Re: [Ocf-linux-users] some questions on OCF
From: David M. <dav...@mc...> - 2010-03-18 03:58:15
Jivin avital sela lays it down ...
> Hello David,
>
> I am working on porting our custom AES and SHA drivers written for
> native crypto to OCF.

Cryptosoft can use those already. In fact, if you have async kernel api
crypto, I now have a version of cryptosoft that can use those as well.

I am about to do an OCF release with the updated cryptosoft that can use
the kernel's async cryptoapi code.

> As a start I modified the cryptosoft driver by removing the
> crypto_done call in case of HMAC/MAC and block cipher and replacing
> the appropriate crypto op calls with ones that enqueue the requests
> to the drivers. The drivers then from interrupt context call
> crypto_done. I also changed the registration to Hardware. Using
> cryptotest I verified that everything works fine (and produces pretty
> good results as compared with SW only crypto).
>
> With this approach I was able to make use of all your existing
> skbuff/uiov manipulation code which seems non trivial at all.
> The one problem I see with this approach is that I won't be able to
> make use of alg chaining which I will eventually need for ipsec.
> Is my understanding on the trade off (using a lot of existing code
> versus optimal performance) correct or am I missing something else?

OCF does chaining, you have just based your driver on cryptosoft which
currently doesn't. The safe/hifn/talitos/ixp and basically every other
HW driver does do chaining on hmac/ciphers.

> Is it possible that with very small buffers the hw processing, the
> corresponding interrupt and the call to crypto_done will complete
> before the crypto_process routine returns? If that happens will that
> be a problem?

That won't be a problem, I have already seen that happen and the code is
able to deal with it specifically.

> As far as I could tell, there is no way to get the native kernel IPSEC
> to call the OCF driver so I need to change to the KLIPS stack. Is this
> true?

Yes. The native stack can only use the native cryptoapi drivers.

> With the current drivers I use setkey to manually setup a tunnel.
> Will I still be able to do that with the KLIPS stack?

No, you need to use the openswan tools, which can also do netkey.
So, if you can, use pluto and at a minimum whack to configure your
tunnels. Using ipsec.conf is better though ;-)

Cheers,
Davidm

-- 
David McCullough, dav...@mc..., Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org