[RFC,3/4] cryptodev: introduce cpu-crypto API
diff mbox series

Message ID 20191105184122.15172-4-konstantin.ananyev@intel.com
State New
Delegated to: akhil goyal
Headers show
Series
  • cpu-crypto API choices
Related show

Checks

Context Check Description
ci/Intel-compilation success Compilation OK
ci/checkpatch warning coding style issues

Commit Message

Ananyev, Konstantin Nov. 5, 2019, 6:41 p.m. UTC
This patch extends rte_cryptodev API with CPU-CRYPTO mode.
This is done by reusing existing rte_crypto_sym_session structure itself
and related control-path cryptodev API (init/clear/get_size/etc.) 
 For data-path new sym_cpu_ process() function is added into
rte_cryptodev dev_ops.   

Crypto PMD that wants to support that functionality would need to:
1. claim RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability supported.
2. change at least the following functions inside rte_cryptodev_ops:
	. sym_session_get_size,
	. sym_session_configure,
	. sym_session_clear
to accommodate support for both sync and async modes,
3. implement new function inside rte_cryptodev_ops:
	sym_cpu_process

For data-path processing consumer of that API would have to maintain:
	struct rte_cryptodev_sym_session *sess,
	list of dev ids for which this session was properly initialized 

As an advantage of this approach - reuse of existing API
and minimal visible changes for crypto PMDs. 

Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
---
 lib/librte_cryptodev/rte_crypto_sym.h    | 11 ++++++++++-
 lib/librte_cryptodev/rte_cryptodev.c     | 14 ++++++++++++++
 lib/librte_cryptodev/rte_cryptodev.h     | 24 ++++++++++++++++++++++++
 lib/librte_cryptodev/rte_cryptodev_pmd.h | 22 ++++++++++++++++++++++
 4 files changed, 70 insertions(+), 1 deletion(-)

Comments

Akhil Goyal Nov. 5, 2019, 9:41 p.m. UTC | #1
Hi Konstantin,

> 
> This patch extends rte_cryptodev API with CPU-CRYPTO mode.
> This is done by reusing existing rte_crypto_sym_session structure itself
> and related control-path cryptodev API (init/clear/get_size/etc.)
>  For data-path new sym_cpu_ process() function is added into
> rte_cryptodev dev_ops.
> 
> Crypto PMD that wants to support that functionality would need to:
> 1. claim RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability supported.
> 2. change at least the following functions inside rte_cryptodev_ops:
> 	. sym_session_get_size,
> 	. sym_session_configure,
> 	. sym_session_clear
> to accommodate support for both sync and async modes,
> 3. implement new function inside rte_cryptodev_ops:
> 	sym_cpu_process
> 
> For data-path processing consumer of that API would have to maintain:
> 	struct rte_cryptodev_sym_session *sess,
> 	list of dev ids for which this session was properly initialized
> 
> As an advantage of this approach - reuse of existing API
> and minimal visible changes for crypto PMDs.
> 
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> ---
>  lib/librte_cryptodev/rte_crypto_sym.h    | 11 ++++++++++-
>  lib/librte_cryptodev/rte_cryptodev.c     | 14 ++++++++++++++
>  lib/librte_cryptodev/rte_cryptodev.h     | 24 ++++++++++++++++++++++++
>  lib/librte_cryptodev/rte_cryptodev_pmd.h | 22 ++++++++++++++++++++++
>  4 files changed, 70 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
> b/lib/librte_cryptodev/rte_crypto_sym.h
> index d8d9e9514..790c77524 100644
> --- a/lib/librte_cryptodev/rte_crypto_sym.h
> +++ b/lib/librte_cryptodev/rte_crypto_sym.h
> @@ -166,6 +166,10 @@ struct rte_crypto_cipher_xform {
>  	 *  - Both keys must have the same size.
>  	 **/
> 
> +	/**
> +         * CPU-CRYPTO specific data, should be set properly when
> +	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise
> ignored.
> +	 */
>  	struct {
>  		/**
>  		 * offset for cipher to start within user provided data buffer.

Earlier I was ok to have this offset but on another thought, why do you need this?
User can give the exact pointer in the process() API from where he wants to do ciphering.
You will be adding this offset in the driver if you keep this in xform/session. So I think there is
no difference whether you add in the driver or the application. Am I missing something?

