Version bump to v1.2.0 and README update

Signed-off-by: Yogaraj Alamenda <[email protected]>

README.md

@@ -92,7 +92,8 @@ modprobe usdm_drv.ko
 ```
 The USDM thread specific memory can be enabled in QAT_HW driver using the below
 configure flags in driver build which is only needed for multithreaded
-application for performance improvement.
+application for performance improvement. This is supported from version 4.20
+of QAT_HW Version 1.7 driver only.
 
 ```bash
 ./configure --enable-icp-thread-specific-usdm --enable-128k-slab

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.68])
-AC_INIT([qatengine], [1.1.0], [])
+AC_INIT([qatengine], [1.2.0], [])
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_AUX_DIR([.])

docs/features.md

@@ -24,7 +24,7 @@
 * [Pipelined Operations](qat_hw.md#using-the-openssl-pipelining-capability)
 * [Intel® QAT OpenSSL\* Engine Software Fallback](qat_hw.md#intel-qat-openssl-engine-software-fallback-feature)
 * [BoringSSL Support](bssl_support.md)
-* Algorithms specific to Hardware driver v2.0 and qatlib(QAT gen4 devices)
+* Algorithms specific to QAT Hardware driver v2.0 and qatlib(QAT gen4 devices)
   *  RSA8K
   *  DH8K
   *  SM4-CBC (Not supported in qatlib)
@@ -53,7 +53,7 @@ Please refer [here](qat_hw_algo.md) for supported platforms list and default beh
 ## Common Features to qat_hw & qat_sw
 * [QAT_HW & QAT_SW Co-existence with runtime configuration](qat_common.md#qat-hw-and-qat-sw-co-existence)
 * [OpenSSL 3.0 Provider Support](qat_common.md#openssl-30-provider-support)
-* [FIPS Support](qat_common.md#fips-support)
+* [FIPS 140-3 Certification requirements Support using QAT Provider](qat_common.md#fips-140-3-certification-requirements-support-using-qat-provider)
 
 Note: RSA Padding schemes are handled by OpenSSL\* or BoringSSL\* rather than accelerated, so the
 engine supports the same padding schemes as OpenSSL\* or BoringSSL\* does natively.

docs/limitations.md

@@ -47,15 +47,13 @@
 ## Known Issues
 
 ### Functional
-* Known issue with OpenSSL 3.0 s_server using qatengine with cipher **"DHE-RSA-CHACHA20-POLY1305"** which
-  works fine with Nginx. The issue is due to failure at EVP_PKEY_copy_parameter() in OpenSSL.
 * AES-CBC-HMAC-SHA chained ciphers does not support **pipeline feature** when built with
   OpenSSL 3.0 as the corresponding support is not available in OpenSSL 3.0 - [OpenSSL#18298][2]
 * There is an issue in **sshd** daemon application when using the QAT for default openssl.
   sshd looks to be closing the file descriptors associated with QAT engine and driver after
   initialising openssl. Similar issue was present which prevents the ability to ssh out of
   the system using the QAT engine in versions of the ssh application before OpenSSH 8.7.
-  The issue has been fixed with this commit [c9f7bba][4] . This update can be applied to
+  The issue has been fixed with this commit [c9f7bba][3] . This update can be applied to
   sshd to work-around the issue.
 * Known issue with QAT_SW SM2 in ntls mode since QAT_SW SM2 doesn't have plain sign and
   verify operation support in engine. Disable QAT_SW SM2 to workaround the issue with ntls.
@@ -68,7 +66,7 @@
   or in multi-process mode.
 * SM3 is disabled by default due to performance drop observed in **mulithread scenario**
   for all ciphers suites due to the additional locks at engine_table_select introduced by
-  engine digest registration in OpenSSL - [OpenSSL#18509][5]
+  engine digest registration in OpenSSL - [OpenSSL#18509][4]
 * In Co-Existence mode, performance will drop for PKE algorithms compared with
   QAT_SW when process number >= 64.
 

