diff mbox series

[v3,1/4] security: support PDCP short MAC-I

Message ID 20210908120115.3548009-2-g.singh@nxp.com
State New
Headers show
Series [v3,1/4] security: support PDCP short MAC-I | expand

Commit Message

Gagandeep Singh Sept. 8, 2021, 12:01 p.m. UTC
From: Hemant Agrawal <hemant.agrawal@nxp.com>


This patch add support to handle PDCP short MAC-I domain
along with standard control and data domains as it has to
be treated as special case with PDCP protocol offload support.

ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually
when a RRC message is exchanged between UE and eNodeB it is integrity &
ciphered protected.

MAC-I = f(key, varShortMAC-I, count, bearer, direction).
Here varShortMAC-I is prepared by using (current cellId, pci of source cell
and C-RNTI of old cell). Other parameters like count, bearer and
direction set to all 1.

Signed-off-by: Gagandeep Singh <g.singh@nxp.com>

Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

---
 app/test-crypto-perf/cperf_options_parsing.c |  8 ++++++-
 doc/guides/prog_guide/rte_security.rst       | 11 ++++++++-
 doc/guides/tools/cryptoperf.rst              |  4 ++--
 drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c  | 25 ++++++++++----------
 lib/security/rte_security.h                  |  1 +
 5 files changed, 33 insertions(+), 16 deletions(-)

-- 
2.25.1

Comments

Akhil Goyal Sept. 8, 2021, 12:15 p.m. UTC | #1
> From: Hemant Agrawal <hemant.agrawal@nxp.com>

> 

> This patch add support to handle PDCP short MAC-I domain

> along with standard control and data domains as it has to

> be treated as special case with PDCP protocol offload support.

> 

> ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually

> when a RRC message is exchanged between UE and eNodeB it is integrity &

> ciphered protected.

> 

> MAC-I = f(key, varShortMAC-I, count, bearer, direction).

> Here varShortMAC-I is prepared by using (current cellId, pci of source cell

> and C-RNTI of old cell). Other parameters like count, bearer and

> direction set to all 1.

> 

> Signed-off-by: Gagandeep Singh <g.singh@nxp.com>

> Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

> ---

>  app/test-crypto-perf/cperf_options_parsing.c |  8 ++++++-

>  doc/guides/prog_guide/rte_security.rst       | 11 ++++++++-

>  doc/guides/tools/cryptoperf.rst              |  4 ++--

>  drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c  | 25 ++++++++++----------


Why is the dpaa2_sec patch squashed in this patch?
I asked to have it as a separate patch in this series instead of the dpaa_sec series.

>  lib/security/rte_security.h                  |  1 +

>  5 files changed, 33 insertions(+), 16 deletions(-)

> 

> diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-

> perf/cperf_options_parsing.c

> index e84f56cfaa..0348972c85 100644

> --- a/app/test-crypto-perf/cperf_options_parsing.c

> +++ b/app/test-crypto-perf/cperf_options_parsing.c

> @@ -662,7 +662,8 @@ parse_pdcp_sn_sz(struct cperf_options *opts, const

> char *arg)

> 

>  const char *cperf_pdcp_domain_strs[] = {

>  	[RTE_SECURITY_PDCP_MODE_CONTROL] = "control",

> -	[RTE_SECURITY_PDCP_MODE_DATA] = "data"

> +	[RTE_SECURITY_PDCP_MODE_DATA] = "data",

> +	[RTE_SECURITY_PDCP_MODE_SHORT_MAC] = "short_mac"

>  };

> 

>  static int

> @@ -677,6 +678,11 @@ parse_pdcp_domain(struct cperf_options *opts,

> const char *arg)

>  			cperf_pdcp_domain_strs

>  			[RTE_SECURITY_PDCP_MODE_DATA],

>  			RTE_SECURITY_PDCP_MODE_DATA

> +		},

> +		{

> +			cperf_pdcp_domain_strs

> +			[RTE_SECURITY_PDCP_MODE_SHORT_MAC],

> +			RTE_SECURITY_PDCP_MODE_SHORT_MAC

>  		}

>  	};

> 

> diff --git a/doc/guides/prog_guide/rte_security.rst

> b/doc/guides/prog_guide/rte_security.rst

> index f72bc8a78f..ad92c16868 100644

> --- a/doc/guides/prog_guide/rte_security.rst

> +++ b/doc/guides/prog_guide/rte_security.rst

> @@ -1,5 +1,5 @@

>  ..  SPDX-License-Identifier: BSD-3-Clause

> -    Copyright 2017,2020 NXP

> +    Copyright 2017,2020-2021 NXP

> 

> 

> 

> @@ -408,6 +408,15 @@ PMD which supports the IPsec and PDCP protocol.

