[v2] cryptodev: add asymmetric operational capability

Message ID 20241004181255.916-1-gmuthukrishn@marvell.com (mailing list archive)
State Superseded
Delegated to: akhil goyal
Headers
Series [v2] cryptodev: add asymmetric operational capability |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/loongarch-compilation success Compilation OK
ci/loongarch-unit-testing success Unit Testing PASS
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS
ci/github-robot: build success github build: passed
ci/intel-Functional success Functional PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-unit-amd64-testing pending Testing pending
ci/iol-marvell-Functional success Functional Testing PASS
ci/iol-unit-arm64-testing pending Testing pending
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-compile-arm64-testing pending Testing pending
ci/iol-compile-amd64-testing success Testing PASS
ci/iol-sample-apps-testing success Testing PASS

Commit Message

Gowrishankar Muthukrishnan Oct. 4, 2024, 6:12 p.m. UTC
Asymmetric crypto algorithms such as SM2, EdDSA would need per op
capability and based on it, the input param to a crypto operation
is chosen wisely.

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
---
v2:
 - op_capa is array of int instead of structure.
 - compilation issues addressed.
---
 app/test/test_cryptodev_asym.c                | 24 ++++++++++++-------
 .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  8 ++++++-
 drivers/crypto/openssl/rte_openssl_pmd_ops.c  | 17 +++++++++----
 lib/cryptodev/rte_crypto_asym.h               | 12 ++++++++++
 lib/cryptodev/rte_cryptodev.c                 | 16 +++++++++++++
 lib/cryptodev/rte_cryptodev.h                 | 23 ++++++++++++++++++
 lib/cryptodev/version.map                     |  3 +++
 7 files changed, 89 insertions(+), 14 deletions(-)
  

Comments

Kusztal, ArkadiuszX Oct. 8, 2024, 5:06 p.m. UTC | #1
Acked-by: Arkadiusz Kusztal <arkadiuszx.kusztal@intel.com>

With some comments.