docs/qat_common.md

@@ -137,18 +137,24 @@ Example OpenSSL Speed command to test using qatprovider:
 * QAT_SW
      ./openssl speed -provider qatprovider -elapsed -async_jobs 8 rsa2048
 
-# FIPS 140-3 Certification requirements Support
+# FIPS 140-3 Certification requirements Support using QAT Provider
 
-Intel® QAT OpenSSL\* Engine contains changes to fulfill FIPS 140-3 Level 1 Certification requirements
-using QAT Provider against OpenSSL 3.0
-The FIPS support can be enabled using the configure flag `--enable-qat_fips`
-only with OpenSSL 3.0 using provider interface which needs to be enabled using `--enable-qat_provider`.
+Intel® QAT OpenSSL\* Engine contains changes to comply with FIPS 140-3 Level-1
+Certification requirements using QAT Provider against OpenSSL 3.0.8. The FIPS
+support can be enabled using the configure flag `--enable-qat_fips` only with
+OpenSSL 3.0 using provider interface which needs to be enabled using `--enable-qat_provider`.
 
-When FIPS flag is enabled along with provider for OpenSSL3.0, it will run self tests, integrity tests
-and will satisfy other FIPS 140-3 CMVP & CAVP requirements.
-The FIPS is build as RPM using the spec file fips/qatengine_fips.spec with QAT_HW & QAT_SW Coexistence
-enabled along with other flags enabled.
+When FIPS flag is enabled along with provider for OpenSSL3.0, it will run
+self tests, integrity tests and will satisfy other FIPS 140-3 CMVP & CAVP
+requirements. The FIPS is build as RPM using the specfile fips/qatengine_fips.spec
+with QAT_HW & QAT_SW Coexistence enabled along with other flags enabled.
+
+Please note that the version v1.2.0 is only satisfying FIPS 140-3 Level-1
+certification requirements and not FIPS certified yet.
+The FIPS 140-3 certification is under process.
 
 ## Support Algorithms in FIPS mode
-QAT_HW target: RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, AES_GCM, DSA, DH, PRF, HKDF & SHA3 algorithms.
-QAT_SW target: RSA, ECDSA, ECDH, ECDHX25519, AES_GCM & SHA2 algorithms.
+| Mode | Algorithms |
+| :---: | :---: |
+| QAT_HW | RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, DSA, DH, TLS1.2-KDF(PRF), TLS1.3-KDF(HKDF), SHA3 & AES-GCM |
+| QAT_SW | RSA, ECDSA, ECDH, ECDHX25519, SHA2 & AES-GCM |

docs/software_requirements.md

@@ -6,11 +6,10 @@ that supports OpenSSL\* 1.1.1 or OpenSSL\* 3.0 or BoringSSL\* and Intel® Qui
 Technology Driver for Linux or Intel®  QuickAssist Technology
 Driver for FreeBSD. This release was validated on the following:
 
-* Operating system: CentOS* 8.4, Ubuntu\* 20.04.2 LTS & FreeBSD\* 12.3
-* Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0 - **QAT20.L.1.0.10-00005**
-* Intel® QuickAssist Technology Driver for Linux\* HW Version 1.7 & 1.8 - **QAT.L.4.20.0-00001**
-* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.7 - **QAT.B.3.12.0-00004**
-* OpenSSL\* 1.1.1t & 3.0.8
+* Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0 (RHEL\* 8.6) - **QAT20.L.1.0.40-00004**
+* Intel® QuickAssist Technology Driver for Linux\* HW Version 1.7 & 1.8 (CentOS\* 8.4 & Ubuntu\* 20.04.2) - **QAT.L.4.22.0-00001**
+* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.7 (FreeBSD\* 12.4) - **QAT.B.3.12.0-00004**
+* OpenSSL\* 1.1.1u & 3.0.9
 * BoringSSL\* commit - [987dff1][1]
 * BabaSSL - 8.3.2
 