>                  },

>                  .crypto_capabilities = pmd_capabilities

>          },

> +	{ /* PDCP Lookaside Protocol offload short MAC-I */

> +                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,

> +                .protocol = RTE_SECURITY_PROTOCOL_PDCP,

> +                .pdcp = {

> +                        .domain = RTE_SECURITY_PDCP_MODE_SHORT_MAC,

> +                        .capa_flags = 0

> +                },

> +                .crypto_capabilities = pmd_capabilities

> +        },

>          {

>                  .action = RTE_SECURITY_ACTION_TYPE_NONE

>          }

> diff --git a/doc/guides/tools/cryptoperf.rst b/doc/guides/tools/cryptoperf.rst

> index be3109054d..d3963f23e3 100644

> --- a/doc/guides/tools/cryptoperf.rst

> +++ b/doc/guides/tools/cryptoperf.rst

> @@ -316,9 +316,9 @@ The following are the application command-line

> options:

>          Set PDCP sequence number size(n) in bits. Valid values of n will

>          be 5/7/12/15/18.

> 

> -* ``--pdcp-domain <control/user>``

> +* ``--pdcp-domain <control/user/short_mac>``

> 

> -        Set PDCP domain to specify Control/user plane.

> +        Set PDCP domain to specify short_mac/control/user plane.

> 

>  * ``--docsis-hdr-sz <n>``

> 

> diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> index d6a101499a..b8d57c2b22 100644

> --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> @@ -3104,7 +3104,7 @@ dpaa2_sec_set_pdcp_session(struct rte_cryptodev

> *dev,

>  	struct rte_security_pdcp_xform *pdcp_xform = &conf->pdcp;

>  	struct rte_crypto_sym_xform *xform = conf->crypto_xform;

>  	struct rte_crypto_auth_xform *auth_xform = NULL;

> -	struct rte_crypto_cipher_xform *cipher_xform;

> +	struct rte_crypto_cipher_xform *cipher_xform = NULL;

>  	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;

>  	struct ctxt_priv *priv;

>  	struct dpaa2_sec_dev_private *dev_priv = dev->data->dev_private;

> @@ -3136,18 +3136,18 @@ dpaa2_sec_set_pdcp_session(struct

> rte_cryptodev *dev,

>  	flc = &priv->flc_desc[0].flc;

> 

>  	/* find xfrm types */

> -	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform-

> >next == NULL) {

> -		cipher_xform = &xform->cipher;

> -	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&

> -		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {

> -		session->ext_params.aead_ctxt.auth_cipher_text = true;

> +	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {

>  		cipher_xform = &xform->cipher;

> -		auth_xform = &xform->next->auth;

> -	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&

> -		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {

> -		session->ext_params.aead_ctxt.auth_cipher_text = false;

> -		cipher_xform = &xform->next->cipher;

> +		if (xform->next != NULL) {

> +			session->ext_params.aead_ctxt.auth_cipher_text =

> true;

> +			auth_xform = &xform->next->auth;

> +		}

> +	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {

>  		auth_xform = &xform->auth;

> +		if (xform->next != NULL) {

> +			session->ext_params.aead_ctxt.auth_cipher_text =

> false;

> +			cipher_xform = &xform->next->cipher;

> +		}

>  	} else {

>  		DPAA2_SEC_ERR("Invalid crypto type");

>  		return -EINVAL;

> @@ -3186,7 +3186,8 @@ dpaa2_sec_set_pdcp_session(struct rte_cryptodev

> *dev,

>  	session->pdcp.hfn_threshold = pdcp_xform->hfn_threshold;

>  	session->pdcp.hfn_ovd = pdcp_xform->hfn_ovrd;

>  	/* hfv ovd offset location is stored in iv.offset value*/

> -	session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;

> +	if (cipher_xform)

> +		session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;

> 

>  	cipherdata.key = (size_t)session->cipher_key.data;

>  	cipherdata.keylen = session->cipher_key.length;

> diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h

> index 88d31de0a6..2e136d7929 100644

> --- a/lib/security/rte_security.h

> +++ b/lib/security/rte_security.h

> @@ -233,6 +233,7 @@ struct rte_security_macsec_xform {

>  enum rte_security_pdcp_domain {

>  	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control

> plane */

>  	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */

> +	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac

> */

>  };

> 

>  /** PDCP Frame direction */

> --

> 2.25.1
Gagandeep Singh Sept. 8, 2021, 12:33 p.m. UTC | #2
> -----Original Message-----

> From: Akhil Goyal <gakhil@marvell.com>

> Sent: Wednesday, September 8, 2021 5:45 PM

> To: Gagandeep Singh <G.Singh@nxp.com>; dev@dpdk.org

> Cc: thomas@monjalon.net; Hemant Agrawal <hemant.agrawal@nxp.com>

> Subject: RE: [EXT] [PATCH v3 1/4] security: support PDCP short MAC-I

> 

> > From: Hemant Agrawal <hemant.agrawal@nxp.com>

> >

> > This patch add support to handle PDCP short MAC-I domain

> > along with standard control and data domains as it has to

> > be treated as special case with PDCP protocol offload support.

> >

> > ShortMAC-I is the 16 least significant bits of calculated MAC-I. Usually

> > when a RRC message is exchanged between UE and eNodeB it is integrity &

> > ciphered protected.

> >

> > MAC-I = f(key, varShortMAC-I, count, bearer, direction).

> > Here varShortMAC-I is prepared by using (current cellId, pci of source cell

> > and C-RNTI of old cell). Other parameters like count, bearer and

> > direction set to all 1.

> >

> > Signed-off-by: Gagandeep Singh <g.singh@nxp.com>

> > Signed-off-by: Hemant Agrawal <hemant.agrawal@nxp.com>

> > ---

> >  app/test-crypto-perf/cperf_options_parsing.c |  8 ++++++-

> >  doc/guides/prog_guide/rte_security.rst       | 11 ++++++++-

> >  doc/guides/tools/cryptoperf.rst              |  4 ++--

> >  drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c  | 25 ++++++++++----------

> 

> Why is the dpaa2_sec patch squashed in this patch?

> I asked to have it as a separate patch in this series instead of the dpaa_sec

> series.


Ok, I will send  v4  with a separate  patch for dpaa2_sec in this series.

> 

> >  lib/security/rte_security.h                  |  1 +

> >  5 files changed, 33 insertions(+), 16 deletions(-)

> >

> > diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-

> > perf/cperf_options_parsing.c

> > index e84f56cfaa..0348972c85 100644

> > --- a/app/test-crypto-perf/cperf_options_parsing.c

> > +++ b/app/test-crypto-perf/cperf_options_parsing.c

> > @@ -662,7 +662,8 @@ parse_pdcp_sn_sz(struct cperf_options *opts, const

> > char *arg)

> >

> >  const char *cperf_pdcp_domain_strs[] = {

> >  	[RTE_SECURITY_PDCP_MODE_CONTROL] = "control",

> > -	[RTE_SECURITY_PDCP_MODE_DATA] = "data"

> > +	[RTE_SECURITY_PDCP_MODE_DATA] = "data",

> > +	[RTE_SECURITY_PDCP_MODE_SHORT_MAC] = "short_mac"

> >  };

> >

> >  static int

> > @@ -677,6 +678,11 @@ parse_pdcp_domain(struct cperf_options *opts,

> > const char *arg)

> >  			cperf_pdcp_domain_strs

> >  			[RTE_SECURITY_PDCP_MODE_DATA],

> >  			RTE_SECURITY_PDCP_MODE_DATA

> > +		},

> > +		{

> > +			cperf_pdcp_domain_strs

> > +			[RTE_SECURITY_PDCP_MODE_SHORT_MAC],

> > +			RTE_SECURITY_PDCP_MODE_SHORT_MAC

> >  		}

> >  	};

> >

> > diff --git a/doc/guides/prog_guide/rte_security.rst

> > b/doc/guides/prog_guide/rte_security.rst

> > index f72bc8a78f..ad92c16868 100644

> > --- a/doc/guides/prog_guide/rte_security.rst

> > +++ b/doc/guides/prog_guide/rte_security.rst

> > @@ -1,5 +1,5 @@

> >  ..  SPDX-License-Identifier: BSD-3-Clause

> > -    Copyright 2017,2020 NXP

> > +    Copyright 2017,2020-2021 NXP

> >

> >

> >

> > @@ -408,6 +408,15 @@ PMD which supports the IPsec and PDCP protocol.

