[dpdk-dev] [PATCH 0 6/8] crypto/bcmfs: add session handling and capabilities

[Vikas Gupta <vikas.gupta@broadcom.com>]

Add session handling and capabilities supported by crypto h/w
accelerator.

Signed-off-by: Vikas Gupta <vikas.gupta@broadcom.com>
---
 doc/guides/cryptodevs/bcmfs.rst               |  46 ++
 doc/guides/cryptodevs/features/bcmfs.ini      |  56 ++
 drivers/crypto/bcmfs/bcmfs_sym_capabilities.c | 764 ++++++++++++++++++
 drivers/crypto/bcmfs/bcmfs_sym_capabilities.h |  16 +
 drivers/crypto/bcmfs/bcmfs_sym_defs.h         | 170 ++++
 drivers/crypto/bcmfs/bcmfs_sym_pmd.c          |  13 +
 drivers/crypto/bcmfs/bcmfs_sym_session.c      | 426 ++++++++++
 drivers/crypto/bcmfs/bcmfs_sym_session.h      |  99 +++
 drivers/crypto/bcmfs/meson.build              |   4 +-
 9 files changed, 1593 insertions(+), 1 deletion(-)
 create mode 100644 doc/guides/cryptodevs/features/bcmfs.ini
 create mode 100644 drivers/crypto/bcmfs/bcmfs_sym_capabilities.c
 create mode 100644 drivers/crypto/bcmfs/bcmfs_sym_capabilities.h
 create mode 100644 drivers/crypto/bcmfs/bcmfs_sym_defs.h
 create mode 100644 drivers/crypto/bcmfs/bcmfs_sym_session.c
 create mode 100644 drivers/crypto/bcmfs/bcmfs_sym_session.h

diff --git a/doc/guides/cryptodevs/bcmfs.rst b/doc/guides/cryptodevs/bcmfs.rst
index 752ce028a..2488b19f7 100644
--- a/doc/guides/cryptodevs/bcmfs.rst
+++ b/doc/guides/cryptodevs/bcmfs.rst
@@ -18,9 +18,55 @@ CONFIG_RTE_LIBRTE_PMD_BCMFS setting is set to `y` in config/common_base file.
 
