Am Sonntag, 24. Januar 2021, 15:23:29 CET schrieb Ard Biesheuvel: Hi Ard,
> On Sun, 24 Jan 2021 at 15:10, Stephan Müller <smuel...@chronox.de> wrote: > > Hi, > > > > The key derviation functions are considered to be a cryptographic > > operation. As cryptographic operations are provided via the kernel > > crypto API, this patch set consolidates the KDF implementations into the > > crypto API. > > > > The KDF implementations are provided as service functions. Yet, the > > interface to the two provided KDFs are identical with the goal to allow > > them to be transformed into a crypto API template eventually. > > Why? There are typically two reasons to use the crypto API abstractions: > - the algorithm is not known at compile time, so we need the runtime > dispatch that the crypto API implements, > - the algorithm may be implemented by a h/w accelerator which is > discovered at runtime via the driver stack > > In other cases, a library API is much more suitable, even in the case > where we may provide arch-specific accelerated implementations of such > an algorithm. In case your "why" refers to why I stated that the KDF implementations are similar to eventually consolidate them into a template eventually: A KDF is conceptually a logic on top of a (hash) algorithm like a block chaining mode on top of a block cipher or a deterministic RNG on top of an underlying cipher. So, conceptually with the kernel crypto API, we would have a KDF template that can be used like hkdf(sha256) or hkdf(sha256-avx2). The behavior of a KDF is identical to a deterministic RNG. Thus, a long time ago, I had a patch developed that adds a very small addition to the existing RNG API to allow the KDFs to be used. See [1]. Yet, that was not desired at the time due to different reasons. Yet, the crypto API as it stands today knows of templates and basic algorithms. Having a separate library API providing a crypto algorithm is new to the crypto API. You see that with the test manager which works well with the templates / algorithms but does not provide any helpers for some "library APIs". In case your "why" refers to whether I am not using a template to begin with: Some time back I provided the patch using a template (see [1] for example). At that time, Herbert wanted to have a service API instead. [1] http://www.chronox.de/kdf.html Ciao Stephan
