DPDK patches and discussions
 help / color / mirror / Atom feed
* [PATCH] crypto/qat: support to enable insecure algorithms
@ 2023-04-20  9:58 Vikash Poddar
  2023-05-23  9:14 ` [PATCH v2] " Vikash Poddar
  0 siblings, 1 reply; 14+ messages in thread
From: Vikash Poddar @ 2023-04-20  9:58 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev.
use qat_legacy_capa to enable all the legacy
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
 drivers/common/qat/qat_device.c              |  1 +
 drivers/common/qat/qat_device.h              |  3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c | 90 ++++++++++++--------
 drivers/crypto/qat/qat_crypto.h              |  1 +
 drivers/crypto/qat/qat_sym.c                 |  3 +
 5 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 8bce2ac073..b8da684973 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -365,6 +365,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index bc3da04238..12b8cc46b1 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,12 +17,13 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	4
+#define QAT_CMD_SLICE_MAP_POS	5
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 60ca0fc0d2..3cd1c42d94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,39 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +61,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +76,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -112,18 +129,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -131,7 +136,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 4, 0),
 		CAP_RNG_ZERO(aad_size), CAP_RNG(iv_size, 16, 16, 0)),
-	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
 static int
@@ -283,8 +287,16 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t i, j;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,16 +312,24 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
+	capabilities = qat_sym_crypto_caps_gen2;
+	if (unlikely(qat_legacy_capa))
+		capa_num += legacy_capa_num;
+
+	for (i = 0, j = 0; i < capa_num; i++) {
+		memcpy(addr + curr_capa, capabilities + j,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+		j++;
+
+		if (unlikely(qat_legacy_capa) && (i == capa_num-legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_legacy_caps_gen2;
+			addr += curr_capa;
+			j = 0;
+			curr_capa = 0;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index 6fe1326c51..a4152302bc 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 08e92191a3..61f5cd9a36 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -281,6 +282,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v2] crypto/qat: support to enable insecure algorithms
  2023-04-20  9:58 [PATCH] crypto/qat: support to enable insecure algorithms Vikash Poddar
@ 2023-05-23  9:14 ` Vikash Poddar
  2023-05-23 14:35   ` Ji, Kai
                     ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-05-23  9:14 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 app/test/test_cryptodev_asym.c               |  28 +++--
 doc/guides/cryptodevs/qat.rst                |  13 +++
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 11 files changed, 255 insertions(+), 165 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 9236817650..bb32d81e57 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -619,13 +627,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index ef754106a8..f91a5e19e5 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -294,6 +294,19 @@ by comma. When the same parameter is used more than once first occurrence of the
 is used.
 Maximum threshold that can be set is 32.
 
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD parameter is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the parameter on process start as a device additional parameter::
+
+  -a b1:01.2,qat_legacy_capa=1
+
 Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 8bce2ac073..b8da684973 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -365,6 +365,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index bc3da04238..12b8cc46b1 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,12 +17,13 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	4
+#define QAT_CMD_SLICE_MAP_POS	5
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 60ca0fc0d2..d4f4a85451 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 91d5cfa71d..0cfac70aef 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index 6fe1326c51..a4152302bc 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 08e92191a3..61f5cd9a36 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -281,6 +282,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* Re: [PATCH v2] crypto/qat: support to enable insecure algorithms
  2023-05-23  9:14 ` [PATCH v2] " Vikash Poddar
@ 2023-05-23 14:35   ` Ji, Kai
  2023-05-25  7:56   ` [EXT] " Akhil Goyal
  2023-05-25 16:10   ` [PATCH v3] " Vikash Poddar
  2 siblings, 0 replies; 14+ messages in thread
From: Ji, Kai @ 2023-05-23 14:35 UTC (permalink / raw)
  To: Poddar, Vikash ChandraX, Akhil Goyal, Fan Zhang; +Cc: dev

[-- Attachment #1: Type: text/plain, Size: 836 bytes --]

Acked-by: Kai Ji <kai.ji@intel.com>

________________________________
From: Poddar, Vikash ChandraX <vikash.chandrax.poddar@intel.com>
Sent: Tuesday, May 23, 2023 10:14
To: Akhil Goyal <gakhil@marvell.com>; Fan Zhang <fanzhang.oss@gmail.com>; Ji, Kai <kai.ji@intel.com>
Cc: dev@dpdk.org <dev@dpdk.org>; Poddar, Vikash ChandraX <vikash.chandrax.poddar@intel.com>
Subject: [PATCH v2] crypto/qat: support to enable insecure algorithms

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---


[-- Attachment #2: Type: text/html, Size: 1915 bytes --]

^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: [EXT] [PATCH v2] crypto/qat: support to enable insecure algorithms
  2023-05-23  9:14 ` [PATCH v2] " Vikash Poddar
  2023-05-23 14:35   ` Ji, Kai
@ 2023-05-25  7:56   ` Akhil Goyal
  2023-05-25 16:10   ` [PATCH v3] " Vikash Poddar
  2 siblings, 0 replies; 14+ messages in thread
From: Akhil Goyal @ 2023-05-25  7:56 UTC (permalink / raw)
  To: Vikash Poddar, Fan Zhang, Kai Ji; +Cc: dev

> All the insecure algorithms are default disable from
> cryptodev Gen 1,2,3 and 4.
> use qat_legacy_capa to enable all the legacy
> algorithms.
> These change effects both sym and asym insecure crypto
> algorithms.
> 
> Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
Please rebase and specify patch dependencies if any.

^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v3] crypto/qat: support to enable insecure algorithms
  2023-05-23  9:14 ` [PATCH v2] " Vikash Poddar
  2023-05-23 14:35   ` Ji, Kai
  2023-05-25  7:56   ` [EXT] " Akhil Goyal
@ 2023-05-25 16:10   ` Vikash Poddar
  2023-05-26  6:48     ` [PATCH v4] " Vikash Poddar
  2023-05-29  6:32     ` [PATCH v5] " Vikash Poddar
  2 siblings, 2 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-05-25 16:10 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
corruption")
v3:
Rebased the patch.
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 app/test/test_cryptodev_asym.c               |  28 +++--
 doc/guides/cryptodevs/qat.rst                |  14 +++
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   1 +
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 11 files changed, 255 insertions(+), 164 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 9236817650..bb32d81e57 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -619,13 +627,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index a4a25711ed..08a2551082 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -317,6 +317,20 @@ To use this feature the user must set the devarg on process start as a device ad
  -a 03:01.1,qat_sym_cipher_crc_enable=1
 
 
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD parameter is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the parameter on process start as a device additional parameter::
+
+  -a b1:01.2,qat_legacy_capa=1
+
+
 Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 0479175b65..4b844263ea 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 4188474dde..db024d05ae 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,6 +17,7 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 1f3e2b1d99..3447bd2a7e 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 590eaa0057..d363ba4f43 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index e20f16236e..126fe5c822 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 345c845325..d07132aaa1 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v4] crypto/qat: support to enable insecure algorithms
  2023-05-25 16:10   ` [PATCH v3] " Vikash Poddar
@ 2023-05-26  6:48     ` Vikash Poddar
  2023-05-29  6:32     ` [PATCH v5] " Vikash Poddar
  1 sibling, 0 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-05-26  6:48 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
corruption")
v4:
Resolved rebase conflict.
v3:
Rebased the patch.
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 app/test/test_cryptodev_asym.c               |  28 +++--
 doc/guides/cryptodevs/qat.rst                |  16 ++-
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 11 files changed, 257 insertions(+), 166 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 9236817650..bb32d81e57 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -619,13 +627,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index a4a25711ed..ae16e47611 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -314,7 +314,21 @@ If not supported, the CRC is calculated by the QAT PMD using the NET CRC API.
 