 * ``CONFIG_RTE_LIBRTE_PMD_BCMFS=y``
 
+Features
+~~~~~~~~
+
+The BCMFS SYM PMD has support for:
+
+Cipher algorithms:
+
+* ``RTE_CRYPTO_CIPHER_3DES_CBC``
+* ``RTE_CRYPTO_CIPHER_3DES_CTR``
+* ``RTE_CRYPTO_CIPHER_AES128_CBC``
+* ``RTE_CRYPTO_CIPHER_AES192_CBC``
+* ``RTE_CRYPTO_CIPHER_AES256_CBC``
+* ``RTE_CRYPTO_CIPHER_AES128_CTR``
+* ``RTE_CRYPTO_CIPHER_AES192_CTR``
+* ``RTE_CRYPTO_CIPHER_AES256_CTR``
+* ``RTE_CRYPTO_CIPHER_AES_XTS``
+* ``RTE_CRYPTO_CIPHER_DES_CBC``
+
+Hash algorithms:
+
+* ``RTE_CRYPTO_AUTH_SHA1``
+* ``RTE_CRYPTO_AUTH_SHA1_HMAC``
+* ``RTE_CRYPTO_AUTH_SHA224``
+* ``RTE_CRYPTO_AUTH_SHA224_HMAC``
+* ``RTE_CRYPTO_AUTH_SHA256``
+* ``RTE_CRYPTO_AUTH_SHA256_HMAC``
+* ``RTE_CRYPTO_AUTH_SHA384``
+* ``RTE_CRYPTO_AUTH_SHA384_HMAC``
+* ``RTE_CRYPTO_AUTH_SHA512``
+* ``RTE_CRYPTO_AUTH_SHA512_HMAC``
+* ``RTE_CRYPTO_AUTH_AES_XCBC_MAC``
+* ``RTE_CRYPTO_AUTH_MD5_HMAC``
+* ``RTE_CRYPTO_AUTH_AES_GMAC``
+* ``RTE_CRYPTO_AUTH_AES_CMAC``
+
+Supported AEAD algorithms:
+
+* ``RTE_CRYPTO_AEAD_AES_GCM``
+* ``RTE_CRYPTO_AEAD_AES_CCM``
+
 Initialization
 --------------
 BCMFS crypto PMD depend upon the devices present in the path
 /sys/bus/platform/devices/fs<version>/<dev_name> on the platform.
 Each cryptodev PMD instance can be attached to the nodes present
 in the mentioned path.
+
+Limitations
+~~~~~~~~~~~
+
+* Only supports the session-oriented API implementation (session-less APIs are not supported).
+* CCM is not supported on Broadcom`s SoCs having FlexSparc4 unit.
diff --git a/doc/guides/cryptodevs/features/bcmfs.ini b/doc/guides/cryptodevs/features/bcmfs.ini
new file mode 100644
index 000000000..82d2c639d
--- /dev/null
+++ b/doc/guides/cryptodevs/features/bcmfs.ini
@@ -0,0 +1,56 @@
+;
+; Supported features of the 'bcmfs' crypto driver.
+;
+; Refer to default.ini for the full list of available PMD features.
+;
+[Features]
+Symmetric crypto       = Y
+Sym operation chaining = Y
+HW Accelerated         = Y
+Protocol offload       = Y
+In Place SGL           = Y
+
+;
+; Supported crypto algorithms of the 'bcmfs' crypto driver.
+;
+[Cipher]
+AES CBC (128)  = Y
+AES CBC (192)  = Y
+AES CBC (256)  = Y
+AES CTR (128)  = Y
+AES CTR (192)  = Y
+AES CTR (256)  = Y
+AES XTS (128)  = Y
+AES XTS (256)  = Y
+3DES CBC       = Y
+DES CBC        = Y
+;
+; Supported authentication algorithms of the 'bcmfs' crypto driver.
+;
+[Auth]
+MD5 HMAC     = Y
+SHA1         = Y
+SHA1 HMAC    = Y
+SHA224       = Y
+SHA224 HMAC  = Y
+SHA256       = Y
+SHA256 HMAC  = Y
+SHA384       = Y
+SHA384 HMAC  = Y
+SHA512       = Y
+SHA512 HMAC  = Y
+AES GMAC     = Y
+AES CMAC (128) = Y
+AES CBC = Y
+AES XCBC = Y
+
+;
+; Supported AEAD algorithms of the 'bcmfs' crypto driver.
+;
+[AEAD]
+AES GCM (128)     = Y
+AES GCM (192)     = Y
+AES GCM (256)     = Y
+AES CCM (128)     = Y
+AES CCM (192)     = Y
+AES CCM (256)     = Y
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_capabilities.c b/drivers/crypto/bcmfs/bcmfs_sym_capabilities.c
new file mode 100644
index 000000000..bb8fa9f81
--- /dev/null
+++ b/drivers/crypto/bcmfs/bcmfs_sym_capabilities.c
@@ -0,0 +1,764 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2020 Broadcom
+ * All rights reserved.
+ */
+
+#include <rte_cryptodev.h>
+
+#include "bcmfs_sym_capabilities.h"
+
+static const struct rte_cryptodev_capabilities bcmfs_sym_capabilities[] = {
+	{
+		/* SHA1 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 20,
+					.max = 20,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* MD5 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_MD5,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+			}, }
+		}, }
+	},
+	{
+		/* SHA224 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA224,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 28,
+					.max = 28,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA256 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA256,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 32,
+					.max = 32,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA384 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA384,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 48,
+					.max = 48,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA512 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA512,
+				.block_size = 64,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 64,
+					.max = 64,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_224 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_224,
+				.block_size = 144,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 28,
+					.max = 28,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_256 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_256,
+				.block_size = 136,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 32,
+					.max = 32,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_384 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_384,
+				.block_size = 104,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 48,
+					.max = 48,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_512 */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_512,
+				.block_size = 72,
+				.key_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 64,
+					.max = 64,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA1 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 1,
+					.max = 64,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 20,
