Spec File with QAT OOT driver for Binary RPM.

Binary RPM Package for RHEL9.1, Ubuntu 22.04
& SUSE SLES15 SP3 based out of QAT2.0 OOT driver
with QAT_SW Co-ex.

Signed-off-by: Nagha Abirami <naghax.abirami@intel.com>

Author: naghaabirami

.gitignore

@@ -68,3 +68,4 @@ test_bssl/.dirstamp
 /compile
 /depcomp
 /ltmain.sh
+/rpmbuild

Makefile.am

@@ -203,7 +203,7 @@ mostlyclean-generic:
 	-rm -rf *.obj bin lib tags core .pure .nfs* \
 	*.old *.bak fluff *.so *.sl *.dll test/*.obj testapp \
 	test/.dirstamp test/*.o test_bssl/*obj test_bssl/.dirstamp \
-    test_bssl/*.o qatengine_test
+        test_bssl/*.o qatengine_test rpmbuild
 
 if QAT_ERR_FILES_BUILD
 MAKE = make err-files && make
@@ -250,3 +250,10 @@ ipsec_mb:
 crypto_mb:
 	cd ipp-crypto/sources/ippcp/crypto_mb && rm -rf build && cmake . -B"build" -DOPENSSL_INCLUDE_DIR=$(with_openssl_install_dir)/include -DOPENSSL_LIBRARIES=$(with_openssl_install_dir) -DOPENSSL_ROOT_DIR=$(PWD)/openssl && cd build && make clean && make -j$(nproc) && make install -j$(nproc)
 endif
+
+if QAT_4XXX
+rpm:
+	mkdir -p rpmbuild/BUILD rpmbuild/RPMS rpmbuild/SOURCES rpmbuild/SPECS rpmbuild/SRPMS
+	cp qatengine-oot.spec rpmbuild/SPECS/
+	rpmbuild --undefine=_disable_source_fetch --define "_topdir $(abs_srcdir)/rpmbuild" -ba rpmbuild/SPECS/qatengine-oot.spec
+endif

docs/features.md

@@ -55,6 +55,7 @@ Please refer [here](qat_hw_algo.md) for supported platforms list and default beh
 * [QAT_HW & QAT_SW Co-existence with runtime configuration](qat_coex.md#qat-hw-and-qat-sw-co-existence)
 * [OpenSSL 3.0 Provider Support](qat_common.md#openssl-30-provider-support)
 * [FIPS 140-3 Certification requirements Support using QAT Provider](qat_common.md#fips-140-3-certification-requirements-support-using-qat-provider)
+* [Binary RPM Package](qat_common.md#binary-rpm-package)
 
 Note: RSA Padding schemes are handled by OpenSSL\* or BoringSSL\* rather than accelerated, so the
 engine supports the same padding schemes as OpenSSL\* or BoringSSL\* does natively.

docs/qat_common.md

@@ -59,3 +59,36 @@ The FIPS 140-3 certification is under process.
 | :---: | :---: |
 | QAT_HW | RSA, ECDSA, ECDH, ECDHX25519, ECDHX448, DSA, DH, TLS1.2-KDF(PRF), TLS1.3-KDF(HKDF), SHA3 & AES-GCM |
 | QAT_SW | RSA, ECDSA, ECDH, ECDHX25519, SHA2 & AES-GCM |
+
+# Binary RPM Package
+
+QAT_Engine supports Binary Package via RPM which can be found in the Release page (Assests section)
+The Current Binary RPM Package is created for the distros RHEL 9.1, Ubuntu 22.04 and SUSE SLES15 SP3 with
+with default Kernel and other dependant packages from the system default.
+The RPM is generated using QAT2.0 OOT driver with QAT_SW Co-existence which means
+it will accelerate via QAT_HW for asymmetic PKE and QAT_SW for AES-GCM and supported only on
+[Intel® Xeon® Scalable Processor family with Intel® QAT Gen4/Gen4m][1] with default build configuration
+in QAT Engine against OpenSSL 3.0 engine and can be build using `make rpm` target.
+Dependant library versions used for building binary package are mentioned in Software requirements section.
+
+Example commands below to install and uninstall RPM Package
+
+```
+install:
+    RHEL & SUSE: rpm -ivh QAT_Engine-<version>.x86_64.rpm --target noarch
+    Ubuntu: alien -i QAT_Engine-<version>.x86_64.rpm --scripts
+uninstall
+    RHEL & SUSE: rpm -e QAT_Engine
+    Ubuntu: apt-get remove QAT_Engine
+```
+
+The binary RPM Package will take care of installing dependant libraries and kernel modules in the
+default path and OpenSSL being installed in `/usr/local/ssl`
+Since it is using different OpenSSL version(refer Software requirements for verion) than what is
+present in thesystem. LD_LIBRARY_PATH must be set to this path below.
+
+```
+export LD_LIBRARY_PATH=/usr/local/ssl/lib64
+```
+
+[1]:https://www.intel.com/content/www/us/en/products/docs/processors/xeon-accelerated/4th-gen-xeon-scalable-processors.html

