From b2dcde468d51513db5d7aa0fd393f4818d83a65d Mon Sep 17 00:00:00 2001 From: Yogaraj Alamenda Date: Wed, 14 Jun 2023 22:21:01 +0530 Subject: [PATCH] Version bump to v1.2.0 and README update Signed-off-by: Yogaraj Alamenda --- README.md | 3 +- configure.ac | 2 +- docs/features.md | 4 +-- docs/limitations.md | 6 ++-- docs/qat_common.md | 28 ++++++++++------- docs/software_requirements.md | 11 +++---- docs/troubleshooting.md | 6 ++-- e_qat.c | 6 ++-- fips/qatprovider-fips.spec | 58 ++++++++++++++++++----------------- qat_provider.h | 4 +-- qatengine.spec | 5 ++- 11 files changed, 70 insertions(+), 63 deletions(-) diff --git a/README.md b/README.md index aa8a2c71..119945f3 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,8 @@ modprobe usdm_drv.ko ``` The USDM thread specific memory can be enabled in QAT_HW driver using the below configure flags in driver build which is only needed for multithreaded -application for performance improvement. +application for performance improvement. This is supported from version 4.20 +of QAT_HW Version 1.7 driver only. ```bash ./configure --enable-icp-thread-specific-usdm --enable-128k-slab diff --git a/configure.ac b/configure.ac index 697e6b51..09cdeb09 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.68]) -AC_INIT([qatengine], [1.1.0], []) +AC_INIT([qatengine], [1.2.0], []) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_AUX_DIR([.]) diff --git a/docs/features.md b/docs/features.md index 61da459f..37e29dd2 100644 --- a/docs/features.md +++ b/docs/features.md 
@@ -24,7 +24,7 @@ * [Pipelined Operations](qat_hw.md#using-the-openssl-pipelining-capability) * [Intel® QAT OpenSSL\* Engine Software Fallback](qat_hw.md#intel-qat-openssl-engine-software-fallback-feature) * [BoringSSL Support](bssl_support.md) -* Algorithms specific to Hardware driver v2.0 and qatlib(QAT gen4 devices) +* Algorithms specific to QAT Hardware driver v2.0 and qatlib(QAT gen4 devices) * RSA8K * DH8K * SM4-CBC (Not supported in qatlib) @@ -53,7 +53,7 @@ Please refer [here](qat_hw_algo.md) for supported platforms list and default beh ## Common Features to qat_hw & qat_sw * [QAT_HW & QAT_SW Co-existence with runtime configuration](qat_common.md#qat-hw-and-qat-sw-co-existence) * [OpenSSL 3.0 Provider Support](qat_common.md#openssl-30-provider-support) -* [FIPS Support](qat_common.md#fips-support) +* [FIPS 140-3 Certification requirements Support using QAT Provider](qat_common.md#fips-140-3-certification-requirements-support-using-qat-provider) Note: RSA Padding schemes are handled by OpenSSL\* or BoringSSL\* rather than accelerated, so the engine supports the same padding schemes as OpenSSL\* or BoringSSL\* does natively. diff --git a/docs/limitations.md b/docs/limitations.md index 09153805..44cbb55c 100644 --- a/docs/limitations.md +++ b/docs/limitations.md 
@@ -47,15 +47,13 @@ ## Known Issues ### Functional -* Known issue with OpenSSL 3.0 s_server using qatengine with cipher **"DHE-RSA-CHACHA20-POLY1305"** which - works fine with Nginx. The issue is due to failure at EVP_PKEY_copy_parameter() in OpenSSL. * AES-CBC-HMAC-SHA chained ciphers does not support **pipeline feature** when built with OpenSSL 3.0 as the corresponding support is not available in OpenSSL 3.0 - [OpenSSL#18298][2] * There is an issue in **sshd** daemon application when using the QAT for default openssl. sshd looks to be closing the file descriptors associated with QAT engine and driver after initialising openssl. Similar issue was present which prevents the ability to ssh out of the system using the QAT engine in versions of the ssh application before OpenSSH 8.7. - The issue has been fixed with this commit [c9f7bba][4] . This update can be applied to + The issue has been fixed with this commit [c9f7bba][3] . This update can be applied to sshd to work-around the issue. * Known issue with QAT_SW SM2 in ntls mode since QAT_SW SM2 doesn't have plain sign and verify operation support in engine. Disable QAT_SW SM2 to workaround the issue with ntls. @@ -68,7 +66,7 @@ or in multi-process mode. * SM3 is disabled by default due to performance drop observed in **mulithread scenario** for all ciphers suites due to the additional locks at engine_table_select introduced by - engine digest registration in OpenSSL - [OpenSSL#18509][5] + engine digest registration in OpenSSL - [OpenSSL#18509][4] * In Co-Existence mode, performance will drop for PKE algorithms compared with QAT_SW when process number >= 64. diff --git a/docs/qat_common.md b/docs/qat_common.md index 6e8801c1..a8881878 100644 --- a/docs/qat_common.md +++ b/docs/qat_common.md 
@@ -137,18 +137,24 @@ Example OpenSSL Speed command to test using qatprovider: * QAT_SW ./openssl speed -provider qatprovider -elapsed -async_jobs 8 rsa2048 -# FIPS 140-3 Certification requirements Support +# FIPS 140-3 Certification requirements Support using QAT Provider -Intel® QAT OpenSSL\* Engine contains changes to fulfill FIPS 140-3 Level 1 Certification requirements -using QAT Provider against OpenSSL 3.0 -The FIPS support can be enabled using the configure flag `--enable-qat_fips` -only with OpenSSL 3.0 using provider interface which needs to be enabled using `--enable-qat_provider`. +Intel® QAT OpenSSL\* Engine contains changes to comply with FIPS 140-3 Level-1 +Certification requirements using QAT Provider against OpenSSL 3.0.8. The FIPS +support can be enabled using the configure flag `--enable-qat_fips` only with +OpenSSL 3.0 using provider interface which needs to be enabled using `--enable-qat_provider`. -When FIPS flag is enabled along with provider for OpenSSL3.0, it will run self tests, integrity tests -and will satisfy other FIPS 140-3 CMVP & CAVP requirements. -The FIPS is build as RPM using the spec file fips/qatengine_fips.spec with QAT_HW & QAT_SW Coexistence -enabled along with other flags enabled. +When FIPS flag is enabled along with provider for OpenSSL3.0, it will run +self tests, integrity tests and will satisfy other FIPS 140-3 CMVP & CAVP +requirements. The FIPS is build as RPM using the specfile fips/qatengine_fips.spec +with QAT_HW & QAT_SW Coexistence enabled along with other flags enabled. + +Please note that the version v1.2.0 is only satisfying FIPS 140-3 Level-1 +certification requirements and not FIPS certified yet. +The FIPS 140-3 certification is under process. ## Support Algorithms in FIPS mode -QAT_HW target: RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, AES_GCM, DSA, DH, PRF, HKDF & SHA3 algorithms. -QAT_SW target: RSA, ECDSA, ECDH, ECDHX25519, AES_GCM & SHA2 algorithms. 
+| Mode | Algorithms | +| :---: | :---: | +| QAT_HW | RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, DSA, DH, TLS1.2-KDF(PRF), TLS1.3-KDF(HKDF), SHA3 & AES-GCM | +| QAT_SW | RSA, ECDSA, ECDH, ECDHX25519, SHA2 & AES-GCM | diff --git a/docs/software_requirements.md b/docs/software_requirements.md index 6e283a0d..8b6052ec 100644 --- a/docs/software_requirements.md +++ b/docs/software_requirements.md @@ -6,11 +6,10 @@ that supports OpenSSL\* 1.1.1 or OpenSSL\* 3.0 or BoringSSL\* and Intel® Qui Technology Driver for Linux or Intel® QuickAssist Technology Driver for FreeBSD. This release was validated on the following: -* Operating system: CentOS* 8.4, Ubuntu\* 20.04.2 LTS & FreeBSD\* 12.3 -* Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0 - **QAT20.L.1.0.10-00005** -* Intel® QuickAssist Technology Driver for Linux\* HW Version 1.7 & 1.8 - **QAT.L.4.20.0-00001** -* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.7 - **QAT.B.3.12.0-00004** -* OpenSSL\* 1.1.1t & 3.0.8 +* Intel® QuickAssist Technology Driver for Linux\* HW Version 2.0 (RHEL\* 8.6) - **QAT20.L.1.0.40-00004** +* Intel® QuickAssist Technology Driver for Linux\* HW Version 1.7 & 1.8 (CentOS\* 8.4 & Ubuntu\* 20.04.2) - **QAT.L.4.22.0-00001** +* Intel® QuickAssist Technology Driver for FreeBSD\* HW Version 1.7 (FreeBSD\* 12.4) - **QAT.B.3.12.0-00004** +* OpenSSL\* 1.1.1u & 3.0.9 * BoringSSL\* commit - [987dff1][1] * BabaSSL - 8.3.2 @@ -32,7 +31,7 @@ This release was validated on the following: * Intel® Crypto Multi-buffer library from the [ipp-crypto][2] release version **IPP Crypto 2021.7.1** * Intel® Multi-Buffer crypto for IPsec Library release version **v1.3** -* OpenSSL\* 1.1.1t & 3.0.8 +* OpenSSL\* 1.1.1u & 3.0.9 * BoringSSL\* commit - [987dff1][1] * BabaSSL - 8.3.2 diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 5e4f7d55..e6102d8e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -21,12 +21,10 @@ If this occurs some of the things to check are: 5. Has the environment variable `OPENSSL_ENGINES` been correctly defined and exported to the shell? Also check it is really pointing to the correct location. - 6. If building for OpenSSL 1.1.0 was the configure option - `--with-openssl_dir` specified? (Linux Specific) - 7. If building from OpenSSL prebuilt RPM Package, has the OpenSSL developement + 6. If building from OpenSSL prebuilt RPM Package, has the OpenSSL developement packages (openssl-devel for Redhat* based distribution and libssl-devel for Debian* based distibution) been installed ? - 8. Incase of qat_sw acceleration, has the dependant libraries are installed in + 7. Incase of qat_sw acceleration, has the dependant libraries are installed in the default path or provide the path via `--with-qat_sw_crypto_mb_install_dir` (for crypto_mb) and `--with-qat_sw_ipsec_mb_install_dir` (for ipsec_mb) if installed in the path other than default. diff --git a/e_qat.c b/e_qat.c index 49100b32..3e74468a 100644 --- a/e_qat.c +++ b/e_qat.c @@ -163,13 +163,13 @@ int qat_fips_kat_test; const char *engine_qat_id = STR(QAT_ENGINE_ID); #if defined(QAT_HW) && defined(QAT_SW) const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.1.0"; + "Reference implementation of QAT crypto engine(qat_hw & qat_sw) v1.2.0"; #elif QAT_HW const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_hw) v1.1.0"; + "Reference implementation of QAT crypto engine(qat_hw) v1.2.0"; #else const char *engine_qat_name = - "Reference implementation of QAT crypto engine(qat_sw) v1.1.0"; + "Reference implementation of QAT crypto engine(qat_sw) v1.2.0"; #endif unsigned int engine_inited = 0; int fallback_to_openssl = 0; diff --git a/fips/qatprovider-fips.spec b/fips/qatprovider-fips.spec index 9b774ea0..a6bc34f0 100644 --- a/fips/qatprovider-fips.spec +++ b/fips/qatprovider-fips.spec 
@@ -1,7 +1,7 @@ %undefine __cmake_in_source_build %global _lto_cflags %{nil} %global debug_package %{nil} -# Versions numbers +# Dependant Library Versions %global major 1 %global minor 3 %global rev 0 
@@ -10,36 +10,38 @@ %global ipsecfull %{ipsec}-%{ipsecver} %global fullversion %{major}.%{minor}.%{rev} - -%global ippcp_major 11 +%global ippcp_major 11 %global ippcp_minor 6 -%global ippcp ipp-crypto -%global ippcpver ippcp_2021.7.1 -%global ippcpfull %{ippcp}-%{ippcpver} +%global ippcp ipp-crypto +%global ippcpver ippcp_2021.7.1 +%global ippcpfull %{ippcp}-%{ippcpver} %global ippcpfullversion %{ippcp_major}.%{ippcp_minor} -%global qatengine QAT_Engine -%global qatdriver QAT20.l.1.0.40-00004 +%global qatdriver QAT20.l.1.0.40-00004 -%global openssl_lib_path /root/openssl_install -%global openssl_src_path /root/openssl +%global openssl_lib_path /root/openssl_install +%global openssl_src_path /root/openssl -Name: qatprovider-fips +Name: qatprovider-fips Version: 1.2.0 Release: 1%{?dist} -Summary: Intel QuickAssist Technology (QAT) OpenSSL Provider - -License: BSD-3-Clause AND OpenSSL -Source0: https://github.com/intel/%{qatengine}/archive/v%{version}/%{name}-%{version}.tar.gz -Source1: https://github.com/intel/%{ippcp}/archive/refs/tags/%{ippcpver}.tar.gz#/%{ippcp}-%{ippcpver}.tar.gz -Source2: https://github.com/intel/%{ipsec}/archive/v%{ipsecver}.tar.gz#/%{ipsecfull}.tar.gz -Source3: https://downloadmirror.intel.com/777529/QAT20.L.1.0.20-00008.tar.gz -Source4: driver_install.tar.gz - -BuildRequires: cmake >= 3.10 -BuildRequires: gcc-c++ >= 8.2 -BuildRequires: make -BuildRequires: nasm >= 2.14 +Summary: Intel QuickAssist Technology(QAT) OpenSSL Provider + +License: BSD-3-Clause AND OpenSSL +Source0: https://github.com/intel/QAT_Engine/archive/v%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/intel/%{ippcp}/archive/refs/tags/%{ippcpver}.tar.gz#/%{ippcp}-%{ippcpver}.tar.gz +Source2: https://github.com/intel/%{ipsec}/archive/v%{ipsecver}.tar.gz#/%{ipsecfull}.tar.gz +Source3: https://downloadmirror.intel.com/781387/QAT20.L.1.0.40-00004.tar.gz +Source4: driver_install.tar.gz + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make 
+BuildRequires: gcc +BuildRequires: libtool +BuildRequires: cmake >= 3.10 +BuildRequires: nasm >= 2.14 +BuildRequires: gcc-c++ >= 8.2 %description This package provides the Intel QuickAssist Technology OpenSSL Provider @@ -106,13 +108,12 @@ ln -s libIPSec_MB.so.%{fullversion} libIPSec_MB.so export OPENSSL_ENGINES="/root/openssl_install/lib64/ossl-modules" export OPENSSL_ROOT="/root/openssl" export SYS_OPENSSL_PATH="/root/openssl_install" -export LD_LIBRARY_PATH=/root/openssl_install/lib64 -export OPENSSL_LIB=/root/openssl_install +export LD_LIBRARY_PATH="/root/openssl_install/lib64" +export OPENSSL_LIB="/root/openssl_install" export QAT_HW_ENABLED="1" export QAT_SW_ENABLED="1" cd /root/rpmbuild/BUILD/%{name}-%{version} -#git checkout dev_qat_fips_drop2_release autoreconf -ivf @@ -200,4 +201,5 @@ rm -rf %{buildroot} %{_includedir}/crypto_mb/sm4_gcm.h %changelog -* Mon May 29 2023 Ponnam Srinivas +* Wed Jun 14 2023 Ponnam Srinivas - 1.2.0-1 +- Initial Version of RPM for QAT Provider with FIPS Support. diff --git a/qat_provider.h b/qat_provider.h index b9e4b2f4..5361f458 100644 --- a/qat_provider.h +++ b/qat_provider.h @@ -51,8 +51,8 @@ # include # include -# define QAT_PROVIDER_VERSION_STR "v1.1.0" -# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v1.1.0" +# define QAT_PROVIDER_VERSION_STR "v1.2.0" +# define QAT_PROVIDER_FULL_VERSION_STR "QAT Provider v1.2.0" # if defined(QAT_HW) && defined(QAT_SW) # define QAT_PROVIDER_NAME_STR "QAT Provider for QAT_HW and QAT_SW" diff --git a/qatengine.spec b/qatengine.spec index d7ad5124..c139d553 100644 --- a/qatengine.spec +++ b/qatengine.spec @@ -4,7 +4,7 @@ %global enginesdir %(pkg-config --variable=enginesdir libcrypto) Name: qatengine -Version: 1.1.0 +Version: 1.2.0 Release: 1%{?dist} Summary: Intel QuickAssist Technology (QAT) OpenSSL Engine 
@@ -70,6 +70,9 @@ openssl engine -v %{name} %{enginesdir}/%{name}.so %changelog +* Wed Jun 14 2023 Yogaraj Alamenda - 1.2.0-1 +- Update to qatengine v1.2.0 + * Thu May 04 2023 Yogaraj Alamenda - 1.1.0-1 - Update to qatengine v1.1.0
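Review bot: In the README.md hunk, the added sentence "This is supported from version 4.20 of QAT_HW Version 1.7 driver only." is ambiguous, because "only" can be read as limiting the feature to the Version 1.7 driver or to release 4.20 and later. State both bounds explicitly, and say whether the QAT_HW Version 2.0 driver accepts `--enable-icp-thread-specific-usdm`, since the configure example that follows gives no hint of which driver it applies to.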
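Review bot: In docs/limitations.md the inline references change from `[4]` to `[3]` (commit c9f7bba) and from `[5]` to `[4]` (OpenSSL#18509), but the diffstat lists 6 changed lines for this file and the two visible hunks account for all six, so the link definitions at the end of the file are not touched by this patch. Confirm that `[3]` and `[4]` resolve to the intended targets after the change, and renumber the definitions in the same commit if they do not. The first hunk also drops the DHE-RSA-CHACHA20-POLY1305 known issue without the commit message saying what resolved it; a one-line mention would help anyone tracking that failure.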
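Review bot: In the docs/qat_common.md FIPS section, the reworded paragraph still points at `fips/qatengine_fips.spec`, while the spec file this same patch modifies is `fips/qatprovider-fips.spec`. Correct the path so readers building the RPM find the file. The paragraph also names OpenSSL 3.0.8 as the FIPS target while docs/software_requirements.md in this patch moves the validated version to 3.0.9; if 3.0.8 is deliberate for the FIPS build, say so in the text so the two documents do not read as contradictory.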
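Review bot: In docs/troubleshooting.md the renumbered items 6 and 7 are rewritten lines that keep their spelling errors: "developement", "distibution", "Incase" and "dependant". Since both lines are already being touched, fix them here ("development", "distribution", "In case", "dependent") rather than in a follow-up.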
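Review bot: The version literal is edited by hand in three strings in e_qat.c, two defines in qat_provider.h, `AC_INIT` in configure.ac and `Version:` in qatengine.spec, which makes it easy for one copy to be missed on the next bump. configure.ac already calls `AC_INIT([qatengine], [1.2.0], [])` with `AC_CONFIG_HEADERS([config.h])`, so `PACKAGE_VERSION` is available in config.h; consider building `engine_qat_name` and `QAT_PROVIDER_VERSION_STR` from it so the reported engine and provider version cannot drift from the packaged one.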
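Review bot: In the second hunk of fips/qatprovider-fips.spec, `%global qatdriver QAT20.l.1.0.40-00004` uses a lowercase "l" while the new Source3 URL ends in `QAT20.L.1.0.40-00004.tar.gz`. If `%{qatdriver}` is used anywhere to name the unpacked driver directory or tarball, the lookup will fail on a case-sensitive filesystem. Fix the case in the macro and derive the Source3 file name from `%{qatdriver}` so the driver version is stated once. Source4 is a bare `driver_install.tar.gz` with no URL, so its origin should be documented in a comment next to it.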
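Review bot: In the `@@ -106,13 +108,12 @@` hunk of fips/qatprovider-fips.spec, the newly quoted `LD_LIBRARY_PATH` and `OPENSSL_LIB` exports still hardcode `/root/openssl_install`, although the spec defines `%global openssl_lib_path /root/openssl_install` and `%global openssl_src_path /root/openssl` for exactly this purpose. Use the macros in the export lines, and replace `cd /root/rpmbuild/BUILD/%{name}-%{version}` with the standard build-directory macro, so the package does not depend on being built from the root account's home directory. For a FIPS-oriented build, a reproducible build under an unprivileged user is the safer default.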