+					.max = 20,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* MD5 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_MD5_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 1,
+					.max = 64,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA224 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA224_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 1,
+					.max = 64,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 28,
+					.max = 28,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA256 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA256_HMAC,
+				.block_size = 64,
+				.key_size = {
+					.min = 1,
+					.max = 64,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 32,
+					.max = 32,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA384 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA384_HMAC,
+				.block_size = 128,
+				.key_size = {
+					.min = 1,
+					.max = 128,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 48,
+					.max = 48,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA512 HMAC*/
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA512_HMAC,
+				.block_size = 128,
+				.key_size = {
+					.min = 1,
+					.max = 128,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 64,
+					.max = 64,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_224 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_224_HMAC,
+				.block_size = 144,
+				.key_size = {
+					.min = 1,
+					.max = 144,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 28,
+					.max = 28,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_256 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_256_HMAC,
+				.block_size = 136,
+				.key_size = {
+					.min = 1,
+					.max = 136,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 32,
+					.max = 32,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_384 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_384_HMAC,
+				.block_size = 104,
+				.key_size = {
+					.min = 1,
+					.max = 104,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 48,
+					.max = 48,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* SHA3_512 HMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_SHA3_512_HMAC,
+				.block_size = 72,
+				.key_size = {
+					.min = 1,
+					.max = 72,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 64,
+					.max = 64,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* AES XCBC MAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_AES_XCBC_MAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 1,
+					.max = 16,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* AES GMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.aead = {
+				.algo = RTE_CRYPTO_AUTH_AES_GMAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 0,
+					.max = 65535,
+					.increment = 1
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 16,
+					.increment = 4
+				},
+			}, }
+		}, }
+	},
+	{
+		/* AES CMAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_AES_CMAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 1,
+					.max = 16,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* AES CBC MAC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_AES_CBC_MAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 1,
+					.max = 16,
+					.increment = 0
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = { 0 }
+			}, }
+		}, }
+	},
+	{
+		/* AES ECB */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_ECB,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* AES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CBC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* AES CTR */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_CTR,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* AES XTS */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_AES_XTS,
+				.block_size = 16,
+				.key_size = {
+					.min = 32,
+					.max = 64,
+					.increment = 32
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* DES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_DES_CBC,
+				.block_size = 8,
+				.key_size = {
+					.min = 8,
+					.max = 8,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* 3DES CBC */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_3DES_CBC,
+				.block_size = 8,
+				.key_size = {
+					.min = 24,
+					.max = 24,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* 3DES ECB */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
+			{.cipher = {
+				.algo = RTE_CRYPTO_CIPHER_3DES_ECB,
+				.block_size = 8,
+				.key_size = {
+					.min = 24,
+					.max = 24,
+					.increment = 0
+				},
+				.iv_size = {
+					.min = 0,
+					.max = 0,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
+	{
+		/* AES GCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_GCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 16,
+					.max = 16,
+					.increment = 0
+				},
+				.aad_size = {
+					.min = 0,
+					.max = 65535,
+					.increment = 1
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 16,
+					.increment = 4
+				},
+			}, }
+		}, }
+	},
+	{
+		/* AES CCM */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
+			{.aead = {
+				.algo = RTE_CRYPTO_AEAD_AES_CCM,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 4,
+					.max = 16,
+					.increment = 2
+				},
+				.aad_size = {
+					.min = 0,
+					.max = 65535,
+					.increment = 1
+				},
+				.iv_size = {
+					.min = 7,
+					.max = 13,
+					.increment = 1
+				},
+			}, }
+		}, }
+	},
+
