Intel Adds Zstd Compression Support to QAT Gen6

Zstd Offload Comes to QAT Across Multiple Generations

The Intel QAT crypto driver now supports Zstd compression offloading, with implementation differences across hardware versions. QAT Gen4 and Gen5 accelerators receive basic Zstandard crypto offload capability, while the newer QAT Gen6 processors, which power Intel’s Diamond Rapids platform, introduce a cleaner native Zstd implementation. Critically, Gen6 adds bidirectional support: both compression and decompression offloading, whereas earlier generations handled only compression tasks.

This distinction matters for workloads that require symmetric compression operations. Decompression offload reduces CPU overhead during data retrieval and processing pipelines.

Gen6 Brings Security and Wireless Enhancements

Beyond compression, QAT Gen6 hardware receives new wireless mode support, expanding the accelerator’s applicability to telecommunications and mobile infrastructure. The most significant security addition is an anti-rollback feature that prevents installation of outdated QAT firmware versions containing known vulnerabilities. This protection mechanism blocks downgrade attacks, a critical concern for systems managing sensitive cryptographic operations.

These additions position Gen6 as a more comprehensive platform for both legacy and emerging encryption workloads.

Broader Cryptography Subsystem Modernization

The Intel QAT changes are part of a larger cryptography subsystem overhaul in Linux 7.1. The TI DTHEv2 driver expanded its algorithm support to include CTR(AES), GCM(AES), and CCM(AES) modes, addressing gaps in hardware-accelerated authentication and counter-mode encryption.

The kernel also removed legacy CPU-based DES and 3DES acceleration code, reflecting the industry’s move away from aging symmetric ciphers. Additionally, SIMD SKCIPHER support was dropped from the crypto API due to lack of active use, streamlining the codebase for maintenance and future optimization.

What This Means for Infrastructure and Performance

Hardware-accelerated compression and cryptography reduce CPU cycles spent on data transformation, freeing processor resources for application workloads. Organizations running Intel Xeon systems with QAT Gen6 accelerators can now offload both compression and decompression tasks, potentially improving throughput in data centers handling large-scale storage, backup, or streaming operations.

The anti-rollback security feature addresses operational risk by preventing accidental or malicious firmware downgrades that could expose systems to known exploits. This is particularly relevant for enterprises managing heterogeneous infrastructure where firmware consistency is critical.

The Bigger Picture for Linux Kernel Crypto

Notable libcrypto optimizations and improvements across Linux 7.1 signal continued investment in hardware acceleration as a path to performance scaling. As CPU clock speeds plateau, offloading cryptographic and compression workloads to specialized silicon becomes essential for meeting throughput demands in cloud infrastructure, content delivery networks, and storage systems.

The removal of legacy algorithms and unused code paths reflects a pragmatic cleanup effort. However, organizations still dependent on 3DES for legacy systems will need to plan migration strategies as support recedes from the mainline kernel.

Intel’s QAT Gen6 enhancements, combined with broader crypto subsystem improvements, position Linux 7.1 as a more capable platform for hardware-accelerated cryptography. The addition of decompression offload and firmware security protections addresses real operational demands, though the full performance impact will depend on workload patterns and adoption rates among system vendors and cloud providers deploying these accelerators at scale.