> @@ -415,6 +419,10 @@ struct rte_crypto_aead_xform {
>  		uint16_t length;	/**< key length in bytes */
>  	} __attribute__((__packed__)) key;
> 
> +	/**
> +         * CPU-CRYPTO specific data, should be set properly when
> +	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise
> ignored.
> +	 */
>  	struct {
>  		/**
>  		 * offset for cipher to start within user provided data buffer.
> @@ -471,7 +479,8 @@ enum rte_crypto_sym_xform_type {
>  	RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED = 0,	/**< No xform
> specified */
>  	RTE_CRYPTO_SYM_XFORM_AUTH,		/**< Authentication
> xform */
>  	RTE_CRYPTO_SYM_XFORM_CIPHER,		/**< Cipher xform  */
> -	RTE_CRYPTO_SYM_XFORM_AEAD		/**< AEAD xform  */
> +	RTE_CRYPTO_SYM_XFORM_AEAD,		/**< AEAD xform  */
> +	RTE_CRYPTO_SYM_CPU_CRYPTO = INT32_MIN,  /**< xform for cpu-
> crypto */

This is not a correct place to have this. All types of xforms CIPHER/AUTH/AEAD 
can be used in SYNC mode

>  };
> 
>  /**
> diff --git a/lib/librte_cryptodev/rte_cryptodev.c
> b/lib/librte_cryptodev/rte_cryptodev.c
> index 89aa2ed3e..b1dbaf4c1 100644
> --- a/lib/librte_cryptodev/rte_cryptodev.c
> +++ b/lib/librte_cryptodev/rte_cryptodev.c
> @@ -1616,6 +1616,20 @@ rte_cryptodev_sym_session_get_user_data(
>  	return (void *)(sess->sess_data + sess->nb_drivers);
>  }
> 
> +__rte_experimental
> +int
> +rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
> +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> *vec,
> +	int32_t status[], uint32_t num)
> +{
> +	struct rte_cryptodev *dev;
> +
> +	dev = rte_cryptodev_pmd_get_dev(dev_id);
> +	RTE_FUNC_PTR_OR_ERR_RET(*dev->dev_ops->sym_cpu_process,-
> ENOTSUP);
> +
> +	return dev->dev_ops->sym_cpu_process(dev, sess, vec, status, num);
> +}
> +
>  /** Initialise rte_crypto_op mempool element */
>  static void
>  rte_crypto_op_init(struct rte_mempool *mempool,
> diff --git a/lib/librte_cryptodev/rte_cryptodev.h
> b/lib/librte_cryptodev/rte_cryptodev.h
> index c6ffa3b35..24877006c 100644
> --- a/lib/librte_cryptodev/rte_cryptodev.h
> +++ b/lib/librte_cryptodev/rte_cryptodev.h
> @@ -450,6 +450,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> rte_crypto_asym_xform_type *xform_enum,
>  /**< Support encrypted-digest operations where digest is appended to data */
>  #define RTE_CRYPTODEV_FF_ASYM_SESSIONLESS		(1ULL << 20)
>  /**< Support asymmetric session-less operations */
> +#define	RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO
> 	(1ULL << 21)
> +/**< Support symmeteric cpu-crypto processing */
> 
> 
>  /**
> @@ -1274,6 +1276,28 @@ void *
>  rte_cryptodev_sym_session_get_user_data(
>  					struct rte_cryptodev_sym_session
> *sess);
> 
> +/**
> + * Perform actual crypto processing (encrypt/digest or auth/decrypt)
> + * on user provided data.
> + *
> + * @param	dev_id	The device identifier.
> + * @param	sess	Cryptodev session structure
> + * @param	vec	Array of vectors for input data
> + * @param	status	Array of status values (one per vec)
> + *			(RTE_CRYPTO_OP_STATUS_* values)
> + * @param	num	Number of elems in vec and status arrays.
> + *
> + * @return
> + *  - Returns negative errno value on error, or non-negative number
> + *    of successfully processed input vectors.
> + *
> +*/
> +__rte_experimental
> +int
> +rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
> +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> *vec,
> +	int32_t status[], uint32_t num);
> +
>  #ifdef __cplusplus
>  }
>  #endif
> diff --git a/lib/librte_cryptodev/rte_cryptodev_pmd.h
> b/lib/librte_cryptodev/rte_cryptodev_pmd.h
> index fba14f2fa..02e7a19ae 100644
> --- a/lib/librte_cryptodev/rte_cryptodev_pmd.h
> +++ b/lib/librte_cryptodev/rte_cryptodev_pmd.h
> @@ -308,6 +308,26 @@ typedef void (*cryptodev_sym_free_session_t)(struct
> rte_cryptodev *dev,
>   */
>  typedef void (*cryptodev_asym_free_session_t)(struct rte_cryptodev *dev,
>  		struct rte_cryptodev_asym_session *sess);
> +/**
> + * Perform actual crypto processing (encrypt/digest or auth/decrypt)
> + * on user provided data.
> + *
> + * @param	dev		Crypto device pointer
> + * @param	sess	Cryptodev session structure
> + * @param	vec	Array of vectors for input data
> + * @param	status	Array of status values (one per vec)
> + *			(RTE_CRYPTO_OP_STATUS_* values)
> + * @param	num	Number of elems in vec and status arrays.
> + *
> + * @return
> + *  - Returns negative errno value on error, or non-negative number
> + *    of successfully processed input vectors.
> + *
> +*/
> +typedef int (*cryptodev_sym_cpu_crypto_process_t)(struct rte_cryptodev *dev,
> +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> *vec,
> +	int32_t status[], uint32_t num);
> +
> 
>  /** Crypto device operations function pointer table */
>  struct rte_cryptodev_ops {
> @@ -342,6 +362,8 @@ struct rte_cryptodev_ops {
>  	/**< Clear a Crypto sessions private data. */
>  	cryptodev_asym_free_session_t asym_session_clear;
>  	/**< Clear a Crypto sessions private data. */
> +	cryptodev_sym_cpu_crypto_process_t sym_cpu_process;
> +	/**< process input data synchronously (cpu-crypto). */
>  };
> 
> 
> --
> 2.17.1
Ananyev, Konstantin Nov. 6, 2019, 2:49 p.m. UTC | #2
Hi Akhil,