 To use this feature the user must set the devarg on process start as a device additional devarg::
 
- -a 03:01.1,qat_sym_cipher_crc_enable=1
+  -a 03:01.1,qat_sym_cipher_crc_enable=1
+
+
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD parameter is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the parameter on process start as a device additional parameter::
+
+  -a b1:01.2,qat_legacy_capa=1
 
 
 Running QAT PMD with Intel IPSEC MB library for symmetric precomputes function
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 0479175b65..4b844263ea 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 4188474dde..940ff5c278 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,13 +17,14 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	5
+#define QAT_CMD_SLICE_MAP_POS	6
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 1f3e2b1d99..3447bd2a7e 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 590eaa0057..d363ba4f43 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index e20f16236e..126fe5c822 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 345c845325..d07132aaa1 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v5] crypto/qat: support to enable insecure algorithms
  2023-05-25 16:10   ` [PATCH v3] " Vikash Poddar
  2023-05-26  6:48     ` [PATCH v4] " Vikash Poddar
@ 2023-05-29  6:32     ` Vikash Poddar
  2023-05-29 10:45       ` [PATCH v6] " Vikash Poddar
  1 sibling, 1 reply; 14+ messages in thread
From: Vikash Poddar @ 2023-05-29  6:32 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
corruption")
v5:
Resolving apply patch warning
v4:
Resolved rebase conflict.
v3:
Rebased the patch.
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 app/test/test_cryptodev_asym.c               |  28 +++--
 doc/guides/cryptodevs/qat.rst                |  14 +++
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 11 files changed, 256 insertions(+), 165 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 9236817650..bb32d81e57 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -619,13 +627,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index a4a25711ed..9360a6a9e5 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -272,6 +272,20 @@ allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes over
 	larger than the input size).
 
 
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD parameter is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the parameter on process start as a device additional parameter::
+
+  -a b1:01.2,qat_legacy_capa=1
+
+
 Running QAT PMD with minimum threshold for burst size
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 0479175b65..4b844263ea 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 4188474dde..940ff5c278 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,13 +17,14 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	5
+#define QAT_CMD_SLICE_MAP_POS	6
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 1f3e2b1d99..3447bd2a7e 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 590eaa0057..d363ba4f43 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index e20f16236e..126fe5c822 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 345c845325..d07132aaa1 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v6] crypto/qat: support to enable insecure algorithms
  2023-05-29  6:32     ` [PATCH v5] " Vikash Poddar
@ 2023-05-29 10:45       ` Vikash Poddar
  2023-06-08 13:14         ` Power, Ciara
                           ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-05-29 10:45 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang, Kai Ji; +Cc: dev, Vikash Poddar

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
---
Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
corruption")
v6:
Rebased patch
v5:
Resolving apply patch warning
v4:
Resolved rebase conflict.
v3:
Rebased the patch.
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 app/test/test_cryptodev_asym.c               |  28 +++--
 doc/guides/cryptodevs/qat.rst                |  14 +++
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 11 files changed, 256 insertions(+), 165 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index 9236817650..bb32d81e57 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -619,13 +627,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index a4a25711ed..9360a6a9e5 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -272,6 +272,20 @@ allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes over
 	larger than the input size).
 
 
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD parameter is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the parameter on process start as a device additional parameter::
+
+  -a b1:01.2,qat_legacy_capa=1
+
+
 Running QAT PMD with minimum threshold for burst size
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 0479175b65..4b844263ea 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 4188474dde..940ff5c278 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,13 +17,14 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	5
+#define QAT_CMD_SLICE_MAP_POS	6
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 1f3e2b1d99..3447bd2a7e 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 590eaa0057..d363ba4f43 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index e20f16236e..126fe5c822 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 345c845325..d07132aaa1 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: [PATCH v6] crypto/qat: support to enable insecure algorithms
  2023-05-29 10:45       ` [PATCH v6] " Vikash Poddar
@ 2023-06-08 13:14         ` Power, Ciara
  2023-06-14 18:30         ` [EXT] " Akhil Goyal
  2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
  2 siblings, 0 replies; 14+ messages in thread
From: Power, Ciara @ 2023-06-08 13:14 UTC (permalink / raw)
  To: Poddar, Vikash ChandraX, Akhil Goyal, Fan Zhang, Ji, Kai
  Cc: dev, Poddar, Vikash ChandraX



> -----Original Message-----
> From: Vikash Poddar <vikash.chandrax.poddar@intel.com>
> Sent: Monday 29 May 2023 11:45
> To: Akhil Goyal <gakhil@marvell.com>; Fan Zhang
> <fanzhang.oss@gmail.com>; Ji, Kai <kai.ji@intel.com>
> Cc: dev@dpdk.org; Poddar, Vikash ChandraX
> <vikash.chandrax.poddar@intel.com>
> Subject: [PATCH v6] crypto/qat: support to enable insecure algorithms
> 
> All the insecure algorithms are default disable from cryptodev Gen 1,2,3 and
> 4.
> use qat_legacy_capa to enable all the legacy algorithms.
> These change effects both sym and asym insecure crypto algorithms.
> 
> Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
> ---
> Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
> corruption")
> v6:
> Rebased patch
> v5:
> Resolving apply patch warning
> v4:
> Resolved rebase conflict.
> v3:
> Rebased the patch.
> v2:
> Extend the support to enable the insecure algorithm in QAT Gen 1,3 and 4 for
> sym as well as asym.

Acked-by: Ciara Power <ciara.power@intel.com>

^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: [EXT] [PATCH v6] crypto/qat: support to enable insecure algorithms
  2023-05-29 10:45       ` [PATCH v6] " Vikash Poddar
  2023-06-08 13:14         ` Power, Ciara
@ 2023-06-14 18:30         ` Akhil Goyal
  2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
  2 siblings, 0 replies; 14+ messages in thread
From: Akhil Goyal @ 2023-06-14 18:30 UTC (permalink / raw)
  To: Vikash Poddar, Fan Zhang, Kai Ji; +Cc: dev

> All the insecure algorithms are default disable from
> cryptodev Gen 1,2,3 and 4.
> use qat_legacy_capa to enable all the legacy
> algorithms.
> These change effects both sym and asym insecure crypto
> algorithms.
> 
> Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
> ---
> Depends-on: patch-28182 ("[v2] common/qat: fix qat_dev_cmd_param
> corruption")

Can we add the dependent patch and this patch in a series of patches,
So that CI can run on the patches.

> v6:
> Rebased patch
> v5:
> Resolving apply patch warning
> v4:
> Resolved rebase conflict.
> v3:
> Rebased the patch.
> v2:
> Extend the support to enable the insecure algorithm in
> QAT Gen 1,3 and 4 for sym as well as asym.
> ---
>  app/test/test_cryptodev_asym.c               |  28 +++--

How are these test app changes linked to this patch?
These should be explained as a separate patch.


>  doc/guides/cryptodevs/qat.rst                |  14 +++
>  drivers/common/qat/qat_device.c              |   1 +
>  drivers/common/qat/qat_device.h              |   3 +-
>  drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
>  drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
>  drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
>  drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
>  drivers/crypto/qat/qat_asym.c                |  16 ++-
>  drivers/crypto/qat/qat_crypto.h              |   1 +
>  drivers/crypto/qat/qat_sym.c                 |   3 +
>  11 files changed, 256 insertions(+), 165 deletions(-)
> 
> diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
> index 9236817650..bb32d81e57 100644
> --- a/app/test/test_cryptodev_asym.c
> +++ b/app/test/test_cryptodev_asym.c
> @@ -453,11 +453,14 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
>  		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
>  				ts_params->session_mpool, &sess);
>  		if (ret < 0) {
> -			snprintf(test_msg, ASYM_TEST_MSG_LEN,
> -					"line %u "
> -					"FAILED: %s", __LINE__,
> -					"Session creation failed");
>  			status = (ret == -ENOTSUP) ? TEST_SKIPPED :
> TEST_FAILED;
> +			if (status == TEST_SKIPPED)
> +				snprintf(test_msg, ASYM_TEST_MSG_LEN,
> "SKIPPED");
> +			else
> +				snprintf(test_msg, ASYM_TEST_MSG_LEN,
> +						"line %u "
> +						"FAILED: %s", __LINE__,
> +						"Session creation failed");
>  			goto error_exit;
>  		}
> 
> @@ -489,6 +492,11 @@ test_cryptodev_asym_op(struct
> crypto_testsuite_params_asym *ts_params,
>  	}
> 
>  	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) !=
> TEST_SUCCESS) {
> +		if (result_op->status ==
> RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
> +			snprintf(test_msg, ASYM_TEST_MSG_LEN,
> "SESSIONLESS SKIPPED");
> +			status = TEST_SKIPPED;
> +			goto error_exit;
> +		}
>  		snprintf(test_msg, ASYM_TEST_MSG_LEN,
>  			"line %u FAILED: %s",
>  			__LINE__, "Verification failed ");
> @@ -619,13 +627,19 @@ test_one_by_one(void)
>  	/* Go through all test cases */
>  	test_index = 0;
>  	for (i = 0; i < test_vector.size; i++) {
> -		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
> +		status = test_one_case(test_vector.address[i], 0);
> +		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
> +			status = TEST_SUCCESS;
> +		else
>  			status = TEST_FAILED;
>  	}
> +
>  	if (sessionless) {
>  		for (i = 0; i < test_vector.size; i++) {
> -			if (test_one_case(test_vector.address[i], 1)
> -					!= TEST_SUCCESS)
> +			status = test_one_case(test_vector.address[i], 1);
> +			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
> +				status = TEST_SUCCESS;
> +			else
>  				status = TEST_FAILED;
>  		}
>  	}
> diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
> index a4a25711ed..9360a6a9e5 100644
> --- a/doc/guides/cryptodevs/qat.rst
> +++ b/doc/guides/cryptodevs/qat.rst
> @@ -272,6 +272,20 @@ allocated while for GEN1 devices, 12 buffers are
> allocated, plus 1472 bytes over
>  	larger than the input size).
> 
> 
> +Running QAT PMD with insecure crypto algorithms
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +A few insecure crypto algorithms are deprecated from QAT drivers. This needs
> to be reflected in DPDK QAT PMD.
> +DPDK QAT PMD has by default disabled all the insecure crypto algorithms from
> Gen 1,2,3 and 4.
> +A PMD parameter is used to enable the capability.
> +
> +- qat_legacy_capa
> +
> +To use this feature the user must set the parameter on process start as a device
> additional parameter::

