Changes from 23.08.0 to 23.11.0:
* Support DC NS (NoSession) APIs
* Support Symmetric Crypto SM3 & SM4
* Support Asymmetric Crypto SM2
* DC compressBound APIs
* Bug Fixes. See Resolved section in README.md
Signed-off-by: Firos Sadarul <[email protected]>
README.md: 61 additions & 33 deletions
@@ -26,6 +26,7 @@
26
26
27
27
| Date | Doc Revision | Version | Details |
28
28
|----------|:-------------:|------:|:------|
29
+
| November 2023 | 011 | 23.11 | - Support DC NS (NoSession) APIs. <br> - Support DC compressBound APIs. <br> - Support Symmetric Crypto SM3 & SM4. <br> - Support Asymmetric Crypto SM2. <br> - Bug Fixes. See [Resolved Issues](#resolved-issues). |
29
30
| August 2023 | 010 | 23.08 | - Removal of following insecure algorithms: Diffie-Hellman and Elliptic curves less than 256-bits. <br> - Additional configuration profiles, including sym which facilitates improved symmetric crypto performance. <br> - DC Chaining (Hash then compress) <br> - Bug Fixes. See [Resolved Issues](#resolved-issues). |
30
31
| February 2023 | 009 | 23.02 | - Added configuration option --enable-legacy-algorithms to use these insecure crypto algorithms and disabled them by default (AES-ECB, SHA-1, SHA2-224, SHA3-224, RSA512/1024/1536, DSA)<br>- Refactored code in quickassist/utilities/libusdm_drv<br>- Bugfixes<br>- Updated documentation with configuration and tuning information |
31
32
| November 2022 | 008 | 22.07.2 | - Changed from yasm to nasm for assembly compilation<br> - Added configuration option to use C implementation of soft CRC implementation instead of asm<br>- Added support for pkg-config<br>- Added missing lock around accesses to some global data in qatmgr |
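Review bot: The new 23.11 row in the revision table folds every fix under "Bug Fixes. See Resolved Issues", but one of the fixes listed later in this change (QATE-93844) is a cpaDcLZ4SCompressBound return value that could lead to a buffer overflow. Suggest naming that fix in the Details cell, so readers who size output buffers from the compressBound API can tell from the revision history alone that they should upgrade.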
@@ -56,9 +57,10 @@ sample codes.
56
57
The following services are available in qatlib via the QuickAssist API:
57
58
* Symmetric (Bulk) Cryptography
58
59
* Ciphers ([AES-ECB](#insecure-algorithms), AES-CBC, AES-CTR (no partials support),
59
-
AES-XTS (no partials support), AES-GCM, AES-CCM (192/256)
60
+
AES-XTS (no partials support), AES-GCM, AES-CCM (192/256), [SM4-ECB](#insecure-algorithms),
The following algorithms are considered insecure and are disabled by default.
97
102
* AES-ECB
98
103
* SHA-1
99
-
* SHA2-224
104
+
* SHA2-224
100
105
* SHA3-224
101
106
* RSA512/1024/1536
102
107
* DSA
103
108
* Diffie-Helman
104
109
* Elliptic Curve Cryptography algorithms with less 256 bits
110
+
* SM4-ECB
105
111
106
112
To enable these algorithms, use the following configuration option:
107
113
*`--enable-legacy-algorithms`
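Review bot: With SM4-ECB added to the disabled-by-default list, the sentence under the list ("To enable these algorithms, use the following configuration option") reads as one switch for every entry, and it does not say that enabling it for SM4-ECB also enables AES-ECB, SHA-1, RSA512/1024/1536 and the rest. Suggest stating that explicitly next to the option. While this list is being edited, the context lines "Diffie-Helman" and "with less 256 bits" could be corrected to "Diffie-Hellman" and "with less than 256 bits", and the SHA2-224 line is removed and re-added with no visible difference, which looks like a whitespace-only change that should be dropped or mentioned in the commit message.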
@@ -122,6 +128,9 @@ supported.
122
128
## Limitations
123
129
* If an error occurs on the host driver (Heartbeat, Uncorrectable error) it
124
130
will not be communicated to the library.
131
+
* For simplicity, only one configuration file is used by qatlib. For guidance
132
+
on how to use this to allocate resources for processes, please refer to
133
+
Configuration and Tuning section in [QATlib User’s Guide](https://intel.github.io/quickassist/qatlib/index.html).
125
134
126
135
The following features are not currently supported:
127
136
* Dynamic instances
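Review bot: The added limitation says only one configuration file is used "for simplicity" but does not name the file or say what this means for processes that need separate resource allocations, so the reader has to follow the link to learn the actual constraint. Suggest stating the consequence in one sentence here. Also, "please refer to Configuration and Tuning section" is missing the article ("the Configuration and Tuning section").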
@@ -147,8 +156,6 @@ The following assumptions are made concerning the deployment environment:
147
156
discovered and initialized the device, exposing the VFs. This driver is
148
157
included in the Linux kernel, see [INSTALL](INSTALL) for information about which kernel
149
158
to use.
150
-
* The library can be used by unprivileged users if that user is included in
151
-
the 'qat' group.
152
159
153
160
## Examples
154
161
Example applications that showcase usage of the QAT APIs are included in the
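Review bot: The two removed lines were the only statement in this hunk of who is allowed to use the library ("The library can be used by unprivileged users if that user is included in the 'qat' group."), and nothing visible replaces them. If the group requirement still applies, keep the bullet or point to where it now lives; if the access model changed in 23.11, the deployment assumptions should say what it is now.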
@@ -180,8 +187,7 @@ where: \<Component\> is one of the following:
180
187
| QATE-41707 |[CY - Incorrect digest returned when performing a plain hash operation on input data of size 4GB or larger.](#qate-41707)|
181
188
| QATE-76073 |[GEN - If PF device configuration is modified without restarting qatmgr, undefined behavior may occur.](#qate-76073)|
182
189
| QATE-76698 |[GEN - Multi-process applications running in guest will fail when running with default Policy settings.](#qate-76698)|
183
-
| QATE-94286 |[CY - Compression services not detected when crypto-capable VFs are added to VM.](#qate-94286)|
184
-
| QATE-94369 |[GEN - SELinux Preventing QAT Service Startup](#qate-94369)|
190
+
| QATE-94369 |[GEN - SELinux Preventing QAT Service Startup.](#qate-94369)|
185
191
186
192
## QATE-3241
187
193
| Title | CY - cpaCySymPerformOp when used with parameter checking may reveal the amount of padding. |
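Review bot: The QATE-94369 index entry gains a trailing period here, while the Title row of the QATE-94369 section further down ("GEN - SELinux Preventing QAT Service Startup") stays without one. Suggest picking one form and applying it to both the index row and the section title.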
@@ -224,20 +230,10 @@ where: \<Component\> is one of the following:
224
230
| Affected OS | Linux |
225
231
| Driver/Module | CPM-IA - General |
226
232
227
-
## QATE-94286
228
-
| Title | GEN - Compression services not detected when crypto-capable VFs are also added to VM. |
229
-
|----------|:-------------
230
-
| Reference # | QATE-94286 |
231
-
| Description | When configuring a system with different services on different QAT end-points, e.g. asym;sym on one and dc on another, and exposing only one of those Virtual Function (VF) types to the Virtual Machine (VM), the application works as expected. However, when VFs of more than one type are passed to the same VM, the application may only recognize one service-type, e.g. it may detect crypto instances, but not compression instances. There is an assumption that all VFs provide the same services if they come from the same PF. However, detecting which PF they come from is based on domain+bus, which is not always a valid assumption on a VM. |
232
-
| Implication | This issue prevents the detection of compression services in a virtualized environment when the default kernel configuration is used, and crypto and dc VFs are passed to the VM, potentially impacting the proper functioning of the system. |
233
-
| Resolution | When passing VFs to a guest, the BDFs on the guest should facilitate qatlib recognizing whether VFs are from the same PF or not. See RUNNING IN A VIRTUAL MACHINE / GUEST section of INSTALL for details. |
234
-
| Affected OS | Linux |
235
-
| Driver/Module | CPM-IA - General |
236
-
237
233
## QATE-94369
238
234
| Title | GEN - SELinux Preventing QAT Service Startup |
239
235
|----------|:-------------
240
-
| Reference # | QATE-94286|
236
+
| Reference # | QATE-94369|
241
237
| Description | The qat service fails to start due to SELinux preventing the qat_init.sh script and qatmgr from accessing resources. The issue occurs when the system is running with SELinux enabled, causing insufficient permissions for the qat_init.sh script and qatmgr to function correctly. |
242
238
| Implication | This issue affects the proper functioning of the qat service on systems with SELinux enabled, potentially preventing QAT virtual functions (VFs) from functioning. |
243
239
| Resolution | None available. |
@@ -250,23 +246,45 @@ in this section.
250
246
251
247
| Issue ID | Description |
252
248
|-------------|------------|
253
-
| QATE-90845 |[GEN - QAT service fails to start, issue #38](#qate-90845)|
249
+
| QATE-94286 |[GEN - Compression services not detected when crypto-capable VFs are added to VM.](#qate-94286)|
250
+
| QATE-95905 |[GEN - Fix build when building outside of main directory, issue #56](#qate-95905)|
251
+
| QATE-93844 | [DC - cpaDcLZ4SCompressBound is not returning correct value, which could lead to a buffer overflow.](#qate-93844)
| QATE-90845 |[GEN - QAT service fails to start, issue #38](#qate-90845)|
254
+
| QATE-78459 |[DC - cpaDcDeflateCompressBound API returns incorrect output buffer size when input size exceeds 477218588 bytes.](#qate-78459)|
255
255
| QATE-76846 |[GEN - Forking and re-initializing use-cases do not work](#qate-76846)|
256
-
| QATE-78459 |[DC - cpaDcDeflateCompressBound API returns incorrect output buffer size when input size exceeds 477218588 bytes.](#qate-74786)|
257
256
| QATE-12241 |[CY - TLS1.2 with secret key lengths greater than 64 are not supported.](#qate-12241)|
258
257
258
+
## QATE-94286
259
+
| Title | GEN - Compression services not detected when crypto-capable VFs are also added to VM. |
260
+
|----------|:-------------
261
+
| Reference # | QATE-94286 |
262
+
| Description | When configuring a system with different services on different QAT end-points, e.g. asym;sym on one and dc on another, and exposing only one of those Virtual Function (VF) types to the Virtual Machine (VM), the application works as expected. However, when VFs of more than one type are passed to the same VM, the application may only recognize one service-type, e.g. it may detect crypto instances, but not compression instances. There is an assumption that all VFs provide the same services if they come from the same PF. However, detecting which PF they come from is based on domain+bus, which is not always a valid assumption on a VM. |
263
+
| Implication | This issue prevents the detection of compression services in a virtualized environment when the default kernel configuration is used, and crypto and dc VFs are passed to the VM, potentially impacting the proper functioning of the system. |
264
+
| Resolution | Fixed in 23.11. <br>Temporary solution: use a custom libvirt XML file like QATE-76698 here: https://github.com/intel/qatlib/tree/main#qate-76698 . |
265
+
| Affected OS | Linux |
266
+
| Driver/Module | CPM-IA - General |
259
267
260
-
## QATE-90845
261
-
| Title |GEN - QAT service fails to start, issue #38|
268
+
## QATE-95905
269
+
| Title | GEN - Fix build when building outside of main directory, issue #56|
262
270
|----------|:-------------
263
-
| Reference # | QATE-90845 |
264
-
| Description |QAT service fails to start. The qat service may fail if the kernel driver's initialization is not fully finished when the service starts. See [issue 38](https://github.com/intel/qatlib/issues/38). |
265
-
| Implication |The qatmgr may not detect any or all of the vfio devices. |
266
-
| Resolution | Fixed in 23.08. The service waits until the kernel driver has completed initialization of all PFs before starting the service. |
271
+
| Reference # | QATE-95905 |<F3>
272
+
| Description |Fix build when building outside of main directory. Added changes to autoconfig to be able to build outside main directory. See [issue 56](https://github.com/intel/qatlib/issues/56). |
273
+
| Implication |A fatal error occurs when trying to build outside main directory. |
274
+
| Resolution | Fixed in 23.11. |
267
275
| Affected OS | Linux |
268
276
| Driver/Module | CPM-IA - General |
269
277
278
+
## QATE-93844
279
+
| Title | DC - cpaDcLZ4SCompressBound is not returning correct value, which could lead to a buffer overflow. |
280
+
|----------|:-------------
281
+
| Reference # | QATE-93844 |
282
+
| Description | CompressBound API (cpaDcLZ4SCompressBound()) is intended to return the maximum size of the output buffer. However, this API is not returning the correct value, which can lead to a lz4s buffer overflow. |
283
+
| Implication | Applications may experience buffer overflows even when using the output of compressBound API to allocate output buffers. |
284
+
| Resolution | Fixed in 23.11 |
285
+
| Affected OS | Linux |
286
+
| Driver/Module | QAT IA - Compression |
287
+
270
288
## QATE-93278
271
289
| Title | GEN - sample_code potential seg-fault, issue #46|
272
290
|----------|:-------------
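Review bot: Two formatting defects in the added lines: the Reference row for QATE-95905 ends with a stray "<F3>" (an editor keystroke), and the new QATE-93844 row in the index table has no closing "|", which breaks the table row. On content, the QATE-93844 entry gives only "Fixed in 23.11" for an API whose wrong return value can lead to a buffer overflow; suggest adding which releases are affected so users of earlier versions know whether their compressBound-sized buffers are at risk. The QATE-94286 resolution also replaces the earlier pointer to the RUNNING IN A VIRTUAL MACHINE / GUEST section of INSTALL with a link to an anchor on the main branch README, which will go stale if that entry moves.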
@@ -277,13 +295,13 @@ in this section.
277
295
| Affected OS | Linux |
278
296
| Driver/Module | CPM-IA - General |
279
297
280
-
## QATE-76846
281
-
| Title | GEN - Forking and re-initializing use-cases do not work |
298
+
## QATE-90845
299
+
| Title | GEN - QAT service fails to start, issue #38|
282
300
|----------|:-------------
283
-
| Reference # | QATE-76846|
284
-
| Description |Forking and re-initializing use-cases do not work:<br>-icp_sal_userStart()/icp_sal_userStop()/icp_sal_userStart() in single process<br>-icp_sal_userStart()/fork()/icp_sal_userStart() in child.<br> This is the use case in openssh + QAT_Engine. |
285
-
| Implication | The process will have undefined behavior in these use-cases. |
286
-
| Resolution |This issue is resolved with the 21.08 release. If using release prior to this release and using these flows, call qaeMemDestroy() immediately after icp_sal_userStop() to prevent this issue. |
301
+
| Reference # | QATE-90845|
302
+
| Description |QAT service fails to start. The qat service may fail if the kernel driver's initialization is not fully finished when the service starts. See [issue 38](https://github.com/intel/qatlib/issues/38). |
303
+
| Implication | The qatmgr may not detect any or all of the vfio devices. |
304
+
| Resolution |Fixed in 23.08. The service waits until the kernel driver has completed initialization of all PFs before starting the service. |
287
305
| Affected OS | Linux |
288
306
| Driver/Module | CPM-IA - General |
289
307
@@ -297,13 +315,23 @@ in this section.
297
315
| Affected OS | Linux |
298
316
| Driver/Module | CPM-IA - Data Compression |
299
317
318
+
## QATE-76846
319
+
| Title | GEN - Forking and re-initializing use-cases do not work |
320
+
|----------|:-------------
321
+
| Reference # | QATE-76846 |
322
+
| Description | Forking and re-initializing use-cases do not work:<br>-icp_sal_userStart()/icp_sal_userStop()/icp_sal_userStart() in single process<br>-icp_sal_userStart()/fork()/icp_sal_userStart() in child.<br> This is the use case in openssh + QAT_Engine. |
323
+
| Implication | The process will have undefined behavior in these use-cases. |
324
+
| Resolution | Fixed in 21.08. If using release prior to this release and using these flows, call qaeMemDestroy() immediately after icp_sal_userStop() to prevent this issue. |
325
+
| Affected OS | Linux |
326
+
| Driver/Module | CPM-IA - General |
327
+
300
328
## QATE-12241
301
329
| Title | CY - TLS1.2 with secret key lengths greater than 64 are not supported |
302
330
|----------|:-------------
303
331
| Reference # | QATE-12241 |
304
332
| Description | Algorithms, as with Diffie-Hellman using 8K parameters that can use a secret key length greater than 64 bytes is not supported.|
305
333
| Implication | Key generation would fail for TLS1.2 algorithms that use more than 64 bytes secret length keys. |
306
-
| Resolution |This is resolved with the 22.07 release. |
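Review bot: In the visible part of this hunk the Resolution row for QATE-12241 ("This is resolved with the 22.07 release.") is removed and no replacement line is shown. Confirm the entry still records the release that fixed it, in the "Fixed in ..." form the other resolved entries in this change now use.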