fips/driver_install.sh

@@ -8,11 +8,11 @@ if ( lsmod | grep qat >/dev/null ); then
       rmmod usdm_drv
       rmmod qat_4xxx
       rmmod intel_qat
-      echo "Removed existing driver........."
+      echo "Removed existing driver"
    elif (lsmod | grep intel_qat >/dev/null); then
       rmmod qat_4xxx
       rmmod intel_qat
-      echo "Removed existing driver........"
+      echo "Removed existing driver"
    fi
 else
    echo "Shutdown qat services"
@@ -31,7 +31,7 @@ sudo modprobe uio
 cp -rf /usr/lib64/build/qat_4xxx.bin /lib/firmware/
 cp -rf /usr/lib64/build/qat_4xxx_mmp.bin /lib/firmware/
 
-echo "Installing the QAT driver......."
+echo "Installing QAT Kernel Modules"
 
 sudo insmod /usr/lib64/build/intel_qat.ko
 sudo insmod /usr/lib64/build/usdm_drv.ko
@@ -48,6 +48,4 @@ cp /usr/lib64/build/adf_ctl /usr/bin
 
 cd /usr/lib64/build
 
-./qat_service start
-
 sudo adf_ctl restart

qatengine-oot.spec

@@ -0,0 +1,183 @@
+%undefine __cmake_in_source_build
+%undefine _disable_source_fetch
+%global _lto_cflags %{nil}
+%global debug_package %{nil}
+# Dependent Library Versions
+%global major        1
+%global minor        4
+%global rev          0
+%global ipsec        intel-ipsec-mb
+%global ipsecver     %{major}.%{minor}
+%global ipsecfull    %{ipsec}-%{ipsecver}
+%global fullversion  %{major}.%{minor}.%{rev}
+
+%global ippcp_major        11
+%global ippcp_minor        8
+%global ippcp              ipp-crypto
+%global ippcpver           ippcp_2021.8
+%global ippcpfull          %{ippcp}-%{ippcpver}
+%global ippcpfullversion   %{ippcp_major}.%{ippcp_minor}
+
+%global openssl            openssl-3.0.10
+%global qatdriver          QAT20.L.1.0.50-00003
+
+%global openssl_source     %{_builddir}/%{openssl}
+%global openssl_install    %{buildroot}/%{_prefix}/local/ssl
+
+Name:       QAT_Engine
+Version:    1.4.0
+Release:    1%{?dist}
+Summary:    Intel QuickAssist Technology(QAT) OpenSSL Engine
+License:    BSD-3-Clause AND OpenSSL
+
+Source0:    https://github.com/intel/QAT_Engine/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:    https://github.com/openssl/openssl/releases/download/%{openssl}/%{openssl}.tar.gz#/%{openssl}.tar.gz
+Source2:    https://downloadmirror.intel.com/783270/%{qatdriver}.tar.gz#/%{qatdriver}.tar.gz
+%if !0%{?suse_version}
+Source3:    https://github.com/intel/ipp-crypto/archive/refs/tags/%{ippcpver}.tar.gz#/%{ippcp}-%{ippcpver}.tar.gz
+Source4:    https://github.com/intel/intel-ipsec-mb/archive/refs/tags/v%{ipsecver}.tar.gz#/%{ipsecfull}.tar.gz
+%endif
+
+%description
+This package provides the Intel QuickAssist Technology OpenSSL Engine
+(an OpenSSL Plug-In Engine) which provides cryptographic acceleration