> >                  },

> >                  .crypto_capabilities = pmd_capabilities

> >          },

> > +	{ /* PDCP Lookaside Protocol offload short MAC-I */

> > +                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,

> > +                .protocol = RTE_SECURITY_PROTOCOL_PDCP,

> > +                .pdcp = {

> > +                        .domain = RTE_SECURITY_PDCP_MODE_SHORT_MAC,

> > +                        .capa_flags = 0

> > +                },

> > +                .crypto_capabilities = pmd_capabilities

> > +        },

> >          {

> >                  .action = RTE_SECURITY_ACTION_TYPE_NONE

> >          }

> > diff --git a/doc/guides/tools/cryptoperf.rst b/doc/guides/tools/cryptoperf.rst

> > index be3109054d..d3963f23e3 100644

> > --- a/doc/guides/tools/cryptoperf.rst

> > +++ b/doc/guides/tools/cryptoperf.rst

> > @@ -316,9 +316,9 @@ The following are the application command-line

> > options:

> >          Set PDCP sequence number size(n) in bits. Valid values of n will

> >          be 5/7/12/15/18.

> >

> > -* ``--pdcp-domain <control/user>``

> > +* ``--pdcp-domain <control/user/short_mac>``

> >

> > -        Set PDCP domain to specify Control/user plane.

> > +        Set PDCP domain to specify short_mac/control/user plane.

> >

> >  * ``--docsis-hdr-sz <n>``

> >

> > diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> > b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> > index d6a101499a..b8d57c2b22 100644

> > --- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> > +++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c

> > @@ -3104,7 +3104,7 @@ dpaa2_sec_set_pdcp_session(struct rte_cryptodev

> > *dev,

> >  	struct rte_security_pdcp_xform *pdcp_xform = &conf->pdcp;

> >  	struct rte_crypto_sym_xform *xform = conf->crypto_xform;

> >  	struct rte_crypto_auth_xform *auth_xform = NULL;

> > -	struct rte_crypto_cipher_xform *cipher_xform;

> > +	struct rte_crypto_cipher_xform *cipher_xform = NULL;

> >  	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;

> >  	struct ctxt_priv *priv;

> >  	struct dpaa2_sec_dev_private *dev_priv = dev->data->dev_private;

> > @@ -3136,18 +3136,18 @@ dpaa2_sec_set_pdcp_session(struct

> > rte_cryptodev *dev,

> >  	flc = &priv->flc_desc[0].flc;

> >

> >  	/* find xfrm types */

> > -	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform-

> > >next == NULL) {

> > -		cipher_xform = &xform->cipher;

> > -	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&

> > -		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {

> > -		session->ext_params.aead_ctxt.auth_cipher_text = true;

> > +	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {

> >  		cipher_xform = &xform->cipher;

> > -		auth_xform = &xform->next->auth;

> > -	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&

> > -		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {

> > -		session->ext_params.aead_ctxt.auth_cipher_text = false;

> > -		cipher_xform = &xform->next->cipher;

> > +		if (xform->next != NULL) {

> > +			session->ext_params.aead_ctxt.auth_cipher_text =

> > true;

> > +			auth_xform = &xform->next->auth;

> > +		}

> > +	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {

> >  		auth_xform = &xform->auth;

> > +		if (xform->next != NULL) {

> > +			session->ext_params.aead_ctxt.auth_cipher_text =

> > false;

> > +			cipher_xform = &xform->next->cipher;

> > +		}

> >  	} else {

> >  		DPAA2_SEC_ERR("Invalid crypto type");

> >  		return -EINVAL;

> > @@ -3186,7 +3186,8 @@ dpaa2_sec_set_pdcp_session(struct rte_cryptodev

> > *dev,

> >  	session->pdcp.hfn_threshold = pdcp_xform->hfn_threshold;

> >  	session->pdcp.hfn_ovd = pdcp_xform->hfn_ovrd;

> >  	/* hfv ovd offset location is stored in iv.offset value*/

> > -	session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;

> > +	if (cipher_xform)

> > +		session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;

> >

> >  	cipherdata.key = (size_t)session->cipher_key.data;

> >  	cipherdata.keylen = session->cipher_key.length;

> > diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h

> > index 88d31de0a6..2e136d7929 100644

> > --- a/lib/security/rte_security.h

> > +++ b/lib/security/rte_security.h

> > @@ -233,6 +233,7 @@ struct rte_security_macsec_xform {

> >  enum rte_security_pdcp_domain {

> >  	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control

> > plane */

> >  	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */

> > +	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac

> > */

> >  };

> >

> >  /** PDCP Frame direction */

> > --

> > 2.25.1
Akhil Goyal Sept. 8, 2021, 3:21 p.m. UTC | #3
> -----Original Message----- 

> ----------------------------------------------------------------------

> This series add support of Message Authentication Code

> - Integrity on DPAAX platforms.