> -----Original Message-----
> From: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
> Sent: Friday, October 4, 2024 8:13 PM
> To: dev@dpdk.org; Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>; Akhil
> Goyal <gakhil@marvell.com>; Fan Zhang <fanzhang.oss@gmail.com>; Ankur
> Dwivedi <adwivedi@marvell.com>; Anoob Joseph <anoobj@marvell.com>;
> Tejasree Kondoj <ktejasree@marvell.com>; Ji, Kai <kai.ji@intel.com>
> Cc: FanZhangfanzhang.oss@gmail.com; jerinj@marvell.com; Gowrishankar
> Muthukrishnan <gmuthukrishn@marvell.com>
> Subject: [PATCH v2] cryptodev: add asymmetric operational capability
> 
> Asymmetric crypto algorithms such as SM2, EdDSA would need per op capability
> and based on it, the input param to a crypto operation is chosen wisely.
> 
> Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn@marvell.com>
> ---
> v2:
>  - op_capa is array of int instead of structure.
>  - compilation issues addressed.
> ---
>  app/test/test_cryptodev_asym.c                | 24 ++++++++++++-------
>  .../crypto/cnxk/cnxk_cryptodev_capabilities.c |  8 ++++++-
> drivers/crypto/openssl/rte_openssl_pmd_ops.c  | 17 +++++++++----
>  lib/cryptodev/rte_crypto_asym.h               | 12 ++++++++++
>  lib/cryptodev/rte_cryptodev.c                 | 16 +++++++++++++
>  lib/cryptodev/rte_cryptodev.h                 | 23 ++++++++++++++++++
>  lib/cryptodev/version.map                     |  3 +++
>  7 files changed, 89 insertions(+), 14 deletions(-)
> 
> diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
> index f0b5d38543..d9b260d50e 100644
> --- a/app/test/test_cryptodev_asym.c
> +++ b/app/test/test_cryptodev_asym.c
> @@ -2611,7 +2611,8 @@ test_sm2_sign(void)
> 
>  	/* Populate op with operational details */
>  	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
> -	if (rte_cryptodev_asym_xform_capability_check_hash(capa,
> RTE_CRYPTO_AUTH_SM3))
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_SIGN, RTE_CRYPTO_SM2_PH))
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
>  	else
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL; @@ -2628,7
> +2629,8 @@ test_sm2_sign(void)
>  		asym_op->sm2.id.length = 0;
>  	}
> 
> -	if (capa->internal_rng != 0) {
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_ENCRYPT,
> RTE_CRYPTO_SM2_RNG)) {
>  		asym_op->sm2.k.data = NULL;
>  		asym_op->sm2.k.length = 0;
>  	} else {
> @@ -2677,7 +2679,8 @@ test_sm2_sign(void)
>  	debug_hexdump(stdout, "s:",
>  			asym_op->sm2.s.data, asym_op->sm2.s.length);
> 
> -	if (capa->internal_rng == 0) {
> +	if (!rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_SIGN,
> RTE_CRYPTO_SM2_RNG)) {
>  		/* Verify sign (by comparison). */
>  		if (memcmp(input_params.sign_r.data, asym_op->sm2.r.data,
>  				   asym_op->sm2.r.length) != 0) {
> @@ -2802,7 +2805,8 @@ test_sm2_verify(void)
>  	/* Populate op with operational details */
>  	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
> 
> -	if (rte_cryptodev_asym_xform_capability_check_hash(capa,
> RTE_CRYPTO_AUTH_SM3))
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_VERIFY,
> RTE_CRYPTO_SM2_PH))
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
>  	else
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL; @@ -2924,7
> +2928,8 @@ test_sm2_enc(void)
> 
>  	/* Populate op with operational details */
>  	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_ENCRYPT;
> -	if (rte_cryptodev_asym_xform_capability_check_hash(capa,
> RTE_CRYPTO_AUTH_SM3))
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_ENCRYPT,
> RTE_CRYPTO_SM2_PH))
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
>  	else
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL; @@ -2932,7
> +2937,8 @@ test_sm2_enc(void)
>  	asym_op->sm2.message.data = input_params.message.data;
>  	asym_op->sm2.message.length = input_params.message.length;
> 
> -	if (capa->internal_rng != 0) {
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_ENCRYPT,
> RTE_CRYPTO_SM2_RNG)) {
>  		asym_op->sm2.k.data = NULL;
>  		asym_op->sm2.k.length = 0;
>  	} else {
> @@ -2978,7 +2984,8 @@ test_sm2_enc(void)
>  	debug_hexdump(stdout, "cipher:",
>  			asym_op->sm2.cipher.data, asym_op-
> >sm2.cipher.length);
> 
> -	if (capa->internal_rng == 0) {
> +	if (!rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_ENCRYPT,
> RTE_CRYPTO_SM2_RNG)) {
>  		if (memcmp(input_params.cipher.data, asym_op-
> >sm2.cipher.data,
>  				   asym_op->sm2.cipher.length) != 0) {
>  			status = TEST_FAILED;
> @@ -3105,7 +3112,8 @@ test_sm2_dec(void)
> 
>  	/* Populate op with operational details */
>  	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_DECRYPT;
> -	if (rte_cryptodev_asym_xform_capability_check_hash(capa,
> RTE_CRYPTO_AUTH_SM3))
> +	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
> +			RTE_CRYPTO_ASYM_OP_DECRYPT,
> RTE_CRYPTO_SM2_PH))
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
>  	else
>  		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL; diff --git
> a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
> b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
> index 0d5d64b6e7..0a19fc732b 100644
> --- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
> +++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
> @@ -1194,7 +1194,13 @@ static const struct rte_cryptodev_capabilities
> caps_sm2[] = {
>  			.xform_capa = {
>  				.xform_type =
> RTE_CRYPTO_ASYM_XFORM_SM2,
>  				.op_types = ((1 <<
> RTE_CRYPTO_ASYM_OP_SIGN) |
> -					     (1 <<
> RTE_CRYPTO_ASYM_OP_VERIFY))
> +					     (1 <<
> RTE_CRYPTO_ASYM_OP_VERIFY) |
> +					     (1 <<
> RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> +					     (1 <<
> RTE_CRYPTO_ASYM_OP_DECRYPT)),
> +				.op_capa = {
> +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> +				}
>  			}
>  		}
>  		}
> diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> index b7b612fc57..6f81bcb110 100644
> --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> @@ -598,15 +598,22 @@ static const struct rte_cryptodev_capabilities
> openssl_pmd_capabilities[] = {
>  		{.asym = {
>  			.xform_capa = {
>  				.xform_type =
> RTE_CRYPTO_ASYM_XFORM_SM2,
> -				.hash_algos = (1 << RTE_CRYPTO_AUTH_SM3),
>  				.op_types =
> -				((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
> +				((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
>  				 (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
>  				 (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
>  				 (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
> -				{.internal_rng = 1
> -				}
> -			}
Designated initializers could probably help with readability.
> +				.op_capa = {
> +					
[RTE_CRYPTO_ASYM_OP_ENCRYPT] = (1 << RTE_CRYPTO_SM2_RNG) |
> +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> +					
[RTE_CRYPTO_ASYM_OP_DECRYPT] = (1 << RTE_CRYPTO_SM2_RNG) |
> +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> +					
[RTE_CRYPTO_ASYM_OP_SIGN] = (1 << RTE_CRYPTO_SM2_RNG) |
> +					(1 << RTE_CRYPTO_SM2_PH),
> +					
[RTE_CRYPTO_ASYM_OP_VERIFY] = (1 << RTE_CRYPTO_SM2_RNG) |
> +					(1 << RTE_CRYPTO_SM2_PH)
> +				},
> +			},
>  		}