> > This patch extends rte_cryptodev API with CPU-CRYPTO mode.
> > This is done by reusing existing rte_crypto_sym_session structure itself
> > and related control-path cryptodev API (init/clear/get_size/etc.)
> >  For data-path new sym_cpu_ process() function is added into
> > rte_cryptodev dev_ops.
> >
> > Crypto PMD that wants to support that functionality would need to:
> > 1. claim RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO capability supported.
> > 2. change at least the following functions inside rte_cryptodev_ops:
> > 	. sym_session_get_size,
> > 	. sym_session_configure,
> > 	. sym_session_clear
> > to accommodate support for both sync and async modes,
> > 3. implement new function inside rte_cryptodev_ops:
> > 	sym_cpu_process
> >
> > For data-path processing consumer of that API would have to maintain:
> > 	struct rte_cryptodev_sym_session *sess,
> > 	list of dev ids for which this session was properly initialized
> >
> > As an advantage of this approach - reuse of existing API
> > and minimal visible changes for crypto PMDs.
> >
> > Signed-off-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> > ---
> >  lib/librte_cryptodev/rte_crypto_sym.h    | 11 ++++++++++-
> >  lib/librte_cryptodev/rte_cryptodev.c     | 14 ++++++++++++++
> >  lib/librte_cryptodev/rte_cryptodev.h     | 24 ++++++++++++++++++++++++
> >  lib/librte_cryptodev/rte_cryptodev_pmd.h | 22 ++++++++++++++++++++++
> >  4 files changed, 70 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/librte_cryptodev/rte_crypto_sym.h
> > b/lib/librte_cryptodev/rte_crypto_sym.h
> > index d8d9e9514..790c77524 100644
> > --- a/lib/librte_cryptodev/rte_crypto_sym.h
> > +++ b/lib/librte_cryptodev/rte_crypto_sym.h
> > @@ -166,6 +166,10 @@ struct rte_crypto_cipher_xform {
> >  	 *  - Both keys must have the same size.
> >  	 **/
> >
> > +	/**
> > +         * CPU-CRYPTO specific data, should be set properly when
> > +	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise
> > ignored.
> > +	 */
> >  	struct {
> >  		/**
> >  		 * offset for cipher to start within user provided data buffer.
> 
> Earlier I was ok to have this offset but on another thought, why do you need this?
> User can give the exact pointer in the process() API from where he wants to do ciphering.
> You will be adding this offset in the driver if you keep this in xform/session. So I think there is
> no difference whether you add in the driver or the application. Am I missing something?

At least for ipsec this value is always constant for session (usually ESP header + IV). 
So seems better to set it once inside session, instead of passing an
array of same constant values for each process() call.