Use the word devarg to be consistent with rest of DPDK.

> +
> +  -a b1:01.2,qat_legacy_capa=1
> +
> +
>  Running QAT PMD with minimum threshold for burst size
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> diff --git a/drivers/common/qat/qat_device.c
> b/drivers/common/qat/qat_device.c
> index 0479175b65..4b844263ea 100644
> --- a/drivers/common/qat/qat_device.c
> +++ b/drivers/common/qat/qat_device.c
> @@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv
> __rte_unused,
>  	struct qat_pci_device *qat_pci_dev;
>  	struct qat_dev_hw_spec_funcs *ops_hw;
>  	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
> +			{ QAT_LEGACY_CAPA, 0 },
>  			{ QAT_IPSEC_MB_LIB, 0 },
>  			{ SYM_ENQ_THRESHOLD_NAME, 0 },
>  			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
> diff --git a/drivers/common/qat/qat_device.h
> b/drivers/common/qat/qat_device.h
> index 4188474dde..940ff5c278 100644
> --- a/drivers/common/qat/qat_device.h
> +++ b/drivers/common/qat/qat_device.h
> @@ -17,13 +17,14 @@
> 
>  #define QAT_DEV_NAME_MAX_LEN	64
> 
> +#define QAT_LEGACY_CAPA "qat_legacy_capa"
>  #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
>  #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
>  #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
>  #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
>  #define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
>  #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
> -#define QAT_CMD_SLICE_MAP_POS	5
> +#define QAT_CMD_SLICE_MAP_POS	6
>  #define MAX_QP_THRESHOLD_SIZE	32
> 
>  /**
> diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
> b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
> index 1f3e2b1d99..3447bd2a7e 100644
> --- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
> +++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
> @@ -12,10 +12,41 @@
> 
>  #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
> 
> -static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
> +static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] =
> {
> +	QAT_SYM_CIPHER_CAP(DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(3DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(3DES_CTR,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(digest_size, 1, 20, 1)),
> +	QAT_SYM_AUTH_CAP(SHA224,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(MD5_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
> +};
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
>  	QAT_SYM_AEAD_CAP(AES_GCM,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
> @@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen2[] = {
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
>  			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
> @@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen2[] = {
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
>  		CAP_SET(block_size, 136),
>  		CAP_RNG(digest_size, 32, 32, 0)),
> -	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256_HMAC,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
> @@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen2[] = {
>  		CAP_SET(block_size, 128),
>  		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(MD5_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
> @@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen2[] = {
>  	QAT_SYM_CIPHER_CAP(NULL,
>  		CAP_SET(block_size, 1),
>  		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_CIPHER_CAP(3DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(3DES_CTR,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
>  	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
> @@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct
> qat_cryptodev_private *internals,
>  			const char *capa_memz_name,
>  			const uint16_t __rte_unused slice_map)
>  {
> -	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
> -	uint32_t i;
> +	uint32_t legacy_capa_num;
> +	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
> +	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
> +	legacy_capa_num = legacy_size/sizeof(struct
> rte_cryptodev_capabilities);
> +
> +	if (unlikely(qat_legacy_capa))
> +		size = size + legacy_size;
> 
>  	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
>  	if (internals->capa_mz == NULL) {
> @@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct
> qat_cryptodev_private *internals,
>  	struct rte_cryptodev_capabilities *addr =
>  			(struct rte_cryptodev_capabilities *)
>  				internals->capa_mz->addr;
> -	const struct rte_cryptodev_capabilities *capabilities =
> -		qat_sym_crypto_caps_gen2;
> -	const uint32_t capa_num =
> -		size / sizeof(struct rte_cryptodev_capabilities);
> -	uint32_t curr_capa = 0;
> -
> -	for (i = 0; i < capa_num; i++) {
> -		memcpy(addr + curr_capa, capabilities + i,
> -			sizeof(struct rte_cryptodev_capabilities));
> -		curr_capa++;
> +	struct rte_cryptodev_capabilities *capabilities;
> +
> +	if (unlikely(qat_legacy_capa)) {
> +		capabilities = qat_sym_crypto_legacy_caps_gen2;
> +		memcpy(addr, capabilities, legacy_size);
> +		addr += legacy_capa_num;
>  	}
> +	capabilities = qat_sym_crypto_caps_gen2;
> +	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
>  	internals->qat_dev_capabilities = internals->capa_mz->addr;
> 
>  	return 0;
> diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
> b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
> index 6013fed721..d1809cf2f0 100644
> --- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
> +++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
> @@ -10,10 +10,45 @@
>  #include "qat_crypto.h"
>  #include "qat_crypto_pmd_gens.h"
> 
> -static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] =
> {
> +	QAT_SYM_CIPHER_CAP(3DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(3DES_CTR,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(digest_size, 1, 20, 1)),
> +	QAT_SYM_AUTH_CAP(SHA224,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(MD5_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
> +		CAP_SET(block_size, 144),
> +		CAP_RNG(digest_size, 28, 28, 0)),
> +};
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
>  	QAT_SYM_AEAD_CAP(AES_GCM,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
> @@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen3[] = {
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
>  			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
> @@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen3[] = {
>  		CAP_SET(block_size, 128),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
> -		CAP_SET(block_size, 144),
> -		CAP_RNG(digest_size, 28, 28, 0)),
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
>  		CAP_SET(block_size, 136),
>  		CAP_RNG(digest_size, 32, 32, 0)),
> @@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen3[] = {
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
>  		CAP_SET(block_size, 72),
>  		CAP_RNG(digest_size, 64, 64, 0)),
> -	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256_HMAC,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
> @@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen3[] = {
>  		CAP_SET(block_size, 128),
>  		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(MD5_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
> @@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen3[] = {
>  	QAT_SYM_CIPHER_CAP(NULL,
>  		CAP_SET(block_size, 1),
>  		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_CIPHER_CAP(3DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(3DES_CTR,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
>  	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
> @@ -188,8 +192,17 @@ static int
>  qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
>  			const char *capa_memz_name, const uint16_t
> slice_map)
>  {
> -	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
> -	uint32_t i;
> +
> +	uint32_t i, iter = 0;
> +	uint32_t curr_capa = 0;
> +	uint32_t capa_num, legacy_capa_num;
> +	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
> +	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
> +	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
> +	legacy_capa_num = legacy_size/sizeof(struct
> rte_cryptodev_capabilities);
> +
> +	if (unlikely(qat_legacy_capa))
> +		size = size + legacy_size;
> 
>  	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
>  	if (internals->capa_mz == NULL) {
> @@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct
> qat_cryptodev_private *internals,
>  	struct rte_cryptodev_capabilities *addr =
>  			(struct rte_cryptodev_capabilities *)
>  				internals->capa_mz->addr;
> -	const struct rte_cryptodev_capabilities *capabilities =
> -		qat_sym_crypto_caps_gen3;
> -	const uint32_t capa_num =
> -		size / sizeof(struct rte_cryptodev_capabilities);
> -	uint32_t curr_capa = 0;
> +	struct rte_cryptodev_capabilities *capabilities;
> 
> -	for (i = 0; i < capa_num; i++) {
> +	if (unlikely(qat_legacy_capa)) {
> +		capabilities = qat_sym_crypto_legacy_caps_gen3;
> +		capa_num += legacy_capa_num;
> +	} else {
> +		capabilities = qat_sym_crypto_caps_gen3;
> +	}
> +
> +	for (i = 0; i < capa_num; i++, iter++) {
>  		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
> -			check_cipher_capa(&capabilities[i],
> +			check_cipher_capa(&capabilities[iter],
>  				RTE_CRYPTO_CIPHER_SM4_ECB) ||
> -			check_cipher_capa(&capabilities[i],
> +			check_cipher_capa(&capabilities[iter],
>  				RTE_CRYPTO_CIPHER_SM4_CBC) ||
> -			check_cipher_capa(&capabilities[i],
> +			check_cipher_capa(&capabilities[iter],
>  				RTE_CRYPTO_CIPHER_SM4_CTR))) {
>  			continue;
>  		}
>  		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
> -			check_auth_capa(&capabilities[i],
> +			check_auth_capa(&capabilities[iter],
>  				RTE_CRYPTO_AUTH_SM3))) {
>  			continue;
>  		}
> -		memcpy(addr + curr_capa, capabilities + i,
> +		memcpy(addr + curr_capa, capabilities + iter,
>  			sizeof(struct rte_cryptodev_capabilities));
>  		curr_capa++;
> +
> +		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
> +			capabilities = qat_sym_crypto_caps_gen3;
> +			addr += curr_capa;
> +			curr_capa = 0;
> +			iter = -1;
> +		}
>  	}
>  	internals->qat_dev_capabilities = internals->capa_mz->addr;
> 
> diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
> b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
> index b219a418ba..6fb062bb94 100644
> --- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
> +++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
> @@ -10,18 +10,32 @@
>  #include "qat_crypto.h"
>  #include "qat_crypto_pmd_gens.h"
> 
> -static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
> -	QAT_SYM_CIPHER_CAP(AES_CBC,
> -		CAP_SET(block_size, 16),
> -		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
> -	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] =
> {
> +	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
>  		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> +		CAP_RNG(digest_size, 1, 20, 1)),
> +	QAT_SYM_AUTH_CAP(SHA224,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA224_HMAC,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_CIPHER_CAP(SM4_ECB,
> +		CAP_SET(block_size, 16),
> +		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