@@ -32,7 +31,7 @@ This release was validated on the following:
 * Intel® Crypto Multi-buffer library from the [ipp-crypto][2] release
   version **IPP Crypto 2021.7.1**
 * Intel® Multi-Buffer crypto for IPsec Library release version **v1.3**
-* OpenSSL\* 1.1.1t & 3.0.8
+* OpenSSL\* 1.1.1u & 3.0.9
 * BoringSSL\* commit - [987dff1][1]
 * BabaSSL - 8.3.2
 

docs/troubleshooting.md

@@ -21,12 +21,10 @@ If this occurs some of the things to check are:
    5. Has the environment variable `OPENSSL_ENGINES` been correctly defined and
       exported to the shell?
       Also check it is really pointing to the correct location.
-   6. If building for OpenSSL 1.1.0 was the configure option
-      `--with-openssl_dir` specified? (Linux Specific)
-   7. If building from OpenSSL prebuilt RPM Package, has the OpenSSL developement
+   6. If building from OpenSSL prebuilt RPM Package, has the OpenSSL developement
       packages (openssl-devel for Redhat* based distribution and libssl-devel
       for Debian* based distibution) been installed ?
-   8. Incase of qat_sw acceleration, has the dependant libraries are installed in
+   7. Incase of qat_sw acceleration, has the dependant libraries are installed in
       the default path or provide the path via `--with-qat_sw_crypto_mb_install_dir`
       (for crypto_mb) and `--with-qat_sw_ipsec_mb_install_dir` (for ipsec_mb) if
       installed in the path other than default.

e_qat.c

@@ -163,13 +163,13 @@ int qat_fips_kat_test;
 const char *engine_qat_id = STR(QAT_ENGINE_ID);
 #if defined(QAT_HW) && defined(QAT_SW)
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.1.0";
+    "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.2.0";
 #elif QAT_HW
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_hw) v1.1.0";
+    "Reference implementation of QAT crypto engine(qat_hw) v1.2.0";
 #else
 const char *engine_qat_name =
-    "Reference implementation of QAT crypto engine(qat_sw) v1.1.0";
+    "Reference implementation of QAT crypto engine(qat_sw) v1.2.0";
 #endif
 unsigned int engine_inited = 0;
 int fallback_to_openssl = 0;

fips/qatprovider-fips.spec

@@ -1,7 +1,7 @@
 %undefine __cmake_in_source_build
 %global _lto_cflags %{nil}
 %global debug_package %{nil}
-# Versions numbers
+# Dependant Library Versions
 %global major        1
 %global minor        3
 %global rev          0
@@ -10,36 +10,38 @@
 %global ipsecfull    %{ipsec}-%{ipsecver}
 %global fullversion  %{major}.%{minor}.%{rev}
 
-
-%global ippcp_major       11
+%global ippcp_major        11
 %global ippcp_minor        6
-%global ippcp		   ipp-crypto
-%global ippcpver	   ippcp_2021.7.1
-%global ippcpfull    	   %{ippcp}-%{ippcpver}
+%global ippcp              ipp-crypto
+%global ippcpver           ippcp_2021.7.1
+%global ippcpfull          %{ippcp}-%{ippcpver}
 %global ippcpfullversion   %{ippcp_major}.%{ippcp_minor}
 
-%global qatengine   QAT_Engine
-%global qatdriver   QAT20.l.1.0.40-00004
+%global qatdriver          QAT20.l.1.0.40-00004
 
-%global openssl_lib_path        /root/openssl_install
-%global openssl_src_path        /root/openssl
+%global openssl_lib_path   /root/openssl_install
+%global openssl_src_path   /root/openssl
 
