AES improvements on Intel CPUs
smueller at chronox.de
Fri Feb 18 07:20:37 CET 2011
On Thursday, 17 February 2011, at 18:24:27, Werner Koch wrote:
> There is even a way to disable the use of AES-NI:
> @item GCRYCTL_DISABLE_HWF; Arguments: const char *name
Thank you very much for pointing that out.
> > I guess you know where I am coming from: it would be great when it is
> > possible for the caller/administrator (at least in FIPS mode) to allow
> > or disallow that AES-NI cipher use.
> If you run in FIPS mode, no hardware features will be detected. Of
> course that can easily be changed. Details need to be discussed;
> e.g. whether it is allowed to run the detection code in fips mode or
> whether it is sufficient to mask out the features which are not to be
That sounds great.
As we all do not know what the next FIPS validation will cover, all that would
be interesting is an easy way (even with a small code change) to define which
cipher implementations will be available in FIPS mode and which will not. That
seems to be the case for AES-NI. I would guess that is also the case for padlock.
For example, is it possible to easily flip the FIPS switch for either padlock
or AES-NI in cipher.c:cipher_table?
| Cui bono? |