> +};
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
> +	QAT_SYM_CIPHER_CAP(AES_CBC,
> +		CAP_SET(block_size, 16),
> +		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
>  	QAT_SYM_AUTH_CAP(SHA256_HMAC,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
> @@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen4[] = {
>  	QAT_SYM_CIPHER_CAP(NULL,
>  		CAP_SET(block_size, 1),
>  		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(digest_size, 1, 20, 1)),
> -	QAT_SYM_AUTH_CAP(SHA224,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
> @@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen4[] = {
>  		CAP_RNG(key_size, 32, 32, 0),
>  		CAP_RNG(digest_size, 16, 16, 0),
>  		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
> -	QAT_SYM_CIPHER_CAP(SM4_ECB,
> -		CAP_SET(block_size, 16),
> -		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
>  	QAT_SYM_CIPHER_CAP(SM4_CBC,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
> @@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct
> qat_cryptodev_private *internals,
>  			const char *capa_memz_name,
>  			const uint16_t __rte_unused slice_map)
>  {
> -	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
> -	uint32_t i;
> +	uint32_t legacy_capa_num;
> +	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
> +	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
> +	legacy_capa_num = legacy_size/sizeof(struct
> rte_cryptodev_capabilities);
> +
> +	if (unlikely(qat_legacy_capa))
> +		size = size + legacy_size;
> 
>  	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
>  	if (internals->capa_mz == NULL) {
> @@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct
> qat_cryptodev_private *internals,
>  	struct rte_cryptodev_capabilities *addr =
>  			(struct rte_cryptodev_capabilities *)
>  				internals->capa_mz->addr;
> -	const struct rte_cryptodev_capabilities *capabilities =
> -		qat_sym_crypto_caps_gen4;
> -	const uint32_t capa_num =
> -		size / sizeof(struct rte_cryptodev_capabilities);
> -	uint32_t curr_capa = 0;
> -
> -	for (i = 0; i < capa_num; i++) {
> -		memcpy(addr + curr_capa, capabilities + i,
> -			sizeof(struct rte_cryptodev_capabilities));
> -		curr_capa++;
> +
> +	struct rte_cryptodev_capabilities *capabilities;
> +
> +	if (unlikely(qat_legacy_capa)) {
> +		capabilities = qat_sym_crypto_legacy_caps_gen4;
> +		memcpy(addr, capabilities, legacy_size);
> +		addr += legacy_capa_num;
>  	}
> +	capabilities = qat_sym_crypto_caps_gen4;
> +	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
>  	internals->qat_dev_capabilities = internals->capa_mz->addr;
> 
>  	return 0;
> diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
> b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
> index 590eaa0057..d363ba4f43 100644
> --- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
> +++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
> @@ -16,10 +16,41 @@
>  #include "qat_crypto.h"
>  #include "qat_crypto_pmd_gens.h"
> 
> -static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
> +static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] =
> {
> +	QAT_SYM_CIPHER_CAP(DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(3DES_CBC,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> +	QAT_SYM_CIPHER_CAP(3DES_CTR,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
>  	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(digest_size, 1, 20, 1)),
> +	QAT_SYM_AUTH_CAP(SHA224,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_AUTH_CAP(MD5_HMAC,
> +		CAP_SET(block_size, 64),
> +		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> +		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> +	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> +		CAP_SET(block_size, 8),
> +		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
> +};
> +
> +static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
>  	QAT_SYM_AEAD_CAP(AES_GCM,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
> @@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen1[] = {
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
>  			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
> @@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen1[] = {
>  		CAP_SET(block_size, 128),
>  		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA1_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(SHA224_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(SHA256_HMAC,
>  		CAP_SET(block_size, 64),
>  		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
> @@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen1[] = {
>  		CAP_SET(block_size, 128),
>  		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
>  		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_AUTH_CAP(MD5_HMAC,
> -		CAP_SET(block_size, 64),
> -		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
> -		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
>  	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
>  		CAP_SET(block_size, 16),
>  		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
> @@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities
> qat_sym_crypto_caps_gen1[] = {
>  	QAT_SYM_CIPHER_CAP(NULL,
>  		CAP_SET(block_size, 1),
>  		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
> -	QAT_SYM_CIPHER_CAP(3DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(3DES_CTR,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_CBC,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
> -	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
> -		CAP_SET(block_size, 8),
> -		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
>  	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
>  };
> 
> @@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct
> qat_cryptodev_private *internals,
>  			const char *capa_memz_name,
>  			const uint16_t __rte_unused slice_map)
>  {
> -	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
> -	uint32_t i;
> +
> +	uint32_t legacy_capa_num;
> +	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
> +	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
> +	legacy_capa_num = legacy_size/sizeof(struct
> rte_cryptodev_capabilities);
> +
> +	if (unlikely(qat_legacy_capa))
> +		size = size + legacy_size;
> 
>  	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
>  	if (internals->capa_mz == NULL) {
> @@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct
> qat_cryptodev_private *internals,
>  	struct rte_cryptodev_capabilities *addr =
>  			(struct rte_cryptodev_capabilities *)
>  				internals->capa_mz->addr;
> -	const struct rte_cryptodev_capabilities *capabilities =
> -		qat_sym_crypto_caps_gen1;
> -	const uint32_t capa_num =
> -		size / sizeof(struct rte_cryptodev_capabilities);
> -	uint32_t curr_capa = 0;
> -
> -	for (i = 0; i < capa_num; i++) {
> -		memcpy(addr + curr_capa, capabilities + i,
> -			sizeof(struct rte_cryptodev_capabilities));
> -		curr_capa++;
> +
> +	struct rte_cryptodev_capabilities *capabilities;
> +
> +	if (unlikely(qat_legacy_capa)) {
> +		capabilities = qat_sym_crypto_legacy_caps_gen1;
> +		memcpy(addr, capabilities, legacy_size);
> +		addr += legacy_capa_num;
>  	}
> +	capabilities = qat_sym_crypto_caps_gen1;
> +	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
>  	internals->qat_dev_capabilities = internals->capa_mz->addr;
> 
>  	return 0;
> diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
> index 82e165538d..7abd513423 100644
> --- a/drivers/crypto/qat/qat_asym.c
> +++ b/drivers/crypto/qat/qat_asym.c
> @@ -15,6 +15,8 @@
>  #include "qat_pke.h"
>  #include "qat_ec.h"
> 
> +#define RSA_MODULUS_2048_BITS 2048
> +
>  uint8_t qat_asym_driver_id;
> 
>  struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
> @@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request
> *qat_req,
>  		return modexp_set_input(qat_req, cookie, asym_op, xform);
>  	case RTE_CRYPTO_ASYM_XFORM_MODINV:
>  		return modinv_set_input(qat_req, cookie, asym_op, xform);
> -	case RTE_CRYPTO_ASYM_XFORM_RSA:
> +	case RTE_CRYPTO_ASYM_XFORM_RSA:{
> +		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
> +					&& (qat_legacy_capa == 0)))
> +			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
>  		return rsa_set_input(qat_req, cookie, asym_op, xform);
> +	}
>  	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
>  		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
>  	case RTE_CRYPTO_ASYM_XFORM_ECPM:
> @@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev
> *dev __rte_unused,
>  	case RTE_CRYPTO_ASYM_XFORM_MODINV:
>  		ret = session_set_modinv(qat_session, xform);
>  		break;
> -	case RTE_CRYPTO_ASYM_XFORM_RSA:
> +	case RTE_CRYPTO_ASYM_XFORM_RSA: {
> +		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
> +					&& (qat_legacy_capa == 0))) {
> +			ret = -ENOTSUP;
> +			return ret;
> +		}
>  		ret = session_set_rsa(qat_session, xform);
> +		}
>  		break;
>  	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
>  	case RTE_CRYPTO_ASYM_XFORM_ECPM:
> diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
> index e20f16236e..126fe5c822 100644
> --- a/drivers/crypto/qat/qat_crypto.h
> +++ b/drivers/crypto/qat/qat_crypto.h
> @@ -11,6 +11,7 @@
> 
>  extern uint8_t qat_sym_driver_id;
>  extern uint8_t qat_asym_driver_id;
> +extern int qat_legacy_capa;
> 
>  /**
>   * helper macro to set cryptodev capability range
> diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
> index 345c845325..d07132aaa1 100644
> --- a/drivers/crypto/qat/qat_sym.c
> +++ b/drivers/crypto/qat/qat_sym.c
> @@ -17,6 +17,7 @@
> 
>  uint8_t qat_sym_driver_id;
>  int qat_ipsec_mb_lib;
> +int qat_legacy_capa;
> 
>  struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
> 
> @@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device
> *qat_pci_dev,
>  					qat_dev_cmd_param[i].val;
>  		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
>  			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
> +		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
> +			qat_legacy_capa = qat_dev_cmd_param[i].val;
>  		if (!strcmp(qat_dev_cmd_param[i].name,
> QAT_CMD_SLICE_MAP))
>  			slice_map = qat_dev_cmd_param[i].val;
>  		i++;
> --
> 2.25.1
> 
> --------------------------------------------------------------
> Intel Research and Development Ireland Limited
> Registered in Ireland
> Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
> Registered Number: 308263
> 
> 
> This e-mail and any attachments may contain confidential material for the sole
> use of the intended recipient(s). Any review or distribution by others is
> strictly prohibited. If you are not the intended recipient, please contact the
> sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption
  2023-05-29 10:45       ` [PATCH v6] " Vikash Poddar
  2023-06-08 13:14         ` Power, Ciara
  2023-06-14 18:30         ` [EXT] " Akhil Goyal
@ 2023-06-16 14:00         ` Vikash Poddar
  2023-06-16 14:00           ` [PATCH v7 2/3] crypto/qat: support to enable insecure algorithms Vikash Poddar
                             ` (2 more replies)
  2 siblings, 3 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-06-16 14:00 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, Vikash Poddar, stable, arkadiuszx.kusztal, Ciara Power