> 

> v2-change-log:

> * update commit message

> * merged an existing patch with this series:

> https://urldefense.proofpoint.com/v2/url?u=https-

> 3A__patches.dpdk.org_project_dpdk_patch_20210825081837.23830-2D1-

> 2Dhemant.agrawal-

> 40nxp.com_mbox_&d=DwIDAg&c=nKjWec2b6R0mOyPaz7xtfQ&r=DnL7Si2wl

> _PRwpZ9TWey3eu68gBzn7DkPwuqhd6WNyo&m=uVb88j-BcZCOk-

> dj_YN250HwoG6vE4oaTbdZ0crhu_o&s=ke0c8NuRQj2AR4pX7yDDk5gytngbs6

> O1D6Urd1Xk5qk&e=

> 

> v3-change-log:

> * updated release notes

> 

> v4-change-log:

> * move the dpaa2_sec changes from first patch to a separate patch

> 

> Gagandeep Singh (3):

>   test/crypto: add pdcp security short MAC-I support

>   crypto/dpaa2_sec: add PDCP short MAC-I support

>   crypto/dpaa_sec: add pdcp short MAC-I support

> 

> Hemant Agrawal (2):

>   crypto/dpaa2_sec: support integrity only case for PDCP

>   security: add pdcp short MAC-I support

> 

>  app/test-crypto-perf/cperf_options_parsing.c  |   8 +-

>  app/test/test_cryptodev.c                     |  48 ++++++++

>  ...est_cryptodev_security_pdcp_test_vectors.h | 105 +++++++++++++++++-

>  doc/guides/prog_guide/rte_security.rst        |  11 +-

>  doc/guides/rel_notes/release_21_11.rst        |   8 ++

>  doc/guides/tools/cryptoperf.rst               |   2 +-

>  drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c   |  29 +++--

>  drivers/crypto/dpaa2_sec/dpaa2_sec_priv.h     |   9 ++

>  drivers/crypto/dpaa_sec/dpaa_sec.c            |   3 +

>  drivers/crypto/dpaa_sec/dpaa_sec.h            |  11 +-

>  lib/security/rte_security.h                   |   1 +

>  11 files changed, 218 insertions(+), 17 deletions(-)

> 

Series Acked-by: Akhil Goyal <gakhil@marvell.com>

Applied to dpdk-next-crypto

Thanks.
diff mbox series

Patch

diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
index e84f56cfaa..0348972c85 100644
--- a/app/test-crypto-perf/cperf_options_parsing.c
+++ b/app/test-crypto-perf/cperf_options_parsing.c
@@ -662,7 +662,8 @@  parse_pdcp_sn_sz(struct cperf_options *opts, const char *arg)
 
 const char *cperf_pdcp_domain_strs[] = {
 	[RTE_SECURITY_PDCP_MODE_CONTROL] = "control",
-	[RTE_SECURITY_PDCP_MODE_DATA] = "data"
+	[RTE_SECURITY_PDCP_MODE_DATA] = "data",
+	[RTE_SECURITY_PDCP_MODE_SHORT_MAC] = "short_mac"
 };
 
 static int
@@ -677,6 +678,11 @@  parse_pdcp_domain(struct cperf_options *opts, const char *arg)
 			cperf_pdcp_domain_strs
 			[RTE_SECURITY_PDCP_MODE_DATA],
 			RTE_SECURITY_PDCP_MODE_DATA
+		},
+		{
+			cperf_pdcp_domain_strs
+			[RTE_SECURITY_PDCP_MODE_SHORT_MAC],
+			RTE_SECURITY_PDCP_MODE_SHORT_MAC
 		}
 	};
 
diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst
index f72bc8a78f..ad92c16868 100644
--- a/doc/guides/prog_guide/rte_security.rst
+++ b/doc/guides/prog_guide/rte_security.rst
@@ -1,5 +1,5 @@ 
 ..  SPDX-License-Identifier: BSD-3-Clause
-    Copyright 2017,2020 NXP
+    Copyright 2017,2020-2021 NXP
 