Probably driver/test changes should be in different patches.

>  		}
>  	},
> diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
> index 39d3da3952..157f597d5d 100644
> --- a/lib/cryptodev/rte_crypto_asym.h
> +++ b/lib/cryptodev/rte_crypto_asym.h
> @@ -633,6 +633,18 @@ struct rte_crypto_asym_xform {
>  	};
>  };
> 
> +/**
> + * SM2 operation capabilities
> + */
> +enum rte_crypto_sm2_op_capa {
> +	RTE_CRYPTO_SM2_RNG,
> +	/**< Random number generator supported in SM2 ops. */
> +	RTE_CRYPTO_SM2_PH,
> +	/**< Prehash message before crypto op. */
> +	RTE_CRYPTO_SM2_PKE_KDF,
> +	/**< KDF support in SM2 public key encryption */ };
> +
>  /**
>   * SM2 operation params.
>   */
> diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c index
> 682c9f49d0..d3d8e25b39 100644
> --- a/lib/cryptodev/rte_cryptodev.c
> +++ b/lib/cryptodev/rte_cryptodev.c
> @@ -628,6 +628,22 @@ rte_cryptodev_asym_xform_capability_check_hash(
>  	return ret;
>  }
> 
> +int
> +rte_cryptodev_asym_xform_capability_check_opcap(
> +	const struct rte_cryptodev_asymmetric_xform_capability *capability,
> +	enum rte_crypto_asym_op_type op_type, uint8_t cap) {
> +	int ret = 0;
> +
> +	if (!(capability->op_types & (1 << op_type)))
> +		return ret;
> +
> +	if (capability->op_capa[op_type] & (1 << cap))
> +		ret = 1;
> +
> +	return ret;
> +}
> +
>  /* spinlock for crypto device enq callbacks */  static rte_spinlock_t
> rte_cryptodev_callback_lock = RTE_SPINLOCK_INITIALIZER;
> 
> diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h index
> bec947f6d5..aa6ef3a94d 100644
> --- a/lib/cryptodev/rte_cryptodev.h
> +++ b/lib/cryptodev/rte_cryptodev.h
> @@ -185,6 +185,9 @@ struct rte_cryptodev_asymmetric_xform_capability {
>  		 * Value 0 means unavailable, and application should pass the
> required
>  		 * random value. Otherwise, PMD would internally compute the
> random number.
>  		 */
> +
> +		uint32_t op_capa[RTE_CRYPTO_ASYM_OP_LIST_END];
> +		/**< Operation specific capabilities. */
>  	};
> 
>  	uint64_t hash_algos;
> @@ -359,6 +362,26 @@ rte_cryptodev_asym_xform_capability_check_hash(
>  	const struct rte_cryptodev_asymmetric_xform_capability *capability,
>  	enum rte_crypto_auth_algorithm hash);
> 
> +/**
> + * @warning
> + * @b EXPERIMENTAL: this API may change without prior notice.
> + *
> + * Check if op capability is supported
> + *
> + * @param	capability	Description of the asymmetric crypto
> capability.
> + * @param	op_type		op type
> + * @param	cap		op capability
> + *
> + * @return
> + *   - Return 1 if the op capability is supported
> + *   - Return 0 if unsupported
> + */
> +__rte_experimental
> +int
> +rte_cryptodev_asym_xform_capability_check_opcap(
> +	const struct rte_cryptodev_asymmetric_xform_capability *capability,
> +	enum rte_crypto_asym_op_type op_type, uint8_t cap);
> +
>  /**
>   * Provide the cipher algorithm enum, given an algorithm string
>   *
> diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map index
> 594c501855..5d40b7fed0 100644
> --- a/lib/cryptodev/version.map
> +++ b/lib/cryptodev/version.map
> @@ -87,6 +87,9 @@ EXPERIMENTAL {
> 
>  	# added in 24.03
>  	__rte_cryptodev_trace_qp_depth_used;
> +
> +	# added in 24.11
> +	rte_cryptodev_asym_xform_capability_check_opcap;
>  };
> 
>  INTERNAL {
> --
> 2.21.0
  
