On Thu, Feb 02, 2017 at 10:04:56AM -0800, Chirag Shahani wrote:
> The accelerated algo. is in use when the code is run on a h/w box which has
> the C2xxx SoC with QAT 1.5.
> *O/p from /proc/crypto*:
> name         : authenc(hmac(sha512),cbc(des3_ede))
> driver       : icp_qat_des3_cbc_sha512_hmac
> module       : icp_qat_netkey
> priority     : 4001
> refcnt       : 1
> selftest     : passed
> type         : aead
> async        : yes
> blocksize    : 8
> ivsize       : 8
> maxauthsize  : 64
> geniv        : <built-in>

Yes, this is what you're looking for.

> *Now, in case where the code is run on linux box:*
> name         : authenc(hmac(sha256),cbc(aes))
> driver       : authenc(hmac(sha256-generic),cbc(aes-asm))
> module       : authenc
> priority     : 2000
> refcnt       : 9
> selftest     : passed
> type         : aead
> async        : no
> blocksize    : 16
> ivsize       : 16
> maxauthsize  : 32
> geniv        : <built-in>

With "linux box", do you mean another machine running linux as well but
not having the crypto engine?

> I will rephrase my question. I think it was not asked clearly in the
> previous email.
> So, I have used cryptodev-linux module (http://cryptodev-linux.org/) for
> FIPS validation to access the /dev/crypto interface and running user space
> code (example under cryptodev-linux-1.8/examples/ ). This took care of the
> FIPS validation when the code was running on the linux box as the linux
> kernel code did the encrypt decrypt.
> I need to do the same FIPS validation on the h/w box which has C2xxx SoC
> with QAT 1.5. I am not sure how to access drivers to get o/p for FIPS
> validation for various algos.
> I was under the impression, using cryptodev-linux module would do it by
> detecting the code is run on h/w and the kernel would handoff the
> encrypt/decrypt operations to the h/w.
> In short, can we use cryptodev-linux module to access C2xxx SoC. or any
> other library like cryptodev-linux to access it?

Short answer: Yes.

Cryptodev-linux merely provides an interface to the kernel crypto API
for user space. So in order to make use of some crypto engine, the
kernel crypto API must have access to it. That's why you need a kernel
driver for the engine in the first place. If it was successfully
registered, the kernel lists the accelerated algorithms in /proc/crypto,
so checking that file is a good way to find out whether the kernel has
access to the engine or not.

But even if all looks fine, you might end up using a software
implementation if your user space code requests an algorithm the engine
doesn't provide. So from looking at what you pasted above, the engine
should be used for at least SHA512 and DES3.

Not sure if that answers your question. I'm not familiar with FIPS, so
you're on your own in that regard.

Cheers, Phil

Cryptodev-linux-devel mailing list
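
Added example, not part of the original thread or of cryptodev-linux: a small /proc/crypto parser that reports which driver a request for a given algorithm name resolves to, and whether that driver belongs to the engine's kernel module or is a software fallback. The function names and the second sample entry are assumptions made for the illustration.

```python
# Constructed sample: entries 1 and 3 are the ones quoted in the thread
# (trimmed to the fields used here); entry 2 is made up for the demo.
SAMPLE = """\
name         : authenc(hmac(sha512),cbc(des3_ede))
driver       : icp_qat_des3_cbc_sha512_hmac
module       : icp_qat_netkey
priority     : 4001
selftest     : passed

name         : authenc(hmac(sha512),cbc(des3_ede))
driver       : authenc(hmac(sha512-generic),cbc(des3_ede-generic))
module       : authenc
priority     : 2000
selftest     : passed

name         : authenc(hmac(sha256),cbc(aes))
driver       : authenc(hmac(sha256-generic),cbc(aes-asm))
module       : authenc
priority     : 2000
selftest     : passed
"""

def parse_proc_crypto(text):
    """Split /proc/crypto into one dict per blank-line-separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields:
            entries.append(fields)
    return entries

def selected_driver(text, alg_name, engine_module):
    """Return (status, driver); engine_module is the engine's kernel module name."""
    # A lookup by name goes to the highest-priority entry that passed its self-test.
    usable = [e for e in parse_proc_crypto(text)
              if e["name"] == alg_name and e.get("selftest") == "passed"]
    if not usable:
        # Template instances such as authenc(...) are only listed once created.
        return ("not listed", None)
    best = max(usable, key=lambda e: int(e.get("priority", "0")))
    status = "engine" if best.get("module") == engine_module else "software"
    return (status, best["driver"])

if __name__ == "__main__":
    # On a real box: SAMPLE = open("/proc/crypto").read()
    for alg in ("authenc(hmac(sha512),cbc(des3_ede))", "authenc(hmac(sha256),cbc(aes))"):
        print(alg, "->", selected_driver(SAMPLE, alg, "icp_qat_netkey"))
```

A "software" result for an algorithm under validation means the test vectors would exercise the kernel's software implementation rather than the engine.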