+for both hardware and optimized software using Intel QuickAssist Technology
+enabled Intel platforms.
+
+%prep
+%setup -b 0
+%setup -b 1
+%if !0%{?suse_version}
+%setup -b 3
+%setup -b 4
+%endif
+# Setup Source2 driver package manually
+mkdir -p %{_builddir}/%{qatdriver}
+tar -zxvf %{_sourcedir}/%{qatdriver}.tar.gz -C %{_builddir}/%{qatdriver}
+cp -rf %{_builddir}/%{name}-%{version}/fips/driver_install.sh %{_builddir}
+
+%build
+cd %{_builddir}/%{openssl}
+./config --prefix=%{_builddir}/openssl_install
+%make_build
+make install
+mkdir -p %{buildroot}/%{_prefix}/local/ssl/lib64
+mkdir -p %{buildroot}/%{_prefix}/local/ssl/bin
+mkdir -p %{buildroot}/%{_prefix}/local/ssl/include
+mkdir -p %{buildroot}/%{_prefix}/local/lib
+mkdir -p %{buildroot}/%{_prefix}/lib
+cp -rf %{_builddir}/openssl_install/lib64/libcrypto.so.3 %{buildroot}/%{_prefix}/local/ssl/lib64
+cp -rf %{_builddir}/openssl_install/lib64/libssl.so.3 %{buildroot}/%{_prefix}/local/ssl/lib64
+cp -rf %{_builddir}/openssl_install/bin %{buildroot}/%{_prefix}/local/ssl/
+cp -rf %{_builddir}/openssl_install/include %{buildroot}/%{_prefix}/local/ssl/
+cd %{buildroot}/%{_prefix}/local/ssl/lib64
+ln -sf libcrypto.so.3 libcrypto.so
+ln -sf libssl.so.3 libssl.so
+
+cd %{_builddir}/%{qatdriver}
+unset ICP_ROOT
+unset ICP_BUILD_OUTPUT
+./configure
+%make_build
+
+%if !0%{?suse_version}
+cd %{_builddir}/%{ippcpfull}/sources/ippcp/crypto_mb
+cmake . -B"build" -DOPENSSL_INCLUDE_DIR=%{openssl_install}/include -DOPENSSL_LIBRARIES=%{openssl_install} -DOPENSSL_ROOT_DIR=%{openssl_source}
+cd build
+%make_build
+
+install -d %{buildroot}/%{_includedir}/crypto_mb
+cp -rf   %{_builddir}/%{ippcpfull}/sources/ippcp/crypto_mb/include/crypto_mb/*.h /%{buildroot}/%{_includedir}/crypto_mb/
+install -d %{buildroot}/%{_libdir}
+cp %{_builddir}/%{ippcpfull}/sources/ippcp/crypto_mb/build/bin/libcrypto_mb.so.%{ippcpfullversion} %{buildroot}/%{_libdir}
+cd %{buildroot}/%{_libdir}
+
+ln -sf libcrypto_mb.so.%{ippcpfullversion} libcrypto_mb.so.%{ippcp_major}
+ln -sf libcrypto_mb.so.%{ippcpfullversion} libcrypto_mb.so
+
+cp -rf %{buildroot}/%{_libdir}/libcrypto_mb.so.%{ippcpfullversion} %{buildroot}/%{_prefix}/local/lib
+cp -rf %{buildroot}/%{_libdir}/libcrypto_mb.so.%{ippcp_major} %{buildroot}/%{_prefix}/local/lib
+cp -rf %{buildroot}/%{_libdir} libcrypto_mb.so %{buildroot}/%{_prefix}/local/lib
+
+cd %{_builddir}/%{ipsecfull}
+cd lib
+%make_build
+
+install -d  %{buildroot}/%{_includedir}
+install -m 0644  %{_builddir}/%{ipsecfull}/lib/intel-ipsec-mb.h %{buildroot}/%{_includedir}
+cp  %{buildroot}/%{_includedir}/intel-ipsec-mb.h /usr/include/
