[0/3] adding op-type crt sign and decrypt

Message ID 20190206111405.30860-1-ayverma@marvell.com
Headers show
Series
  • adding op-type crt sign and decrypt
Related show

Message

Ayuj Verma Feb. 6, 2019, 11:16 a.m.
Some PMDs can only support RSA private key operations using CRT keys
(quintuple) only. Thus it is required to add in PMD RSA xform
capability which key type is supported to perform sign and decrypt ops.

Thus add an another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform an private
key op using CRT keys (quintuple) only.

PMD would reflect its capability to support these operations using its
op_type mask. App should query RSA xform capability API to check if
specific op_type is supported, thus call operation with relevant key
type.

Another proposal is, it is not known if non-crt keys is used at all to
perform otherwise naturally slow RSA private keys operations.
So, it is also possible to deprecate RSA_KEY_TYPE_EXPONENT altogether
and just use quintuple key type for private key operations.
In that case, there is no need to add another SIGN/DECRYPT_CRT variant,
current SIGN and DECRYPT operation default to using quintuple RSA keys.

Ayuj Verma (3):
  lib/cryptodev: add crt sign and decrypt ops
  crypto/openssl: update op-type mask with crt ops
  test/crypto: check for rsa capa for op-type

 drivers/crypto/openssl/rte_openssl_pmd_ops.c |  4 +-
 lib/librte_cryptodev/rte_crypto_asym.h       |  8 ++++
 test/test/test_cryptodev_asym.c              | 47 ++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)

Comments

Ayuj Verma Feb. 8, 2019, 8:47 a.m. | #1
Hi Pablo,Fiona


Did you get a chance to look into these.


Thanks and regards

Ayuj Verma
Shally Verma Feb. 12, 2019, 5:27 a.m. | #2
HI Arek,

From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com> 
Sent: 11 February 2019 17:11
To: Ayuj Verma <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>; Shally Verma <shallyv@marvell.com>
Cc: akhil.goyal@nxp.com
Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt

External Email
Kusztal, ArkadiuszX Feb. 12, 2019, 11:12 a.m. | #3
Hi Shally, Ayuj

Answers with [AK]

> -----Original Message-----
> From: Shally Verma [mailto:shallyv@marvell.com]
> Sent: Tuesday, February 12, 2019 6:27 AM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; Ayuj Verma
> <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
> Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy
> <kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
> dev@dpdk.org
> Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
> 
> HI Arek,
> 
> From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
> Sent: 11 February 2019 17:11
> To: Ayuj Verma <ayverma@marvell.com>; Trahe, Fiona
> <fiona.trahe@intel.com>; Shally Verma <shallyv@marvell.com>
> Cc: akhil.goyal@nxp.com
> Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt
> 
> External Email
> ________________________________________
> Hi Ayuj,
> 
> Few comments from me.
> 
> Some PMDs can only support RSA private key operations using CRT keys
> (quintuple) only. Thus it is required to add in PMD RSA xform capability
> which key type is supported to perform sign and decrypt ops.
> 
> 
> Thus add an another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
> RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform an
> private key op using CRT keys (quintuple) only.
> [AK] - What would be the purpose of enum rte_crypto_rsa_priv_key_type
> key_type in RSA XFORM then?
> 
> [Shally] PMDs, like openssl, can support private key ops with both key type
> i.e. one can invoke RSA_Sign() with quintuple keys or exponent keys.
> Openssl in its capability would reflect it support ops with both key types.
> that's why key_type is still required in xform.

[AK] But still I wonder if we could not just use this enum to distinguish between crt and mod exp rsa?
I am not very keen on adding SIGN_CRT op type as it is RSA only. Another option would be to add flags to rsa op like uint64_t flags;
> 
> PMD would reflect its capability to support these operations using its
> op_type mask. App should query RSA xform capability API to check if specific
> op_type is supported, thus call operation with relevant key type.
> 
> Another proposal is, it is not known if non-crt keys is used at all to perform
> otherwise naturally slow RSA private keys operations.
> So, it is also possible to deprecate RSA_KEY_TYPE_EXPONENT altogether and
> just use quintuple key type for private key operations.
> In that case, there is no need to add another SIGN/DECRYPT_CRT variant,
> current SIGN and DECRYPT operation default to using quintuple RSA keys.
> [AK] - even if I generally agree that all drivers will be using CRT by default
> (when quintuple keys provided) I think that if some PMD cannot support
> mod exp, it should fail on session init or should receive unsupported error on
> dequeue.
> 
> [Shally] Sorry this isn't clear to me when you say "if some PMD cannot
> support mod exp, it should fail on session init" . modexp is exported as
> separate xform on lib, if PMD doesn't support this xform, it will not be in its
> capability.
> Or do you mean to say, we can leave exponent key type support , if PMD
> doesn't support operations using this type, it can will fail during
> session_init()?
[AK] Yes
> modexp is base for all RSA operation, so any PMD has to support it internally
> in any case.
> 
> Ayuj Verma (3):
>   lib/cryptodev: add crt sign and decrypt ops
>   crypto/openssl: update op-type mask with crt ops
>   test/crypto: check for rsa capa for op-type
> 
>  drivers/crypto/openssl/rte_openssl_pmd_ops.c |  4 +-
>  lib/librte_cryptodev/rte_crypto_asym.h       |  8 ++++
>  test/test/test_cryptodev_asym.c              | 47 ++++++++++++++++++++
>  3 files changed, 58 insertions(+), 1 deletion(-)
> 
> --
> 2.20.0
> 
> Regards,
> Arek
Shally Verma Feb. 12, 2019, 11:19 a.m. | #4
Hi Arek

