intel
diff --git a/‎README.md‎
Lines changed: 66 additions & 11 deletions b/‎README.md‎
Lines changed: 66 additions & 11 deletions
diff --git a/‎docs/apps.md‎
Lines changed: 11 additions & 9 deletions b/‎docs/apps.md‎
Lines changed: 11 additions & 9 deletions
diff --git a/‎docs/bssl_support.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/bssl_support.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/config_options.md‎
Lines changed: 12 additions & 9 deletions b/‎docs/config_options.md‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎docs/features.md‎
Lines changed: 30 additions & 20 deletions b/‎docs/features.md‎
Lines changed: 30 additions & 20 deletions
diff --git a/‎docs/install.md‎
Lines changed: 30 additions & 2 deletions b/‎docs/install.md‎
Lines changed: 30 additions & 2 deletions
@@ -11,7 +11,10 @@ Tongsuo(BabaSSL)\*, BoringSSL\*, etc. OpenSSL\* is a toolkit for TLS/SSL protoco
 has developed a modular system to plugin device-specific engines and provider.
 Depending on the particular use case, the QAT_Engine can be configured to accelerate
 via the QAT Hardware or QAT Software or both based on the platform to meet your specific
-acceleration needs.
+acceleration needs. QAT_Engine supports both the **Engine** interface (all OpenSSL versions)
+and the **Provider** interface (`qatprovider`, recommended for OpenSSL 3.x). Use
+`--enable-qat_provider` at build time to enable the Provider interface; see
+[OpenSSL v3 Provider Support](docs/qat_common.md#openssl-v3-provider-support) for details.
 
 <p align=center>
 <img src="docs/images/qat_engine.png" alt="drawing" width="300"/>
@@ -28,16 +31,17 @@ Limitations and known issues for the QAT_Engine are described [here](docs/limita
 - [Software Requirements](docs/software_requirements.md)
 
 ## Installation Instructions
-Installation instructions are described [here](docs/install.md)
+Installation instructions, including build steps for the Engine and Provider
+interfaces across QAT_HW, QAT_SW and Co-existence configurations, are described [here](docs/install.md)
 
 ## Testing
-</details>
 <details>
-<summary>Test using OpenSSL Engine command </summary>
+<summary>Verify QAT Engine and Provider loading</summary>
+
+### Verify QAT Engine loading
 
-### Test using OpenSSL\* Engine command
 Run this command to verify the Intel&reg; QAT OpenSSL\* Engine is loaded
-correctly: This should not be used to determine QAT Engine capabilities as
+correctly. This should not be used to determine QAT Engine capabilities as
 it will not display all the algorithms that are supported in QAT Engine.
 
 ```text
@@ -72,13 +76,31 @@ qat_sw target output will be:
 
 Detailed information about the engine specific messages is available [here](docs/engine_specific_messages.md).
 Also `./openssl engine -t -c -vvvv qatengine` gives brief description about each ctrl command.
-<br>
+
+### Verify QAT Provider loading
+
+When built with `--enable-qat_provider`, run the following to verify `qatprovider` is
+loaded correctly. Always load the `default` provider alongside `qatprovider` to ensure
+complete algorithm coverage.
+
+```text
+cd /path/to/openssl_install/bin
+./openssl list -providers -provider qatprovider -provider default
+```
+
+Expected output will list `qatprovider` with its name, version and loaded status.
+
+> **Note:** Always activate the `default` provider alongside `qatprovider` — either via
+> `-provider default` on the command line or by adding it to your `openssl.cnf`.
+> See [OpenSSL Provider Support](docs/qat_common.md#openssl-provider-support) for details.
 </details>
 <details>
-<summary>Test using OpenSSL speed utility</summary>
+<summary>Test using OpenSSL* speed utility</summary>
 
 ### Test using OpenSSL\* speed utility
 
+**QAT Engine (`-engine qatengine`)**
+
 ```text
 cd /path/to/openssl_install/bin
 
