2008-11-07 10:34:42

by Dean Jenkins

Subject: Unloading hardware based crypto to fallback to software based crypto

Hi,

Is there a mechanism to allow a hardware crypto driver to be unloaded and the
IPsec session to fall back to using software based crypto drivers?

The requirement is to not take down the IPsec tunnel whilst unloading the
hardware crypto driver. Basically, the hardware becomes unavailable during the
session.

Conversely, is there a mechanism to dynamically upgrade from using software
based crypto to hardware based crypto without killing the IPsec tunnel?

Thanks for any info.

Regards,
Dean Jenkins
MontaVista Software


2008-11-10 06:55:45

by Herbert Xu

Subject: Re: Unloading hardware based crypto to fallback to software based crypto

Dean Jenkins <[email protected]> wrote:
>
> Is there a mechanism to allow a hardware crypto driver to be unloaded and the
> IPsec session to fall back to using software based crypto drivers?

Fail-over should be implemented within the driver. Please look
at drivers/crypto/padlock-sha.c for an example of how to use a
software fallback implementation.

> Conversely, is there a mechanism to dynamically upgrade from using software
> based crypto to hardware based crypto without killing the IPsec tunnel?

Note that IPsec tunnel != IPsec SA. During the lifetime of a
tunnel many SAs could be used. It's trivial to change drivers
without killing the tunnel by changing SAs. Of course, changing
implementations without replacing the SA is impossible, unless
you start out with the hardware implementation registered but
only use the software fallback.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
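
A userspace C model of the pattern the reply above describes, per-request dispatch to a software fallback inside the driver, so the caller keeps one transform while the engine comes and goes. It is an added illustration, not code from this thread or from drivers/crypto/padlock-sha.c; every name, the FNV-1a stand-in digest and the packets are assumptions constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace model; every name here is hypothetical, not a kernel API. */
typedef uint32_t (*digest_fn)(const uint8_t *data, size_t len);
struct model_tfm {
    digest_fn hw, fallback;   /* engine path; software path bound at init */
    const bool *hw_ready;     /* availability flag owned by the driver */
    unsigned hw_calls, sw_calls;
};

/* FNV-1a stands in for the real algorithm; hw_digest simulates the engine. */
static uint32_t sw_digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
static uint32_t hw_digest(const uint8_t *p, size_t n) { return sw_digest(p, n); }
/* Setup fails without a software fallback to hand requests to. */
static int model_init(struct model_tfm *t, digest_fn fallback, const bool *hw_ready)
{
    if (!fallback || !hw_ready) return -1;
    *t = (struct model_tfm){ hw_digest, fallback, hw_ready, 0, 0 };
    return 0;
}
/* Per-request dispatch: the caller holds the same transform throughout. */
static uint32_t model_digest(struct model_tfm *t, const uint8_t *p, size_t n)
{
    if (*t->hw_ready) { t->hw_calls++; return t->hw(p, n); }
    t->sw_calls++;
    return t->fallback(p, n);
}
/* Engine is lost before packet fail_at; returns digests differing from software. */
static unsigned run_session(struct model_tfm *t, bool *ready, unsigned n, unsigned fail_at)
{
    unsigned bad = 0;
    for (unsigned i = 0; i < n; i++) {
        uint8_t pkt[4] = { 'p', 'k', 't', (uint8_t)i };  /* constructed packet */
        if (i == fail_at) *ready = false;
        bad += model_digest(t, pkt, sizeof pkt) != sw_digest(pkt, sizeof pkt);
    }
    return bad;
}
int main(void)
{
    bool ready = true; struct model_tfm t;
    return model_init(&t, sw_digest, &ready) || run_session(&t, &ready, 10, 4);
}
```

The model switches paths only between requests; a real driver also has to deal with the engine disappearing while a request is in flight.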