+	RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
+};
+
+const struct rte_cryptodev_capabilities *
+bcmfs_sym_get_capabilities(void)
+{
+	return bcmfs_sym_capabilities;
+}
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_capabilities.h b/drivers/crypto/bcmfs/bcmfs_sym_capabilities.h
new file mode 100644
index 000000000..3ff61b7d2
--- /dev/null
+++ b/drivers/crypto/bcmfs/bcmfs_sym_capabilities.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2020 Broadcom
+ * All rights reserved.
+ */
+
+#ifndef _BCMFS_SYM_CAPABILITIES_H_
+#define _BCMFS_SYM_CAPABILITIES_H_
+
+/*
+ * Get capabilities list for the device
+ *
+ */
+const struct rte_cryptodev_capabilities *bcmfs_sym_get_capabilities(void);
+
+#endif /* _BCMFS_SYM_CAPABILITIES_H__ */
+
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_defs.h b/drivers/crypto/bcmfs/bcmfs_sym_defs.h
new file mode 100644
index 000000000..b5657a9bc
--- /dev/null
+++ b/drivers/crypto/bcmfs/bcmfs_sym_defs.h
@@ -0,0 +1,170 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2020 Broadcom
+ * All rights reserved.
+ */
+
+#ifndef _BCMFS_SYM_DEFS_H_
+#define _BCMFS_SYM_DEFS_H_
+
+/*
+ * Max block size of hash algorithm
+ * currently SHA3 supports max block size
+ * of 144 bytes
+ */
+#define BCMFS_MAX_KEY_SIZE	144
+#define BCMFS_MAX_IV_SIZE	16
+#define BCMFS_MAX_DIGEST_SIZE	64
+
+/** Symmetric Cipher Direction */
+enum bcmfs_crypto_cipher_op {
+	/** Encrypt cipher operation */
+	BCMFS_CRYPTO_CIPHER_OP_ENCRYPT,
+
+	/** Decrypt cipher operation */
+	BCMFS_CRYPTO_CIPHER_OP_DECRYPT,
+};
+
+/** Symmetric Cipher Algorithms */
+enum bcmfs_crypto_cipher_algorithm {
+	/** NULL cipher algorithm. No mode applies to the NULL algorithm. */
+	BCMFS_CRYPTO_CIPHER_NONE = 0,
+
+	/** Triple DES algorithm in CBC mode */
+	BCMFS_CRYPTO_CIPHER_DES_CBC,
+
+	/** Triple DES algorithm in ECB mode */
+	BCMFS_CRYPTO_CIPHER_DES_ECB,
+
+	/** Triple DES algorithm in CBC mode */
+	BCMFS_CRYPTO_CIPHER_3DES_CBC,
+
+	/** Triple DES algorithm in ECB mode */
+	BCMFS_CRYPTO_CIPHER_3DES_ECB,
+
+	/** AES algorithm in CBC mode */
+	BCMFS_CRYPTO_CIPHER_AES_CBC,
+
+	/** AES algorithm in CCM mode. */
+	BCMFS_CRYPTO_CIPHER_AES_CCM,
+
+	/** AES algorithm in Counter mode */
+	BCMFS_CRYPTO_CIPHER_AES_CTR,
+
+	/** AES algorithm in ECB mode */
+	BCMFS_CRYPTO_CIPHER_AES_ECB,
+
+	/** AES algorithm in GCM mode. */
+	BCMFS_CRYPTO_CIPHER_AES_GCM,
+
+	/** AES algorithm in XTS mode */
+	BCMFS_CRYPTO_CIPHER_AES_XTS,
+
+	/** AES algorithm in OFB mode */
+	BCMFS_CRYPTO_CIPHER_AES_OFB,
+};
+
+/** Symmetric Authentication Algorithms */
+enum bcmfs_crypto_auth_algorithm {
+	/** NULL hash algorithm. */
+	BCMFS_CRYPTO_AUTH_NONE = 0,
+
+	/** MD5 algorithm */
+	BCMFS_CRYPTO_AUTH_MD5,
+
+	/** MD5-HMAC algorithm */
+	BCMFS_CRYPTO_AUTH_MD5_HMAC,
+
+	/** SHA1 algorithm */
+	BCMFS_CRYPTO_AUTH_SHA1,
+
+	/** SHA1-HMAC algorithm */
+	BCMFS_CRYPTO_AUTH_SHA1_HMAC,
+
+	/** 224 bit SHA algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA224,
+
+	/** 224 bit SHA-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA224_HMAC,
+
+	/** 256 bit SHA algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA256,
+
+	/** 256 bit SHA-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA256_HMAC,
+
+	/** 384 bit SHA algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA384,
+
+	/** 384 bit SHA-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA384_HMAC,
+
+	/** 512 bit SHA algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA512,
+
+	/** 512 bit SHA-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA512_HMAC,
+
+	/** 224 bit SHA3 algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_224,
+
+	/** 224 bit SHA-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_224_HMAC,
+
+	/** 256 bit SHA3 algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_256,
+
+	/** 256 bit SHA3-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_256_HMAC,
+
+	/** 384 bit SHA3 algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_384,
+
+	/** 384 bit SHA3-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_384_HMAC,
+
+	/** 512 bit SHA3 algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_512,
+
+	/** 512 bit SHA3-HMAC algorithm. */
+	BCMFS_CRYPTO_AUTH_SHA3_512_HMAC,
+
+	/** AES XCBC MAC algorithm */
+	BCMFS_CRYPTO_AUTH_AES_XCBC_MAC,
+
+	/** AES CMAC algorithm */
+	BCMFS_CRYPTO_AUTH_AES_CMAC,
+
+	/** AES CBC-MAC algorithm */
+	BCMFS_CRYPTO_AUTH_AES_CBC_MAC,
+
+	/** AES CBC-MAC algorithm */
+	BCMFS_CRYPTO_AUTH_AES_GMAC,
+
+	/** AES algorithm in GCM mode. */
+	BCMFS_CRYPTO_AUTH_AES_GCM,
+
+	/** AES algorithm in CCM mode. */
+	BCMFS_CRYPTO_AUTH_AES_CCM,
+};
+
+/** Symmetric Authentication Operations */
+enum bcmfs_crypto_auth_op {
+	/** Verify authentication digest */
+	BCMFS_CRYPTO_AUTH_OP_VERIFY,
+
+	/** Generate authentication digest */
+	BCMFS_CRYPTO_AUTH_OP_GENERATE,
+};
+
+enum bcmfs_sym_crypto_class {
+	/** Cipher algorithm */
+	BCMFS_CRYPTO_CIPHER,
+
+	/** Hash algorithm */
+	BCMFS_CRYPTO_HASH,
+
+	/** Authenticated Encryption with Assosciated Data algorithm */
+	BCMFS_CRYPTO_AEAD,
+};
+
+#endif /* _BCMFS_SYM_DEFS_H_ */
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_pmd.c b/drivers/crypto/bcmfs/bcmfs_sym_pmd.c
index 0f96915f7..381ca8ea4 100644
--- a/drivers/crypto/bcmfs/bcmfs_sym_pmd.c
+++ b/drivers/crypto/bcmfs/bcmfs_sym_pmd.c
@@ -14,6 +14,8 @@
 #include "bcmfs_qp.h"
 #include "bcmfs_sym_pmd.h"
 #include "bcmfs_sym_req.h"
+#include "bcmfs_sym_session.h"
+#include "bcmfs_sym_capabilities.h"
 