+install -s -m 0755  %{_builddir}/%{ipsecfull}/lib/libIPSec_MB.so.%{fullversion}  %{buildroot}/%{_libdir}
+cp -rf %{_builddir}/%{ipsecfull}/lib/libIPSec_MB.so.%{fullversion} %{buildroot}/%{_prefix}/lib
+cp -rf %{_builddir}/%{ipsecfull}/lib/libIPSec_MB.so %{buildroot}/%{_prefix}/lib
+cp -rf %{_builddir}/%{ipsecfull}/lib/libIPSec_MB.so.%{major} %{buildroot}/%{_prefix}/lib
+
+cd %{buildroot}/%{_libdir}
+ln -sf libIPSec_MB.so.%{fullversion} libIPSec_MB.so.%{major}
+ln -sf libIPSec_MB.so.%{fullversion} libIPSec_MB.so
+%endif
+
+cd %{_builddir}/%{name}-%{version}
+autoreconf -ivf
+
+%if !0%{?suse_version}
+# Enable QAT_HW & QAT_SW Co-existence acceleration
+./configure --with-openssl_install_dir=%{openssl_install} --with-qat_hw_dir=%{_builddir}/%{qatdriver} --enable-qat_sw
+%else
+# Enable QAT_HW acceleration for SUSE
+./configure --with-openssl_install_dir=%{openssl_install} --with-qat_hw_dir=%{_builddir}/%{qatdriver}
+%endif
+%make_build
+
+install -d %{buildroot}/%{_prefix}/local/ssl/lib64/engines-3
+cp -rf %{_builddir}/%{name}-%{version}/.libs/qatengine.so %{buildroot}/%{_prefix}/local/ssl/lib64/engines-3
+
+install -d %{buildroot}/%{_libdir}/build
+cp -rf %{_builddir}/%{name}-%{version}/qat_hw_config/4xxx/multi_process/4xxx_dev0.conf %{buildroot}/%{_libdir}/build
+cp -rf %{_builddir}/%{qatdriver}/build/libusdm_drv_s.so %{buildroot}/%{_libdir}
+cp -rf %{_builddir}/%{qatdriver}/build/libqat_s.so %{buildroot}/%{_libdir}
+cp -rf %{_builddir}/%{qatdriver}/build %{buildroot}/%{_libdir}
+cp %{_builddir}/%{name}-%{version}/fips/driver_install.sh %{buildroot}/%{_libdir}
+
+%post
+   echo "RPM is getting installed"
+if (lspci | grep Co- >/dev/null )
+then
+   ./%{_libdir}/driver_install.sh
+fi
+
+%clean
+rm -rf %{buildroot}
+
+%files
+%exclude %{_prefix}/local/lib/lib64
+%{_prefix}/local/ssl/lib64/engines-3/qatengine.so
+%{_prefix}/local/ssl/lib64
+%{_prefix}/local/ssl/bin
+%{_prefix}/local/ssl/include
+%{_libdir}/libqat_s.so
+%{_libdir}/libusdm_drv_s.so
+%{_libdir}/build
+%{_libdir}/driver_install.sh
+%license LICENSE*
+%doc README.md docs*
+
+%if !0%{?suse_version}
+%{_libdir}/libcrypto_mb.so.%{ippcpfullversion}
+%{_libdir}/libcrypto_mb.so.%{ippcp_major}
+%{_libdir}/libcrypto_mb.so
+
+%{_libdir}/libIPSec_MB.so.%{fullversion}
+%{_libdir}/libIPSec_MB.so.%{major}
+%{_libdir}/libIPSec_MB.so
+
+%{_prefix}/lib/libIPSec_MB.so.%{fullversion}
+%{_prefix}/lib/libIPSec_MB.so.%{major}
+%{_prefix}/lib/libIPSec_MB.so
+
+%{_prefix}/local/lib/libcrypto_mb.so.%{ippcpfullversion}
+%{_prefix}/local/lib/libcrypto_mb.so.%{ippcp_major}
+%{_prefix}/local/lib/libcrypto_mb.so
+
+%{_includedir}/crypto_mb
+%{_includedir}/intel-ipsec-mb.h
+%endif