qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-2.9 1/3] crypto: add standard des support

From: Gonglei (Arei)
Subject: Re: [Qemu-devel] [PATCH for-2.9 1/3] crypto: add standard des support
Date: Tue, 6 Dec 2016 09:28:32 +0000 
>
> > > > > >          }
> > > > > > diff --git a/qapi/crypto.json b/qapi/crypto.json
> > > > > > index 5c9d7d4..d403ab9 100644
> > > > > > --- a/qapi/crypto.json
> > > > > > +++ b/qapi/crypto.json
> > > > > > @@ -75,7 +75,7 @@
> > > > > >  { 'enum': 'QCryptoCipherAlgorithm',
> > > > > >    'prefix': 'QCRYPTO_CIPHER_ALG',
> > > > > >    'data': ['aes-128', 'aes-192', 'aes-256',
> > > > > > -           'des-rfb',
> > > > > > +           'des-rfb', 'des',
> > > > >
> > > > > Can we call this '3des' to make it clear that this is Triple-DES and 
> > > > > not
> > > > > the single-DES (which des-rfb is)
> > > > >
> > > > Actually the current des is not triple-DES, just the single-DES, and 
> > > > des-rfb
> in
> > > QEMU is just a variant of
> > > > single DES, which change the standard key by calling
> > > qcrypto_cipher_munge_des_rfb_key().
> > > >
> > > > I think we can add the 3des support as well in the next step.
> > > >
> > > > The current single-DES in the patch set is ok to me. :)
> > >
> > > Per my othre reply in this thread,
> >
> > I saw that, thanks for your information, Daniel.
> >
> > > I don't think we should be supporting
> > > single-DES at all in QEMU / cryptodev. So IMHO, the correct fix is to
> > > remove the single-DES support from cryptodev entirely
> > >
> > The cryptodev-builtin is one kind of cryptodev backends. It provides the
> > real crypto capability for virtio crypto device.
> >
> > I don't think we should artificially remove one algorithm support if
> > the frontend driver (users) wants to use it, though the algorithm is
> > unsafe.
> 
> IIUC the cryptodev hardware is ultimately about allowing the guest
> to offload crypto operations to the host, potentialy using hardware
> acceleration. If the cryptodev backend doesn't support a particular
> algorithm, the guest is still capable of using its own built-in
> support for that algorithm. I see no compelling reason to provide
> host offload / acceleration for single-DES. Just kill this obsolete
> algorithm from cryptodev and in the unlikely event that a guest
> really does want single-DES it can use its built-in impl instead.
> 
Make sense. And I don't want to support single-DES in the virtio-crypto
frontend driver as well. The guest will use the software realization.

Thanks,
-Gonglei
reply via email to
[Prev in Thread] Current Thread [Next in Thread]