> 
> > @@ -415,6 +419,10 @@ struct rte_crypto_aead_xform {
> >  		uint16_t length;	/**< key length in bytes */
> >  	} __attribute__((__packed__)) key;
> >
> > +	/**
> > +         * CPU-CRYPTO specific data, should be set properly when
> > +	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise
> > ignored.
> > +	 */
> >  	struct {
> >  		/**
> >  		 * offset for cipher to start within user provided data buffer.
> > @@ -471,7 +479,8 @@ enum rte_crypto_sym_xform_type {
> >  	RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED = 0,	/**< No xform
> > specified */
> >  	RTE_CRYPTO_SYM_XFORM_AUTH,		/**< Authentication
> > xform */
> >  	RTE_CRYPTO_SYM_XFORM_CIPHER,		/**< Cipher xform  */
> > -	RTE_CRYPTO_SYM_XFORM_AEAD		/**< AEAD xform  */
> > +	RTE_CRYPTO_SYM_XFORM_AEAD,		/**< AEAD xform  */
> > +	RTE_CRYPTO_SYM_CPU_CRYPTO = INT32_MIN,  /**< xform for cpu-
> > crypto */
> 
> This is not a correct place to have this. All types of xforms CIPHER/AUTH/AEAD
> can be used in SYNC mode

The intention is to use it as a flag.
For async mode only we just do let say
.type = RTE_CRYPTO_SYM_XFORM_AEAD;
(as we do now)
For async+sync modes:
.type = RTE_CRYPTO_SYM_XFORM_AEAD | RTE_CRYPTO_SYM_CPU_CRYPTO;

> 
> >  };
> >
> >  /**
> > diff --git a/lib/librte_cryptodev/rte_cryptodev.c
> > b/lib/librte_cryptodev/rte_cryptodev.c
> > index 89aa2ed3e..b1dbaf4c1 100644
> > --- a/lib/librte_cryptodev/rte_cryptodev.c
> > +++ b/lib/librte_cryptodev/rte_cryptodev.c
> > @@ -1616,6 +1616,20 @@ rte_cryptodev_sym_session_get_user_data(
> >  	return (void *)(sess->sess_data + sess->nb_drivers);
> >  }
> >
> > +__rte_experimental
> > +int
> > +rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
> > +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> > *vec,
> > +	int32_t status[], uint32_t num)
> > +{
> > +	struct rte_cryptodev *dev;
> > +
> > +	dev = rte_cryptodev_pmd_get_dev(dev_id);
> > +	RTE_FUNC_PTR_OR_ERR_RET(*dev->dev_ops->sym_cpu_process,-
> > ENOTSUP);
> > +
> > +	return dev->dev_ops->sym_cpu_process(dev, sess, vec, status, num);
> > +}
> > +
> >  /** Initialise rte_crypto_op mempool element */
> >  static void
> >  rte_crypto_op_init(struct rte_mempool *mempool,
> > diff --git a/lib/librte_cryptodev/rte_cryptodev.h
> > b/lib/librte_cryptodev/rte_cryptodev.h
> > index c6ffa3b35..24877006c 100644
> > --- a/lib/librte_cryptodev/rte_cryptodev.h
> > +++ b/lib/librte_cryptodev/rte_cryptodev.h
> > @@ -450,6 +450,8 @@ rte_cryptodev_asym_get_xform_enum(enum
> > rte_crypto_asym_xform_type *xform_enum,
> >  /**< Support encrypted-digest operations where digest is appended to data */
> >  #define RTE_CRYPTODEV_FF_ASYM_SESSIONLESS		(1ULL << 20)
> >  /**< Support asymmetric session-less operations */
> > +#define	RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO
> > 	(1ULL << 21)
> > +/**< Support symmeteric cpu-crypto processing */
> >
> >
> >  /**
> > @@ -1274,6 +1276,28 @@ void *
> >  rte_cryptodev_sym_session_get_user_data(
> >  					struct rte_cryptodev_sym_session
> > *sess);
> >
> > +/**
> > + * Perform actual crypto processing (encrypt/digest or auth/decrypt)
> > + * on user provided data.
> > + *
> > + * @param	dev_id	The device identifier.
> > + * @param	sess	Cryptodev session structure
> > + * @param	vec	Array of vectors for input data
> > + * @param	status	Array of status values (one per vec)
> > + *			(RTE_CRYPTO_OP_STATUS_* values)
> > + * @param	num	Number of elems in vec and status arrays.
> > + *
> > + * @return
> > + *  - Returns negative errno value on error, or non-negative number
> > + *    of successfully processed input vectors.
> > + *
> > +*/
> > +__rte_experimental
> > +int
> > +rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
> > +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> > *vec,
> > +	int32_t status[], uint32_t num);
> > +
> >  #ifdef __cplusplus
> >  }
> >  #endif
> > diff --git a/lib/librte_cryptodev/rte_cryptodev_pmd.h
> > b/lib/librte_cryptodev/rte_cryptodev_pmd.h
> > index fba14f2fa..02e7a19ae 100644
> > --- a/lib/librte_cryptodev/rte_cryptodev_pmd.h
> > +++ b/lib/librte_cryptodev/rte_cryptodev_pmd.h
> > @@ -308,6 +308,26 @@ typedef void (*cryptodev_sym_free_session_t)(struct
> > rte_cryptodev *dev,
> >   */
> >  typedef void (*cryptodev_asym_free_session_t)(struct rte_cryptodev *dev,
> >  		struct rte_cryptodev_asym_session *sess);
> > +/**
> > + * Perform actual crypto processing (encrypt/digest or auth/decrypt)
> > + * on user provided data.
> > + *
> > + * @param	dev		Crypto device pointer
> > + * @param	sess	Cryptodev session structure
> > + * @param	vec	Array of vectors for input data
> > + * @param	status	Array of status values (one per vec)
> > + *			(RTE_CRYPTO_OP_STATUS_* values)
> > + * @param	num	Number of elems in vec and status arrays.
> > + *
> > + * @return
> > + *  - Returns negative errno value on error, or non-negative number
> > + *    of successfully processed input vectors.
> > + *
> > +*/
> > +typedef int (*cryptodev_sym_cpu_crypto_process_t)(struct rte_cryptodev *dev,
> > +	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec
> > *vec,
> > +	int32_t status[], uint32_t num);
> > +
> >
> >  /** Crypto device operations function pointer table */
> >  struct rte_cryptodev_ops {
> > @@ -342,6 +362,8 @@ struct rte_cryptodev_ops {
> >  	/**< Clear a Crypto sessions private data. */
> >  	cryptodev_asym_free_session_t asym_session_clear;
> >  	/**< Clear a Crypto sessions private data. */
> > +	cryptodev_sym_cpu_crypto_process_t sym_cpu_process;
> > +	/**< process input data synchronously (cpu-crypto). */
> >  };
> >
> >
> > --
> > 2.17.1

