Pawel Jakub Dawidek wrote:
> On Wed, Mar 07, 2007 at 10:36:15AM +0000, Darren J Moffat wrote:
>> Jeff Bonwick wrote:
>>> For the benefit of our friends at Apple, BSD, etc -- it would be
>>> good to keep the super-simple software implementation of SHA-256
>>> available as an #ifdef.
>> Sure, I'll arrange the #ifdef that way.
>>
>> This is however going to be a big problem for Apple and BSD when we add
>> crypto support though because they don't have the same crypto APIs that we
>> have (since there is no standard API for in kernel crypto).
> 
> Will it be possible to design ZFS crypto API which will hide internals
> of OS-specific in-kernel crypto API? There is opencrypto API in
> FreeBSD's kernel on which I worked quite a bit, so I could help with
> design. You can find more info about opencrypto here:

My prototype bits have all the actual calls to the OpenSolaris KCF API
(things like crypto_encrypt()) isolated into a single file.  The calls 
to do the encryption/decryption in places like ZIO are all generic - 
that was done partly for this reason and also because I was mirroring 
what compression/checksum already did anyway.

So yes as much as possible it will be isolated to one place.

We might (not yet decided) make some use of PKCS#11 in userland if we 
need to do stuff there.  That's an even better choice because it is a
standards based API.

>       http://www.freebsd.org/cgi/man.cgi?query=crypto&sektion=9&format=html
> 
> The good thing is that we probably need very simple API for ZFS.

For the actual crypto yes the API is simple, the key management is the 
more complex part - as always :-)

-- 
Darren J Moffat