@@ -110,14 +132,47 @@ qat_sw
 * AES-128-GCM
   taskset -c 1 ./openssl speed -engine qatengine -elapsed -evp aes-128-gcm
 ```
-Note: Run the test without "-engine qatengine" for each algorithm to see the performance against OpenSSL.
-This only covers key algorithms, additional algorithms can be tested by changing algo parameter.
 
+**QAT Provider (`-provider qatprovider -provider default`)**
+
+```text
+cd /path/to/openssl_install/bin
+
+qat_hw
+
+* RSA 2K Sign/Verify
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 72 rsa2048
+* ECDH P-256 Compute Key
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 72 ecdhp256
+* ECDSA P-256 Sign/Verify
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 72 ecdsap256
+* AES-256-GCM
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 72 -evp aes-256-gcm
+
+qat_sw
+
+* RSA 2K Sign/Verify
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 8 rsa2048
+* ECDH X25519 Compute Key
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 8 ecdhx25519
+* ECDSA P-256 Sign/Verify
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -async_jobs 8 ecdsap256
+* AES-256-GCM
+  taskset -c 1 ./openssl speed -provider qatprovider -provider default -elapsed -evp aes-256-gcm
+```
+
+Note: Run the test without `-engine qatengine` or `-provider qatprovider` for each algorithm to
+compare against OpenSSL\* software. This covers key algorithms; additional algorithms can be tested
+by changing the algo parameter. Additional provider test commands are described in
+[docs/qat_common.md](docs/qat_common.md#openssl-provider-support).
 </details>
 <details>
 <summary>Test using inbuilt testapp utility</summary>
 
-## Test using inbuilt testapp utility</summary>
+### Test using inbuilt testapp utility
+
+> **Note:** The `testapp` utility supports the QAT Engine (`qatengine`) interface only.
+> It does not support the QAT Provider (`qatprovider`) interface.
 
 ```text
 cd /path/to/qat_engine
 
@@ -8,34 +8,36 @@ repository:
 * [Intel&reg; QuickAssist Technology (QAT) Async Mode NGINX\*](https://github.com/intel/asynch_mode_nginx)
 
 Follow the below link on how to enable Async mode Nginx\* with QAT Hardware and software
-Aceeleration using best known configuration.
+Acceleration using best known configuration.
 [Async mode for Nginx\*](https://intel.github.io/quickassist/qatlib/asynch_nginx.html)
 
-### NGINX\* QUIC with QAT
-Experimental QUIC support for NGINX\* with Intel&reg; QAT Engine for
-BoringSSL\* Library can be found [here](https://www.intel.com/content/www/us/en/content-details/737522/experimental-quic-support-for-nginx.html)
-
 ### HAProxy\* with QAT
 HAProxy\* is a free, very fast and reliable reverse-proxy offering high availability,
 load balancing, and proxying for TCP and HTTP-based applications.
 
-Follow the instructions from HAProxy [Install](https://github.com/haproxy/haproxy/blob/master/INSTALL)
-to build and install Haproxy. Use `USE_PTHREAD_EMULATION=1` option in the make command which improves performance
+Follow the instructions from the HAProxy [INSTALL](https://github.com/haproxy/haproxy/blob/master/INSTALL) file
+to build and install HAProxy. The validated release is listed in [Software Requirements](software_requirements.md#applications). Use `USE_PTHREAD_EMULATION=1` option in the make command which improves performance
 utilizing HAProxy's much lighter locks replacing OpensSL\* Pthread locks.
 
 Add the following options along with other standard settings in the
 HAProxy\* [Configuration File](https://www.haproxy.com/documentation/haproxy-configuration-manual/latest)
 to utilize QAT Acceleration.
 
+#### QAT Engine Configuration
 ```bash
 ssl-engine qatengine algo ALL
 ssl-mode-async
 ```
 
+#### QAT Provider Configuration
+```bash
+ssl-provider qatprovider
+ssl-mode-async
+```
+
 ## Case Studies
-* [Intel&reg; QuickAssist Technology and OpenSSL-1.1.0:Performance](https://www.intel.com/content/www/us/en/content-details/709581/intel-quickassist-technology-and-openssl-1-1-0-performance.html)
 * [Intel® QuickAssist Technology - NGINX\* Performance White Paper](https://networkbuilders.intel.com/solutionslibrary/intel-quickassist-technology-nginx-performance-white-paper)
-* [Accelerate HAProxy\* with Intel QAT](https://www.intel.com/content/www/us/en/content-details/814574/accelerating-haproxy-with-intel-quickassist-technology.html)
+* [Accelerate HAProxy\* with Intel QAT](https://builders.intel.com/solutionslibrary/accelerating-haproxy-with-intel-quickassist-technology)
 
 Other Application Integration and more case studies can be found at QAT link below
 * [Intel® QuickAssist Technology (Intel® QAT)](https://www.intel.com/content/www/us/en/developer/topic-technology/open/quick-assist-technology/overview.html)
@@ -17,6 +17,8 @@ Some limitations specific for the current BoringSSL\* Library:
 * `RSA_padding_add_PKCS1_OAEP` function is exported by BoringSSL\* `libdecrepit.so`,
 so it needs to be linked in the BoringSSL\* Library. It may cause linking error while
 building with the system lack of that library.
+* The QAT Provider (`qatprovider`) is not supported with BoringSSL\*. Only the QAT
+Engine interface is available for BoringSSL\* builds.
 