-Name:		qatprovider-fips
+Name:       qatprovider-fips
 Version:    1.2.0
 Release:    1%{?dist}
-Summary:    Intel QuickAssist Technology (QAT) OpenSSL Provider
-
-License: 	BSD-3-Clause AND OpenSSL
-Source0:	https://github.com/intel/%{qatengine}/archive/v%{version}/%{name}-%{version}.tar.gz 
-Source1:	https://github.com/intel/%{ippcp}/archive/refs/tags/%{ippcpver}.tar.gz#/%{ippcp}-%{ippcpver}.tar.gz
-Source2:	https://github.com/intel/%{ipsec}/archive/v%{ipsecver}.tar.gz#/%{ipsecfull}.tar.gz
-Source3:	https://downloadmirror.intel.com/777529/QAT20.L.1.0.20-00008.tar.gz
-Source4:	driver_install.tar.gz
-
-BuildRequires:      cmake >= 3.10
-BuildRequires:      gcc-c++ >= 8.2
-BuildRequires:      make
-BuildRequires:      nasm >= 2.14
+Summary:    Intel QuickAssist Technology(QAT) OpenSSL Provider
+
+License:    BSD-3-Clause AND OpenSSL
+Source0:    https://github.com/intel/QAT_Engine/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:    https://github.com/intel/%{ippcp}/archive/refs/tags/%{ippcpver}.tar.gz#/%{ippcp}-%{ippcpver}.tar.gz
+Source2:    https://github.com/intel/%{ipsec}/archive/v%{ipsecver}.tar.gz#/%{ipsecfull}.tar.gz
+Source3:    https://downloadmirror.intel.com/781387/QAT20.L.1.0.40-00004.tar.gz
+Source4:    driver_install.tar.gz
+
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  make
+BuildRequires:  gcc
+BuildRequires:  libtool
+BuildRequires:  cmake >= 3.10
+BuildRequires:  nasm >= 2.14
+BuildRequires:  gcc-c++ >= 8.2
 
 %description
 This package provides the Intel QuickAssist Technology OpenSSL Provider
@@ -106,13 +108,12 @@ ln -s libIPSec_MB.so.%{fullversion} libIPSec_MB.so
 export OPENSSL_ENGINES="/root/openssl_install/lib64/ossl-modules"
 export OPENSSL_ROOT="/root/openssl"
 export SYS_OPENSSL_PATH="/root/openssl_install"
-export LD_LIBRARY_PATH=/root/openssl_install/lib64
-export OPENSSL_LIB=/root/openssl_install
+export LD_LIBRARY_PATH="/root/openssl_install/lib64"
+export OPENSSL_LIB="/root/openssl_install"
 export QAT_HW_ENABLED="1"
 export QAT_SW_ENABLED="1"
 
 cd /root/rpmbuild/BUILD/%{name}-%{version}
-#git checkout dev_qat_fips_drop2_release
 
 autoreconf -ivf
 
@@ -200,4 +201,5 @@ rm -rf %{buildroot}
 %{_includedir}/crypto_mb/sm4_gcm.h
 
 %changelog
-* Mon May 29 2023 Ponnam Srinivas <[email protected]>
+* Wed Jun 14 2023 Ponnam Srinivas <[email protected]> - 1.2.0-1
+- Initial Version of RPM for QAT Provider with FIPS Support.

qat_provider.h

@@ -51,8 +51,8 @@
 # include <openssl/bio.h>
 # include <openssl/core_dispatch.h>
 
-# define QAT_PROVIDER_VERSION_STR "v1.1.0"
-# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v1.1.0"
+# define QAT_PROVIDER_VERSION_STR "v1.2.0"
+# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v1.2.0"
 
 # if defined(QAT_HW) && defined(QAT_SW)
 #  define QAT_PROVIDER_NAME_STR "QAT Provider for QAT_HW and QAT_SW"

qatengine.spec

@@ -4,7 +4,7 @@
 %global enginesdir %(pkg-config --variable=enginesdir libcrypto)
 
 Name:           qatengine
-Version:        1.1.0
+Version:        1.2.0
 Release:        1%{?dist}
 Summary:        Intel QuickAssist Technology (QAT) OpenSSL Engine
 
@@ -70,6 +70,9 @@ openssl engine -v %{name}
 %{enginesdir}/%{name}.so
 
 %changelog
+* Wed Jun 14 2023 Yogaraj Alamenda <[email protected]> - 1.2.0-1
+- Update to qatengine v1.2.0
+
 * Thu May 04 2023 Yogaraj Alamenda <[email protected]> - 1.1.0-1
 - Update to qatengine v1.1.0