 uint8_t cryptodev_bcmfs_driver_id;
 
@@ -65,6 +67,7 @@ bcmfs_sym_dev_info_get(struct rte_cryptodev *dev,
 		dev_info->max_nb_queue_pairs = fsdev->max_hw_qps;
 		/* No limit of number of sessions */
 		dev_info->sym.max_nb_sessions = 0;
+		dev_info->capabilities = bcmfs_sym_get_capabilities();
 	}
 }
 
@@ -228,6 +231,10 @@ static struct rte_cryptodev_ops crypto_bcmfs_ops = {
 	/* Queue-Pair management */
 	.queue_pair_setup       = bcmfs_sym_qp_setup,
 	.queue_pair_release     = bcmfs_sym_qp_release,
+	/* Crypto session related operations */
+	.sym_session_get_size   = bcmfs_sym_session_get_private_size,
+	.sym_session_configure  = bcmfs_sym_session_configure,
+	.sym_session_clear      = bcmfs_sym_session_clear
 };
 
 /** Enqueue burst */
@@ -239,6 +246,7 @@ bcmfs_sym_pmd_enqueue_op_burst(void *queue_pair,
 	int i, j;
 	uint16_t enq = 0;
 	struct bcmfs_sym_request *sreq;
+	struct bcmfs_sym_session *sess;
 	struct bcmfs_qp *qp = (struct bcmfs_qp *)queue_pair;
 
 	if (nb_ops == 0)
@@ -252,6 +260,10 @@ bcmfs_sym_pmd_enqueue_op_burst(void *queue_pair,
 		nb_ops = qp->nb_descriptors - qp->nb_pending_requests;
 
 	for (i = 0; i < nb_ops; i++) {
+		sess = bcmfs_sym_get_session(ops[i]);
+		if (unlikely(sess == NULL))
+			goto enqueue_err;
+
 		if (rte_mempool_get(qp->sr_mp, (void **)&sreq))
 			goto enqueue_err;
 
@@ -356,6 +368,7 @@ bcmfs_sym_dev_create(struct bcmfs_device *fsdev)
 	fsdev->sym_dev = internals;
 
 	internals->sym_dev_id = cryptodev->data->dev_id;
+	internals->fsdev_capabilities = bcmfs_sym_get_capabilities();
 