 
 
@@ -408,6 +408,15 @@  PMD which supports the IPsec and PDCP protocol.
                 },
                 .crypto_capabilities = pmd_capabilities
         },
+	{ /* PDCP Lookaside Protocol offload short MAC-I */
+                .action = RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
+                .protocol = RTE_SECURITY_PROTOCOL_PDCP,
+                .pdcp = {
+                        .domain = RTE_SECURITY_PDCP_MODE_SHORT_MAC,
+                        .capa_flags = 0
+                },
+                .crypto_capabilities = pmd_capabilities
+        },
         {
                 .action = RTE_SECURITY_ACTION_TYPE_NONE
         }
diff --git a/doc/guides/tools/cryptoperf.rst b/doc/guides/tools/cryptoperf.rst
index be3109054d..d3963f23e3 100644
--- a/doc/guides/tools/cryptoperf.rst
+++ b/doc/guides/tools/cryptoperf.rst
@@ -316,9 +316,9 @@  The following are the application command-line options:
         Set PDCP sequence number size(n) in bits. Valid values of n will
         be 5/7/12/15/18.
 
-* ``--pdcp-domain <control/user>``
+* ``--pdcp-domain <control/user/short_mac>``
 
-        Set PDCP domain to specify Control/user plane.
+        Set PDCP domain to specify short_mac/control/user plane.
 
 * ``--docsis-hdr-sz <n>``
 
diff --git a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
index d6a101499a..b8d57c2b22 100644
--- a/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
+++ b/drivers/crypto/dpaa2_sec/dpaa2_sec_dpseci.c
@@ -3104,7 +3104,7 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	struct rte_security_pdcp_xform *pdcp_xform = &conf->pdcp;
 	struct rte_crypto_sym_xform *xform = conf->crypto_xform;
 	struct rte_crypto_auth_xform *auth_xform = NULL;
-	struct rte_crypto_cipher_xform *cipher_xform;
+	struct rte_crypto_cipher_xform *cipher_xform = NULL;
 	dpaa2_sec_session *session = (dpaa2_sec_session *)sess;
 	struct ctxt_priv *priv;
 	struct dpaa2_sec_dev_private *dev_priv = dev->data->dev_private;
@@ -3136,18 +3136,18 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	flc = &priv->flc_desc[0].flc;
 
 	/* find xfrm types */
-	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER && xform->next == NULL) {
-		cipher_xform = &xform->cipher;
-	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
-		   xform->next->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
-		session->ext_params.aead_ctxt.auth_cipher_text = true;
+	if (xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 		cipher_xform = &xform->cipher;
-		auth_xform = &xform->next->auth;
-	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
-		   xform->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
-		session->ext_params.aead_ctxt.auth_cipher_text = false;
-		cipher_xform = &xform->next->cipher;
+		if (xform->next != NULL) {
+			session->ext_params.aead_ctxt.auth_cipher_text = true;
+			auth_xform = &xform->next->auth;
+		}
+	} else if (xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
 		auth_xform = &xform->auth;
+		if (xform->next != NULL) {
+			session->ext_params.aead_ctxt.auth_cipher_text = false;
+			cipher_xform = &xform->next->cipher;
+		}
 	} else {
 		DPAA2_SEC_ERR("Invalid crypto type");
 		return -EINVAL;
@@ -3186,7 +3186,8 @@  dpaa2_sec_set_pdcp_session(struct rte_cryptodev *dev,
 	session->pdcp.hfn_threshold = pdcp_xform->hfn_threshold;
 	session->pdcp.hfn_ovd = pdcp_xform->hfn_ovrd;
 	/* hfv ovd offset location is stored in iv.offset value*/
-	session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;
+	if (cipher_xform)
+		session->pdcp.hfn_ovd_offset = cipher_xform->iv.offset;
 
 	cipherdata.key = (size_t)session->cipher_key.data;
 	cipherdata.keylen = session->cipher_key.length;
diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 88d31de0a6..2e136d7929 100644
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -233,6 +233,7 @@  struct rte_security_macsec_xform {
 enum rte_security_pdcp_domain {
 	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control plane */
 	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */
+	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac */
 };
 
 /** PDCP Frame direction */