Revision as of 07:31, 13 July 2010

Feature: Dev Crypto Userspace API

Summary

Allow the user space applications directly or indirectly through existing crypto libraries interfacing with the kernel crypto implementation.

Owner

Name: Tomáš Mráz

Email: tmraz AT redhat DOT com

Current status

Targeted release: Fedora XX
Last updated: 2010-07-13
Percentage of completion: 5%

Detailed Description

The /dev/crypto is a special device which is currently in development for the upstream kernel inclusion. This device allows user space applications to directly call the cryptographic routines that are part of the Linux kernel code. Similar device is available also on other kernels.

Separation of the cryptographic primitives into the kernel allows fulfilling the requirements of the new U.S. Government standards (such as FIPS-140-3) in regards to the implementation and usage of the cryptographic algorithms on general purpose operating systems.

This separation allows isolation of the private and secret keys from the user space applications so these critical security parameters (CSP) are not leaked in case the user space applications are for example exploited by malicious users. It also allows proper auditing of any administrative manipulation with these CSP.

Benefit to Fedora

Fedora will be able to declare being the leader in developing and enabling users of the cryptographic algorithms to comply with the newest government standards.

Scope

Required steps are:

/dev/crypto interface built into the kernel
user space library allowing easy access to the /dev/crypto interface

Optional steps (maybe a feature for Fedora 15):

PKCS#11 module directly pluggable into the Mozilla NSS crypto library
Configurable replacement of the crypto implementation in other system crypto libraries such as OpenSSL or libgcrypt

How To Test

The accomplishment of this feature does not require much testing. Mainly the testing will be provided by the tests included in the build of the user space API library. More testing will need to be done when the integration with the existing system crypto libraries is implemented. This testing will be necessary to ensure that by using this kernel API instead of the native crypto algorithm implementations the crypto algorithms supported still work correctly.

User Experience

Dependencies

Contingency Plan

Documentation

Release Notes

Comments and Discussion

See Talk:Features/YourFeatureName

@@ Line 41: / Line 41: @@
 == How To Test ==
-<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.
+The accomplishment of this feature does not require much testing. Mainly the testing will be provided by the tests included in the build of the user space API library. More testing will need to be done when the integration with the existing system crypto libraries is implemented. This testing will be necessary to ensure that by using this kernel API instead of the native crypto algorithm implementations the crypto algorithms supported still work correctly.
-Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
-A good "how to test" should answer these four questions:
-. What special hardware / data / etc. is needed (if any)?
-. How do I prepare my system to test this feature? What packages
-need to be installed, config files edited, etc.?
-. What specific actions do I perform to check that the feature is
-working like it's supposed to?
-. What are the expected results of those actions?
--->
 == User Experience ==

Search

Features/DevCrypto: Difference between revisions