From 52344fe37304acae8a3140b1430324672861d749 Mon Sep 17 00:00:00 2001
From: jmg
Date: Tue, 14 Jul 2015 05:09:58 +0000
Subject: [PATCH] cryptodev is not needed for TCP_SIGNATURE... Comment that cryptodev shouldn't be used unless you know what you're doing... The various arm/mips and one powerpc configs that have cryptodev in them need to be addressed, audited if they provide benefit and removed if they don't...
---
 sys/conf/NOTES | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index fef0323dc377..d90cdb4e65ec 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -997,8 +997,7 @@ options ACCEPT_FILTER_HTTP
 # carried in TCP option 19. This option is commonly used to protect
 # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
 # This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
-# This requires the use of 'device crypto', 'options IPSEC'
-# or 'device cryptodev'.
+# This requires the use of 'device crypto' and 'options IPSEC'.
 options TCP_SIGNATURE #include support for RFC 2385
 # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
@@ -2817,6 +2816,10 @@ options DCONS_FORCE_GDB=1 # force to be the gdb device
 # been fed back to OpenBSD.
 device crypto # core crypto support
+
+# Only install the cryptodev device if you are running tests, or know
+# specificly why you need it. Most cases, it is not needed and will
+# make things slower.
 device cryptodev # /dev/crypto for access to h/w
 device rndtest # FIPS 140-2 entropy tester
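Review bot: The comment added above `device cryptodev` in the second hunk has a typo and gives only a vague performance reason for leaving the device out. `specificly` should be `specifically`, and `Most cases, it is not needed` reads better as `In most cases it is not needed`. The device line itself describes cryptodev as `/dev/crypto for access to h/w`, so the comment could also say that it exposes the kernel crypto framework to userland; presumably that is the stronger reason to omit it from configs that do not need it, and the author should confirm what exactly gets slower. Suggested wording: `# Only install the cryptodev device if you are running tests, or know`, `# specifically why you need it. In most cases it is not needed; it exposes`, `# /dev/crypto to userland and will make things slower.`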