rovided by the driver. The FreeBSD, OpenBSD and Linux kernels(2) include already a number of hardware assisted implementations, and also provide an interface to access them, called ‘/dev/crypto’. GnuTLS will take advantage of this interface if compiled with special options. That is because in most systems where hardware-assisted cryptographic operations are not available, using this interface might actually harm performance. In systems that include cryptographic instructions with the CPU's instructions set, using the kernel interface will introduce an unneeded layer. For this reason GnuTLS includes such optimizations found in popular processors such as the AES-NI or VIA PADLOCK instruction sets. This is achieved using a mechanism that detects CPU capabilities and overrides parts of crypto back-end at runtime. The next section discusses the registration of a detected algorithm optimization. For more information please consult the GnuTLS source code in ‘lib/accelerated/’. Overriding specific algorithms .............................. When an optimized implementation of a single algorithm is available, say a hardware assisted version of AES-CBC then the following functions, from ‘crypto.h’, can be used to register those algorithms. • *note gnutls_crypto_register_cipher::: To register a cipher algorithm. • *note gnutls_crypto_register_aead_cipher::: To register an AEAD cipher algorithm. • *note gnutls_crypto_register_mac::: To register a MAC algorithm. • *note gnutls_crypto_register_digest::: To register a hash algorithm. Those registration functions will only replace the specified algorithm and leave the rest of subsystem intact. Protecting keys through isolation --------------------------------- For asymmetric or public keys, GnuTLS supports PKCS #11 which allows operation without access to long term keys, in addition to CPU offloading. For more information see *note Hardware security modules and abstract key types::. ---------- Footnotes ---------- (1) See . (2) Check for the Linux kernel implementation of ‘/dev/crypto’.