
wait... how do other systems such as APFS and ZFS do acceleration ?

Posted Mar 28, 2017 22:56 UTC (Tue) by tytso (✭ supporter ✭, #9993)
In reply to: wait... how do other systems such as APFS and ZFS do acceleration ? by tytso
Parent article: Inline encryption support for block devices

I should add there is one hardware crypto device that you can find in most laptops that will do signing, and that's the TPM. A few months ago, James Bottomley blogged[1] about interesting ways to use the TPM, including as a way of securing your SSH keys. (That's actually an encryption function, not a signing function, but the TPM can also do signature operations. Still, it's a good introduction to the TPM technology, so it's worth a read.)

[1] https://blog.hansenpartnership.com/using-your-tpm-as-a-se...

But a TPM is really not a crypto *accelerator*; in fact, pretty much all TPMs are incredibly S-L-O-W at doing crypto operations. So why does a TPM exist? Because it will only encrypt, decrypt, or sign messages on your behalf if you give it the correct password or PIN. And if you try too many bad passwords, the TPM will lock you out. So this is useful if you want to protect someone from stealing your password, since the password by itself won't be enough; they will also need to be able to get your laptop. It's also really good at making Jim Comey, head of the FBI, really angry. Oh, well. :-)

You can certainly use a TPM, or some other secure element, in conjunction with an in-line crypto engine. The two technologies are very complementary. This is why I want to make sure that whatever inline crypto encryption support gets landed in the upstream kernel can be easily extended to support device designs where the host CPU does not have access to the encryption keys, and where the keys are provisioned via some kind of secure element directly to the inline crypto engine.
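As an added illustration of the lockout behaviour the comment describes (this is example code, not from the comment, LWN, or any TPM software stack), a small Python model of TPM 2.0 dictionary-attack protection: the parameter names maxTries, recoveryTime and failedTries follow the TPM 2.0 specification, while the PIN, key label, timings and the HMAC standing in for a real TPM signature are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import hashlib, hmac, math

@dataclass
class TpmDaModel:
    """Model of TPM 2.0 dictionary-attack protection (constructed, not real TPM code)."""
    max_tries: int = 32           # maxTries: failures allowed before lockout
    recovery_time: int = 600      # recoveryTime: seconds until one failure is forgiven
    failed_tries: int = 0         # failedTries: persistent counter inside the TPM
    last_decay: int = 0           # model clock (s) of the last counter decay
    objects: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def create_key(self, label: str, pin: str, secret: bytes) -> None:
        # Key material never leaves the TPM; it is usable only with this PIN.
        self.objects[label] = (pin, secret)

    def _decay(self, now: int) -> None:
        # failedTries is decremented by one for every full recoveryTime elapsed.
        steps = (now - self.last_decay) // self.recovery_time
        if steps > 0:
            self.failed_tries = max(0, self.failed_tries - steps)
            self.last_decay += steps * self.recovery_time

    def sign(self, label: str, pin: str, msg: bytes, now: int) -> Optional[bytes]:
        """Return a MAC standing in for a TPM signature, or None if refused."""
        self._decay(now)
        if self.failed_tries >= self.max_tries:
            return None                 # locked out: even the right PIN is refused
        stored_pin, secret = self.objects[label]
        if not hmac.compare_digest(stored_pin.encode(), pin.encode()):
            self.failed_tries += 1      # only a wrong PIN advances the counter
            return None
        # A successful use does not reset failedTries; only the lockout
        # authorization (TPM2_DictionaryAttackLockReset) does.
        return hmac.new(secret, msg, hashlib.sha256).digest()

def days_to_exhaust(pin_space: int, max_tries: int, recovery_time: int) -> int:
    """Days needed to try every PIN in `pin_space` against this lockout policy."""
    if pin_space <= max_tries:
        return 0
    return math.ceil((pin_space - max_tries) * recovery_time / 86400)

if __name__ == "__main__":
    tpm = TpmDaModel(max_tries=3, recovery_time=600)
    tpm.create_key("ssh-key", "1234", b"constructed-key-material")
    for t, pin in enumerate(["0000", "1111", "2222", "1234"]):   # 3 bad PINs, then the right one
        print(t, tpm.sign("ssh-key", pin, b"m", now=t))          # all None: locked after 3 failures
    print(tpm.sign("ssh-key", "1234", b"m", now=600) is not None, days_to_exhaust(10_000, 32, 600))
```

With the default-like policy of 32 tries and a 10-minute recovery, exhausting a 4-digit PIN space takes about 70 days of uninterrupted physical access, which is the point of pairing a PIN with a TPM rather than relying on the PIN alone.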


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds