Hi Akhil,
Thank you for your question about PMD support for the SM4-CBC and SM3-HMAC
combination.
The SM4-CBC + SM3-HMAC algorithm combination is supported by the following PMDs
in DPDK:
1. QAT PMD (Intel QuickAssist Technology)
   - Hardware accelerated crypto operations
   - Full support for both SM4-CBC and SM3-HMAC
   - Recommended for production environments with QAT hardware
2. AESNI-MB PMD (Intel Multi-Buffer Crypto)
   - CPU-based implementation using Intel AES-NI instructions
   - Supports both SM4-CBC and SM3-HMAC algorithms
   - Suitable for Intel CPUs without dedicated crypto hardware
3. CN10K/CN20K PMD (Marvell Octeon)
   - Hardware accelerated support for Chinese crypto algorithms
   - Full SM4-CBC and SM3-HMAC support
The patch implementation in examples/ipsec-secgw adds the algorithm definitions
and parsing support, making it compatible with any PMD that supports these
algorithms. Users can choose to use the appropriate PMD based on their hardware
availability:
   - For QAT: --vdev crypto_qat
   - For AESNI-MB: --vdev crypto_aesni_mb (default on Intel CPUs)
   - For CN10K: Platform-specific driver

Example configuration with QAT PMD:

    ./build/examples/ipsec-secgw -l 0-3 -n 4 --vdev crypto_qat -- -p 0x3 -u 0x1 --config="(0,0,qat_device0)" -f ep0.cfg

SA configuration example:

    sa out 30 cipher_algo sm4-cbc cipher_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10 auth_algo sm3-hmac auth_key 01:23:45:67:89:ab:cd:ef:fe:dc:ba:98:76:54:32:10:11:22:33:44 mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5

The implementation follows the same pattern as existing algorithms and
integrates seamlessly with the current IPsec framework.
Best regards,
Sunyang Wu
-----Original Message-----
From: Akhil Goyal <[email protected]>
Sent: 19 November 2025 17:26
To: Sunyang Wu <[email protected]>; [email protected]
Subject: RE: [EXTERNAL] [PATCH v2] examples/ipsec-secgw: add support for SM4-CBC
cipher and SM3-HMAC auth
> This patch adds support for Chinese cryptographic algorithms in the
> IPsec security gateway example application:
>
> 1 Add SM4-CBC cipher algorithm support with 16-byte IV and key;
> 2 Add SM3-HMAC authentication algorithm support with 20-byte key;
> 3 Update SA configuration parsing to recognize "sm4-cbc" and "sm3-hmac"
> keywords;
> 4 Implement proper IV handling and authentication offset/length
> configuration.
>
> These additions enable the IPsec security gateway to use Chinese
> national cryptographic standards for secure communications.
>
> Signed-off-by: Sunyang Wu <[email protected]>
Which PMD is used to support this combination for IPsec?
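
Added example, not part of the thread and not code from the ipsec-secgw patch: a stand-alone check that a colon-separated `cipher_key` or `auth_key` value from an SA line is well formed and has exactly the key size the patch description states (16 bytes for sm4-cbc, 20 bytes for sm3-hmac). The names `sa_key_check`, `parse_colon_key` and `algo_reqs` are hypothetical, and the size table is an assumption taken only from the quoted commit message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Key sizes as stated in the quoted patch description (assumption). */
struct algo_req { const char *keyword; size_t key_len; };
static const struct algo_req algo_reqs[] = {
    { "sm4-cbc", 16 },
    { "sm3-hmac", 20 },
};

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "aa:bb:cc" into out. Returns the byte count, or -1 on malformed
 * input (odd digits, stray or trailing ':') or if out would overflow. */
static int parse_colon_key(const char *s, uint8_t *out, size_t out_sz)
{
    size_t n = 0;
    for (;;) {
        int hi = hex_val(s[0]);
        int lo = hi < 0 ? -1 : hex_val(s[1]); /* s[1] read only if s[0] is hex */
        if (lo < 0 || n == out_sz)
            return -1;
        out[n++] = (uint8_t)(hi << 4 | lo);
        s += 2;
        if (*s == '\0')
            return (int)n;
        if (*s++ != ':')
            return -1;
    }
}

/* 0: key is valid for keyword; -1: malformed or wrong length; -2: unknown keyword. */
int sa_key_check(const char *keyword, const char *key_str)
{
    uint8_t key[64];
    for (size_t i = 0; i < sizeof(algo_reqs) / sizeof(algo_reqs[0]); i++) {
        if (strcmp(keyword, algo_reqs[i].keyword) != 0)
            continue;
        int n = parse_colon_key(key_str, key, sizeof(key));
        return (n >= 0 && (size_t)n == algo_reqs[i].key_len) ? 0 : -1;
    }
    return -2;
}
```

Run against the SA line in the reply, both keys pass; a 16-byte value given as `auth_key` for sm3-hmac is rejected rather than silently accepted.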