Re: [gentoo-amd64] Kernel Cryptographic API
2010/9/14 Frank Peters frank.pet...@comcast.net:

> Hello,
>
> I just installed Gentoo on a new Core i7 based machine. After doing a bit of research on the best compile flags to use for this processor, I came across the advice to enable the kernel cryptographic API. It seems that the kernel can make good use of the SSE 4.2 instruction set on the Core i7 to do the cryptographic work.
>
> My system is mainly a desktop workstation that is used for business/home functions such as word processing, database work, image processing, audio processing, custom programming etc. There is no networking involved other than a DHCP link to an ISP. I suppose that in my case the cryptographic API would be useless.
>
> Are the kernel crypto routines used by any common software, or are they limited to IPsec and other similar things? Does openssl or p7zip use the crypto API?
>
> If it is advisable for a desktop workstation to use the crypto API, what specific routines should be enabled? There are a lot of individual routines within the crypto API.

The kernel crypto-api is also used for dm-crypt IIRC.

Br,
Maciej Grela
Re: [gentoo-amd64] Kernel Cryptographic API
----- Original Message -----
From: Frank Peters frank.pet...@comcast.net

> I just installed Gentoo on a new Core i7 based machine. After doing a bit of research on the best compile flags to use for this processor, I came across the advice to enable the kernel cryptographic API. It seems that the kernel can make good use of the SSE 4.2 instruction set on the Core i7 to do the cryptographic work.
>
> My system is mainly a desktop workstation that is used for business/home functions such as word processing, database work, image processing, audio processing, custom programming etc. There is no networking involved other than a DHCP link to an ISP. I suppose that in my case the cryptographic API would be useless.
>
> Are the kernel crypto routines used by any common software, or are they limited to IPsec and other similar things? Does openssl or p7zip use the crypto API?

While I am not a kernel coder - that would be my suspicion - that the Crypto API is for any kind of cryptography inside the kernel. OpenSSL itself is a cryptographic API, and is platform independent, so no, it would not use the kernel API.

You would likely really only need the Cryptographic API if you have hardware (e.g. Trusted Computing's TPM module), IPSec, MD5/SHA1 verification of kernel modules, kernel-mode encrypted file systems, etc. There's a lot of things that can make use of it in the API.

The Kernel Configuration utility will auto-enable it if you need it. And as with most things in the kernel, if you don't know what it is - take the default. (See the help. Most things are usually "If you don't know what this is, then it is safe to disable it.")

> If it is advisable for a desktop workstation to use the crypto API, what specific routines should be enabled? There are a lot of individual routines within the crypto API.

See the help.

Ben
Re: [gentoo-amd64] Kernel Cryptographic API
On Tue, 14 Sep 2010 05:57:13 -0700 (PDT) BRM bm_witn...@yahoo.com wrote:

> While I am not a kernel coder - that would be my suspicion - that the Crypto API is for any kind of cryptography inside the kernel. OpenSSL itself is a cryptographic API, and is platform independent, so no, it would not use the kernel API.

Thanks for all the responses.

I wasn't sure if the Crypto API was purely for use within kernel space or if user space applications could have access to it in the same manner as with other kernel system routines. But I guess that the Crypto API is just for the use of the kernel.

Frank Peters
Re: [gentoo-amd64] Kernel Cryptographic API
On 09/14/2010 12:17 PM, Frank Peters wrote:

> I wasn't sure if the Crypto API was purely for use within kernel space or if user space applications could have access to it in the same manner as with other kernel system routines. But I guess that the Crypto API is just for the use of the kernel.

The API will be built automatically if you enable any settings that require it. The only reason to explicitly build it is if you plan on loading kernel modules built from a different source tree that use the API. In that case, you'll end up with missing symbols if you don't explicitly build the Crypto API (or also provide that via a module).

Maybe if you had some kind of proprietary disk/LAN/etc-encryption hardware that supplied a closed-source module you might have need of this. If you used another distro where modules tended to come pre-packaged that could also be a concern. Since virtually all the modules on Gentoo are provided by the users themselves there isn't much of a need for this.

Rich
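Added example, not part of the thread: to see which crypto algorithms a running kernel has registered and which of them currently have users, the records in /proc/crypto can be filtered by reference count. The sample records below are constructed, and treating a refcnt above 1 as "in use" is an assumption of this example.

```shell
# /proc/crypto lists one record per registered kernel crypto algorithm,
# as "key : value" lines separated by blank lines.

# crypto_in_use [FILE|-]: print "name driver module refcnt" for records
# with refcnt > 1. Assumption: a refcnt of 1 is the registration itself,
# so a higher count indicates a current in-kernel user.
crypto_in_use() {
    awk '
    function emit() {
        if (name != "" && refcnt + 0 > 1) print name, driver, module, refcnt
        name = driver = module = refcnt = ""
    }
    /^[ \t]*$/ { emit(); next }
    {
        i = index($0, ":")
        if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "name") name = val
        else if (key == "driver") driver = val
        else if (key == "module") module = val
        else if (key == "refcnt") refcnt = val
    }
    END { emit() }
    ' "${1:-/proc/crypto}"
}

# Constructed, abbreviated sample (not captured from a real machine).
sample_proc_crypto() {
    cat <<'EOF'
name         : crc32c
driver       : crc32c-intel
module       : crc32c_intel
refcnt       : 2

name         : aes
driver       : aes-generic
module       : kernel
refcnt       : 1

name         : md5
driver       : md5-generic
module       : kernel
refcnt       : 3
EOF
}

sample_proc_crypto | crypto_in_use -
```

Called with no argument, `crypto_in_use` reads the live /proc/crypto; a "module" value of `kernel` means the algorithm is built in rather than loaded as a module.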
Re: [gentoo-amd64] Kernel Cryptographic API
On Tue, 14 Sep 2010 12:17:14 -0400 Frank Peters frank.pet...@comcast.net wrote:

> On Tue, 14 Sep 2010 05:57:13 -0700 (PDT) BRM bm_witn...@yahoo.com wrote:
>
> > While I am not a kernel coder - that would be my suspicion - that the Crypto API is for any kind of cryptography inside the kernel. OpenSSL itself is a cryptographic API, and is platform independent, so no, it would not use the kernel API.
>
> Thanks for all the responses.
>
> I wasn't sure if the Crypto API was purely for use within kernel space or if user space applications could have access to it in the same manner as with other kernel system routines. But I guess that the Crypto API is just for the use of the kernel.

There is some movement however: http://lwn.net/Articles/401548/. So in the future it might be available for user-space ...we will see...

Robert

--
Robert Cernansky
E-mail: hslis...@zoznam.sk
Jabber: h...@jabber.sk
Re: [gentoo-amd64] Kernel Cryptographic API
On 09/13/10 17:28, Frank Peters wrote:

> Hello,
>
> I just installed Gentoo on a new Core i7 based machine. After doing a bit of research on the best compile flags to use for this processor, I came across the advice to enable the kernel cryptographic API. It seems that the kernel can make good use of the SSE 4.2 instruction set on the Core i7 to do the cryptographic work.
>
> My system is mainly a desktop workstation that is used for business/home functions such as word processing, database work, image processing, audio processing, custom programming etc. There is no networking involved other than a DHCP link to an ISP. I suppose that in my case the cryptographic API would be useless.
>
> Are the kernel crypto routines used by any common software, or are they limited to IPsec and other similar things? Does openssl or p7zip use the crypto API?
>
> If it is advisable for a desktop workstation to use the crypto API, what specific routines should be enabled? There are a lot of individual routines within the crypto API.
>
> Frank Peters

It is unlikely that you would receive any benefit from the kernel crypto API in the scenario you described.

--
Mike Doty kingtaco -at- gentoo.org
Gentoo Infrastructure Operations Manager
Gentoo/AMD64 Strategic Lead
GPG: E1A5 1C9C 93FE F430 C1D6 F2AF 806B A2E4 19F4 AE05