 	BCMFS_LOG(DEBUG, "Created bcmfs-sym device %s as cryptodev instance %d",
 		  cryptodev->data->name, internals->sym_dev_id);
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_session.c b/drivers/crypto/bcmfs/bcmfs_sym_session.c
new file mode 100644
index 000000000..3d1fce629
--- /dev/null
+++ b/drivers/crypto/bcmfs/bcmfs_sym_session.c
@@ -0,0 +1,426 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2020 Broadcom
+ * All rights reserved.
+ */
+
+#include <rte_crypto.h>
+#include <rte_crypto_sym.h>
+#include <rte_log.h>
+
+#include "bcmfs_logs.h"
+#include "bcmfs_sym_defs.h"
+#include "bcmfs_sym_pmd.h"
+#include "bcmfs_sym_session.h"
+
+/** Configure the session from a crypto xform chain */
+static enum bcmfs_sym_chain_order
+crypto_get_chain_order(const struct rte_crypto_sym_xform *xform)
+{
+	enum bcmfs_sym_chain_order res = BCMFS_SYM_CHAIN_NOT_SUPPORTED;
+
+
+	if (xform != NULL) {
+		if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
+			res = BCMFS_SYM_CHAIN_AEAD;
+
+		if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+			if (xform->next == NULL)
+				res =  BCMFS_SYM_CHAIN_ONLY_AUTH;
+			else if (xform->next->type ==
+					RTE_CRYPTO_SYM_XFORM_CIPHER)
+				res = BCMFS_SYM_CHAIN_AUTH_CIPHER;
+		}
+		if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
+			if (xform->next == NULL)
+				res =  BCMFS_SYM_CHAIN_ONLY_CIPHER;
+			else if (xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+				res =  BCMFS_SYM_CHAIN_CIPHER_AUTH;
+		}
+	}
+
+	return res;
+}
+
+/* Get session cipher key from input cipher key */
+static void
+get_key(const uint8_t *input_key, int keylen, uint8_t *session_key)
+{
+	memcpy(session_key, input_key, keylen);
+}
+
+/* Set session cipher parameters */
+static int
+crypto_set_session_cipher_parameters
+			(struct bcmfs_sym_session *sess,
+			 const struct rte_crypto_cipher_xform *cipher_xform)
+{
+	int rc = 0;
+
+	/* Select cipher direction */
+	sess->cipher.direction = cipher_xform->op;
+	sess->cipher.key.length = cipher_xform->key.length;
+	sess->cipher.iv.offset = cipher_xform->iv.offset;
+	sess->cipher.iv.length = cipher_xform->iv.length;
+
+	/* Select cipher algo */
+	switch (cipher_xform->algo) {
+	case RTE_CRYPTO_CIPHER_3DES_CBC:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_3DES_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_3DES_ECB:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_3DES_ECB;
+		break;
+	case RTE_CRYPTO_CIPHER_DES_CBC:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_DES_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_CBC:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_CBC;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_ECB:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_ECB;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_CTR:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_CTR;
+		break;
+	case RTE_CRYPTO_CIPHER_AES_XTS:
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_XTS;
+		break;
+	default:
+		BCMFS_DP_LOG(ERR, "set session failed. unknown algo");
+		sess->cipher.algo = RTE_CRYPTO_CIPHER_NULL;
+		rc = -EINVAL;
+		break;
+	}
+
+	if (!rc)
+		get_key(cipher_xform->key.data,
+			sess->cipher.key.length,
+			sess->cipher.key.data);
+
+	return rc;
+}
+
+/* Set session auth parameters */
+static int
+crypto_set_session_auth_parameters(struct bcmfs_sym_session *sess,
+				   const struct rte_crypto_auth_xform
+				   *auth_xform)
+{
+	int rc = 0;
+
+	/* Select auth generate/verify */
+	sess->auth.operation = auth_xform->op ?
+			       BCMFS_CRYPTO_AUTH_OP_GENERATE :
+			       BCMFS_CRYPTO_AUTH_OP_VERIFY;
+	sess->auth.key.length = auth_xform->key.length;
+	sess->auth.digest_length = auth_xform->digest_length;
+	sess->auth.iv.length = auth_xform->iv.length;
+	sess->auth.iv.offset = auth_xform->iv.offset;
+
+	/* Select auth algo */
+	switch (auth_xform->algo) {
+	case RTE_CRYPTO_AUTH_MD5:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_MD5;
+		break;
+	case RTE_CRYPTO_AUTH_SHA1:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA1;
+		break;
+	case RTE_CRYPTO_AUTH_SHA224:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA224;
+		break;
+	case RTE_CRYPTO_AUTH_SHA256:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA256;
+		break;
+	case RTE_CRYPTO_AUTH_SHA384:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA384;
+		break;
+	case RTE_CRYPTO_AUTH_SHA512:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA512;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_224:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_224;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_256:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_256;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_384:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_384;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_512:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_512;
+		break;
