2007-07-05 22:48:52

by Gautam Singaraju

Subject: RSA support into kernel?

Are there any attempts being made to provide software-based RSA
cryptographic support at kernel level? I see that 2.6.21 supports
hardware devices such as VIA Padlock ACE. Has anybody had a chance to
use such a system?

-GS


2007-07-06 10:37:33

by Evgeniy Polyakov

Subject: Re: RSA support into kernel?

On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju ([email protected]) wrote:
> Are there any attempts being made to provide software-based RSA
> cryptographic support at kernel level? I see that 2.6.21 supports
> hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> use such a system?

VIA padlock engine or RSA? The former is heavily used in the wild, but
why would anyone want to use RSA in the kernel?

> -GS

--
Evgeniy Polyakov

2007-07-06 11:05:12

by David Miller

Subject: Re: RSA support into kernel?

From: Evgeniy Polyakov <[email protected]>
Date: Fri, 6 Jul 2007 14:37:31 +0400

> On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju ([email protected]) wrote:
> > Are there any attempts being made to provide software-based RSA
> > cryptographic support at kernel level? I see that 2.6.21 supports
> > hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> > use such a system?
>
> VIA padlock engine or RSA? The former is heavily used in the wild, but
> why would anyone want to use RSA in the kernel?

Automatic SSL done in-kernel on user data for socket I/O, with
hardware offload from the crypto layer when available.

Solaris has done this for quite some time and it helps a lot for
things like the VIA and Niagara.

2007-07-06 12:11:05

by Evgeniy Polyakov

Subject: Re: RSA support into kernel?

On Fri, Jul 06, 2007 at 04:05:33AM -0700, David Miller ([email protected]) wrote:
> From: Evgeniy Polyakov <[email protected]>
> Date: Fri, 6 Jul 2007 14:37:31 +0400
>
> > On Thu, Jul 05, 2007 at 03:48:51PM -0700, Gautam Singaraju ([email protected]) wrote:
> > > Are there any attempts being made to provide software-based RSA
> > > cryptographic support at kernel level? I see that 2.6.21 supports
> > > hardware devices such as VIA Padlock ACE. Has anybody had a chance to
> > > use such a system?
> >
> > VIA padlock engine or RSA? The former is heavily used in the wild, but
> > why would anyone want to use RSA in the kernel?
>
> Automatic SSL done in-kernel on user data for socket I/O, with
> hardware offload from the crypto layer when available.
>
> Solaris has done this for quite some time and it helps a lot for
> things like the VIA and Niagara.

I.e. for userspace stuff? That is obviously the right usage, but the Linux
cryptoapi does not have a userspace interface, hence my question.
Actually, I have already been asked several times, after acrypto was closed,
how userspace can use the new hardware drivers, and frankly I do not know what
the best userspace API would look like (in one of the projects I already
used all three methods one by one and failed to determine the best).
A simple char device with read/write or ioctl, a blocking/nonblocking syscall
over a file descriptor, or anything else?

--
Evgeniy Polyakov

2007-07-06 13:13:21

by Herbert Xu

Subject: Re: RSA support into kernel?

David Miller <[email protected]> wrote:
>>
>> VIA padlock engine or RSA? The former is heavily used in the wild, but
>> why would anyone want to use RSA in the kernel?
>
> Automatic SSL done in-kernel on user data for socket I/O, with
> hardware offload from the crypto layer when available.

AFAIK asymmetric crypto is only used for SSL key exchange and not
on the data transfers so I'm not sure whether this would be that
useful. This is pretty much the same situation with IPsec where
we delegate the key exchange to the userspace KMs.

Now having in-kernel SSL data exchange support using the crypto
API would be pretty cool and would provide the same level of
crypto support to SSL users as we do for IPsec.

So far the only proposed user for RSA in-kernel seems to be
module signing and I'm staying well away from that debate :)

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
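
Herbert's point above, that asymmetric crypto only covers the key exchange while every byte of data goes through a symmetric cipher, can be seen in a small hybrid-encryption demo. This is an added example, not code from the thread, the kernel crypto API, or eCryptfs. It uses textbook RSA with no padding and a demo-sized key, an HMAC-SHA256 counter keystream standing in for the symmetric cipher, and the names `SenderSession`, `ReceiverSession` and `roundtrip` are all constructed here; the RSA operation count shows that the asymmetric cost is paid once per session, not per record.

```python
"""Hybrid encryption demo (added example, not kernel or eCryptfs code):
RSA wraps a per-session symmetric key exactly once; each data record is
then handled by a symmetric keystream.  Textbook RSA without padding and
a demo key size: for illustration only, never for real traffic."""
import hashlib
import hmac
import os
import random

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """Textbook RSA key pair: returns (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)  # pow(e, -1, m): Python 3.8+


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Counter-mode keystream, block i = HMAC-SHA256(key, i); constructed for
    the demo, a real stack would use a vetted cipher such as AES-GCM."""
    out, block = b"", offset // BLOCK
    while len(out) < offset % BLOCK + length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    start = offset % BLOCK
    return out[start:start + length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SenderSession:
    """One RSA operation at setup (wrap the session key), then symmetric only."""

    def __init__(self, pubkey):
        e, n = pubkey
        self.key = os.urandom(32)  # 256-bit session key, always < n here
        self.wrapped_key = pow(int.from_bytes(self.key, "big"), e, n)
        self.rsa_ops = 1           # the only asymmetric operation
        self.offset = 0

    def encrypt(self, record: bytes) -> bytes:
        ct = xor_bytes(record, keystream(self.key, self.offset, len(record)))
        self.offset += len(record)
        return ct


class ReceiverSession:
    """Mirror image: one RSA unwrap at setup, then symmetric only."""

    def __init__(self, privkey, wrapped_key: int):
        d, n = privkey
        self.key = pow(wrapped_key, d, n).to_bytes(32, "big")
        self.rsa_ops = 1
        self.offset = 0

    def decrypt(self, record: bytes) -> bytes:
        pt = xor_bytes(record, keystream(self.key, self.offset, len(record)))
        self.offset += len(record)
        return pt


def roundtrip(records):
    """Push records through one session; returns (recovered, sender RSA ops)."""
    pub, priv = rsa_keygen()
    sender = SenderSession(pub)
    cts = [sender.encrypt(r) for r in records]
    receiver = ReceiverSession(priv, sender.wrapped_key)
    return [receiver.decrypt(c) for c in cts], sender.rsa_ops
```

The shape is what a kernel-side SSL/TLS data path would need: once the handshake has produced the session key, the record layer only needs the symmetric primitives the crypto API already offers, which is the same split IPsec makes when it leaves IKE to a userspace key manager.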

2007-07-06 13:50:48

by Michael Halcrow

Subject: Re: RSA support into kernel?

On Fri, Jul 06, 2007 at 09:12:52PM +0800, Herbert Xu wrote:
> So far the only proposed user for RSA in-kernel seems to be module
> signing and I'm staying well away from that debate :)

eCryptfs uses RSA.

Right now it has to defer to a userspace daemon to perform the
operation.

Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769

"This is about humans being human."
- Carl Sagan



2007-07-06 14:41:19

by Gautam Singaraju

Subject: Re: RSA support into kernel?

I am considering RSA as an option for research purposes; though I need
it only for decryption purposes. Any specific reason for running the
daemon in user space?

Gautam
On 7/6/07, Michael Halcrow <[email protected]> wrote:
> On Fri, Jul 06, 2007 at 09:12:52PM +0800, Herbert Xu wrote:
> > So far the only proposed user for RSA in-kernel seems to be module
> > signing and I'm staying well away from that debate :)
>
> eCryptfs uses RSA.
>
> Right now it has to defer to a userspace daemon to perform the
> operation.
>
> Mike
> .___________________________________________________________________.
> Michael A. Halcrow
> Security Software Engineer, IBM Linux Technology Center
> GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
>
> "This is about humans being human."
> - Carl Sagan


--
---
Gautam

2007-07-06 16:01:21

by Herbert Xu

Subject: Re: RSA support into kernel?

On Fri, Jul 06, 2007 at 08:36:37AM -0500, Michael Halcrow wrote:
>
> eCryptfs uses RSA.
>
> Right now it has to defer to a userspace daemon to perform the
> operation.

OK that'd be the most convincing case for me then.

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2007-07-06 16:46:16

by Michael Halcrow

Subject: Re: RSA support into kernel?

On Fri, Jul 06, 2007 at 07:41:18AM -0700, Gautam Singaraju wrote:
> I am considering RSA as an option for research purposes; though I
> need it only for decryption purposes. Any specific reason for
> running the daemon in user space?

That's where RSA is.

Mike
.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769

panic: kernel trap (ignored)



2007-07-06 17:23:35

by Gautam Singaraju

Subject: Re: RSA support into kernel?

Ok, I see that a previous attempt has been made to support a
bignum library, and hence PKI, in the kernel in a project named Cryptomark.
Thanks!

On 7/6/07, Michael Halcrow <[email protected]> wrote:
> On Fri, Jul 06, 2007 at 07:41:18AM -0700, Gautam Singaraju wrote:
> > I am considering RSA as an option for research purposes; though I
> > need it only for decryption purposes. Any specific reason for
> > running the daemon in user space?
>
> That's where RSA is.
>
> Mike
> .___________________________________________________________________.
> Michael A. Halcrow
> Security Software Engineer, IBM Linux Technology Center
> GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
>
> panic: kernel trap (ignored)


--
---
Gautam