Adding fix to address the memory corruption issue for
qat_dev_cmd_param structure on QAT GEN3.

This fix aligns the storage where it stores the value
on 4 byte unsigned integer data type after
reading slice configuration of QAT capabilities.

Fixes: b3cbbcdffa4f ("common/qat: read HW slice configuration")
Cc: stable@dpdk.org
Cc: arkadiuszx.kusztal@intel.com

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
Acked-by: Ciara Power <ciara.power@intel.com>
---
v7:
"support to enable insecure algorithms" commit is dependent on
this patch
---
 drivers/common/qat/dev/qat_dev_gen1.c | 2 +-
 drivers/common/qat/dev/qat_dev_gen2.c | 2 +-
 drivers/common/qat/dev/qat_dev_gen3.c | 2 +-
 drivers/common/qat/dev/qat_dev_gen4.c | 2 +-
 drivers/common/qat/qat_device.c       | 2 +-
 drivers/common/qat/qat_device.h       | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/common/qat/dev/qat_dev_gen1.c b/drivers/common/qat/dev/qat_dev_gen1.c
index cf480dcba8..dd2e878e90 100644
--- a/drivers/common/qat/dev/qat_dev_gen1.c
+++ b/drivers/common/qat/dev/qat_dev_gen1.c
@@ -242,7 +242,7 @@ qat_dev_get_extra_size_gen1(void)
 }
 
 static int
-qat_get_dev_slice_map_gen1(uint16_t *map __rte_unused,
+qat_get_dev_slice_map_gen1(uint32_t *map __rte_unused,
 	const struct rte_pci_device *pci_dev __rte_unused)
 {
 	return 0;
diff --git a/drivers/common/qat/dev/qat_dev_gen2.c b/drivers/common/qat/dev/qat_dev_gen2.c
index f51be46eb0..061dfdb698 100644
--- a/drivers/common/qat/dev/qat_dev_gen2.c
+++ b/drivers/common/qat/dev/qat_dev_gen2.c
@@ -22,7 +22,7 @@ static struct qat_qp_hw_spec_funcs qat_qp_hw_spec_gen2 = {
 };
 
 static int
-qat_dev_get_slice_map_gen2(uint16_t *map __rte_unused,
+qat_dev_get_slice_map_gen2(uint32_t *map __rte_unused,
 	const struct rte_pci_device *pci_dev __rte_unused)
 {
 	return 0;
diff --git a/drivers/common/qat/dev/qat_dev_gen3.c b/drivers/common/qat/dev/qat_dev_gen3.c
index e4197f3c0f..f01b98ff86 100644
--- a/drivers/common/qat/dev/qat_dev_gen3.c
+++ b/drivers/common/qat/dev/qat_dev_gen3.c
@@ -68,7 +68,7 @@ static struct qat_qp_hw_spec_funcs qat_qp_hw_spec_gen3 = {
 };
 
 static int
-qat_dev_get_slice_map_gen3(uint16_t *map,
+qat_dev_get_slice_map_gen3(uint32_t *map,
 	const struct rte_pci_device *pci_dev)
 {
 	if (rte_pci_read_config(pci_dev, map,
diff --git a/drivers/common/qat/dev/qat_dev_gen4.c b/drivers/common/qat/dev/qat_dev_gen4.c
index 1b3a5deabf..1ce262f715 100644
--- a/drivers/common/qat/dev/qat_dev_gen4.c
+++ b/drivers/common/qat/dev/qat_dev_gen4.c
@@ -283,7 +283,7 @@ qat_dev_get_misc_bar_gen4(struct rte_mem_resource **mem_resource,
 }
 