 ## Requirements
 - [Hardware Requirements](hardware_requirements.md)
 
@@ -29,10 +29,9 @@ The following is a list of the options that can be used with the
     `/usr/local/ssl` then you would use the following setting:
     --with-openssl_install_dir=/usr/local/ssl
 
-    If your system already includes OpenSSL 1.1.1 library and devel package this
-    option is not required.
-    In this case qatengine.so is installed in the system enginesdir
-    (eg: /usr/lib64/engine-1.1).
+    If using the system OpenSSL, this option is not required.
+    In this case qatengine.so is installed in the system engines directory
+    (e.g., `/usr/lib64/engines-3` for OpenSSL 3.x).
 
 ```
 ### qat_sw options
@@ -108,15 +107,19 @@ The following is a list of the options that can be used with the
     is different from the default.
 
 --enable-qat_provider
-    Enables Provider support instead of engine for OpenSSL. Valid only
-    when built against OpenSSL 3.0, default if not specified will use engine
-    interface. Currently RSA, ECDSA, ECDH, ECX and AES-GCM algorithms are
-    only supported (disabled by default).
+    Enables the QAT Provider (`qatprovider`) interface for OpenSSL 3.x.
+    The default, if not specified, is the Engine interface.
+```
+Refer to [OpenSSL Provider Support](qat_common.md#openssl-provider-support) for supported algorithms and test examples.
+```
 
 --enable-qat_fips
     Enables FIPS support when provider is enabled. Valid only
-    when built against OpenSSL 3.0 along with the flag `--enable-qat_provider`,
+    when built against OpenSSL 3.0.8 along with the flag `--enable-qat_provider`,
     (disabled by default).
+```
+Refer to [FIPS 140-3 Certification](qat_common.md#fips-140-3-certification) for more details.
+```
 
 --disable-qat_hw_rsa/--enable-qat_hw_rsa
     Disable/Enable Intel(R) QAT Hardware RSA acceleration (enabled by default).
 
@@ -22,7 +22,7 @@
     * AES128-GCM, AES256-GCM.
     * ChaCha20-Poly1305
     * SM4-CBC
-* Key Derivation 
+* Key Derivation
     * PRF
     * HKDF
 * Hashing
@@ -33,32 +33,42 @@
 * [Intel&reg; QAT OpenSSL\* Engine Software Fallback](qat_hw.md#intel-qat-openssl-engine-software-fallback-feature)
 * [Key Protection Technology (KPT) Support using QAT_HW driver v2.0](qat_hw_kpt.md)
 
-Please refer [here](qat_hw_algo.md) for applicable QAT Hardware versions and algorithms enabled by default.
+> **Algorithm default status:**
+> - **Enabled by default:** RSA (2048–4096 on all platforms; up to 8192 on QAT Gen4/v2.x and intree),
+>   ECDH/ECDSA (curves ≥256-bit, X25519/X448), PRF,
+>   AES-256-CBC-HMAC-SHA256, AES-256-CCM (v2.x/intree only).
+> - **Insecure — disabled by default** (enable with `--enable-qat_insecure_algorithms`):
+>   RSA (<2048), DSA, DH (all key sizes), ECDH/ECDSA on curves <256-bit (Binary/Koblitz),
+>   AES-128-GCM, AES-128/192-CCM, AES-128/256-CBC-HMAC-SHA1, AES-128-CBC-HMAC-SHA256, SHA3-224.
+> - **Experimental — disabled by default** (enable with corresponding `--enable-qat_hw_*` flag):
+>   AES-256-GCM, HKDF, SHA3-256/384/512, ChaCha20-Poly1305, SM2, SM3.
+> - **Tongsuo/BabaSSL only — disabled by default:** SM4-CBC.
+>
+> See [qat_hw_algo.md](qat_hw_algo.md) for the full per-platform default status and configure flags.
 
 ## qat_sw Features
-* [Intel&reg; QAT Software Acceleration](qat_sw.md)
-* Asymmetric PKE
-    * RSA for Key size 2048, 3072, 4096
-    * ECDH for the following curves:
-        * Montgomery EC Curve: X25519
-        * NIST Prime Curves: P-256/P-384
-        * SM2
-    * ECDSA for the following curves:
-        * NIST Prime Curves: P-256/P-384
-        * SM2
-* Symmetric Ciphers
-    * AES128-GCM, AES192-GCM and AES256-GCM
-    * SM4-CBC using 16 Multibuffer requests (Tongsuo only)
-    * SM4-GCM using 16 Multibuffer requests (Tongsuo only)
-    * SM4-CCM using 16 Multibuffer requests (Tongsuo only)
