From 07012109f0893cfb39ce1108760d58fdb8230eda Mon Sep 17 00:00:00 2001 From: Yogaraj Alamenda Date: Thu, 23 Mar 2023 13:23:32 +0530 Subject: [PATCH] Readme Update for v1.0.0 with QAT_HW v2.0 information. Signed-off-by: Yogaraj Alamenda --- README.md | 68 ++++++++++++--------- configure.ac | 4 +- docs/config_options.md | 108 ++++++++++++++++++++-------------- docs/features.md | 24 ++++---- docs/hardware_requirements.md | 21 ++++--- docs/limitations.md | 2 - docs/qat_hw.md | 4 +- docs/qat_hw_algo.md | 34 +++++++++++ docs/software_requirements.md | 23 +++++--- e_qat.c | 6 +- qat_prov_ciphers.c | 8 +-- qat_provider.h | 4 +- qatengine-sw.spec | 5 +- qatengine.spec | 5 +- 14 files changed, 198 insertions(+), 118 deletions(-) create mode 100644 docs/qat_hw_algo.md diff --git a/README.md b/README.md index 4dc13a93..aa8a2c71 100644 --- a/README.md +++ b/README.md @@ -49,11 +49,12 @@ Installation consists of the following: | Platform | Getting Started Guide | |----| -| -|Intel® Xeon® with Intel® C62X Series Chipset
Intel® Atom™ Processor
Intel® Communications Chipset 8925 to 8955 Series:|Intel® QuickAssist Technology Software for Linux\* - [Getting Started Guide - HW version 1.7 (336212)](https://01.org/sites/default/files/downloads/336212007qatswgsg.pdf) | +|Intel® Xeon® with Intel® C62X Series Chipset
Intel® Atom™ Processor with Intel® C3xx series
Intel® Communications Chipset 8925 to 8955 Series|Intel® QAT Software for Linux\* - [Getting Started Guide Hardware v1.x CE Release](https://cdrdv2.intel.com/v1/dl/getContent/710059) | +|Intel® Xeon® Scalable Processor family with Intel® QAT Gen4/Gen4m| Intel® QAT Software for Linux\* - [Getting Started Guide Hardware v2.0](https://cdrdv2.intel.com/v1/dl/getContent/632506) | Other technical collaterals of the Intel® QuickAssist Technology driver can be found in the below page. -- [Intel® QuickAssist Technology](https://developer.intel.com/quickassist) +* [Intel® QuickAssist Technology](https://developer.intel.com/quickassist) ## Contiguous memory driver 
@@ -65,22 +66,23 @@ drivers: ### User Space DMA-able Memory (USDM) Component -The Intel® QAT Driver HW Version 1.7 comes with its own +The Intel® QAT Driver for QAT_HW comes with its own contiguous pinned memory driver that is compatible with the Intel® QAT OpenSSL\* Engine. The USDM component is of a higher quality than the qat\_contig\_mem driver provided within the Intel® QAT OpenSSL\* Engine, and is the preferred option. The USDM component is used by the Intel® QAT -Driver HW Version 1.7 itself, and also has the following additional features: +Driver itself, and also has the following additional features: * Support for virtualization * Support for configurable slab sizes * Support for configurable secure freeing of memory (overwrite with zeros) * Support for configurable slab caching * Support for newer kernels +* Support for thread specific memory to avoid locks (QAT_HW Version 1.7 & 1.8 only) -The USDM component is located within the Intel® QAT Driver HW Version 1.7 +The USDM component is located within the Intel® QAT Driver for QAT_HW source code in the following subdirectory: `quickassist/utilities/libusdm_drv`. -As the USDM component is also used by the 1.7 driver itself it will have +As the USDM component is also used by the QAT_HW driver itself it will have already been built when the driver was built. It may also already be loaded as well, and you can check by running `lsmod` and looking for usdm_drv in the list. If not present it can be loaded as follows: @@ -88,6 +90,13 @@ If not present it can be loaded as follows: ```bash modprobe usdm_drv.ko ``` +The USDM thread specific memory can be enabled in QAT_HW driver using the below +configure flags in driver build which is only needed for multithreaded +application for performance improvement. + +```bash +./configure --enable-icp-thread-specific-usdm --enable-128k-slab +``` #### Example contiguous memory driver - qat\_contig\_mem @@ -131,12 +140,12 @@ following:
-Install OpenSSL* (Note this step is not required if OpenSSL* 1.1.1 is already installed) +Install OpenSSL* (Note this step is not required if OpenSSL* 1.1.1 or 3.0 is already installed) ## Build OpenSSL\* This step is not required if building the Intel® QAT OpenSSL\* Engine -against system prebuilt OpenSSL\* 1.1.1. When using the prebuild system OpenSSL library +against system prebuilt OpenSSL\* 1.1.1 or 3.0. When using the prebuild system OpenSSL library the engine library is installed in the system OpenSSL engines directory. Clone OpenSSL\* from Github\* at the following location: @@ -150,10 +159,6 @@ and 3.0 are only supported. Due to the nature of the Intel® QAT OpenSSL\* Engine being a dynamic engine it can only be used with shared library builds of OpenSSL\*. -Note: The OpenSSL\* 1.1.0 and 1.1.1 baselines build as a shared library by -default now so there is no longer any need to specify the `shared` option when -running `./config`. - Note: It is not recommended to install the accelerated version of OpenSSL\* as your default system library. If you do, you may find that acceleration is used unexpectedly by other applications on the system resulting in @@ -208,10 +213,12 @@ important to tell OpenSSL\* where to find the dynamic engines at runtime. This is achieved by exporting the following environment variable (assuming the example paths above): - export OPENSSL_ENGINES=/usr/local/ssl/lib/engines-1.1 + OpenSSL 1.1.1: export OPENSSL_ENGINES=/usr/local/ssl/lib/engines-1.1 + + OpenSSL 3.0: export OPENSSL_ENGINES=/usr/local/ssl/lib64/engines-3 Note: This variable will need to be present in the environment whenever the -engine is used. +engine is used and not needed when provider is used. Load/Initialize Engine using the OpenSSL\* config file is located [here](docs/openssl_config.md) @@ -251,16 +258,16 @@ Here are a few example builds that demonstrate how the Intel® QAT OpenSSL\* Engine can be configured to use qat_hw and/or qat_sw.
-Example 1: qat_hw target with OpenSSL\* 1.1.1 built from source +Example 1: qat_hw target with OpenSSL\* 1.1.1 or 3.0 built from source
The following example is assuming: * The Intel® QAT OpenSSL\* Engine was cloned to its own location at the root of the drive: `/`. -* The Intel® QAT Driver was unpacked within `/QAT` and using +* The Intel® QAT Driver version 1.7 or 2.0 was unpacked within `/QAT` and using the USDM component. -* OpenSSL\* 1.1.1 built from source is being used and installed to `/usr/local/ssl`. +* OpenSSL\* 1.1.1 or 3.0 built from source is being used and installed to `/usr/local/ssl`. To build and install the Intel® QAT OpenSSL\* Engine: @@ -275,11 +282,20 @@ make install In the above example this will create the file `qatengine.so` and copy it to `/usr/local/ssl/lib/engines-1.1`. + +For building QAT Engine against qatlib(intree driver) from source which is +installed to default location "/usr/local" use `--with-qat_hw_dir=/usr/local` +or provide the path that is used in the prefix to build qatlib. + +If qatlib is installed via RPM then `-with-qat_hw_dir` is not needed as +qatengine automatically picks qatlib libraries and header from default +location `/usr/lib64`. +
-Example 2: qat_hw target with Prebuilt OpenSSL\* 1.1.1 +Example 2: qat_hw target with Prebuilt OpenSSL\* 1.1.1 or 3.0
The following example is assuming: @@ -288,7 +304,7 @@ The following example is assuming: * The Intel® QAT Driver was unpacked within `/QAT` and using the USDM component. * Prebuilt OpenSSL\* (both library and devel RPM packages) are installed in - the system and the OpenSSL\* version is in the `1.1.1` series. + the system and the OpenSSL\* version is in the `1.1.1 or 3.0` series. To build and install the Intel® QAT OpenSSL\* Engine: @@ -302,17 +318,11 @@ In the above example this will create the file `qatengine.so` and copy it to the engines dir of the system which can be checked using `pkg-config --variable=enginesdir libcrypto`. -If OpenSSL\* version in the system can not be updated to 1.1.1 series, then -the engine needs to be built from source using the option -`--with-openssl_install_dir`. An additional option `--with-openssl_dir` pointing -to the top directory of the OpenSSL\* source needs to be provided for regenerating -err files if there are any new error messages added/deleted in the source code. -
-Example 3: qat_hw + qat_sw target with Prebuilt OpenSSL\* 1.1.1 +Example 3: qat_hw + qat_sw target with Prebuilt OpenSSL\* 1.1.1 or 3.0
The following example is assuming: @@ -322,7 +332,7 @@ The following example is assuming: * The Intel® QAT Driver was unpacked within `/QAT` and using the USDM component. * Intel® Multi-Buffer Crypto for IPsec Library was installed to the default path -* OpenSSL\* 1.1.1 built from source is being used and installed to `/usr/local/ssl`. +* OpenSSL\* 1.1.1 or 3.0 built from source is being used and installed to `/usr/local/ssl`. To build and install the Intel® QAT OpenSSL\* Engine: @@ -345,7 +355,7 @@ make install
-Example 4: qat_sw target with Prebuilt OpenSSL\* 1.1.1 +Example 4: qat_sw target with Prebuilt OpenSSL\* 1.1.1 or 3.0
The following example is assuming: @@ -356,7 +366,7 @@ The following example is assuming: (/usr/local). * The Intel® Multi-Buffer crypto for IPsec Library was installed to its default path (/usr/). (Optional if QAT SW AES-GCM support is not needed). -* Prebuilt OpenSSL\* 1.1.1 from the system is used. +* Prebuilt OpenSSL\* 1.1.1 or 3.0 from the system is used. To build and install the Intel® QAT OpenSSL\* Engine with QAT Software support: diff --git a/configure.ac b/configure.ac index d1558ee4..94faeda9 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.68]) -AC_INIT([qatengine], [0.6.19], []) +AC_INIT([qatengine], [1.0.0], []) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_AUX_DIR([.]) @@ -507,8 +507,6 @@ if test "x$enable_qat_insecure_algorithms" = "xyes" then AC_MSG_NOTICE([Insecure Algorithms enabled]) cflags_common="${cflags_common} -DQAT_INSECURE_ALGO" - AC_SUBST([enable_qat_hw_dsa], ["yes"]) - AC_SUBST([enable_qat_hw_dh], ["yes"]) else AC_MSG_NOTICE([Insecure Algorithms disabled]) AC_SUBST([enable_qat_hw_dsa], ["no"]) diff --git a/docs/config_options.md b/docs/config_options.md index a3a9d3f6..cf7d29c0 100644 --- a/docs/config_options.md +++ b/docs/config_options.md 
@@ -6,11 +6,11 @@ The following is a list of the options that can be used with the ### qat_hw options: ``` --with-qat_hw_dir=/path/to/qat_driver - Specify the path to the source code directory of the Intel(R) QAT Driver. This path - is needed for compilation in order to locate the Intel(R) QAT header files. - For example if using Intel(R) QAT Driver HW version 1.7 package that was + Specify the path to the source code directory of the Intel(R) QAT Driver. + This path is needed for compilation in order to locate the Intel(R) QAT + header files. For example if using Intel(R) QAT Driver package that was unpacked to `/QAT` you would use the following setting: - --with-qat_dir=/QAT + --with-qat_hw_dir=/QAT This option is not required when building against the in-tree driver installed via qatlib RPM. @@ -100,10 +100,10 @@ The following is a list of the options that can be used with the You only need to specify this parameter if the Intel(R) IPSec_MB library files have been built somewhere other than the default. ---enable-qat_hw_contig_mem/--disable-qat_hw_contig_mem - Enable/Disable compiling against the qat_contig_mem driver supplied within +--enable-qat_hw_contig_mem + Enables build against the qat_contig_mem driver supplied within QAT Engine instead of the USDM component distributed with the Intel(R) QAT - Driver HW Version 1.7 (disabled by default). + Driver (disabled by default). --with-qat_hw_usdm_dir=/path/to/usdm/directory Specify the path to the location of the USDM component. The default if not @@ -133,9 +133,6 @@ The following is a list of the options that can be used with the --disable-qat_hw_ecdsa/--enable-qat_hw_ecdsa Disable/Enable Intel(R) QAT Hardware ECDSA acceleration (enabled by default). ---disable-qat_hw_gcm/--enable-qat_hw_gcm - Disable/Enable Intel(R) QAT Hardware AES-GCM acceleration (disabled by default). - --disable-qat_hw_ciphers/--enable-qat_hw_ciphers Disable/Enable Intel(R) QAT Hardware Chained Cipher acceleration (enabled by default). 
@@ -143,14 +140,20 @@ The following is a list of the options that can be used with the --disable-qat_hw_prf/--enable-qat_hw_prf Disable/Enable Intel(R) QAT Hardware PRF acceleration (enabled by default). +--disable-qat_hw_ecx/--enable-qat_hw_ecx + Disable/Enable Intel(R) QAT Hardware X25519/X448 acceleration (enabled by default). + --disable-qat_hw_hkdf/--enable-qat_hw_hkdf Disable/Enable Intel(R) QAT Hardware HKDF acceleration (disabled by default). ---disable-qat_hw_ecx/--enable-qat_hw_ecx - Disable/Enable Intel(R) QAT Hardware X25519/X448 acceleration (enabled by default). +--disable-qat_hw_gcm/--enable-qat_hw_gcm + Disable/Enable Intel(R) QAT Hardware AES-GCM acceleration (disabled by default). --disable-qat_hw_sm4_cbc/--enable-qat_hw_sm4_cbc - Disable/Enable Intel(R) QAT Hardware SM4-CBC acceleration (disabled by default). + Disable/Enable Intel(R) QAT Hardware SM4-CBC acceleration.(disabled by default) + This flag is valid only on 4xxx(QAT gen 4 devices) as the support is not available + for earlier generations of QAT devices (e.g. c62x, dh895xxcc, etc.) and QAT Engine + is built with BabaSSL only --disable-qat_hw_sha3/--enable-qat_hw_sha3 Disable/Enable Intel(R) QAT Hardware SHA-3 acceleration (disabled by default). 
@@ -193,51 +196,54 @@ The following is a list of the options that can be used with the This flag is valid only when QAT SW acceleration is enabled using the flag '--enable-qat_sw' (enabled by default if qat_sw is enabled). ---disable-qat_sw_sm4_cbc/--enable-qat_sw_sm4_cbc - Disable/Enable Intel(R) QAT Software SM4-CBC acceleration. - This flag is valid only when QAT SW acceleration is enabled using the flag - '--enable-qat_sw' (disabled by default if qat_sw is enabled). - --disable-qat_sw_sm3/--enable-qat_sw_sm3 Disable/Enable Intel(R) QAT Software SM3 acceleration. This flag is valid only when QAT SW acceleration is enabled using the flag '--enable-qat_sw' (disabled by default). +--disable-qat_sw_sm4_cbc/--enable-qat_sw_sm4_cbc + Disable/Enable Intel(R) QAT Software SM4-CBC acceleration. + This flag is valid only when QAT SW acceleration is enabled using the + flag '--enable-qat_sw' and QAT Engine is built with BabaSSL only + (disabled by default if qat_sw is enabled). + --disable-qat_sw_sm4_gcm/--enable-qat_sw_sm4_gcm Disable/Enable Intel(R) QAT Software SM4-GCM acceleration. - This flag is valid only when QAT SW acceleration is enabled using the flag - '--enable-qat_sw' (disabled by default if qat_sw is enabled). + This flag is valid only when QAT SW acceleration is enabled using the + flag '--enable-qat_sw' and QAT Engine is built with BabaSSL only + (disabled by default if qat_sw is enabled). --disable-qat_sw_sm4_ccm/--enable-qat_sw_sm4_ccm Disable/Enable Intel(R) QAT Software SM4-CCM acceleration. - This flag is valid only when QAT SW acceleration is enabled using the flag - '--enable-qat_sw' (disabled by default if qat_sw is enabled). + This flag is valid only when QAT SW acceleration is enabled using the + flag '--enable-qat_sw' and QAT Engine is built with BabaSSL only + (disabled by default if qat_sw is enabled). 
---disable-qat_small_pkt_offload/--enable-qat_small_pkt_offload +--enable-qat_small_pkt_offload Enable the acceleration of small packet cipher operations to Intel(R) QAT Hardware. When disabled, these operations are performed using the CPU (disabled by default). ---disable-qat_warnings/--enable-qat_warnings - Disable/Enable warnings to aid debugging. Warning: This option should never +--enable-qat_warnings + Enable warnings to aid debugging. Warning: This option should never be left on in a production environment as it may introduce side channel timing attack vulnerabilities (disabled by default). ---disable-qat_debug/--enable-qat_debug - Disable/Enable debug output to aid debugging. This will also enable the +--enable-qat_debug + Enable debug output to aid debugging. This will also enable the warning messages above. Warning: This option should never be enabled in a production environment as it may output private key information to the console/logs and may also introduce side channel timing attack vulnerabilities (disabled by default). ---disable-qat_mem_warnings/--enable-qat_mem_warnings - Disable/Enable warnings from the userspace memory management code to aid +--enable-qat_mem_warnings + Enable warnings from the userspace memory management code to aid debugging. Warning: This option should never be left on in a production environment as it may introduce side channel timing attack vulnerabilities (disabled by default). ---disable-qat_mem_debug/--enable-qat_mem_debug - Disable/Enable debug output from the userspace memory management code to +--enable-qat_mem_debug + Enable debug output from the userspace memory management code to aid debugging. This will also enable the warning messages above. This option produces quite verbose output hence why it is separate to the standard debug. Warning: This option should never be enabled in a 
@@ -268,8 +274,8 @@ The following is a list of the options that can be used with the can be used to set engine id as "qat" for application that still uses older engine id within the application(disabled by default). ---disable-qat_hw_multi_thread/--enable-qat_hw_multi_thread - Disable/Enable an alternative way of managing within userspace the pinned +--enable-qat_hw_multi_thread + Enable an alternative way of managing within userspace the pinned contiguous memory allocated by the qat_contig_mem driver. This alternative method will give improved performance in a multi-threaded environment by making the slab pools thread local to avoid locking between threads. 
@@ -287,13 +293,25 @@ The following is a list of the options that can be used with the performance benefit (disabled by default). --enable-qat_plock - Enables Plock optimization within QAT Engine which is an alternative to - pthread's rwlock for multithread application. This flag when enabled uses - plock using preload as mentioned in QAT Engine install instructions and - improves performance for higher number of thread (disabled by default). + Enables Plock optimization within QAT Engine which is an alternative to + pthread's rwlock for multithread application. This flag when enabled uses + plock using preload as mentioned in QAT Engine install instructions and + improves performance for higher number of threads (disabled by default). + +--enable-qat_ntls + Enable ntls in engine for handing NTLS requests which is needed for SMx + with BabaSSL (disabled by default). + +--enable-qat_insecure_algorithms + Enables insecure algorithms RSA < 2048, DH, DSA, ECDH curves with bitlen + < 256, ECDSA Curves with bitlen < 256, AES128-CBC-HMAC-SHA1, + AES256-CBC-HMAC-SHA1 & SHA3-224. These insecure algorithms are disabled + by default. QAT HW driver version v1.7 needs to be built with the flag + `./configure --enable-legacy-algorithms` to enable these algorithms + (disabled by default). ---disable-qat_hw_lenstra_protection/--enable-qat_hw_lenstra_protection - Disable/Enable protection against Lenstra attack (CVE-2017-5681) +--disable-qat_hw_lenstra_protection + Disable protection against Lenstra attack (CVE-2017-5681) (protection is enabled by default). The RSA-CRT implementation in the Intel(R) QAT OpenSSL* Engine, for OpenSSL* versions prior to v0.5.19, may allow remote attackers to obtain private RSA keys by conducting a 
@@ -313,8 +331,8 @@ The following is a list of the options that can be used with the Enable Lenstra Verify using QAT HW instead of OpenSSL Software method. (disabled by default). ---disable-qat_auto_engine_init_on_fork/--enable-qat_auto_engine_init_on_fork - Disable/Enable the engine from being initialized automatically following a +--disable-qat_auto_engine_init_on_fork + Disable the engine from being initialized automatically following a fork operation. This is useful in a situation where you want to tightly control how many instances are being used for processes. For instance if an application forks to start a process that does not utilize QAT currently @@ -324,13 +342,13 @@ The following is a list of the options that can be used with the INIT_ENGINE or will automatically get initialized on the first QAT crypto operation. The initialization on fork is enabled by default. ---enable-qat_sw_heuristic_timeout/--disable-qat_sw_heuristic_timeout - Disable/Enable self tuning of the timeout in the polling thread in the +--enable-qat_sw_heuristic_timeout + Enable self tuning of the timeout in the polling thread in the Intel(R) QAT SW. This flag is valid only incase of QAT SW (disabled by default). ---disable-qat_cycle_counts/--enable-qat_cycle_counts - Disable/Enable cycle count measurement in the qat_sw acceleration. +--enable-qat_cycle_counts + Enable cycle count measurement in the qat_sw acceleration. This support is only extended to qat_sw acceleration code path (disabled by default). diff --git a/docs/features.md b/docs/features.md index 077fe723..f0082f8d 100644 --- a/docs/features.md +++ b/docs/features.md 
@@ -3,7 +3,7 @@ ## qat_hw Features * Synchronous and [Asynchronous](async_job.md) Operation * Asymmetric PKE Acceleration - * RSA Support for Key Sizes 1024/2048/4096. + * RSA Support for Key Sizes 512/1024/2048/4096. * DH Support for Key Sizes 768/1024/1536/2048/3072/4096. * DSA Support for Key Sizes 160/1024, 224/2048, 256/2048, 256/3072. * ECDH Support for the following curves: @@ -18,16 +18,20 @@ * Symmetric Chained Cipher acceleration with pipelining capability: * AES128-CBC-HMAC-SHA1/AES256-CBC-HMAC-SHA1. * AES128-CBC-HMAC-SHA256/AES256-CBC-HMAC-SHA256. -* The following algorithms are supported when using 4xxx (QAT gen4 devices) only - * RSA8K - * SM4-CBC - * SHA3-224/256/384/512 - * ChaCha20-Poly1305 +* Symmetric ciphers AES128-GCM and AES256-GCM * Pseudo Random Function (PRF) Acceleration. * [HMAC Key Derivation Function (HKDF) Acceleration.](qat_hw.md#intel-qat-openssl-engine-hkdf-support) * [Pipelined Operations](qat_hw.md#using-the-openssl-pipelining-capability) * [Intel® QAT OpenSSL\* Engine Software Fallback](qat_hw.md#intel-qat-openssl-engine-software-fallback-feature) * [BoringSSL Support](bssl_support.md) +* Algorithms specific to Hardware driver v2.0 and qatlib(QAT gen4 devices) + * RSA8K + * DH8K + * SM4-CBC (Not supported in qatlib) + * SHA3-224/256/384/512 + * ChaCha20-Poly1305 + +Please refer [here](qat_hw_algo.md) for supported platforms list and default behaviour. ## qat_sw Features * [Intel® QAT Software Acceleration for Asymmetric PKE and AES-GCM](qat_sw.md) 
@@ -39,10 +43,10 @@ * ECDSA Support for the following curves: * NIST Prime Curves: P-256/P-384 * SM2 - * SM3 Hash Support using 16 Multibuffer requests (Experimental). - * SM4-CBC Support using 16 Multibuffer requests. - * SM4-GCM Support using 16 Multibuffer requests. - * SM4-CCM Support using 16 Multibuffer requests. + * SM3 Hash Support using 16 Multibuffer requests (Experimental) + * SM4-CBC Support using 16 Multibuffer requests (BabaSSL only) + * SM4-GCM Support using 16 Multibuffer requests (BabaSSL only) + * SM4-CCM Support using 16 Multibuffer requests (BabaSSL only) * AES128-GCM, AES192-GCM and AES256-GCM ## Common Features to qat_hw & qat_sw diff --git a/docs/hardware_requirements.md b/docs/hardware_requirements.md index 23cf1fcb..9cd0c369 100644 --- a/docs/hardware_requirements.md +++ b/docs/hardware_requirements.md 
@@ -5,16 +5,19 @@ This Intel® QAT OpenSSL\* Engine supports crypto Hardware acceleration to the following acceleration devices: -* [Intel® Xeon® with Intel® C62X Series Chipset][1] -* [Intel® Atom™ Processor C3000][2] -* [Intel® Communications Chipset 8925 to 8955 Series][3] - -[1]:https://www.intel.com/content/www/us/en/design/products-and-solutions/processors-and-chipsets/purley/intel-xeon-scalable-processors.html -[2]:https://www.intel.com/content/www/us/en/design/products-and-solutions/processors-and-chipsets/denverton/ns/atom-processor-c3000-series.html -[3]:https://www.intel.com/content/www/us/en/ethernet-products/gigabit-server-adapters/quickassist-adapter-8950-brief.html +* [Intel® Xeon® Scalable Processor family with Intel® QAT Gen4/Gen4m][1] +* [Intel® QuickAssist Adapter 8970][2] +* [Intel® QuickAssist Adapter 8960][3] +* [Intel® QuickAssist Adapter 8950][4] +* [Intel® Atom™ Processor C3000][5] ## qat_sw Requirements -The [qat_sw features](features.md#qat_sw-features) are only supported in the platforms starting with [3rd Generation Intel® Xeon® Scalable Processors family][4] +The [qat_sw features](features.md#qat_sw-features) are only supported in the platforms starting with [3rd Generation Intel® Xeon® Scalable Processors family][6] and later. 
-[4]:https://www.intel.com/content/www/us/en/products/docs/processors/xeon/3rd-gen-xeon-scalable-processors-brief.html +[1]:https://www.intel.com/content/www/us/en/products/docs/processors/xeon-accelerated/4th-gen-xeon-scalable-processors.html +[2]:https://www.intel.com/content/www/us/en/products/sku/125200/intel-quickassist-adapter-8970/downloads.html +[3]:https://www.intel.com/content/www/us/en/products/sku/125199/intel-quickassist-adapter-8960/downloads.html +[4]:https://www.intel.com/content/www/us/en/products/sku/80371/intel-communications-chipset-8950/specifications.html +[5]:https://www.intel.com/content/www/us/en/design/products-and-solutions/processors-and-chipsets/denverton/ns/atom-processor-c3000-series.html +[5]:https://www.intel.com/content/www/us/en/products/docs/processors/xeon/3rd-gen-xeon-scalable-processors-brief.html diff --git a/docs/limitations.md b/docs/limitations.md index 18ec15d5..34a5a403 100644 --- a/docs/limitations.md +++ b/docs/limitations.md @@ -59,8 +59,6 @@ the system using the QAT engine in versions of the ssh application before OpenSSH 8.7. The issue has been fixed with this commit [c9f7bba][4] . This update can be applied to sshd to work-around the issue. -* Failures with QAT_HW SHA3 for 0 bytes file, Big file with multiple SHA3 update and - HMAC with SHA3. * Known issue with QAT_SW SM2 in ntls mode since QAT_SW SM2 doesn't have plain sign and verify operation support in engine. Disable QAT_SW SM2 to workaround the issue with ntls. No issues with TLS mode since it uses digestsign and digestverify which is supported. diff --git a/docs/qat_hw.md b/docs/qat_hw.md index 2d43770c..f57d311e 100644 --- a/docs/qat_hw.md +++ b/docs/qat_hw.md 
@@ -69,8 +69,8 @@ qatlib RPM. ### Additional Information Additional information on this Heartbeat feature can be found in: -Intel® QuickAssist Technology Software for Linux\* - Programmer's Guide - HW -version 1.7 (336210) - Section 3.17 Heartbeat. +Intel® QAT Software for Linux\* - Programmer's Guide: Hardware +v1.x CE Release - Section 3.17 Heartbeat. This document can be found on the 01.org website at the following hyperlink: * [Intel® QuickAssist Technology Programmer's Guide][2] diff --git a/docs/qat_hw_algo.md b/docs/qat_hw_algo.md new file mode 100644 index 00000000..33b9e86d --- /dev/null +++ b/docs/qat_hw_algo.md @@ -0,0 +1,34 @@ +# QAT_HW Algorithms list, its supported platforms and default behaviour + +| QAT_HW Algorithms | v1.7 | v1.8 | v2.0 | qatlib(intree) | +| :---: | :---: | :---: | :---: | :---: | +| RSA Key size < 2048 | ** | ** | ** | ** | +| RSA Key size >= 2048 <= 4096 | * | * | * | * | +| RSA Key size 8192 | | | | * | +| ECDSA Curves with bitlen < 256 | ** | ** | ** | ** | +| ECDSA Curves with bitlen >= 256 | * | * | * | * | +| ECDH Curves with bitlen < 256| ** | ** | ** | ** | +| ECDH Curves with bitlen >= 256 | * | * | * | * | +| ECDH X25519 & X448(ECX)| * | * | * | * | +| DSA | ** | ** | ** | ** | +| DH key size < 8192 | ** | ** | ** | ** | +| DH key size >=8192 | | | | ** | +| HKDF | *** | *** | *** | *** | +| PRF | * | * | * | * | +| AES-128-GCM | *** | *** | *** | *** | +| AES-256-GCM | *** | *** | *** | *** | +| AES128_CBC_HMAC_SHA1 | ** | ** | ** | ** | +| AES256_CBC_HMAC_SHA1 | ** | ** | ** | ** | +| AES128_CBC_HMAC_SHA256 | * | * | * | * | +| AES256_CBC_HMAC_SHA256 | * | * | * | * | +| SHA3-224 | | ** | ** | ** | +| SHA3-256/384/512 | | *** | *** | *** | +| ChachaPoly | | *** | *** | *** | +| SM4-CBC | | # | # | | + +\* Enabled in the default build of qatengine for the specified platforms when `--with-qat_hw_dir` is provided in qatengine/qatprovider build configure.
+\** Insecure algorithms which are disabled by default in QAT_HW driver version 1.7 & 1.8 and qatengine/qatprovider. Can be enabled using configure flag `--enable-qat_insecure_algorithms`. Driver will also needs to be built with the flag `./configure --enable-legacy-algorithms` to enable these algortihms at driver.
+\*** Algorithms disabled by default as those are experimental.
+\# Disabled by default as it is specific to BabaSSL and not applicable to OpenSSL. To be enabled when qatengine is built with BabaSSL. + +Please refer [config_options](config_options.md) on details about algorithm enable/disable flags. diff --git a/docs/software_requirements.md b/docs/software_requirements.md index 6f6c9718..87829897 100644 --- a/docs/software_requirements.md +++ b/docs/software_requirements.md @@ -7,10 +7,11 @@ Technology Driver for Linux or Intel® QuickAssist Technology Driver for FreeBSD. This release was validated on the following: * Operating system: CentOS* 8.4, Ubuntu\* 20.04.2 LTS & FreeBSD\* 12.3 -* Intel® Communications Chipset C62X Series Software for Linux\*, version **4.20** -* Intel® Communications Chipset C62X Series Software for FreeBSD\*, version **3.12** -* OpenSSL\* 1.1.1s & 3.0.7 -* BoringSSL\* commit - [15596efa5f][1] +* Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0 - **QAT20.L.1.0.10-00005** +* Intel® QuickAssist Technology Driver for Linux\* HW Version 1.7 & 1.8 - **QAT.L.4.20.0-00001** +* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.7 - **QAT.B.3.12.0-00004** +* OpenSSL\* 1.1.1t & 3.0.8 +* BoringSSL\* commit - [987dff1][1] * BabaSSL - 8.3.2 ## qat_sw Requirements 
@@ -31,11 +32,19 @@ This release was validated on the following: * Intel® Crypto Multi-buffer library from the [ipp-crypto][2] release version **IPP Crypto 2021.7** * Intel® Multi-Buffer crypto for IPsec Library release version **v1.3** -* OpenSSL\* 1.1.1s & 3.0.7 -* BoringSSL\* commit - [15596efa5f][1] +* OpenSSL\* 1.1.1t & 3.0.8 +* BoringSSL\* commit - [987dff1][1] * BabaSSL - 8.3.2 -[1]:https://github.com/google/boringssl/tree/15596efa5fe18e43bdc0ecd32d4ef93437f51d49 +-------------------------------------------------------------------------------- + +Note : OpenSSL\* Version 1.1.1 will be EOL from Sep'23 for general use hence +QAT Engine(qat_hw & qat_sw) is also planning to drop the support for OpenSSL\* +1.1.1 after the OpenSSL\* 1.1.1 EOL. + +-------------------------------------------------------------------------------- + +[1]:https://github.com/google/boringssl/commit/987dff1a9fa953a8c7dffa369d78caae02b8d9ab [2]:https://github.com/intel/ipp-crypto [3]:https://github.com/intel/ipp-crypto/tree/develop/sources/ippcp/crypto_mb [4]:https://github.com/intel/intel-ipsec-mb diff --git a/e_qat.c b/e_qat.c index d768a912..f53c7121 100644 --- a/e_qat.c +++ b/e_qat.c @@ -156,13 +156,13 @@ const char *engine_qat_id = STR(QAT_ENGINE_ID); #if defined(QAT_HW) && defined(QAT_SW) const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v0.6.19"; + "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.0.0"; #elif QAT_HW const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_hw) v0.6.19"; + "Reference implementation of QAT crypto engine(qat_hw) v1.0.0"; #else const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_sw) v0.6.19"; + "Reference implementation of QAT crypto engine(qat_sw) v1.0.0"; #endif unsigned int engine_inited = 0; diff --git a/qat_prov_ciphers.c b/qat_prov_ciphers.c index bc59d614..ead12fa8 100644 --- a/qat_prov_ciphers.c +++ b/qat_prov_ciphers.c 
@@ -293,12 +293,12 @@ int qat_gcm_stream_update(void *vctx, unsigned char *out, size_t *outl, size_t outsize, const unsigned char *in, size_t inl) { - int ret = 0; #if defined(ENABLE_QAT_HW_GCM) || defined(ENABLE_QAT_SW_GCM) + int ret = 0; QAT_GCM_CTX *ctx = (QAT_GCM_CTX *)vctx; #endif -if (inl == 0) { + if (inl == 0) { *outl = 0; return 1; } @@ -315,9 +315,9 @@ if (inl == 0) { #endif #ifdef ENABLE_QAT_SW_GCM - if (vaesgcm_ciphers_do_cipher(ctx, out, outl, in, inl) <= 0) { + if ((ret = vaesgcm_ciphers_do_cipher(ctx, out, outl, in, inl)) <= 0) { QATerr(ERR_LIB_PROV, PROV_R_CIPHER_OPERATION_FAILED); - return 0; + return ret; } #endif return 1; diff --git a/qat_provider.h b/qat_provider.h index 84d76493..5d7896d0 100644 --- a/qat_provider.h +++ b/qat_provider.h @@ -51,8 +51,8 @@ # include # include -# define QAT_PROVIDER_VERSION_STR "v0.6.19" -# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v0.6.19" +# define QAT_PROVIDER_VERSION_STR "v1.0.0" +# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v1.0.0" # if defined(QAT_HW) && defined(QAT_SW) # define QAT_PROVIDER_NAME_STR "QAT Provider for QAT_HW and QAT_SW" diff --git a/qatengine-sw.spec b/qatengine-sw.spec index 5cd74728..28cc217a 100644 --- a/qatengine-sw.spec +++ b/qatengine-sw.spec @@ -4,7 +4,7 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: qatengine-sw -Version: 0.6.19 +Version: 1.0.0 Release: 1%{?dist} Summary: Intel QuickAssist Technology (QAT) OpenSSL Engine # Most of the source code is BSD, with the following exceptions: @@ -49,6 +49,9 @@ autoreconf -ivf %exclude %{enginesdir}/qatengine.la %changelog +* Wed Mar 22 2023 Yogaraj Alamenda - 1.0.0-1 +- Update to qatengine v1.0.0 + * Thu Feb 09 2023 Yogaraj Alamenda - 0.6.19-1 - Update to qatengine v0.6.19 diff --git a/qatengine.spec b/qatengine.spec index 3cc389ef..e3343851 100644 --- a/qatengine.spec +++ b/qatengine.spec 
@@ -4,7 +4,7 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: qatengine -Version: 0.6.19 +Version: 1.0.0 Release: 1%{?dist} Summary: Intel QuickAssist Technology (QAT) OpenSSL Engine # Most of the source code is BSD, with the following exceptions: @@ -46,6 +46,9 @@ autoreconf -ivf %exclude %{enginesdir}/qatengine.la %changelog +* Wed Mar 22 2023 Yogaraj Alamenda - 1.0.0-1 +- Update to qatengine v1.0.0 + * Thu Feb 09 2023 Yogaraj Alamenda - 0.6.19-1 - Update to qatengine v0.6.19
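
Review bot: In the README.md hunk for Example 1 (the paragraph added after the `/usr/local/ssl/lib/engines-1.1` sentence), the option is written `-with-qat_hw_dir` with a single dash; it should be `--with-qat_hw_dir`, as in the paragraph just above it. The unchanged sentence before the addition still says `qatengine.so` is copied to `/usr/local/ssl/lib/engines-1.1`, which does not cover the OpenSSL 3.0 case this example now includes; the OPENSSL_ENGINES hunk gives `/usr/local/ssl/lib64/engines-3` for 3.0, so name both install paths here as well.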
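
Review bot: The configure.ac hunk at line 507 removes `AC_SUBST([enable_qat_hw_dsa], ["yes"])` and `AC_SUBST([enable_qat_hw_dh], ["yes"])` from the branch taken when `enable_qat_insecure_algorithms` is "yes", while the else branch still forces both to "no". That is a build behaviour change inside a commit whose subject is a readme update, and the new `--enable-qat_insecure_algorithms` text in docs/config_options.md still lists DH and DSA among the algorithms that flag enables. Please state in the commit message how DSA and DH are expected to be enabled after this change, or split it into its own commit.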
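
Review bot: In docs/config_options.md, the new `--enable-qat_insecure_algorithms` entry (hunk at line 287) says "disabled by default" twice and names only QAT HW driver v1.7 as needing `./configure --enable-legacy-algorithms`, whereas the `**` footnote in docs/qat_hw_algo.md in this same patch says driver versions 1.7 & 1.8. Drop the duplicate and make the driver versions agree between the two files. In the `--enable-qat_hw_sm4_cbc` hunk, "acceleration.(disabled by default)" has misplaced punctuation and the closing sentence "and QAT Engine is built with BabaSSL only" reads as a fragment; reword it as a second condition and end it with a period.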
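
Review bot: The docs/features.md hunk adds 512 to the RSA key sizes (`512/1024/2048/4096`) without noting that, per docs/qat_hw_algo.md in this patch, RSA below 2048 bits is classed as insecure and is disabled by default unless `--enable-qat_insecure_algorithms` is given. The DH and DSA entries on the following context lines fall under the same footnote. Mark these entries as non-default so the feature list is not read as what a default build accelerates.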
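
Review bot: In docs/hardware_requirements.md the new link definitions define `[5]:` twice and never define `[6]`, while the qat_sw Requirements paragraph now links to `[6]`. The last definition (the 3rd-gen Xeon Scalable brief URL) should be labelled `[6]:`; as written the qat_sw link has no target and the `[5]` label used for Atom C3000 is ambiguous.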
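
Review bot: The new table in docs/qat_hw_algo.md marks `RSA Key size 8192` and `DH key size >=8192` only in the qatlib column, but docs/features.md in this same patch lists RSA8K and DH8K under "Hardware driver v2.0 and qatlib". The `**` footnote also scopes the default-disabled statement to driver versions 1.7 & 1.8 although the v2.0 and qatlib columns carry `**` too. Please reconcile the v2.0 column and the footnote scope, and fix the footnote typos "will also needs" and "algortihms".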
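
Review bot: In `qat_gcm_stream_update` (qat_prov_ciphers.c, hunk at line 315) the failure path changes from `return 0;` to `return ret;`, where `ret` holds the result of `vaesgcm_ciphers_do_cipher` and can be negative because the check is `<= 0`. A caller that tests the return value as a boolean would treat a negative result as success after a failed AES-GCM operation. Keep `return 0;` on the error path, or document that negative values can be returned and confirm every caller compares against `<= 0`. This functional change is also not mentioned in the commit message, which describes only a readme update.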