 static int
-qat_dev_get_slice_map_gen4(uint16_t *map __rte_unused,
+qat_dev_get_slice_map_gen4(uint32_t *map __rte_unused,
 	const struct rte_pci_device *pci_dev __rte_unused)
 {
 	return 0;
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index 0479175b65..ac705e385e 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -367,7 +367,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 {
 	int sym_ret = 0, asym_ret = 0, comp_ret = 0;
 	int num_pmds_created = 0;
-	uint16_t capa = 0;
+	uint32_t capa = 0;
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 4188474dde..5691320040 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -38,7 +38,7 @@ typedef int (*qat_dev_get_misc_bar_t)
 typedef int (*qat_dev_read_config_t)
 		(struct qat_pci_device *);
 typedef int (*qat_dev_get_extra_size_t)(void);
-typedef int (*qat_dev_get_slice_map_t)(uint16_t *map,
+typedef int (*qat_dev_get_slice_map_t)(uint32_t *map,
 		const struct rte_pci_device *pci_dev);
 
 struct qat_dev_hw_spec_funcs {
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v7 2/3] crypto/qat: support to enable insecure algorithms
  2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
@ 2023-06-16 14:00           ` Vikash Poddar
  2023-06-16 14:00           ` [PATCH v7 3/3] test/crypto: skip asym test for " Vikash Poddar
  2023-06-20  7:33           ` [EXT] [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Akhil Goyal
  2 siblings, 0 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-06-16 14:00 UTC (permalink / raw)
  To: Kai Ji; +Cc: dev, Vikash Poddar, Ciara Power

All the insecure algorithms are default disable from
cryptodev Gen 1,2,3 and 4.
use qat_legacy_capa to enable all the legacy
algorithms.
These change effects both sym and asym insecure crypto
algorithms.

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
Acked-by: Ciara Power <ciara.power@intel.com>
---
v7:
patch is splitted, new patch is created for asym test
related changes
v6:
Rebased patch
v5:
Resolving apply patch warning
v4:
Resolved rebase conflict.
v3:
Rebased the patch.
v2:
Extend the support to enable the insecure algorithm in
QAT Gen 1,3 and 4 for sym as well as asym.
---
 doc/guides/cryptodevs/qat.rst                |  14 +++
 drivers/common/qat/qat_device.c              |   1 +
 drivers/common/qat/qat_device.h              |   3 +-
 drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c |  88 ++++++++-------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c | 113 +++++++++++--------
 drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c |  64 ++++++-----
 drivers/crypto/qat/dev/qat_sym_pmd_gen1.c    |  90 ++++++++-------
 drivers/crypto/qat/qat_asym.c                |  16 ++-
 drivers/crypto/qat/qat_crypto.h              |   1 +
 drivers/crypto/qat/qat_sym.c                 |   3 +
 10 files changed, 235 insertions(+), 158 deletions(-)

diff --git a/doc/guides/cryptodevs/qat.rst b/doc/guides/cryptodevs/qat.rst
index a4a25711ed..b454e1855d 100644
--- a/doc/guides/cryptodevs/qat.rst
+++ b/doc/guides/cryptodevs/qat.rst
@@ -272,6 +272,20 @@ allocated while for GEN1 devices, 12 buffers are allocated, plus 1472 bytes over
 	larger than the input size).
 
 
+Running QAT PMD with insecure crypto algorithms
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A few insecure crypto algorithms are deprecated from QAT drivers. This needs to be reflected in DPDK QAT PMD.
+DPDK QAT PMD has by default disabled all the insecure crypto algorithms from Gen 1,2,3 and 4.
+A PMD devarg is used to enable the capability.
+
+- qat_legacy_capa
+
+To use this feature the user must set the devarg on process start as a device additional devarg::
+
+  -a b1:01.2,qat_legacy_capa=1
+
+
 Running QAT PMD with minimum threshold for burst size
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/drivers/common/qat/qat_device.c b/drivers/common/qat/qat_device.c
index ac705e385e..bdd3f689f3 100644
--- a/drivers/common/qat/qat_device.c
+++ b/drivers/common/qat/qat_device.c
@@ -371,6 +371,7 @@ static int qat_pci_probe(struct rte_pci_driver *pci_drv __rte_unused,
 	struct qat_pci_device *qat_pci_dev;
 	struct qat_dev_hw_spec_funcs *ops_hw;
 	struct qat_dev_cmd_param qat_dev_cmd_param[] = {
+			{ QAT_LEGACY_CAPA, 0 },
 			{ QAT_IPSEC_MB_LIB, 0 },
 			{ SYM_ENQ_THRESHOLD_NAME, 0 },
 			{ ASYM_ENQ_THRESHOLD_NAME, 0 },
diff --git a/drivers/common/qat/qat_device.h b/drivers/common/qat/qat_device.h
index 5691320040..ed752b9f28 100644
--- a/drivers/common/qat/qat_device.h
+++ b/drivers/common/qat/qat_device.h
@@ -17,13 +17,14 @@
 
 #define QAT_DEV_NAME_MAX_LEN	64
 
+#define QAT_LEGACY_CAPA "qat_legacy_capa"
 #define QAT_IPSEC_MB_LIB "qat_ipsec_mb_lib"
 #define SYM_ENQ_THRESHOLD_NAME "qat_sym_enq_threshold"
 #define ASYM_ENQ_THRESHOLD_NAME "qat_asym_enq_threshold"
 #define COMP_ENQ_THRESHOLD_NAME "qat_comp_enq_threshold"
 #define SYM_CIPHER_CRC_ENABLE_NAME "qat_sym_cipher_crc_enable"
 #define QAT_CMD_SLICE_MAP "qat_cmd_slice_disable"
-#define QAT_CMD_SLICE_MAP_POS	5
+#define QAT_CMD_SLICE_MAP_POS	6
 #define MAX_QP_THRESHOLD_SIZE	32
 
 /**
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
index 1f3e2b1d99..3447bd2a7e 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen2.c
@@ -12,10 +12,41 @@
 
 #define MIXED_CRYPTO_MIN_FW_VER 0x04090000
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen2[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -32,10 +63,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -51,14 +78,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -71,10 +90,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -112,18 +127,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen2[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -283,8 +286,13 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen2);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen2);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -300,17 +308,15 @@ qat_sym_crypto_cap_get_gen2(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen2;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen2;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen2;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen2));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
index 6013fed721..d1809cf2f0 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen3.c
@@ -10,10 +10,45 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen3[] = {
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
+		CAP_SET(block_size, 144),
+		CAP_RNG(digest_size, 28, 28, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -30,10 +65,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -46,9 +77,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA3_224,
-		CAP_SET(block_size, 144),
-		CAP_RNG(digest_size, 28, 28, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_256,
 		CAP_SET(block_size, 136),
 		CAP_RNG(digest_size, 32, 32, 0)),
@@ -58,14 +86,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_PLAIN_AUTH_CAP(SHA3_512,
 		CAP_SET(block_size, 72),
 		CAP_RNG(digest_size, 64, 64, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -78,10 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -119,18 +135,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen3[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_CIPHER_CAP(ZUC_EEA3,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -188,8 +192,17 @@ static int
 qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name, const uint16_t slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
-	uint32_t i;
+
+	uint32_t i, iter = 0;
+	uint32_t curr_capa = 0;
+	uint32_t capa_num, legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen3);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen3);
+	capa_num = size/sizeof(struct rte_cryptodev_capabilities);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -205,30 +218,40 @@ qat_sym_crypto_cap_get_gen3(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen3;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
+	struct rte_cryptodev_capabilities *capabilities;
 