>-----Original Message-----
>From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
>Sent: 12 February 2019 16:42
>To: Shally Verma <shallyv@marvell.com>; Ayuj Verma <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
>Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy <kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
>dev@dpdk.org
>Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
>
>Hi Shally, Ayuj
>
>Answers with [AK]
>
>> -----Original Message-----
>> From: Shally Verma [mailto:shallyv@marvell.com]
>> Sent: Tuesday, February 12, 2019 6:27 AM
>> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; Ayuj Verma
>> <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
>> Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy
>> <kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
>> dev@dpdk.org
>> Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
>>
>> HI Arek,
>>
>> From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
>> Sent: 11 February 2019 17:11
>> To: Ayuj Verma <ayverma@marvell.com>; Trahe, Fiona
>> <fiona.trahe@intel.com>; Shally Verma <shallyv@marvell.com>
>> Cc: akhil.goyal@nxp.com
>> Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt
>>
>> External Email
>> ________________________________________
>> Hi Ayuj,
>>
>> Few comments from me.
>>
>> Some PMDs can only support RSA private key operations using CRT keys
>> (quintuple) only. Thus it is required to add in PMD RSA xform capability
>> which key type is supported to perform sign and decrypt ops.
>>
>>
>> Thus add an another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
>> RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform an
>> private key op using CRT keys (quintuple) only.
>> [AK] - What would be the purpose of enum rte_crypto_rsa_priv_key_type
>> key_type in RSA XFORM then?
>>
>> [Shally] PMDs, like openssl, can support private key ops with both key type
>> i.e. one can invoke RSA_Sign() with quintuple keys or exponent keys.
>> Openssl in its capability would reflect it support ops with both key types.
>> that's why key_type is still required in xform.
>
>[AK] But still I wonder if we could not just use this enum to distinguish between crt and mod exp rsa?
>I am not very keen on adding SIGN_CRT op type as it is RSA only. Another option would be to add flags to rsa op like uint64_t flags;
[Shally] Ok .. you mean as feature flag? Example, RTE_CRYPTODEV_ASYM_FF_RSA_PRIV_KEY_OP_CRT?

Thanks
Shally
...
>> Regards,
>> Arek
Kusztal, ArkadiuszX Feb. 12, 2019, 11:36 a.m. | #5
> -----Original Message-----
> From: Shally Verma [mailto:shallyv@marvell.com]
> Sent: Tuesday, February 12, 2019 12:19 PM
> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; Ayuj Verma
> <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
> Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy
> <kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
> dev@dpdk.org
> Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
> 
> Hi Arek
> 
> >-----Original Message-----
> >From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
> >Sent: 12 February 2019 16:42
> >To: Shally Verma <shallyv@marvell.com>; Ayuj Verma
> ><ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
> >Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy
> ><kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
> >dev@dpdk.org
> >Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
> >
> >Hi Shally, Ayuj
> >
> >Answers with [AK]
> >
> >> -----Original Message-----
> >> From: Shally Verma [mailto:shallyv@marvell.com]
> >> Sent: Tuesday, February 12, 2019 6:27 AM
> >> To: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; Ayuj Verma
> >> <ayverma@marvell.com>; Trahe, Fiona <fiona.trahe@intel.com>
> >> Cc: akhil.goyal@nxp.com; Kanaka Durga Kotamarthy
> >> <kkotamarthy@marvell.com>; Sunila Sahu <ssahu@marvell.com>;
> >> dev@dpdk.org
> >> Subject: RE: [PATCH 0/3] adding op-type crt sign and decrypt
> >>
> >> HI Arek,
> >>
> >> From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
> >> Sent: 11 February 2019 17:11
> >> To: Ayuj Verma <ayverma@marvell.com>; Trahe, Fiona
> >> <fiona.trahe@intel.com>; Shally Verma <shallyv@marvell.com>
> >> Cc: akhil.goyal@nxp.com
> >> Subject: [EXT] RE: [PATCH 0/3] adding op-type crt sign and decrypt
> >>
> >> External Email
> >> ________________________________________
> >> Hi Ayuj,
> >>
> >> Few comments from me.
> >>
> >> Some PMDs can only support RSA private key operations using CRT keys
> >> (quintuple) only. Thus it is required to add in PMD RSA xform
> >> capability which key type is supported to perform sign and decrypt ops.
> >>
> >>
> >> Thus add an another op_type RTE_CRYPTO_OP_TYPE_SIGN_CRT and
> >> RTE_CRYPTO_OP_TYPE_DECRYPT_CRT, which would mean perform an
> private
> >> key op using CRT keys (quintuple) only.
> >> [AK] - What would be the purpose of enum rte_crypto_rsa_priv_key_type
> >> key_type in RSA XFORM then?
> >>
> >> [Shally] PMDs, like openssl, can support private key ops with both
> >> key type i.e. one can invoke RSA_Sign() with quintuple keys or exponent
> keys.
> >> Openssl in its capability would reflect it support ops with both key types.
> >> that's why key_type is still required in xform.
> >
> >[AK] But still I wonder if we could not just use this enum to distinguish
> between crt and mod exp rsa?
> >I am not very keen on adding SIGN_CRT op type as it is RSA only.
> >Another option would be to add flags to rsa op like uint64_t flags;
> [Shally] Ok .. you mean as feature flag? Example,
> RTE_CRYPTODEV_ASYM_FF_RSA_PRIV_KEY_OP_CRT?
[AK] Yes.
> 
> Thanks
> Shally
> ...
> >> Regards,
> >> Arek