Patch
diff mbox series

diff --git a/lib/librte_cryptodev/rte_crypto_sym.h b/lib/librte_cryptodev/rte_crypto_sym.h
index d8d9e9514..790c77524 100644
--- a/lib/librte_cryptodev/rte_crypto_sym.h
+++ b/lib/librte_cryptodev/rte_crypto_sym.h
@@ -166,6 +166,10 @@  struct rte_crypto_cipher_xform {
 	 *  - Both keys must have the same size.
 	 **/
 
+	/**
+         * CPU-CRYPTO specific data, should be set properly when
+	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise ignored.
+	 */
 	struct {
 		/**
 		 * offset for cipher to start within user provided data buffer.
@@ -415,6 +419,10 @@  struct rte_crypto_aead_xform {
 		uint16_t length;	/**< key length in bytes */
 	} __attribute__((__packed__)) key;
 
+	/**
+         * CPU-CRYPTO specific data, should be set properly when
+	 * (xform->type & RTE_CRYPTO_SYM_CPU_CRYPTO) != 0, otherwise ignored.
+	 */
 	struct {
 		/**
 		 * offset for cipher to start within user provided data buffer.
@@ -471,7 +479,8 @@  enum rte_crypto_sym_xform_type {
 	RTE_CRYPTO_SYM_XFORM_NOT_SPECIFIED = 0,	/**< No xform specified */
 	RTE_CRYPTO_SYM_XFORM_AUTH,		/**< Authentication xform */
 	RTE_CRYPTO_SYM_XFORM_CIPHER,		/**< Cipher xform  */
-	RTE_CRYPTO_SYM_XFORM_AEAD		/**< AEAD xform  */
+	RTE_CRYPTO_SYM_XFORM_AEAD,		/**< AEAD xform  */
+	RTE_CRYPTO_SYM_CPU_CRYPTO = INT32_MIN,  /**< xform for cpu-crypto */
 };
 
 /**
diff --git a/lib/librte_cryptodev/rte_cryptodev.c b/lib/librte_cryptodev/rte_cryptodev.c
index 89aa2ed3e..b1dbaf4c1 100644
--- a/lib/librte_cryptodev/rte_cryptodev.c
+++ b/lib/librte_cryptodev/rte_cryptodev.c
@@ -1616,6 +1616,20 @@  rte_cryptodev_sym_session_get_user_data(
 	return (void *)(sess->sess_data + sess->nb_drivers);
 }
 