-	for (i = 0; i < capa_num; i++) {
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen3;
+		capa_num += legacy_capa_num;
+	} else {
+		capabilities = qat_sym_crypto_caps_gen3;
+	}
+
+	for (i = 0; i < capa_num; i++, iter++) {
 		if (slice_map & ICP_ACCEL_MASK_SM4_SLICE && (
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_ECB) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CBC) ||
-			check_cipher_capa(&capabilities[i],
+			check_cipher_capa(&capabilities[iter],
 				RTE_CRYPTO_CIPHER_SM4_CTR))) {
 			continue;
 		}
 		if (slice_map & ICP_ACCEL_MASK_SM3_SLICE && (
-			check_auth_capa(&capabilities[i],
+			check_auth_capa(&capabilities[iter],
 				RTE_CRYPTO_AUTH_SM3))) {
 			continue;
 		}
-		memcpy(addr + curr_capa, capabilities + i,
+		memcpy(addr + curr_capa, capabilities + iter,
 			sizeof(struct rte_cryptodev_capabilities));
 		curr_capa++;
+
+		if (unlikely(qat_legacy_capa) && (i == legacy_capa_num-1)) {
+			capabilities = qat_sym_crypto_caps_gen3;
+			addr += curr_capa;
+			curr_capa = 0;
+			iter = -1;
+		}
 	}
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
index b219a418ba..6fb062bb94 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gen4.c
@@ -10,18 +10,32 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
-	QAT_SYM_CIPHER_CAP(AES_CBC,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen4[] = {
+	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA224_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(SM4_ECB,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
+	QAT_SYM_CIPHER_CAP(AES_CBC,
+		CAP_SET(block_size, 16),
+		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(iv_size, 16, 16, 0)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,13 +66,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
-		CAP_SET(block_size, 64),
-		CAP_RNG(digest_size, 1, 20, 1)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -91,9 +98,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen4[] = {
 		CAP_RNG(key_size, 32, 32, 0),
 		CAP_RNG(digest_size, 16, 16, 0),
 		CAP_RNG(aad_size, 0, 240, 1), CAP_RNG(iv_size, 12, 12, 0)),
-	QAT_SYM_CIPHER_CAP(SM4_ECB,
-		CAP_SET(block_size, 16),
-		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 0, 0, 0)),
 	QAT_SYM_CIPHER_CAP(SM4_CBC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(iv_size, 16, 16, 0)),
@@ -111,8 +115,13 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
-	uint32_t i;
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen4);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen4);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -128,17 +137,16 @@ qat_sym_crypto_cap_get_gen4(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen4;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen4;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen4;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen4));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
index 590eaa0057..d363ba4f43 100644
--- a/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
+++ b/drivers/crypto/qat/dev/qat_sym_pmd_gen1.c
@@ -16,10 +16,41 @@
 #include "qat_crypto.h"
 #include "qat_crypto_pmd_gens.h"
 
-static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
+static struct rte_cryptodev_capabilities qat_sym_crypto_legacy_caps_gen1[] = {
+	QAT_SYM_CIPHER_CAP(DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CBC,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
+	QAT_SYM_CIPHER_CAP(3DES_CTR,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
 	QAT_SYM_PLAIN_AUTH_CAP(SHA1,
 		CAP_SET(block_size, 64),
 		CAP_RNG(digest_size, 1, 20, 1)),
+	QAT_SYM_AUTH_CAP(SHA224,
+		CAP_SET(block_size, 64),
+		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA1_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(SHA224_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_AUTH_CAP(MD5_HMAC,
+		CAP_SET(block_size, 64),
+		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
+		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
+	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
+		CAP_SET(block_size, 8),
+		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
+};
+
+static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_AEAD_CAP(AES_GCM,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 32, 8), CAP_RNG(digest_size, 8, 16, 4),
@@ -36,10 +67,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 4, 16, 4),
 			CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224,
-		CAP_SET(block_size, 64),
-		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256,
 		CAP_SET(block_size, 64),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 32, 1),
@@ -52,14 +79,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG_ZERO(key_size), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA1_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 20, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(SHA224_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 28, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(SHA256_HMAC,
 		CAP_SET(block_size, 64),
 		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 32, 1),
@@ -72,10 +91,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 		CAP_SET(block_size, 128),
 		CAP_RNG(key_size, 1, 128, 1), CAP_RNG(digest_size, 1, 64, 1),
 		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_AUTH_CAP(MD5_HMAC,
-		CAP_SET(block_size, 64),
-		CAP_RNG(key_size, 1, 64, 1), CAP_RNG(digest_size, 1, 16, 1),
-		CAP_RNG_ZERO(aad_size), CAP_RNG_ZERO(iv_size)),
 	QAT_SYM_AUTH_CAP(AES_XCBC_MAC,
 		CAP_SET(block_size, 16),
 		CAP_RNG(key_size, 16, 16, 0), CAP_RNG(digest_size, 12, 12, 0),
@@ -113,18 +128,6 @@ static struct rte_cryptodev_capabilities qat_sym_crypto_caps_gen1[] = {
 	QAT_SYM_CIPHER_CAP(NULL,
 		CAP_SET(block_size, 1),
 		CAP_RNG_ZERO(key_size), CAP_RNG_ZERO(iv_size)),
-	QAT_SYM_CIPHER_CAP(3DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(3DES_CTR,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 16, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_CBC,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 24, 8), CAP_RNG(iv_size, 8, 8, 0)),
-	QAT_SYM_CIPHER_CAP(DES_DOCSISBPI,
-		CAP_SET(block_size, 8),
-		CAP_RNG(key_size, 8, 8, 0), CAP_RNG(iv_size, 8, 8, 0)),
 	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
 };
 
@@ -157,8 +160,14 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 			const char *capa_memz_name,
 			const uint16_t __rte_unused slice_map)
 {
-	const uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
-	uint32_t i;
+
+	uint32_t legacy_capa_num;
+	uint32_t size = sizeof(qat_sym_crypto_caps_gen1);
+	uint32_t legacy_size = sizeof(qat_sym_crypto_legacy_caps_gen1);
+	legacy_capa_num = legacy_size/sizeof(struct rte_cryptodev_capabilities);
+
+	if (unlikely(qat_legacy_capa))
+		size = size + legacy_size;
 
 	internals->capa_mz = rte_memzone_lookup(capa_memz_name);
 	if (internals->capa_mz == NULL) {
@@ -174,17 +183,16 @@ qat_sym_crypto_cap_get_gen1(struct qat_cryptodev_private *internals,
 	struct rte_cryptodev_capabilities *addr =
 			(struct rte_cryptodev_capabilities *)
 				internals->capa_mz->addr;
-	const struct rte_cryptodev_capabilities *capabilities =
-		qat_sym_crypto_caps_gen1;
-	const uint32_t capa_num =
-		size / sizeof(struct rte_cryptodev_capabilities);
-	uint32_t curr_capa = 0;
-
-	for (i = 0; i < capa_num; i++) {
-		memcpy(addr + curr_capa, capabilities + i,
-			sizeof(struct rte_cryptodev_capabilities));
-		curr_capa++;
+
+	struct rte_cryptodev_capabilities *capabilities;
+
+	if (unlikely(qat_legacy_capa)) {
+		capabilities = qat_sym_crypto_legacy_caps_gen1;
+		memcpy(addr, capabilities, legacy_size);
+		addr += legacy_capa_num;
 	}
+	capabilities = qat_sym_crypto_caps_gen1;
+	memcpy(addr, capabilities, sizeof(qat_sym_crypto_caps_gen1));
 	internals->qat_dev_capabilities = internals->capa_mz->addr;
 
 	return 0;
diff --git a/drivers/crypto/qat/qat_asym.c b/drivers/crypto/qat/qat_asym.c
index 82e165538d..7abd513423 100644
--- a/drivers/crypto/qat/qat_asym.c
+++ b/drivers/crypto/qat/qat_asym.c
@@ -15,6 +15,8 @@
 #include "qat_pke.h"
 #include "qat_ec.h"
 
+#define RSA_MODULUS_2048_BITS 2048
+
 uint8_t qat_asym_driver_id;
 
 struct qat_crypto_gen_dev_ops qat_asym_gen_dev_ops[QAT_N_GENS];
@@ -913,8 +915,12 @@ asym_set_input(struct icp_qat_fw_pke_request *qat_req,
 		return modexp_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		return modinv_set_input(qat_req, cookie, asym_op, xform);
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA:{
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0)))
+			return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
 		return rsa_set_input(qat_req, cookie, asym_op, xform);
+	}
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 		return ecdsa_set_input(qat_req, cookie, asym_op, xform);
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
@@ -1273,8 +1279,14 @@ qat_asym_session_configure(struct rte_cryptodev *dev __rte_unused,
 	case RTE_CRYPTO_ASYM_XFORM_MODINV:
 		ret = session_set_modinv(qat_session, xform);
 		break;
-	case RTE_CRYPTO_ASYM_XFORM_RSA:
+	case RTE_CRYPTO_ASYM_XFORM_RSA: {
+		if (unlikely((xform->rsa.n.length < RSA_MODULUS_2048_BITS)
+					&& (qat_legacy_capa == 0))) {
+			ret = -ENOTSUP;
+			return ret;
+		}
 		ret = session_set_rsa(qat_session, xform);
+		}
 		break;
 	case RTE_CRYPTO_ASYM_XFORM_ECDSA:
 	case RTE_CRYPTO_ASYM_XFORM_ECPM:
diff --git a/drivers/crypto/qat/qat_crypto.h b/drivers/crypto/qat/qat_crypto.h
index e20f16236e..126fe5c822 100644
--- a/drivers/crypto/qat/qat_crypto.h
+++ b/drivers/crypto/qat/qat_crypto.h
@@ -11,6 +11,7 @@
 
 extern uint8_t qat_sym_driver_id;
 extern uint8_t qat_asym_driver_id;
+extern int qat_legacy_capa;
 
