[RFC] Hardware support notes for the kernel crypto API (2.5+)

From: James Morris (jmorris@intercode.com.au)
Date: Sat Dec 14 2002 - 08:51:25 EST

Below are some initial notes on hardware support for the kernel crypto
API, discussing some initial requirements, vendor documentation status,
GPL driver status, and pointers to resources and earlier discussions on
the topic.

The focus at the moment is on gathering the requirements for generic
hardware crypto devices, which can be used to assist kernel components
(e.g. IPsec, CIFS), and userspace applications (e.g. SSL, IKE). Some work
has begun on obtaining documentation from vendors and developing clean GPL

Comments welcome, please consider following up to cryptoapi-devel for
ongoing discussion.

(This document is also maintained at http://samba.org/~jamesm/crypto/)

Linux Kernel Crypto API - Hardware Support Notes
Last updated 15 Dec 2002

  - Crypto hardware will require an asynchronous API with callbacks via
  - Multiple card support:
      Request dispatcher, needs to ensure requests are balanced
      across cards.
      Allow parallel operation for the same session: need to
      reserve session across all boards and dispatch appropriately.

  - Request dispatcher therefore required, and must have knowledge
    of cards: session support, session id format, algorithms,
    batching capability, SG support etc.
  - Driver might be passed a logical request from the dispatcher
    in the form of:
      command = {operation, context, source, destination}
    How to handle scatter/gather?

      command = { operation, context, source sg, destination sg}
    If the card supports batching, multiple commands may be grouped:
      { command, command, command, ... }

  - How to handle card / queue full? (top level API change: all operations
    can fail). Fall back to software? (async api will be required to
    support software implementations as well).

  - Pipeline management (where appropriate).
  - How to support IPsec offload to onboard NIC?
  - What will the Kernel & Userspace APIs look like?
      crypto_alloc_tfm() - current simple interface
      crypto_alloc_session() - batching of commands, IPsec offload[?] etc.
                               specify algorithm bundle, preferences, then
                               use api helpers to build and send dispatcher

      cryptoapifs? (see
  - Asymmetric crypto?

  - Existing kernel APIs with hardware support:
    - OpenBSD crypto queue
    - Cryptolib by Martin Gadbois,
      (what license does cryptolib use?)
  - Other discussions/proposals/code:
    - Michael Richardson
      (also see followup threads on cryptoapi-devel)
    - Bart Trojanowski's Generic Engine

Hardware documentation status:

    Documentation for Hifn cards available via download at their web site.
    Can provide driver source for the card, and some general documentation is
    available at http://www.ibm.com/security/cryptocards/
    Software development toolkit is export controlled (contact IBM for more
    Unknown (Steve is working on some Linux drivers though).
    Crypto documentation for NICs unavailable.
    Crypto documentation for NICs unavailable.
    No response to emails.
    Unknown (not contacted yet, Linux driver available).
    Unknown (not contacted yet).
    Contacted some time ago, documentation had to be purchased (expensive).
    Not sure if this has changed.
    Unknown (not contacted yet).

GPL Driver status:

  HiFn 7751
    James Morris (in progress).
  HiFn 7951
    David Bryson (in progress).
    Also see http://sourceforge.net/projects/hifn7951/
  HiFn 7901
    See http://sources.colubris.com/en/projects/FreeSWAN/
  Motorola MPC190, MPC184
    Steve (in progress).
  IBM 4758
    Available from IBM on request.

  AEP paep
    A dual licensed GPL/BSD driver is available somewhere.

   I don't think we have enough documentation yet, notably none for NICs
   with crypto hardware.


- James

James Morris
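
The dispatcher behaviour sketched in the notes above (balancing requests across cards, the {operation, context, source sg, destination sg} command, and falling back to software when every queue is full), as an added example that is not part of the original post or of any kernel code. It is a userspace C model; all struct, function and constant names are hypothetical, and the two-card scenario is constructed.

```c
/* Userspace model of the dispatcher notes; every name here is hypothetical. */
#include <stddef.h>

struct sg { unsigned char *buf; size_t len; };      /* one scatter/gather segment */
struct command {             /* {operation, context, source sg, destination sg} */
    int operation; void *context;
    struct sg *src, *dst;
    void (*done)(struct command *cmd, int status);  /* async completion callback */
};
struct card { unsigned algs; int depth, inflight; }; /* capabilities, queue size, load */
enum { VIA_SOFTWARE = -1 };

/* Least-loaded card that supports alg and has queue room, else VIA_SOFTWARE. */
static int pick_card(const struct card *c, int n, unsigned alg)
{
    int best = VIA_SOFTWARE;
    for (int i = 0; i < n; i++)
        if ((c[i].algs & alg) && c[i].inflight < c[i].depth &&
            (best < 0 || c[i].inflight < c[best].inflight))
            best = i;
    return best;
}

/* Queue cmd on a card; when every suitable queue is full, finish it in software. */
static int dispatch(struct card *c, int n, unsigned alg, struct command *cmd)
{
    int i = pick_card(c, n, alg);
    if (i == VIA_SOFTWARE)
        cmd->done(cmd, 0);   /* a software cipher would fill cmd->dst before this */
    else
        c[i].inflight++;     /* the card's completion interrupt calls done() later */
    return i;
}

/* Constructed demo callback: context points at a completion counter. */
static void count_done(struct command *cmd, int status) { if (!status) ++*(int *)cmd->context; }

int demo_routes[4];          /* where each of the four demo requests went */
int run_demo(void)           /* constructed scenario: two cards, one slot each */
{
    int completed = 0;
    struct card cards[2] = { {1, 1, 0}, {3, 1, 0} };
    struct command cmd = { 0, &completed, NULL, NULL, count_done }; /* reused for brevity */
    for (int i = 0; i < 4; i++) {
        if (i == 3) { cards[0].inflight--; cmd.done(&cmd, 0); }  /* card 0 finished */
        demo_routes[i] = dispatch(cards, 2, 1, &cmd);
    }
    return completed;
}
int main(void) { return run_demo() == 2 ? 0 : 1; }
```

The third request finds both one-slot queues full and completes through the software path, which is why the caller sees the same callback whether a card or the CPU did the work.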
