
Overview

This page provides a complete reference of all ./configure flags available when building the Intel QAT OpenSSL Engine. Options are organized by category for easy navigation.
All flags are used with the ./configure command during the build process. For build instructions, see Building from Source.

Required Options

Specify QAT Hardware driver source directory
--with-qat_hw_dir=/path/to/qat_driver
Specifies the path to the Intel QAT Driver source code directory. Required for compilation to locate QAT header files.
Example:
./configure --with-qat_hw_dir=/QAT
When NOT required:
  • Building against in-tree driver via qatlib RPM
  • Building for QAT_SW only
Specify OpenSSL installation directory
--with-openssl_install_dir=/path/to/openssl_install
Specifies where OpenSSL was installed. The qatengine.so library will be copied to the engines directory during make install.
Example:
./configure --with-openssl_install_dir=/usr/local/ssl
When NOT required:
  • System already includes OpenSSL 3.x library and devel packages
  • In this case, qatengine.so installs to system enginesdir (e.g., /usr/lib64/engines-3)

QAT Software Options

Enable or disable QAT Software acceleration
--enable-qat_sw
--disable-qat_sw
Enables QAT_SW acceleration using Intel Crypto Multi-buffer and Intel Multi-buffer crypto for IPsec libraries.
Default: Disabled
Default library paths:
  • crypto_mb: /usr/local/lib
  • ipsec_mb: /usr/lib
Custom paths: Use --with-qat_sw_crypto_mb_install_dir and --with-qat_sw_ipsec_mb_install_dir if libraries are elsewhere.
Disable QAT Hardware acceleration
--disable-qat_hw
Forces use of QAT_SW acceleration when both QAT_HW and QAT_SW capabilities are available via in-tree driver.Use case:
  • System has both QAT_HW and QAT_SW
  • In-tree driver installed via qatlib RPM
  • Prefer QAT_SW over QAT_HW
By default, QAT_HW takes precedence when both are available.
Custom crypto_mb installation path
--with-qat_sw_crypto_mb_install_dir=/custom/path
Default: /usr/local
Specify if Intel Crypto Multi-buffer library is installed in a non-default location.
Custom IPsec_MB installation path
--with-qat_sw_ipsec_mb_install_dir=/custom/path
Default: /usr
Specify if Intel Multi-buffer crypto for IPsec library is installed in a non-default location.

Advanced Options

OpenSSL source directory for error generation
--with-openssl_dir=/path/to/openssl
Path to OpenSSL source code, only needed to regenerate engine-specific error files using mkerr.pl script.
When to use:
  • Adding new error messages to QAT Engine source
  • Updates qat_err.c, qat_err.h, and qat.txt
Default behavior: Uses existing error files from QAT Engine directory.
QAT driver build directory
--with-qat_hw_install_dir=/QAT/build
Path to built QAT Hardware driver library files for linking.
Default: <qat_hw_dir>/build
Only specify if driver libraries are built in a non-default location.
USDM component directory
--with-qat_hw_usdm_dir=/path/to/usdm
Path to User Space DMA-able Memory component.
Default: <qat_hw_dir>/quickassist/utilities/libusdm_drv
Only specify if using USDM and path differs from default.
Custom engine ID
--with-qat_engine_id="custom_id"
Default: "qatengine"
Set a custom engine ID. Useful for applications using the legacy "qat" ID.
Example:
./configure --with-qat_engine_id="qat"
Debug log file path
--with-qat_debug_file=/path/to/logfile
Enable logging to file instead of stderr. Works with:
  • --enable-qat_warnings
  • --enable-qat_debug
  • --enable-qat_mem_warnings
  • --enable-qat_mem_debug
Security Risk: Logs may contain private keys and plaintext. Never use in production.
Requirements:
  • Full absolute path and filename
  • Directory must be writable
  • File is replaced (not appended) on each run

Provider & FIPS Support

Enable OpenSSL 3.0 Provider interface
--enable-qat_provider
Default: Disabled (uses engine interface)
Enable Provider support instead of engine for OpenSSL 3.0+.
Supported algorithms:
  • RSA
  • ECDSA
  • ECDH
  • ECX
  • AES-GCM
Only valid when built against OpenSSL 3.0 or later.
Enable FIPS support
--enable-qat_fips
Default: Disabled
Requirements:
  • Must be used with --enable-qat_provider
  • OpenSSL 3.0 or later
Enables FIPS mode when provider is enabled.

QAT Hardware Algorithm Control

Asymmetric Crypto

--disable-qat_hw_rsa  # Disable QAT_HW RSA
--enable-qat_hw_rsa   # Enable QAT_HW RSA (default)
Default: Enabled
--disable-qat_hw_dsa  # Disable QAT_HW DSA
--enable-qat_hw_dsa   # Enable QAT_HW DSA (default)
Default: Enabled
--disable-qat_hw_dh  # Disable QAT_HW DH
--enable-qat_hw_dh   # Enable QAT_HW DH (default)
Default: Enabled
--disable-qat_hw_ecdh  # Disable QAT_HW ECDH
--enable-qat_hw_ecdh   # Enable QAT_HW ECDH (default)
Default: Enabled
--disable-qat_hw_ecdsa  # Disable QAT_HW ECDSA
--enable-qat_hw_ecdsa   # Enable QAT_HW ECDSA (default)
Default: Enabled
--disable-qat_hw_ecx  # Disable QAT_HW ECX
--enable-qat_hw_ecx   # Enable QAT_HW ECX (default)
Default: Enabled

Symmetric Crypto & Ciphers

--disable-qat_hw_ciphers  # Disable chained cipher acceleration
--enable-qat_hw_ciphers   # Enable chained cipher acceleration (default)
Default: Enabled
--disable-qat_hw_gcm  # Disable AES-GCM
--enable-qat_hw_gcm   # Enable AES-GCM
Default: Disabled
--disable-qat_hw_ccm  # Disable AES-CCM
--enable-qat_hw_ccm   # Enable AES-CCM (default)
Default: Enabled
--disable-qat_hw_chachapoly  # Disable CHACHA20-POLY1305
--enable-qat_hw_chachapoly   # Enable CHACHA20-POLY1305
Default: Disabled
Only supported on 4xxx (QAT gen 4) devices.
--disable-qat_hw_sm4_cbc  # Disable SM4-CBC
--enable-qat_hw_sm4_cbc   # Enable SM4-CBC
Default: Disabled
Requirements:
  • QAT gen 4 devices (4xxx)
  • Built with Tongsuo

Key Derivation & Hashing

--disable-qat_hw_prf  # Disable PRF
--enable-qat_hw_prf   # Enable PRF (default)
Default: Enabled
--disable-qat_hw_hkdf  # Disable HKDF
--enable-qat_hw_hkdf   # Enable HKDF
Default: Disabled
--disable-qat_hw_sha3  # Disable SHA-3
--enable-qat_hw_sha3   # Enable SHA-3
Default: Disabled
Only supported on 4xxx (QAT gen 4) devices.
--disable-qat_hw_sm3  # Disable SM3
--enable-qat_hw_sm3   # Enable SM3
Default: Disabled
Only supported on 4xxx (QAT gen 4) devices.
--disable-qat_hw_sm2  # Disable SM2
--enable-qat_hw_sm2   # Enable SM2
Default: Disabled
Only supported on 4xxx (QAT gen 4) devices.

QAT Software Algorithm Control

--disable-qat_sw_rsa  # Disable QAT_SW RSA
--enable-qat_sw_rsa   # Enable QAT_SW RSA (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
--disable-qat_sw_gcm  # Disable QAT_SW AES-GCM
--enable-qat_sw_gcm   # Enable QAT_SW AES-GCM (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
Requirement: IPSec_mb library must be installed
--disable-qat_sw_ecx  # Disable QAT_SW X25519
--enable-qat_sw_ecx   # Enable QAT_SW X25519 (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
--disable-qat_sw_ecdsa  # Disable QAT_SW ECDSA
--enable-qat_sw_ecdsa   # Enable QAT_SW ECDSA (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
--disable-qat_sw_ecdh  # Disable QAT_SW ECDH
--enable-qat_sw_ecdh   # Enable QAT_SW ECDH (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
--disable-qat_sw_sm2  # Disable QAT_SW SM2
--enable-qat_sw_sm2   # Enable QAT_SW SM2 (default when qat_sw enabled)
Default: Enabled when --enable-qat_sw is set
--disable-qat_sw_sm3  # Disable QAT_SW SM3
--enable-qat_sw_sm3   # Enable QAT_SW SM3
Default: Disabled
--disable-qat_sw_sm4_cbc  # Disable QAT_SW SM4-CBC
--enable-qat_sw_sm4_cbc   # Enable QAT_SW SM4-CBC
Default: Disabled
Requirement: Must be built with Tongsuo
--disable-qat_sw_sm4_gcm  # Disable QAT_SW SM4-GCM
--enable-qat_sw_sm4_gcm   # Enable QAT_SW SM4-GCM
Default: Disabled
Requirement: Must be built with Tongsuo
--disable-qat_sw_sm4_ccm  # Disable QAT_SW SM4-CCM
--enable-qat_sw_sm4_ccm   # Enable QAT_SW SM4-CCM
Default: Disabled
Requirement: Must be built with Tongsuo

Performance & Optimization

Offload small packet operations to QAT_HW
--enable-qat_small_pkt_offload
Default: Disabled (small packets processed by CPU)
Enables acceleration of small packet cipher operations to QAT Hardware.
Plock optimization for multi-thread
--enable-qat_plock
Default: Disabled
Alternative to pthread's rwlock for multi-thread applications. Improves performance with higher thread counts.
Note: Requires plock preload library.
Self-tuning polling timeout for QAT_SW
--enable-qat_sw_heuristic_timeout
Default: Disabled
Enables self-tuning of the timeout in the QAT_SW polling thread.
Cycle count measurement for QAT_SW
--enable-qat_cycle_counts
Default: Disabled
Enable cycle count measurement in QAT_SW acceleration code paths.

Security & Special Features

Disable Lenstra attack protection
--disable-qat_hw_lenstra_protection
Default: Protection enabled
Disables protection against Lenstra attack (CVE-2017-5681) in RSA-CRT implementation.
Only disable if QAT driver/firmware provides this protection. See:
Lenstra verify using QAT_HW
--enable-qat_hw_lenstra_verify_hw
Default: Disabled (uses OpenSSL software method)
Use QAT Hardware for Lenstra protection verification instead of software.
Disable automatic engine init after fork
--disable-qat_auto_engine_init_on_fork
Default: Auto-init enabled
Prevents engine from automatically initializing after fork operations.
Use case: Tight control over instance usage in forked processes
Manual initialization: Use INIT_ENGINE message or wait for first QAT crypto operation
Enable insecure/legacy algorithms
--enable-qat_insecure_algorithms
Default: Disabled
Enables:
  • RSA < 2048 bits
  • DSA, DH
  • ECDH curves with bitlen < 256
  • ECDSA curves with bitlen < 256
  • AES128-CBC-HMAC-SHA1
  • AES256-CBC-HMAC-SHA1
  • SHA3-224
QAT_HW driver v1.7+ must be built with --enable-legacy-algorithms.
Enable NTLS support
--enable-qat_ntls
Default: Disabled
Enable NTLS in engine for handling NTLS requests.
Requirement: Must be built with Tongsuo for SMx algorithms

Debug Options

Never enable debug options in production! They may:
  • Output private key material to console/logs
  • Introduce side-channel timing vulnerabilities
  • Significantly impact performance
Enable debug warnings
--enable-qat_warnings
Default: Disabled
Enable warnings to aid debugging.
May introduce side-channel timing attack vulnerabilities.
Enable debug output
--enable-qat_debug
Default: Disabled
Enable debug output to console. Also enables warnings.
Security Risk: May output private keys to console/logs.
Enable memory management warnings
--enable-qat_mem_warnings
Default: Disabled
Enable warnings from userspace memory management code.
Enable memory management debug
--enable-qat_mem_debug
Default: Disabled
Enable verbose debug output from userspace memory management. Also enables memory warnings.
Very verbose output. May expose private key information.
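
A pre-build check for the options this page marks as unsafe for production or as having a stated requirement, given as an added example that is not part of the QAT Engine project or of the original page. The function name audit_qat_configure and its message wording are hypothetical; the flag names, risks and requirements are the ones listed on this page.

```shell
# Added example: audit ./configure arguments against this page's warnings.
# Prints one finding per line; returns 0 if clean, 1 if anything is flagged.
audit_qat_configure() {
    count=0; provider=0; fips=0; debugfile=""
    for arg in "$@"; do
        msg=""
        case "$arg" in
            --enable-qat_provider) provider=1 ;;
            --enable-qat_fips)     fips=1 ;;
            --enable-qat_debug|--enable-qat_mem_debug)
                msg="may expose private key material in console/log output" ;;
            --enable-qat_warnings)
                msg="may introduce side-channel timing vulnerabilities" ;;
            --enable-qat_mem_warnings)
                msg="debug option, not for production builds" ;;
            --with-qat_debug_file=*)
                debugfile="${arg#*=}"
                msg="log file may contain private keys and plaintext" ;;
            --disable-qat_hw_lenstra_protection)
                msg="drops Lenstra (CVE-2017-5681) protection for RSA-CRT" ;;
            --enable-qat_insecure_algorithms)
                msg="enables legacy algorithms such as RSA < 2048 bits and DSA/DH" ;;
        esac
        if [ -n "$msg" ]; then
            echo "RISK  $arg: $msg"
            count=$((count + 1))
        fi
    done
    # --enable-qat_fips must be used with --enable-qat_provider.
    if [ "$fips" -eq 1 ] && [ "$provider" -eq 0 ]; then
        echo "ERROR --enable-qat_fips requires --enable-qat_provider"
        count=$((count + 1))
    fi
    # The debug file must be given as a full absolute path.
    case "$debugfile" in
        ""|/*) ;;
        *)  echo "ERROR --with-qat_debug_file needs a full absolute path"
            count=$((count + 1)) ;;
    esac
    [ "$count" -eq 0 ]
}

# Constructed sample command line (not from the page).
audit_qat_configure --with-qat_hw_dir=/QAT --enable-qat_fips --enable-qat_debug \
    --with-qat_debug_file=qat.log || echo "configure line rejected"
```

Run it in a release pipeline with the same arguments that will be passed to ./configure, and fail the job on a non-zero return.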

Compiler & Linker Options

Additional compiler flags
--with-cc-opt="-O3 -march=native"
Sets additional parameters added to CFLAGS at compile time.
Example:
./configure --with-cc-opt="-O3 -march=native -DDEBUG"
Additional linker flags
--with-ld-opt="-L/custom/lib -Wl,-rpath,/custom/lib"
Sets additional parameters used during linking.
Example:
./configure --with-ld-opt="-L/opt/openssl/lib64"

Example Configurations

./autogen.sh
./configure \
  --with-qat_hw_dir=/QAT \
  --with-openssl_install_dir=/usr/local/ssl
make
make install

Next Steps

Build from Source

Follow the complete build instructions

Configuration

Configure QAT Engine runtime behavior