+__rte_experimental
+int
+rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
+	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec *vec,
+	int32_t status[], uint32_t num)
+{
+	struct rte_cryptodev *dev;
+
+	dev = rte_cryptodev_pmd_get_dev(dev_id);
+	RTE_FUNC_PTR_OR_ERR_RET(*dev->dev_ops->sym_cpu_process,-ENOTSUP);
+
+	return dev->dev_ops->sym_cpu_process(dev, sess, vec, status, num);
+}
+
 /** Initialise rte_crypto_op mempool element */
 static void
 rte_crypto_op_init(struct rte_mempool *mempool,
diff --git a/lib/librte_cryptodev/rte_cryptodev.h b/lib/librte_cryptodev/rte_cryptodev.h
index c6ffa3b35..24877006c 100644
--- a/lib/librte_cryptodev/rte_cryptodev.h
+++ b/lib/librte_cryptodev/rte_cryptodev.h
@@ -450,6 +450,8 @@  rte_cryptodev_asym_get_xform_enum(enum rte_crypto_asym_xform_type *xform_enum,
 /**< Support encrypted-digest operations where digest is appended to data */
 #define RTE_CRYPTODEV_FF_ASYM_SESSIONLESS		(1ULL << 20)
 /**< Support asymmetric session-less operations */
+#define	RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO			(1ULL << 21)
+/**< Support symmeteric cpu-crypto processing */
 
 
 /**
@@ -1274,6 +1276,28 @@  void *
 rte_cryptodev_sym_session_get_user_data(
 					struct rte_cryptodev_sym_session *sess);
 
+/**
+ * Perform actual crypto processing (encrypt/digest or auth/decrypt)
+ * on user provided data.
+ *
+ * @param	dev_id	The device identifier.
+ * @param	sess	Cryptodev session structure
+ * @param	vec	Array of vectors for input data
+ * @param	status	Array of status values (one per vec)
+ *			(RTE_CRYPTO_OP_STATUS_* values)
+ * @param	num	Number of elems in vec and status arrays.
+ *
+ * @return
+ *  - Returns negative errno value on error, or non-negative number
+ *    of successfully processed input vectors.
+ *
+*/
+__rte_experimental
+int
+rte_cryptodev_sym_cpu_crypto_process(uint8_t dev_id,
+	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec *vec,
+	int32_t status[], uint32_t num);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/librte_cryptodev/rte_cryptodev_pmd.h b/lib/librte_cryptodev/rte_cryptodev_pmd.h
index fba14f2fa..02e7a19ae 100644
--- a/lib/librte_cryptodev/rte_cryptodev_pmd.h
+++ b/lib/librte_cryptodev/rte_cryptodev_pmd.h
@@ -308,6 +308,26 @@  typedef void (*cryptodev_sym_free_session_t)(struct rte_cryptodev *dev,
  */
 typedef void (*cryptodev_asym_free_session_t)(struct rte_cryptodev *dev,
 		struct rte_cryptodev_asym_session *sess);
+/**
+ * Perform actual crypto processing (encrypt/digest or auth/decrypt)
+ * on user provided data.
+ *
+ * @param	dev		Crypto device pointer
+ * @param	sess	Cryptodev session structure
+ * @param	vec	Array of vectors for input data
+ * @param	status	Array of status values (one per vec)
+ *			(RTE_CRYPTO_OP_STATUS_* values)
+ * @param	num	Number of elems in vec and status arrays.
+ *
+ * @return
+ *  - Returns negative errno value on error, or non-negative number
+ *    of successfully processed input vectors.
+ *
+*/
+typedef int (*cryptodev_sym_cpu_crypto_process_t)(struct rte_cryptodev *dev,
+	struct rte_cryptodev_sym_session *sess, struct rte_crypto_sym_vec *vec,
+	int32_t status[], uint32_t num);
+
 
 /** Crypto device operations function pointer table */
 struct rte_cryptodev_ops {
@@ -342,6 +362,8 @@  struct rte_cryptodev_ops {
 	/**< Clear a Crypto sessions private data. */
 	cryptodev_asym_free_session_t asym_session_clear;
 	/**< Clear a Crypto sessions private data. */
+	cryptodev_sym_cpu_crypto_process_t sym_cpu_process;
+	/**< process input data synchronously (cpu-crypto). */
 };