+	case RTE_CRYPTO_AUTH_MD5_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_MD5_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA1_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA1_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA224_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA224_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA256_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA256_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA384_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA384_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA512_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA512_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_224_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_224_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_256_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_256_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_384_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_384_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_SHA3_512_HMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_SHA3_512_HMAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_XCBC_MAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_GMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_GMAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_CBC_MAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_CBC_MAC;
+		break;
+	case RTE_CRYPTO_AUTH_AES_CMAC:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_CMAC;
+		break;
+	default:
+		BCMFS_DP_LOG(ERR, "Invalid Auth algorithm\n");
+		rc = -EINVAL;
+		break;
+	}
+
+	if (!rc)
+		get_key(auth_xform->key.data,
+			auth_xform->key.length,
+			sess->auth.key.data);
+
+	return rc;
+}
+
+/* Set session aead parameters */
+static int
+crypto_set_session_aead_parameters(struct bcmfs_sym_session *sess,
+				   const struct rte_crypto_sym_xform *xform)
+{
+	int rc = 0;
+
+	sess->cipher.direction = xform->aead.op;
+	sess->cipher.iv.offset = xform->aead.iv.offset;
+	sess->cipher.iv.length = xform->aead.iv.length;
+	sess->aead.aad_length = xform->aead.aad_length;
+	sess->cipher.key.length = xform->aead.key.length;
+	sess->auth.digest_length = xform->aead.digest_length;
+
+	/* Select aead algo */
+	switch (xform->aead.algo) {
+	case RTE_CRYPTO_AEAD_AES_CCM:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_CCM;
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_CCM;
+		break;
+	case RTE_CRYPTO_AEAD_AES_GCM:
+		sess->auth.algo = BCMFS_CRYPTO_AUTH_AES_GCM;
+		sess->cipher.algo = BCMFS_CRYPTO_CIPHER_AES_GCM;
+		break;
+	default:
+		BCMFS_DP_LOG(ERR, "Invalid aead algorithm\n");
+		rc = -EINVAL;
+		break;
+	}
+
+	if (!rc)
+		get_key(xform->aead.key.data,
+			xform->aead.key.length,
+			sess->cipher.key.data);
+
+	return rc;
+}
+
+static struct rte_crypto_auth_xform *
+crypto_get_auth_xform(struct rte_crypto_sym_xform *xform)
+{
+	do {
+		if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH)
+			return &xform->auth;
+
+		xform = xform->next;
+	} while (xform);
+
+	return NULL;
+}
+
+static struct rte_crypto_cipher_xform *
+crypto_get_cipher_xform(struct rte_crypto_sym_xform *xform)
+{
+	do {
+		if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER)
+			return &xform->cipher;
+
+		xform = xform->next;
+	} while (xform);
+
+	return NULL;
+}
+
+
+/** Parse crypto xform chain and set private session parameters */
+static int
+crypto_set_session_parameters(struct bcmfs_sym_session *sess,
+			      struct rte_crypto_sym_xform *xform)
+{
+	int rc = 0;
+	struct rte_crypto_cipher_xform *cipher_xform =
+			crypto_get_cipher_xform(xform);
+	struct rte_crypto_auth_xform *auth_xform =
+			crypto_get_auth_xform(xform);
+
+	sess->chain_order = crypto_get_chain_order(xform);
+
+	switch (sess->chain_order) {
+	case BCMFS_SYM_CHAIN_ONLY_CIPHER:
+		if (crypto_set_session_cipher_parameters(sess,
+							cipher_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid cipher");
+			rc = -EINVAL;
+		}
+		break;
+	case BCMFS_SYM_CHAIN_ONLY_AUTH:
+		if (crypto_set_session_auth_parameters(sess,
+							auth_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid auth");
+			rc = -EINVAL;
+		}
+		break;
+	case BCMFS_SYM_CHAIN_AUTH_CIPHER:
+		sess->cipher_first = false;
+		if (crypto_set_session_auth_parameters(sess,
+							auth_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid auth");
+			rc = -EINVAL;
+			goto error;
+		}
+
+		if (crypto_set_session_cipher_parameters(sess,
+							cipher_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid cipher");
+			rc = -EINVAL;
+		}
+		break;
+	case BCMFS_SYM_CHAIN_CIPHER_AUTH:
+		sess->cipher_first = true;
+		if (crypto_set_session_auth_parameters(sess,
+							auth_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid auth");
+			rc = -EINVAL;
+			goto error;
+		}
+
+		if (crypto_set_session_cipher_parameters(sess,
+							cipher_xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid cipher");
+			rc = -EINVAL;
+		}
+		break;
+	case BCMFS_SYM_CHAIN_AEAD:
+		if (crypto_set_session_aead_parameters(sess,
+							xform)) {
+			BCMFS_DP_LOG(ERR, "Invalid aead");
+			rc = -EINVAL;
+		}
+		break;
+	default:
+		BCMFS_DP_LOG(ERR, "Invalid chain order\n");
