[dpdk-dev] [PATCH 0/3] adding op-type crt sign and decrypt

Shally Verma shallyv at marvell.com
Tue Feb 12 06:27:25 CET 2019

Previous message: [dpdk-dev] [PATCH 0/3] adding op-type crt sign and decrypt
Next message: [dpdk-dev] [PATCH 0/3] adding op-type crt sign and decrypt
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

HI Arek,

From: Kusztal, ArkadiuszX <arkadiuszx.kusztal at intel.com> 
Sent: 11 February 2019 17:11
To: Ayuj Verma <ayverma at marvell.com>; Trahe, Fiona <fiona.trahe at intel.com>; Shally Verma <shallyv at marvell.com>
Cc: akhil.goyal at nxp.com
Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt

External Email 
________________________________________
Hi Ayuj,

Few comments from me. 

Some PMDs can only support RSA private key operations using CRT keys
(quintuple) only. Thus it is required to add in PMD RSA xform
capability which key type is supported to perform sign and decrypt ops.

Thus add an another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform an private
key op using CRT keys (quintuple) only.
[AK] - What would be the purpose of enum rte_crypto_rsa_priv_key_type key_type in RSA XFORM then?

[Shally] PMDs, like openssl, can support private key ops with both key type i.e. one can invoke RSA_Sign() with quintuple keys or exponent keys. 
Openssl in its capability would reflect it support ops with both key types. that's why key_type is still required in xform. 

PMD would reflect its capability to support these operations using its
op_type mask. App should query RSA xform capability API to check if
specific op_type is supported, thus call operation with relevant key
type.

Another proposal is, it is not known if non-crt keys is used at all to
perform otherwise naturally slow RSA private keys operations.
So, it is also possible to deprecate RSA_KEY_TYPE_EXPONENT altogether
and just use quintuple key type for private key operations.
In that case, there is no need to add another SIGN/DECRYPT_CRT variant,
current SIGN and DECRYPT operation default to using quintuple RSA keys.
[AK] - even if I generally agree that all drivers will be using CRT by default (when quintuple keys provided) I think that if some PMD cannot support mod exp, it should fail on session init or should receive unsupported error on dequeue.

[Shally] Sorry this isn't clear to me when you say "if some PMD cannot support mod exp, it should fail on session init" . modexp is exported as separate xform on lib, if PMD doesn't support this xform, it will not be in its capability.
Or do you mean to say, we can leave exponent key type support , if PMD doesn't support operations using this type, it can will fail during session_init()?
modexp is base for all RSA operation, so any PMD has to support it internally in any case.

Ayuj Verma (3):
  lib/cryptodev: add crt sign and decrypt ops
  crypto/openssl: update op-type mask with crt ops
  test/crypto: check for rsa capa for op-type

 drivers/crypto/openssl/rte_openssl_pmd_ops.c |  4 +-
 lib/librte_cryptodev/rte_crypto_asym.h       |  8 ++++
 test/test/test_cryptodev_asym.c              | 47 ++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)

-- 
2.20.0

Regards,
Arek

Previous message: [dpdk-dev] [PATCH 0/3] adding op-type crt sign and decrypt
Next message: [dpdk-dev] [PATCH 0/3] adding op-type crt sign and decrypt
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list