AES improvements on Intel CPUs
Stephan Mueller
smueller at chronox.de
Fri Feb 18 07:20:37 CET 2011
On Thursday, 17 February 2011, at 18:24:27, Werner Koch wrote:
Hi Werner,
>
> There is even a way to disable the use of AES-NI:
>
> @item GCRYCTL_DISABLE_HWF; Arguments: const char *name
Thank you very much for pointing that out.
>
> > I guess you know where I am coming from: it would be great when it is
> > possible for the caller/administrator (at least in FIPS mode) to allow
> > or disallow that AES-NI cipher use.
>
> If you run in FIPS mode, no hardware features will be detected. Of
> course that can easily be changed. Details need to be discussed;
> e.g. whether it is allowed to run the detection code in fips mode or
> whether it is sufficient to mask out the features which are not to be
> validated.
That sounds great.
As we all do not know what the next FIPS validation will cover, all that would
be interesting is an easy way (even with a small code change) to define which
cipher implementations will be available in FIPS mode and which not. And that
seems the case for AES-NI. I would guess that is also the case for padlock.
For example, is it possible to easily flip the FIPS switch for either padlock
or AES-NI in cipher.c:cipher_table?
Thanks
Stephan
--
| Cui bono? |
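The mechanism the two messages above discuss, as an added example that is not libgcrypt's code and not part of this thread: a table of detected CPU features, a deny list parsed from a GCRYCTL_DISABLE_HWF-style string (libgcrypt takes that argument through gcry_control, and the call has to precede library initialization, i.e. gcry_check_version, or the detected features are already in use), and a FIPS-mode policy that masks out everything not on an allow list, which is the "mask out the features which are not to be validated" option Werner mentions rather than skipping detection altogether. The feature names ("intel-aesni", "padlock-aes", ...), the bit assignments, the FIPS allow list and the cipher-table lookup are assumptions for illustration only; libgcrypt's real table and its FIPS behaviour may differ.

```c
/* Added example, not libgcrypt code: model of "detect hardware features,
 * then mask some out by name" as GCRYCTL_DISABLE_HWF exposes it, plus an
 * assumed FIPS-mode allow-list policy.  Names and bit values are invented
 * for this example. */
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define HWF_PADLOCK_AES   (1u << 0)
#define HWF_PADLOCK_SHA   (1u << 1)
#define HWF_INTEL_AESNI   (1u << 2)
#define HWF_INTEL_RDRAND  (1u << 3)

/* Assumed feature table: flag bit and the name an administrator would pass. */
static const struct { unsigned int flag; const char *name; } hwflist[] = {
    { HWF_PADLOCK_AES,  "padlock-aes"  },
    { HWF_PADLOCK_SHA,  "padlock-sha"  },
    { HWF_INTEL_AESNI,  "intel-aesni"  },
    { HWF_INTEL_RDRAND, "intel-rdrand" },
};
#define NHWF (sizeof hwflist / sizeof hwflist[0])

/* Best-effort CPUID probe for AES-NI and RDRAND on x86; returns 0 elsewhere.
 * CPUID leaf 1, ECX bit 25 = AES, bit 30 = RDRAND. */
unsigned int detect_hw_features(void)
{
    unsigned int hwf = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (__get_cpuid(1, &a, &b, &c, &d)) {
        if (c & (1u << 25)) hwf |= HWF_INTEL_AESNI;
        if (c & (1u << 30)) hwf |= HWF_INTEL_RDRAND;
    }
#endif
    return hwf;
}

/* Parse a disable-list argument: one feature name, or several separated by
 * ':' or ','; "all" disables every feature.  Unknown names are reported on
 * stderr rather than dropped silently, because a typo would otherwise leave
 * the feature in use without anyone noticing. */
unsigned int parse_disable_list(const char *arg)
{
    unsigned int mask = 0;
    char buf[256];
    if (!arg)
        return 0;
    strncpy(buf, arg, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":,"); tok; tok = strtok(NULL, ":,")) {
        if (!strcmp(tok, "all"))
            return ~0u;
        size_t i;
        for (i = 0; i < NHWF; i++) {
            if (!strcmp(tok, hwflist[i].name)) {
                mask |= hwflist[i].flag;
                break;
            }
        }
        if (i == NHWF)
            fprintf(stderr, "unknown hardware feature '%s' ignored\n", tok);
    }
    return mask;
}

/* Effective feature set: detected features minus the deny list.  In FIPS
 * mode (assumed policy) only features on the validated allow list survive,
 * so detection still runs but unvalidated code paths are never selected. */
unsigned int effective_features(unsigned int detected, unsigned int disabled,
                                int fips_mode, unsigned int fips_allowed)
{
    unsigned int hwf = detected & ~disabled;
    if (fips_mode)
        hwf &= fips_allowed;
    return hwf;
}

/* The cipher-table choice the thread asks about, driven by the effective mask. */
const char *select_aes_impl(unsigned int hwf)
{
    if (hwf & HWF_INTEL_AESNI) return "aes-ni";
    if (hwf & HWF_PADLOCK_AES) return "padlock";
    return "software";
}

int main(void)
{
    unsigned int detected = detect_hw_features();
    unsigned int disabled = parse_disable_list("intel-aesni");
    unsigned int hwf = effective_features(detected, disabled, 0, 0);
    printf("detected=0x%x effective=0x%x aes=%s\n",
           detected, hwf, select_aes_impl(hwf));
    /* FIPS mode with an empty allow list: everything falls back to software. */
    printf("fips: aes=%s\n", select_aes_impl(effective_features(detected, 0, 1, 0)));
    return 0;
}
```

The point of keeping detection and policy separate is that the deny list is an administrator override while the FIPS allow list is a build-time statement of what was validated; an implementation that merely skips detection in FIPS mode cannot later permit a validated AES-NI path without touching the detection code itself.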