-* Hashing
-    * SM3 Hash using 16 Multibuffer requests (Experimental)
+[Intel&reg; QAT Software Acceleration](qat_sw.md) provides multi-buffer based acceleration
+for the following algorithms:
+
+| QAT_SW Algorithm | Status |
+| :--- | :---: |
+| RSA 2048/3072/4096 | \* |
+| ECDH X25519, P-256/P-384, SM2 | \* |
+| ECDSA P-256/P-384, SM2 | \* |
+| AES128-GCM, AES192-GCM, AES256-GCM | \* |
+| SM4-CBC, SM4-GCM, SM4-CCM (16 multibuffer requests) | \# |
+| SM3 (16 multibuffer requests) | \*\* |
+
+\* Enabled by default in the standard build.<br>
+\# Disabled by default; applicable to Tongsuo/BabaSSL builds only.<br>
+\*\* Disabled by default due to performance degradation in multithreaded scenarios; see [Known Issues](limitations.md#known-issues).
 
 ## Common Features to qat_hw & qat_sw
 * [BoringSSL Support](bssl_support.md)
-* [OpenSSL 3.0 Provider Support](qat_common.md#openssl-30-provider-support)
+* [OpenSSL Provider Support](qat_common.md#openssl-provider-support)
 * [QAT_HW & QAT_SW Co-existence](qat_coex.md#qat-hw-and-qat-sw-co-existence)
 * [FIPS 140-3 Certification](qat_common.md#fips-140-3-certification)
+* [Hybrid PQC Interoperability](qat_common.md#interoperability-with-openssl-default-provider-for-hybrid-pqc)
 
 Note: RSA Padding schemes are handled by OpenSSL\* or BoringSSL\* rather than accelerated, so the
 engine supports the same padding schemes as OpenSSL\* or BoringSSL\* does natively.
@@ -39,6 +39,7 @@ libtool and pkg-config) installed in the system.
 - [Build QAT Engine for QAT_HW](#build-qat-engine-for-qat_hw)
 - [Build QAT Engine for QAT_SW](#build-qat-engine-for-qat_sw)
 - [Build QAT Engine with QAT_HW & QAT_SW Co-existence ](#build-qat-engine-with-qat_hw--qat_sw-co-existence)
+- [Build with QAT Provider Interface](#build-with-qat-provider-interface)
 - [Build Instructions for BoringSSL Library](bssl_support.md)
 
 ### Install with make depend target
@@ -100,7 +101,16 @@ at OpenSSL\*
 ```
 export OPENSSL_ENGINES=/usr/local/ssl/lib64/engines-3
 ```
-Load/Initialize Engine using the the OpenSSL conf file is located [here](openssl_config.md)
+
+For the QAT Provider, the `qatprovider.so` module must be placed in the OpenSSL\*
+modules directory. Set `OPENSSL_MODULES` if the module is installed outside the
+default location (e.g. `<openssl-install>/lib64/ossl-modules/`):
+
+```
+export OPENSSL_MODULES=/usr/local/ssl/lib64/ossl-modules
+```
+
+Load/Initialize Engine or Provider using the OpenSSL conf file is located [here](openssl_config.md)
 
 ### Install QAT_HW & QAT_SW dependencies
 
@@ -276,7 +286,25 @@ make install
 The default behaviour and working mechanism of co-existence is described
 [here](qat_coex.md#qat_hw-and-qat_sw-co-existence)
 
-### Build Instructions for BoringSSL Library
+### Build with QAT Provider Interface
+
+The QAT Provider (`qatprovider`) is the recommended interface for OpenSSL 3.x
+applications. Add `--enable-qat_provider` to any of the build configurations
+above to build `qatprovider.so` instead of (or alongside) the engine.
+
+After installation, `qatprovider.so` is placed in the OpenSSL\* modules
+directory (`<openssl-install>/lib64/ossl-modules/`). Set `OPENSSL_MODULES`
+if using a non-default path:
+
+```
+export OPENSSL_MODULES=/usr/local/ssl/lib64/ossl-modules
+```
+
+Refer to [OpenSSL\* Configuration File](openssl_config.md) for loading the
+provider via `openssl.cnf`, and to [qat_common.md](qat_common.md#openssl-v3-provider-support)
+for test commands and further details. Note that when `qatprovider` is activated via
+`openssl.cnf`, the `default` provider is not loaded automatically — ensure it is also
+listed in the providers section to avoid "unknown algorithm" errors.
 
 Refer [BoringSSL section](bssl_support.md)
 for steps to build the  Intel® QAT Engine for BoringSSL\* library