[RFC] Hardware support notes for the kernel crypto API (2.5+)

• Next message: John Bradford: "Re: Symlink indirection"
• Previous message: Henning P. Schmiedehausen: "Re: Networking/Becker et al [was Re: pci-skeleton duplex check]"
• Next in thread: Andrew McGregor: "Re: [RFC] Hardware support notes for the kernel crypto API (2.5+)"
• Reply: Andrew McGregor: "Re: [RFC] Hardware support notes for the kernel crypto API (2.5+)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Below are some initial notes on hardware support for the kernel crypto
API, discussing some initial requirements, vendor documentation status,
GPL driver status, and pointers to resources and earlier discussions on
the topic.

The focus at the moment is on gathering the requirements for generic
hardware crypto devices, which can be used to assist kernel components
(e.g. IPsec, CIFS), and userspace applications (e.g. SSL, IKE). Some work
has begun on obtaining documentation from vendors and developing clean GPL
drivers.

Comments welcome, please consider following up to cryptoapi-devel for
ongoing discussion.

(This document is also maintained at http://samba.org/~jamesm/crypto/)

------------------------------------------------------------------------------
Linux Kernel Crypto API - Hardware Support Notes
Last updated 15 Dec 2002
------------------------------------------------------------------------------

Requirements
  
  - Crypto hardware will require an asynchronous API with callbacks via
    softirq.
    
  - Multiple card support:
      Request dispatcher, needs to ensure requests are balanced
      across cards.
      
      Allow parallel operation for the same session: need to
      reserve session across all boards and dispatch appropriately.

  - Request dispatcher therefore required, and must have knowledge
    of cards: session support, session id format, algorithms,
    batching capability, SG support etc.
  
  - Driver might be passed a logical request from the dispatcher
    in the form of:
      
      command = {operation, context, source, destination}
    
    How to handle scatter/gather?

      command = { operation, context, source sg, destination sg}
  
    If the card supports batching, multiple commands may be grouped:
    
      { command, command, command, ... }

  - How to handle card / queue full? (top level API change: all operations
    can fail). Fall back to software? (async api will be required to
    support software implementations as well).

  - Pipeline management (where appropriate).
  
  - How to support IPsec offload to onboard NIC?
  
  - What will the Kernel & Userspace APIs look like?
  
    Kernel:
      crypto_alloc_tfm() - current simple interface
      crypto_alloc_session() - batching of commands, IPsec offload[?] etc.
                               specify algorithm bundle, preferences, then
                               use api helpers to build and send dispatcher
                               requests.

    Userspace:
      cryptoapifs? (see
      http://www.kerneli.org/pipermail/cryptoapi-devel/2002-December/000320.html)
    
  - Asymmetric crypto?

  - Existing kernel APIs with hardware support:
    - OpenBSD crypto queue
    - Cryptolib by Martin Gadbois,
      http://sources.colubris.com/en/projects/FreeSWAN/
      (what license does cryptolib use?)
    
  - Other discussions/proposals/code:
    - Michael Richardson
      http://mail.nl.linux.org/linux-crypto/2002-07/msg00054.html
      (also see followup threads on cryptoapi-devel)
    - Bart Trojanowski's Generic Engine
      http://www.jukie.net/~bart/genericengine/
      

Hardware documentation status:

  HiFn
    Documentation for Hifn cards available via download at their web site.
  
  IBM
    Can provide driver source for the card, and some general documentation is
    available at http://www.ibm.com/security/cryptocards/
    Software development toolkit is export controlled (contact IBM for more
    info).
    
  Motorola
    Unknown (Steve is working on some Linux drivers though).
    
  Intel
    Crypto documentation for NICs unavailable.
    
  3COM
    Crypto documentation for NICs unavailable.
    
  Broadcom
    No response to emails.
    
  AEP/Baltimore
    Unknown (not contacted yet, Linux driver available).
    
  Corrent
    Unknown (not contacted yet).
   
  Eracom
    Contacted some time ago, documentation had to be purchased (expensive).
    Not sure if this has changed.
    
  Safenet
    Unknown (not contacted yet).
  

GPL Driver status:

  HiFn 7751
    James Morris (in progress).
  
  HiFn 7951
    David Bryson (in progress).
    Also see http://sourceforge.net/projects/hifn7951/
  
  HiFn 7901
    See http://sources.colubris.com/en/projects/FreeSWAN/
    
  Motorola MPC190, MPC184
    Steve (in progress).
    
  IBM 4758
    Available from IBM on request.

  AEP paep
    A dual licensed GPL/BSD driver is available somewhere.

Summary:
   I don't think we have enough documentation yet, notably none for NICs
   with crypto hardware.

------------------------------------------------------------------------------

- James

--
James Morris
<jmorris@intercode.com.au>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

• Next message: John Bradford: "Re: Symlink indirection"
• Previous message: Henning P. Schmiedehausen: "Re: Networking/Becker et al [was Re: pci-skeleton duplex check]"
• Next in thread: Andrew McGregor: "Re: [RFC] Hardware support notes for the kernel crypto API (2.5+)"
• Reply: Andrew McGregor: "Re: [RFC] Hardware support notes for the kernel crypto API (2.5+)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sun Dec 15 2002 - 22:00:30 EST