diff --git a/.cirrus.yml b/.cirrus.yml
index 197a379..62ff294 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -8,7 +8,7 @@ task:
     TPM2TOOLS_TCTI: "tabrmd:bus_name=com.intel.tss2.Tabrmd"
     TPM2OPENSSL_TCTI: ${TPM2TOOLS_TCTI}
     IBMSWTPM_VER: rev183-2024-08-02
-    TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+    TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
   install_packages_script: |
     pkg install -y bash wget gmake libtool pkgconf automake autoconf autoconf-archive \
@@ -25,6 +25,7 @@ task:
     wget --no-verbose https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz
     tar xfz rev183-2024-08-02.tar.gz
     cd ibmswtpm2-$IBMSWTPM_VER/src
+    sed -i '' -e 's/-DTPM_NUVOTON/-DTPM_NUVOTON -DALG_SM3_256=1/g' makefile
     sed -i '' -e 's/gcc/clang/g' makefile
     sed -i '' -e 's/-Wall //g' makefile
     sed -i '' -e 's/-Werror //g' makefile
diff --git a/.github/workflows/clang-asan-check.yml b/.github/workflows/clang-asan-check.yml
index 33d4b50..0c071b0 100644
--- a/.github/workflows/clang-asan-check.yml
+++ b/.github/workflows/clang-asan-check.yml
@@ -8,7 +8,7 @@ on:
 env:
   IBMSWTPM_VER: rev183-2024-08-02
   # sha1 is not tested by default because Fedora 41+ does not support it
-  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
 jobs:
   build:
@@ -26,6 +26,7 @@ jobs:
       run: |
         curl -Ls https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz | tar xz
         cd ibmswtpm2-$IBMSWTPM_VER/src
+        sed -i 's/#define ALG_SM3_256.*/#define ALG_SM3_256 ALG_YES/' TpmProfile.h
         make
 
     - name: Build openssl
@@ -40,7 +41,7 @@ jobs:
                     no-filenames no-fips no-fips-securitychecks no-gost no-idea \
                     no-ktls no-makedepend no-md4 no-multiblock \
                     no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rfc3779 \
-                    no-rmd160 no-seed no-siphash no-siv no-sm3 no-sm4 \
+                    no-rmd160 no-seed no-siphash no-siv no-sm4 \
                     no-srtp no-ssl3-method no-tests no-ts no-whirlpool
         make build_sw
         sudo make install_sw install_ssldirs
@@ -78,6 +79,7 @@ jobs:
       run: |
         openssl version
         tpm2_getcap properties-fixed | head -n 20
+        tpm2_getcap algorithms
         make check
       env:
         TPM2TOOLS_TCTI: ${{ env.TCTI_ADDRESS }}
diff --git a/.github/workflows/gcc-distcheck.yml b/.github/workflows/gcc-distcheck.yml
index 4ede0c6..d72b5d4 100644
--- a/.github/workflows/gcc-distcheck.yml
+++ b/.github/workflows/gcc-distcheck.yml
@@ -4,7 +4,7 @@ on:
 env:
   IBMSWTPM_VER: rev183-2024-08-02
   # sha1 is not tested by default because Fedora 41+ does not support it
-  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512"
+  TPM2_TEST_HASHES: "sha1 sha256 sha384 sha512 sm3"
 
 jobs:
   build:
@@ -19,6 +19,7 @@ jobs:
       run: |
         curl -Ls https://github.com/kgoldman/ibmswtpm2/archive/refs/tags/$IBMSWTPM_VER.tar.gz | tar xz
         cd ibmswtpm2-$IBMSWTPM_VER/src
+        sed -i 's/#define ALG_SM3_256.*/#define ALG_SM3_256 ALG_YES/' TpmProfile.h
         make
 
     - name: Configure tpm2-openssl
@@ -45,6 +46,7 @@ jobs:
       run: |
         openssl version
         tpm2_getcap properties-fixed | head -n 20
+        tpm2_getcap algorithms
         make check-code-coverage
       env:
         TPM2TOOLS_TCTI: ${{ env.TCTI_ADDRESS }}
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 98f3e88..0450e05 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -6,6 +6,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 ## [1.3.0] - 2024-xx-yy
 ### Added
 - Added support for RSA-OAEP decryption.
+- Added support for SM2 curves and SM3 hashes.
 - Added Parent to textual information printed by 'openssl pkey -text'.
 ### Fixed
 - Fixed multi-threaded operation, preventing the 'Esys called in bad sequence'
diff --git a/src/tpm2-provider-types.c b/src/tpm2-provider-types.c
index 22d0e3e..5000c7c 100644
--- a/src/tpm2-provider-types.c
+++ b/src/tpm2-provider-types.c
@@ -30,6 +30,7 @@ static const hash_names_t hashes[] = {
     { "SHA512", TPM2_ALG_SHA512 },
     { "SHA-512", TPM2_ALG_SHA512 },
     { "SHA2-512", TPM2_ALG_SHA512 },
+    { "SM3", TPM2_ALG_SM3_256 },
     { NULL, TPM2_ALG_ERROR }
 };
 
@@ -126,6 +127,7 @@ static const curve_nids_t curves[] = {
     { NID_X9_62_prime256v1, TPM2_ECC_NIST_P256 },
     { NID_secp384r1, TPM2_ECC_NIST_P384 },
     { NID_secp521r1, TPM2_ECC_NIST_P521 },
+    { NID_sm2, TPM2_ECC_SM2_P256 },
     { NID_undef, TPM2_ECC_NONE }
 };
 
diff --git a/test/digest.sh b/test/digest.sh
index 9d5a26b..13bd52d 100755
--- a/test/digest.sh
+++ b/test/digest.sh
@@ -4,7 +4,7 @@ set -eufx
 
 echo -n "abcde12345abcde12345" > testdata
 
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 
diff --git a/test/ecdsa_genpkey_sign_rawin.sh b/test/ecdsa_genpkey_sign_rawin.sh
index 7266049..cb5602c 100755
--- a/test/ecdsa_genpkey_sign_rawin.sh
+++ b/test/ecdsa_genpkey_sign_rawin.sh
@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm EC -pkeyopt group:P-256 -out testkey.p
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 
 # check various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 
diff --git a/test/rsa_genpkey_sign_rawin.sh b/test/rsa_genpkey_sign_rawin.sh
index f2b9a94..98937bc 100755
--- a/test/rsa_genpkey_sign_rawin.sh
+++ b/test/rsa_genpkey_sign_rawin.sh
@@ -11,7 +11,7 @@ openssl genpkey -provider tpm2 -algorithm RSA -pkeyopt bits:1024 -out testkey.pr
 openssl pkey -provider tpm2 -provider base -in testkey.priv -pubout -out testkey.pub
 
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue
 
diff --git a/test/rsapss_genpkey_sign_rawin.sh b/test/rsapss_genpkey_sign_rawin.sh
index 99f8d63..4bd0283 100755
--- a/test/rsapss_genpkey_sign_rawin.sh
+++ b/test/rsapss_genpkey_sign_rawin.sh
@@ -5,7 +5,7 @@ set -eufx
 echo -n "abcde12345abcde12345" > testdata
 
 # check default scheme with various digests
-for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512}; do
+for HASH in ${TPM2_TEST_HASHES:-sha256 sha384 sha512 sm3}; do
     # skip unsupported algorithms
     tpm2_getcap algorithms | grep $HASH || continue