On Wed, 24 Jan 2007, Derek Morr wrote:

> Padlock uses unprivileged opcodes (but no non-standard registers), so it's
> accessible from userspace. To avoid the mode-switch overhead, I wrote a
> PKCS11 driver for it. One issue I've run into here is how do I configure
> cryptosvc to use one provider preferentially over the others? So far, I've
> been manually editing /etc/crypto/pkcs11.conf and listing the padlock
> provider first, but that's hardly recommended.

In fact, that's a "private interface, may change at any time", so you're
right, it shouldn't be used.

We've talked about adding a "weighting" figure to each provider, especially
with recent discussions of improving our smartcard support - you certainly
would not want to attempt to use your slow smartcard for bulk encryption of
very large files :-)

Alas, I can't find the RFE that covers this - it may be we've all talked
about it so long, we didn't file anything. I'll poke around a bit more & if
I can't find it, file one.

Valerie
--
Valerie Bubb, http://blogs.sun.com/bubbva
Solaris Security Technologies, Developer, Sun Microsystems, Inc.
17 Network Circle, Menlo Park, CA, 94025. 650-786-0461