Gowrishankar Muthukrishnan Oct. 9, 2024, 3:38 a.m. UTC | #2
> Acked-by: Arkadiusz Kusztal <arkadiuszx. kusztal@ intel. com> 

Thanks.
> With some comments.
> 
<cut>

> > diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > index b7b612fc57..6f81bcb110 100644
> > --- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > +++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
> > @@ -598,15 +598,22 @@ static const struct rte_cryptodev_capabilities
> > openssl_pmd_capabilities[] = {
> >  		{.asym = {
> >  			.xform_capa = {
> >  				.xform_type =
> > RTE_CRYPTO_ASYM_XFORM_SM2,
> > -				.hash_algos = (1 <<
> RTE_CRYPTO_AUTH_SM3),
> >  				.op_types =
> > -				((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
> > +				((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
> >  				 (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
> >  				 (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
> >  				 (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
> > -				{.internal_rng = 1
> > -				}
> > -			}
> Designated initializers could probably help with readability.
> > +				.op_capa = {
> > +
> [RTE_CRYPTO_ASYM_OP_ENCRYPT] = (1 << RTE_CRYPTO_SM2_RNG) |
> > +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> > +
> [RTE_CRYPTO_ASYM_OP_DECRYPT] = (1 << RTE_CRYPTO_SM2_RNG) |
> > +					(1 << RTE_CRYPTO_SM2_PKE_KDF),
> > +
> [RTE_CRYPTO_ASYM_OP_SIGN] = (1 << RTE_CRYPTO_SM2_RNG) |
> > +					(1 << RTE_CRYPTO_SM2_PH),
> > +
> [RTE_CRYPTO_ASYM_OP_VERIFY] = (1 << RTE_CRYPTO_SM2_RNG) |
> > +					(1 << RTE_CRYPTO_SM2_PH)
> > +				},
> > +			},
> >  		}
> 
Ack.

> Probably driver/test changes should be in different patches.
> 

Ack.

Regards,
Gowrishankar
  

Patch

diff --git a/app/test/test_cryptodev_asym.c b/app/test/test_cryptodev_asym.c
index f0b5d38543..d9b260d50e 100644
--- a/app/test/test_cryptodev_asym.c
+++ b/app/test/test_cryptodev_asym.c
@@ -2611,7 +2611,8 @@  test_sm2_sign(void)
 
 	/* Populate op with operational details */
 	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_SIGN;
-	if (rte_cryptodev_asym_xform_capability_check_hash(capa, RTE_CRYPTO_AUTH_SM3))
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_SIGN, RTE_CRYPTO_SM2_PH))
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
 	else
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL;
@@ -2628,7 +2629,8 @@  test_sm2_sign(void)
 		asym_op->sm2.id.length = 0;
 	}
 
-	if (capa->internal_rng != 0) {
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_ENCRYPT, RTE_CRYPTO_SM2_RNG)) {
 		asym_op->sm2.k.data = NULL;
 		asym_op->sm2.k.length = 0;
 	} else {
@@ -2677,7 +2679,8 @@  test_sm2_sign(void)
 	debug_hexdump(stdout, "s:",
 			asym_op->sm2.s.data, asym_op->sm2.s.length);
 
-	if (capa->internal_rng == 0) {
+	if (!rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_SIGN, RTE_CRYPTO_SM2_RNG)) {
 		/* Verify sign (by comparison). */
 		if (memcmp(input_params.sign_r.data, asym_op->sm2.r.data,
 				   asym_op->sm2.r.length) != 0) {
@@ -2802,7 +2805,8 @@  test_sm2_verify(void)
 	/* Populate op with operational details */
 	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_VERIFY;
 
