OpenSSL with Linux kernel crypto API
Matt Caswell
matt at openssl.org
Fri Jan 13 10:15:14 UTC 2023
On 13/01/2023 05:08, Hareesh Das Ulleri wrote:
> Dear OpenSSL users,
>
> I have a few questions regarding OpenSSL 3.0.7 and Linux 5.10.
>
> Does OpenSSL 3.0.7 support the use of Linux Cryptodev or AF_ALGO? Or
> does it need any separate build configurations to work with the Linux kernel
> crypto API interface (is there any man page for this)? My understanding
> is that, by default, OpenSSL uses its own user-space crypto
> implementations (in libcrypto) without calling the Linux kernel for its
> crypto operations; please clarify.
>
Correct - OpenSSL implements its own userspace crypto without going
through the kernel (mostly). There is some kernel crypto use in the
following areas:
- There is an AFALG engine which provides some limited support to a few
afalg ciphers. But of course engines are considered legacy and using one
from within a provider is probably unwise.
- Libssl has some capabilities to integrate with the Kernel TLS module
to offload encryption/decryption of TLS records.
> Does OpenSSL recommend using the Kernel Crypto API interface driver to interact
> with HSM cryption kernel module?
OpenSSL makes no recommendation about this at all either way.
Matt
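
An added example, not part of the original message and not OpenSSL code: an AF_ALG request names a kernel algorithm (cbc(aes) is the kernel's name for AES-CBC), and the kernel resolves that name to the registered implementation with the highest priority, so listing the /proc/crypto entries for one algorithm shows whether a request would land on a hardware driver or on the generic software one. The sample input is constructed and abbreviated; the function names and the "examplehw" driver and module are hypothetical.

```shell
#!/bin/sh
# List kernel crypto API implementations of one algorithm, best priority first.
# Reads /proc/crypto-format text on stdin; prints "priority driver module type".
kernel_impls() {
    awk -v alg="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line-separated record per implementation
        {
            split("", f)               # clear fields left over from the previous record
            for (i = 1; i <= NF; i++) {
                p = index($i, ":")
                if (p == 0) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", k)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                f[k] = v
            }
            if (f["name"] == alg)
                print f["priority"], f["driver"], f["module"], f["type"]
        }' | sort -rn
}

# Constructed, abbreviated sample; the "examplehw" driver and module are hypothetical.
sample_proc_crypto() {
    cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : skcipher

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 100
type         : shash

name         : cbc(aes)
driver       : cbc-aes-examplehw
module       : examplehw_crypto
priority     : 400
type         : skcipher
EOF
}

# The first line printed is the implementation a request for cbc(aes) would get.
sample_proc_crypto | kernel_impls 'cbc(aes)'
# On a real host: kernel_impls 'cbc(aes)' < /proc/crypto
```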