+		rc = -EINVAL;
+		break;
+	}
+
+error:
+	return rc;
+}
+
+struct bcmfs_sym_session *
+bcmfs_sym_get_session(struct rte_crypto_op *op)
+{
+	struct bcmfs_sym_session *sess = NULL;
+
+	if (unlikely(op->sess_type == RTE_CRYPTO_OP_SESSIONLESS)) {
+		BCMFS_DP_LOG(ERR, "operations op(%p) is sessionless", op);
+	} else if (likely(op->sym->session != NULL)) {
+		/* get existing session */
+		sess = (struct bcmfs_sym_session *)
+			  get_sym_session_private_data(op->sym->session,
+						       cryptodev_bcmfs_driver_id);
+	}
+
+	if (sess == NULL)
+		op->status = RTE_CRYPTO_OP_STATUS_INVALID_SESSION;
+
+	return sess;
+}
+
+int
+bcmfs_sym_session_configure(struct rte_cryptodev *dev,
+			    struct rte_crypto_sym_xform *xform,
+			    struct rte_cryptodev_sym_session *sess,
+			    struct rte_mempool *mempool)
+{
+	void *sess_private_data;
+	int ret;
+
+	if (unlikely(sess == NULL)) {
+		BCMFS_DP_LOG(ERR, "Invalid session struct");
+		return -EINVAL;
+	}
+
+	if (rte_mempool_get(mempool, &sess_private_data)) {
+		BCMFS_DP_LOG(ERR,
+			"Couldn't get object from session mempool");
+		return -ENOMEM;
+	}
+
+	ret = crypto_set_session_parameters(sess_private_data, xform);
+
+	if (ret != 0) {
+		BCMFS_DP_LOG(ERR, "Failed configure session parameters");
+		/* Return session to mempool */
+		rte_mempool_put(mempool, sess_private_data);
+		return ret;
+	}
+
+	set_sym_session_private_data(sess, dev->driver_id,
+				     sess_private_data);
+
+	return 0;
+}
+
+/* Clear the memory of session so it doesn't leave key material behind */
+void
+bcmfs_sym_session_clear(struct rte_cryptodev *dev,
+			struct rte_cryptodev_sym_session  *sess)
+{
+	uint8_t index = dev->driver_id;
+	void *sess_priv = get_sym_session_private_data(sess, index);
+
+	if (sess_priv) {
+		struct rte_mempool *sess_mp;
+
+		memset(sess_priv, 0, sizeof(struct bcmfs_sym_session));
+		sess_mp = rte_mempool_from_obj(sess_priv);
+
+		set_sym_session_private_data(sess, index, NULL);
+		rte_mempool_put(sess_mp, sess_priv);
+	}
+}
+
+unsigned int
+bcmfs_sym_session_get_private_size(struct rte_cryptodev *dev __rte_unused)
+{
+	return sizeof(struct bcmfs_sym_session);
+}
diff --git a/drivers/crypto/bcmfs/bcmfs_sym_session.h b/drivers/crypto/bcmfs/bcmfs_sym_session.h
new file mode 100644
index 000000000..43deedcf8
--- /dev/null
+++ b/drivers/crypto/bcmfs/bcmfs_sym_session.h
@@ -0,0 +1,99 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright(c) 2020 Broadcom
+ * All rights reserved.
+ */
+
+#ifndef _BCMFS_SYM_SESSION_H_
+#define _BCMFS_SYM_SESSION_H_
+
+#include <stdbool.h>
+#include <rte_crypto.h>
+#include <rte_cryptodev_pmd.h>
+
+#include "bcmfs_sym_defs.h"
+#include "bcmfs_sym_req.h"
+
+/* BCMFS_SYM operation order mode enumerator */
+enum bcmfs_sym_chain_order {
+	BCMFS_SYM_CHAIN_ONLY_CIPHER,
+	BCMFS_SYM_CHAIN_ONLY_AUTH,
+	BCMFS_SYM_CHAIN_CIPHER_AUTH,
+	BCMFS_SYM_CHAIN_AUTH_CIPHER,
+	BCMFS_SYM_CHAIN_AEAD,
+	BCMFS_SYM_CHAIN_NOT_SUPPORTED
+};
+
+/* BCMFS_SYM crypto private session structure */
+struct bcmfs_sym_session {
+	enum bcmfs_sym_chain_order chain_order;
+
+	/* Cipher Parameters */
+	struct {
+		enum bcmfs_crypto_cipher_op direction;
+		/* cipher operation direction */
+		enum bcmfs_crypto_cipher_algorithm algo;
+		/* cipher algorithm */
+
+		struct {
+			uint8_t data[BCMFS_MAX_KEY_SIZE];
+			/* key data */
+			size_t length;
+			/* key length in bytes */
+		} key;
+
+		struct {
+			uint16_t offset;
+			uint16_t length;
+		} iv;
+	} cipher;
+
+	/* Authentication Parameters */
+	struct {
+		enum bcmfs_crypto_auth_op operation;
+		/* auth operation generate or verify */
+		enum bcmfs_crypto_auth_algorithm algo;
+		/* cipher algorithm */
+
+		struct {
+			uint8_t data[BCMFS_MAX_KEY_SIZE];
+			/* key data */
+			size_t length;
+			/* key length in bytes */
+		} key;
+	struct {
+			uint16_t offset;
+			uint16_t length;
+		} iv;
+
+		uint16_t digest_length;
+	} auth;
+
+	/* aead Parameters */
+	struct {
+		uint16_t aad_length;
+	} aead;
+	bool cipher_first;
+} __rte_cache_aligned;
+
+int
+bcmfs_process_crypto_op(struct rte_crypto_op *op,
+			struct bcmfs_sym_session *sess,
+			struct bcmfs_sym_request *req);
+
+int
+bcmfs_sym_session_configure(struct rte_cryptodev *dev,
+			    struct rte_crypto_sym_xform *xform,
+			    struct rte_cryptodev_sym_session *sess,
+			    struct rte_mempool *mempool);
+
+void
+bcmfs_sym_session_clear(struct rte_cryptodev *dev,
+			struct rte_cryptodev_sym_session  *sess);
+
+unsigned int
+bcmfs_sym_session_get_private_size(struct rte_cryptodev *dev __rte_unused);
+
+struct bcmfs_sym_session *
+bcmfs_sym_get_session(struct rte_crypto_op *op);
+
+#endif /* _BCMFS_SYM_SESSION_H_ */
diff --git a/drivers/crypto/bcmfs/meson.build b/drivers/crypto/bcmfs/meson.build
index d9a3d73e9..2e86c733e 100644
--- a/drivers/crypto/bcmfs/meson.build
+++ b/drivers/crypto/bcmfs/meson.build
@@ -12,5 +12,7 @@ sources = files(
 		'hw/bcmfs4_rm.c',
 		'hw/bcmfs5_rm.c',
 		'hw/bcmfs_rm_common.c',
-		'bcmfs_sym_pmd.c'
+		'bcmfs_sym_pmd.c',
+		'bcmfs_sym_capabilities.c',
+		'bcmfs_sym_session.c'
 		)
-- 
2.17.1