-	if (rte_cryptodev_asym_xform_capability_check_hash(capa, RTE_CRYPTO_AUTH_SM3))
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_VERIFY, RTE_CRYPTO_SM2_PH))
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
 	else
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL;
@@ -2924,7 +2928,8 @@  test_sm2_enc(void)
 
 	/* Populate op with operational details */
 	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_ENCRYPT;
-	if (rte_cryptodev_asym_xform_capability_check_hash(capa, RTE_CRYPTO_AUTH_SM3))
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_ENCRYPT, RTE_CRYPTO_SM2_PH))
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
 	else
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL;
@@ -2932,7 +2937,8 @@  test_sm2_enc(void)
 	asym_op->sm2.message.data = input_params.message.data;
 	asym_op->sm2.message.length = input_params.message.length;
 
-	if (capa->internal_rng != 0) {
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_ENCRYPT, RTE_CRYPTO_SM2_RNG)) {
 		asym_op->sm2.k.data = NULL;
 		asym_op->sm2.k.length = 0;
 	} else {
@@ -2978,7 +2984,8 @@  test_sm2_enc(void)
 	debug_hexdump(stdout, "cipher:",
 			asym_op->sm2.cipher.data, asym_op->sm2.cipher.length);
 
-	if (capa->internal_rng == 0) {
+	if (!rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_ENCRYPT, RTE_CRYPTO_SM2_RNG)) {
 		if (memcmp(input_params.cipher.data, asym_op->sm2.cipher.data,
 				   asym_op->sm2.cipher.length) != 0) {
 			status = TEST_FAILED;
@@ -3105,7 +3112,8 @@  test_sm2_dec(void)
 
 	/* Populate op with operational details */
 	asym_op->sm2.op_type = RTE_CRYPTO_ASYM_OP_DECRYPT;
-	if (rte_cryptodev_asym_xform_capability_check_hash(capa, RTE_CRYPTO_AUTH_SM3))
+	if (rte_cryptodev_asym_xform_capability_check_opcap(capa,
+			RTE_CRYPTO_ASYM_OP_DECRYPT, RTE_CRYPTO_SM2_PH))
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_SM3;
 	else
 		asym_op->sm2.hash = RTE_CRYPTO_AUTH_NULL;
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index 0d5d64b6e7..0a19fc732b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -1194,7 +1194,13 @@  static const struct rte_cryptodev_capabilities caps_sm2[] = {
 			.xform_capa = {
 				.xform_type = RTE_CRYPTO_ASYM_XFORM_SM2,
 				.op_types = ((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
-					     (1 << RTE_CRYPTO_ASYM_OP_VERIFY))
+					     (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
+					     (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
+					     (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
+				.op_capa = {
+					(1 << RTE_CRYPTO_SM2_PKE_KDF),
+					(1 << RTE_CRYPTO_SM2_PKE_KDF),
+				}
 			}
 		}
 		}
diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index b7b612fc57..6f81bcb110 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -598,15 +598,22 @@  static const struct rte_cryptodev_capabilities openssl_pmd_capabilities[] = {
 		{.asym = {
 			.xform_capa = {
 				.xform_type = RTE_CRYPTO_ASYM_XFORM_SM2,
-				.hash_algos = (1 << RTE_CRYPTO_AUTH_SM3),
 				.op_types =
-				((1<<RTE_CRYPTO_ASYM_OP_SIGN) |
+				((1 << RTE_CRYPTO_ASYM_OP_SIGN) |
 				 (1 << RTE_CRYPTO_ASYM_OP_VERIFY) |
 				 (1 << RTE_CRYPTO_ASYM_OP_ENCRYPT) |
 				 (1 << RTE_CRYPTO_ASYM_OP_DECRYPT)),
-				{.internal_rng = 1
-				}
-			}
+				.op_capa = {
+					(1 << RTE_CRYPTO_SM2_RNG) |
+					(1 << RTE_CRYPTO_SM2_PKE_KDF),
+					(1 << RTE_CRYPTO_SM2_RNG) |
+					(1 << RTE_CRYPTO_SM2_PKE_KDF),
+					(1 << RTE_CRYPTO_SM2_RNG) |
+					(1 << RTE_CRYPTO_SM2_PH),
+					(1 << RTE_CRYPTO_SM2_RNG) |
+					(1 << RTE_CRYPTO_SM2_PH)
+				},
+			},
 		}
 		}
 	},
diff --git a/lib/cryptodev/rte_crypto_asym.h b/lib/cryptodev/rte_crypto_asym.h
index 39d3da3952..157f597d5d 100644
--- a/lib/cryptodev/rte_crypto_asym.h
+++ b/lib/cryptodev/rte_crypto_asym.h
@@ -633,6 +633,18 @@  struct rte_crypto_asym_xform {
 	};
 };
 
