Hi Shally, Ayuj,

Answers with [AK]

> -----Original Message-----
> From: Shally Verma [mailto:shal...@marvell.com]
> Sent: Tuesday, February 12, 2019 6:27 AM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusz...@intel.com>; Ayuj Verma
> <ayve...@marvell.com>; Trahe, Fiona <fiona.tr...@intel.com>
> Cc: akhil.go...@nxp.com; Kanaka Durga Kotamarthy
> <kkotamar...@marvell.com>; Sunila Sahu <ss...@marvell.com>;
> dev@dpdk.org
> Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
>
> Hi Arek,
>
> From: Kusztal, ArkadiuszX <arkadiuszx.kusz...@intel.com>
> Sent: 11 February 2019 17:11
> To: Ayuj Verma <ayve...@marvell.com>; Trahe, Fiona
> <fiona.tr...@intel.com>; Shally Verma <shal...@marvell.com>
> Cc: akhil.go...@nxp.com
> Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt
>
> External Email
> ________________________________________
> Hi Ayuj,
>
> Few comments from me.
>
> Some PMDs can only support RSA private key operations using CRT keys
> (quintuple) only. Thus it is required to add in PMD RSA xform capability
> which key type is supported to perform sign and decrypt ops.
>
> Thus add another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
> RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform a
> private key op using CRT keys (quintuple) only.
> [AK] - What would be the purpose of enum rte_crypto_rsa_priv_key_type
> key_type in RSA XFORM then?
>
> [Shally] PMDs, like openssl, can support private key ops with both key types,
> i.e. one can invoke RSA_Sign() with quintuple keys or exponent keys.
> Openssl in its capability would reflect that it supports ops with both key types.
> That's why key_type is still required in xform.

[AK] But still I wonder if we could not just use this enum to distinguish between crt and mod exp rsa? I am not very keen on adding SIGN_CRT op type as it is RSA only. Another option would be to add flags to rsa op like
uint64_t flags;

>
> PMD would reflect its capability to support these operations using its
> op_type mask. App should query RSA xform capability API to check if specific
> op_type is supported, thus call operation with relevant key type.
>
> Another proposal is, it is not known if non-crt keys are used at all to perform
> otherwise naturally slow RSA private keys operations.
> So, it is also possible to deprecate RSA_KEY_TYPE_EXPONENT altogether and
> just use quintuple key type for private key operations.
> In that case, there is no need to add another SIGN/DECRYPT_CRT variant,
> current SIGN and DECRYPT operation default to using quintuple RSA keys.
> [AK] - even if I generally agree that all drivers will be using CRT by default
> (when quintuple keys provided) I think that if some PMD cannot support
> mod exp, it should fail on session init or should receive unsupported error on
> dequeue.
>
> [Shally] Sorry, this isn't clear to me when you say "if some PMD cannot
> support mod exp, it should fail on session init". modexp is exported as
> separate xform on lib, if PMD doesn't support this xform, it will not be in its
> capability.
> Or do you mean to say, we can leave exponent key type support, if PMD
> doesn't support operations using this type, it will fail during
> session_init()?

[AK] Yes

> modexp is base for all RSA operation, so any PMD has to support it internally
> in any case.
>
> Ayuj Verma (3):
>   lib/cryptodev: add crt sign and decrypt ops
>   crypto/openssl: update op-type mask with crt ops
>   test/crypto: check for rsa capa for op-type
>
>  drivers/crypto/openssl/rte_openssl_pmd_ops.c |  4 +-
>  lib/librte_cryptodev/rte_crypto_asym.h       |  8 ++++
>  test/test/test_cryptodev_asym.c              | 47 ++++++++++++++++++++
>  3 files changed, 58 insertions(+), 1 deletion(-)
>
> --
> 2.20.0
>
> Regards,
> Arek
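
The two private-key forms debated in this thread, as an added example that is not part of the original messages or of DPDK: a toy RSA private-key operation computed once with exponent keys and once with the CRT quintuple, plus a key-type capability check at session setup. All names (`toy_pmd`, `session_init`, `rsa_private_op`, `KEY_EXP`, `KEY_QT`) and the small key values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names throughout; this is not the DPDK cryptodev API. */
enum key_type { KEY_EXP = 0, KEY_QT = 1 };      /* exponent vs quintuple */
struct rsa_key {
    enum key_type type;
    uint64_t n, e, d;                /* exponent form */
    uint64_t p, q, dP, dQ, qInv;     /* quintuple (CRT) form */
};
struct toy_pmd { uint32_t key_type_mask; };     /* one bit per key_type */

/* Constructed toy key: p=61, q=53, n=3233, e=17, d=2753. */
struct rsa_key toy_key(enum key_type t) {
    struct rsa_key k = { t, 3233, 17, 2753, 61, 53, 53, 49, 38 };
    return k;
}

uint64_t toy_modexp(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* An unsupported key type is rejected at session setup (one option raised
 * in the thread); returns 0 on success, -1 for unsupported. */
int session_init(const struct toy_pmd *pmd, const struct rsa_key *k) {
    return (pmd->key_type_mask & (1u << k->type)) ? 0 : -1;
}

/* Private-key op: one full-size modexp, or two half-size ones recombined. */
uint64_t rsa_private_op(const struct rsa_key *k, uint64_t m) {
    if (k->type == KEY_EXP)
        return toy_modexp(m, k->d, k->n);
    uint64_t m1 = toy_modexp(m, k->dP, k->p);
    uint64_t m2 = toy_modexp(m, k->dQ, k->q);
    uint64_t h = k->qInv * ((m1 + k->p - m2 % k->p) % k->p) % k->p;
    return m2 + h * k->q;            /* Garner recombination */
}

int main(void) {
    struct toy_pmd crt_only = { 1u << KEY_QT };
    struct rsa_key ek = toy_key(KEY_EXP), qk = toy_key(KEY_QT);
    printf("init exp=%d qt=%d\n", session_init(&crt_only, &ek), session_init(&crt_only, &qk));
    printf("sig exp=%llu crt=%llu\n", (unsigned long long)rsa_private_op(&ek, 65),
           (unsigned long long)rsa_private_op(&qk, 65));
    return 0;
}
```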