From Fedora Project Wiki
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<!-- All fields on this form are required to be accepted by FESCo.
We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
<!-- The actual name of your feature page should look something like: Features/YourFeatureName.  This keeps all features in the same namespace -->
= Feature: Dev Crypto Userspace API =
= Feature: Dev Crypto Userspace API =


== Summary ==
== Summary ==
Allow the user space applications directly or indirectly through existing crypto libraries interfacing with the kernel crypto implementation.
Allow the user space applications directly or indirectly through existing crypto libraries interfacing with the kernel crypto implementation.
* This Feature is obsoleted by [[Features/CryptographyInKernel]].


== Owner ==
== Owner ==
* Name: [[User:Tmraz| Tomáš Mráz]]
* Name: [[User:Tmraz| Tomáš Mráz]]
* Email: [mailto:tmraz@redhat.com tmraz AT redhat DOT com]
* Email: [mailto:tmraz@redhat.com tmraz AT redhat DOT com]


== Current status ==
== Current status ==
* Targeted release: [[Releases/XX | Fedora XX ]]  
* Targeted release: [[Releases/14 | Fedora 14 ]]  
* Last updated: 2010-07-13
* Last updated: 2010-07-13
* Percentage of completion: 5%
* Percentage of completion: 5%
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->


== Detailed Description ==
== Detailed Description ==
Line 33: Line 26:
== Scope ==
== Scope ==
Required steps are:
Required steps are:
* /dev/crypto interface built into the kernel
* /dev/crypto interface built into the kernel
* user space library allowing easy access to the /dev/crypto interface
* user space library allowing easy access to the /dev/crypto interface


Optional steps (maybe a feature for Fedora 15):
Optional steps (maybe a feature for Fedora 15):
* PKCS#11 module directly pluggable into the Mozilla NSS crypto library
* PKCS#11 module directly pluggable into the Mozilla NSS crypto library
* Configurable replacement of the crypto implementation in other system crypto libraries
* Configurable replacement of the crypto implementation in other system crypto libraries such as OpenSSL or libgcrypt
  such as OpenSSL or libgcrypt


== How To Test ==
== How To Test ==
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
The accomplishment of this feature does not require much testing. Mainly the testing will be provided by the tests included in the build of the user space API library. More testing will need to be done when the integration with the existing system crypto libraries is implemented. This testing will be necessary to ensure that by using this kernel API instead of the native crypto algorithm implementations the crypto algorithms supported still work correctly.
 
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.
 
A good "how to test" should answer these four questions:
 
0. What special hardware / data / etc. is needed (if any)?
1. How do I prepare my system to test this feature? What packages
need to be installed, config files edited, etc.?
2. What specific actions do I perform to check that the feature is
working like it's supposed to?
3. What are the expected results of those actions?
-->


== User Experience ==
== User Experience ==
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
No visible changes.


== Dependencies ==
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this feature depends?  In other words, completion of another feature owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel feature)? -->
None external dependencies.


== Contingency Plan ==
== Contingency Plan ==
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->
None necessary for the required parts of the feature. We would simply not ship the library if it is not completed.


== Documentation ==
== Documentation ==
<!-- Is there upstream documentation on this feature, or notes you have written yourself?  Link to that material here so other interested developers can get involved. -->
* /dev/crypto: [http://home.gna.org/cryptodev-linux/]
*
* Public Git source tree: [http://repo.or.cz/w/cryptodev-linux.git]


== Release Notes ==
== Release Notes ==
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
*
* /dev/crypto kernel cryptographic algorithms interface for user space applications is available in Fedora 14. This feature allows calling the cryptographic algorithms implementations which are included in the kernel, directly from the user space applications and libraries. By separating the cryptographic implementations from the user space higher isolation of critical security parameters (such as private and secret keys) from the potentially exploitable user space code can be reached.


== Comments and Discussion ==
== Comments and Discussion ==
* See [[Talk:Features/YourFeatureName]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->
* This Feature is obsoleted by [[Features/CryptographyInKernel]].
 
* See [[Talk:Features/DevCrypto]]  <!-- This adds a link to the "discussion" tab associated with your page.  This provides the ability to have ongoing comments or conversation without bogging down the main feature page -->


[[Category:FeaturePageIncomplete]]
<!-- see https://fedoraproject.org/wiki/Features/CryptographyInKernel [[Category:FeatureReadyForFesco]] -->
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Latest revision as of 07:42, 15 July 2010

Feature: Dev Crypto Userspace API

Summary

Allow the user space applications directly or indirectly through existing crypto libraries interfacing with the kernel crypto implementation.

Owner

Current status

  • Targeted release: Fedora 14
  • Last updated: 2010-07-13
  • Percentage of completion: 5%

Detailed Description

The /dev/crypto is a special device which is currently in development for the upstream kernel inclusion. This device allows user space applications to directly call the cryptographic routines that are part of the Linux kernel code. Similar device is available also on other kernels.

Separation of the cryptographic primitives into the kernel allows fulfilling the requirements of the new U.S. Government standards (such as FIPS-140-3) in regards to the implementation and usage of the cryptographic algorithms on general purpose operating systems.

This separation allows isolation of the private and secret keys from the user space applications so these critical security parameters (CSP) are not leaked in case the user space applications are for example exploited by malicious users. It also allows proper auditing of any administrative manipulation with these CSP.

Benefit to Fedora

Fedora will be able to declare being the leader in developing and enabling users of the cryptographic algorithms to comply with the newest government standards.

Scope

Required steps are:

  • /dev/crypto interface built into the kernel
  • user space library allowing easy access to the /dev/crypto interface

Optional steps (maybe a feature for Fedora 15):

  • PKCS#11 module directly pluggable into the Mozilla NSS crypto library
  • Configurable replacement of the crypto implementation in other system crypto libraries such as OpenSSL or libgcrypt

How To Test

The accomplishment of this feature does not require much testing. Mainly the testing will be provided by the tests included in the build of the user space API library. More testing will need to be done when the integration with the existing system crypto libraries is implemented. This testing will be necessary to ensure that by using this kernel API instead of the native crypto algorithm implementations the crypto algorithms supported still work correctly.

User Experience

No visible changes.

Dependencies

None external dependencies.

Contingency Plan

None necessary for the required parts of the feature. We would simply not ship the library if it is not completed.

Documentation

  • /dev/crypto: [1]
  • Public Git source tree: [2]

Release Notes

  • /dev/crypto kernel cryptographic algorithms interface for user space applications is available in Fedora 14. This feature allows calling the cryptographic algorithms implementations which are included in the kernel, directly from the user space applications and libraries. By separating the cryptographic implementations from the user space higher isolation of critical security parameters (such as private and secret keys) from the potentially exploitable user space code can be reached.

Comments and Discussion