 /**
  * helper macro to set cryptodev capability range
diff --git a/drivers/crypto/qat/qat_sym.c b/drivers/crypto/qat/qat_sym.c
index 345c845325..d07132aaa1 100644
--- a/drivers/crypto/qat/qat_sym.c
+++ b/drivers/crypto/qat/qat_sym.c
@@ -17,6 +17,7 @@
 
 uint8_t qat_sym_driver_id;
 int qat_ipsec_mb_lib;
+int qat_legacy_capa;
 
 struct qat_crypto_gen_dev_ops qat_sym_gen_dev_ops[QAT_N_GENS];
 
@@ -285,6 +286,8 @@ qat_sym_dev_create(struct qat_pci_device *qat_pci_dev,
 					qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_IPSEC_MB_LIB))
 			qat_ipsec_mb_lib = qat_dev_cmd_param[i].val;
+		if (!strcmp(qat_dev_cmd_param[i].name, QAT_LEGACY_CAPA))
+			qat_legacy_capa = qat_dev_cmd_param[i].val;
 		if (!strcmp(qat_dev_cmd_param[i].name, QAT_CMD_SLICE_MAP))
 			slice_map = qat_dev_cmd_param[i].val;
 		i++;
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* [PATCH v7 3/3] test/crypto: skip asym test for insecure algorithms
  2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
  2023-06-16 14:00           ` [PATCH v7 2/3] crypto/qat: support to enable insecure algorithms Vikash Poddar
@ 2023-06-16 14:00           ` Vikash Poddar
  2023-06-20  7:33           ` [EXT] [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Akhil Goyal
  2 siblings, 0 replies; 14+ messages in thread
From: Vikash Poddar @ 2023-06-16 14:00 UTC (permalink / raw)
  To: Akhil Goyal, Fan Zhang; +Cc: dev, Vikash Poddar, Ciara Power

Added support to skip the insecure asym algorithms

Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
Acked-by: Ciara Power <ciara.power@intel.com>
---
v7:
splitted from "support to enable insecure algorithms" patch
---
 app/test/test_cryptodev_asym.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index e884556a2d..15a1f3d638 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -454,11 +454,14 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 		ret = rte_cryptodev_asym_session_create(dev_id, &xform_tc,
 				ts_params->session_mpool, &sess);
 		if (ret < 0) {
-			snprintf(test_msg, ASYM_TEST_MSG_LEN,
-					"line %u "
-					"FAILED: %s", __LINE__,
-					"Session creation failed");
 			status = (ret == -ENOTSUP) ? TEST_SKIPPED : TEST_FAILED;
+			if (status == TEST_SKIPPED)
+				snprintf(test_msg, ASYM_TEST_MSG_LEN, "SKIPPED");
+			else
+				snprintf(test_msg, ASYM_TEST_MSG_LEN,
+						"line %u "
+						"FAILED: %s", __LINE__,
+						"Session creation failed");
 			goto error_exit;
 		}
 
@@ -490,6 +493,11 @@ test_cryptodev_asym_op(struct crypto_testsuite_params_asym *ts_params,
 	}
 
 	if (test_cryptodev_asym_ver(op, &xform_tc, data_tc, result_op) != TEST_SUCCESS) {
+		if (result_op->status == RTE_CRYPTO_OP_STATUS_INVALID_ARGS) {
+			snprintf(test_msg, ASYM_TEST_MSG_LEN, "SESSIONLESS SKIPPED");
+			status = TEST_SKIPPED;
+			goto error_exit;
+		}
 		snprintf(test_msg, ASYM_TEST_MSG_LEN,
 			"line %u FAILED: %s",
 			__LINE__, "Verification failed ");
@@ -620,13 +628,19 @@ test_one_by_one(void)
 	/* Go through all test cases */
 	test_index = 0;
 	for (i = 0; i < test_vector.size; i++) {
-		if (test_one_case(test_vector.address[i], 0) != TEST_SUCCESS)
+		status = test_one_case(test_vector.address[i], 0);
+		if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+			status = TEST_SUCCESS;
+		else
 			status = TEST_FAILED;
 	}
+
 	if (sessionless) {
 		for (i = 0; i < test_vector.size; i++) {
-			if (test_one_case(test_vector.address[i], 1)
-					!= TEST_SUCCESS)
+			status = test_one_case(test_vector.address[i], 1);
+			if (status == TEST_SUCCESS || status == TEST_SKIPPED)
+				status = TEST_SUCCESS;
+			else
 				status = TEST_FAILED;
 		}
 	}
-- 
2.25.1

--------------------------------------------------------------
Intel Research and Development Ireland Limited
Registered in Ireland
Registered Office: Collinstown Industrial Park, Leixlip, County Kildare
Registered Number: 308263


This e-mail and any attachments may contain confidential material for the sole
use of the intended recipient(s). Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact the
sender and delete all copies.


^ permalink raw reply	[flat|nested] 14+ messages in thread

* RE: [EXT] [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption
  2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
  2023-06-16 14:00           ` [PATCH v7 2/3] crypto/qat: support to enable insecure algorithms Vikash Poddar
  2023-06-16 14:00           ` [PATCH v7 3/3] test/crypto: skip asym test for " Vikash Poddar
@ 2023-06-20  7:33           ` Akhil Goyal
  2 siblings, 0 replies; 14+ messages in thread
From: Akhil Goyal @ 2023-06-20  7:33 UTC (permalink / raw)
  To: Vikash Poddar, Kai Ji; +Cc: dev, stable, arkadiuszx.kusztal, Ciara Power

> Adding fix to address the memory corruption issue for
> qat_dev_cmd_param structure on QAT GEN3.
> 
> This fix aligns the storage where it stores the value
> on 4 byte unsigned integer data type after
> reading slice configuration of QAT capabilities.
> 
> Fixes: b3cbbcdffa4f ("common/qat: read HW slice configuration")
> Cc: stable@dpdk.org
> Cc: arkadiuszx.kusztal@intel.com
> 
> Signed-off-by: Vikash Poddar <vikash.chandrax.poddar@intel.com>
> Acked-by: Ciara Power <ciara.power@intel.com>

Series
Applied to dpdk-next-crypto
Thanks.

^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2023-06-20  7:33 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-04-20  9:58 [PATCH] crypto/qat: support to enable insecure algorithms Vikash Poddar
2023-05-23  9:14 ` [PATCH v2] " Vikash Poddar
2023-05-23 14:35   ` Ji, Kai
2023-05-25  7:56   ` [EXT] " Akhil Goyal
2023-05-25 16:10   ` [PATCH v3] " Vikash Poddar
2023-05-26  6:48     ` [PATCH v4] " Vikash Poddar
2023-05-29  6:32     ` [PATCH v5] " Vikash Poddar
2023-05-29 10:45       ` [PATCH v6] " Vikash Poddar
2023-06-08 13:14         ` Power, Ciara
2023-06-14 18:30         ` [EXT] " Akhil Goyal
2023-06-16 14:00         ` [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Vikash Poddar
2023-06-16 14:00           ` [PATCH v7 2/3] crypto/qat: support to enable insecure algorithms Vikash Poddar
2023-06-16 14:00           ` [PATCH v7 3/3] test/crypto: skip asym test for " Vikash Poddar
2023-06-20  7:33           ` [EXT] [PATCH v7 1/3] common/qat: fix qat_dev_cmd_param corruption Akhil Goyal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).