+/**
+ * SM2 operation capabilities
+ */
+enum rte_crypto_sm2_op_capa {
+	RTE_CRYPTO_SM2_RNG,
+	/**< Random number generator supported in SM2 ops. */
+	RTE_CRYPTO_SM2_PH,
+	/**< Prehash message before crypto op. */
+	RTE_CRYPTO_SM2_PKE_KDF,
+	/**< KDF support in SM2 public key encryption */
+};
+
 /**
  * SM2 operation params.
  */
diff --git a/lib/cryptodev/rte_cryptodev.c b/lib/cryptodev/rte_cryptodev.c
index 682c9f49d0..d3d8e25b39 100644
--- a/lib/cryptodev/rte_cryptodev.c
+++ b/lib/cryptodev/rte_cryptodev.c
@@ -628,6 +628,22 @@  rte_cryptodev_asym_xform_capability_check_hash(
 	return ret;
 }
 
+int
+rte_cryptodev_asym_xform_capability_check_opcap(
+	const struct rte_cryptodev_asymmetric_xform_capability *capability,
+	enum rte_crypto_asym_op_type op_type, uint8_t cap)
+{
+	int ret = 0;
+
+	if (!(capability->op_types & (1 << op_type)))
+		return ret;
+
+	if (capability->op_capa[op_type] & (1 << cap))
+		ret = 1;
+
+	return ret;
+}
+
 /* spinlock for crypto device enq callbacks */
 static rte_spinlock_t rte_cryptodev_callback_lock = RTE_SPINLOCK_INITIALIZER;
 
diff --git a/lib/cryptodev/rte_cryptodev.h b/lib/cryptodev/rte_cryptodev.h
index bec947f6d5..aa6ef3a94d 100644
--- a/lib/cryptodev/rte_cryptodev.h
+++ b/lib/cryptodev/rte_cryptodev.h
@@ -185,6 +185,9 @@  struct rte_cryptodev_asymmetric_xform_capability {
 		 * Value 0 means unavailable, and application should pass the required
 		 * random value. Otherwise, PMD would internally compute the random number.
 		 */
+
+		uint32_t op_capa[RTE_CRYPTO_ASYM_OP_LIST_END];
+		/**< Operation specific capabilities. */
 	};
 
 	uint64_t hash_algos;
@@ -359,6 +362,26 @@  rte_cryptodev_asym_xform_capability_check_hash(
 	const struct rte_cryptodev_asymmetric_xform_capability *capability,
 	enum rte_crypto_auth_algorithm hash);
 
+/**
+ * @warning
+ * @b EXPERIMENTAL: this API may change without prior notice.
+ *
+ * Check if op capability is supported
+ *
+ * @param	capability	Description of the asymmetric crypto capability.
+ * @param	op_type		op type
+ * @param	cap		op capability
+ *
+ * @return
+ *   - Return 1 if the op capability is supported
+ *   - Return 0 if unsupported
+ */
+__rte_experimental
+int
+rte_cryptodev_asym_xform_capability_check_opcap(
+	const struct rte_cryptodev_asymmetric_xform_capability *capability,
+	enum rte_crypto_asym_op_type op_type, uint8_t cap);
+
 /**
  * Provide the cipher algorithm enum, given an algorithm string
  *
diff --git a/lib/cryptodev/version.map b/lib/cryptodev/version.map
index 594c501855..5d40b7fed0 100644
--- a/lib/cryptodev/version.map
+++ b/lib/cryptodev/version.map
@@ -87,6 +87,9 @@  EXPERIMENTAL {
 
 	# added in 24.03
 	__rte_cryptodev_trace_qp_depth_used;
+
+	# added in 24.11
+	rte_cryptodev_asym_xform_capability_check_opcap;
 };
 
 INTERNAL {