-HMAC separately but not combined > for ETA). Instead, a new 'crypto_probesession' method has been > added to the kobj interface for symmteric crypto drivers. This > method returns a negative value on success (similar to how > device_probe works) and the crypto framework uses this value to pick > the "best" driver. There are three constants for hardware > (e.g. ccr), accelerated software (e.g. aesni), and plain software > (cryptosoft) that give preference in that order. One effect of this > is that if you request only hardware when creating a new session, > you will no longer get a session using accelerated software. > Another effect is that the default setting to disallow software > crypto via /dev/crypto now disables accelerated software. For user-visible interface, it seems like we are essentially treating "accelerated software" like AES-NI the same way of plain software. For example, geom_eli would now say: GEOM_ELI: Encryption: AES-XTS 128 GEOM_ELI: Crypto: software Instead of: GEOM_ELI: Encryption: AES-XTS 128 GEOM_ELI: Crypto: hardware When AES-NI is used (which is because we only have two bits to represent hardware and software, and have gave neither bits clear with its own meaning (use specific driver)). If we are not going to add a new bit to represent accelerated software, why are they categorized as software providers? Technically, all these still requires hardware that implements the cryptographic primitives to work, and it's much easier for system administrators if we expose the fact that they are using some kind of acceleration than asking them to run DTrace etc. to find out. Personally, I think it's probably better to change the notion to either "accelerated" (by either hardware or software) and "software"... Cheers,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9c343572-5bf6-7047-f435-8e3fcffa8f8e>