[eqvinox]

If neither a hardware component nor kernel key management is involved, crypto should be done in userspace, end of sentence.

The more I think about it, the more I think it should be behind CAP_SYS_ADMIN, or a new CAP_KCRYPT (better name TBD. CAP_CRYPT_OFFLOAD?)

[angry_octet]

Yes it should definitely require a capability.

Still a risk that some admin-enabled method (like enabling an IPsec VPN) provides a path to it, but would reduce the potential for crafting weird inputs.

[angry_octet]

I'm also wondering if it couldn't be rewritten to use io_uring interfaces.

[eqvinox]

That's really orthogonal (and you can already do io_uring with AF_ALG, at the end of the day AF_ALG is just recvmsg() and sendmsg(), which work just fine in io_uring...)

[angry_octet]

I mean for more efficient and easier to verify out-of-kernel implementations of crypto with kernel like speeds.