diff mbox

[v3,04/10] cryptodev: introduce gcrypt lib as a new cryptodev backend

Message ID 1474272982-275836-5-git-send-email-arei.gonglei@huawei.com (mailing list archive)
State New, archived
Headers show

Commit Message

Gonglei (Arei) Sept. 19, 2016, 8:16 a.m. UTC
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
 crypto/Makefile.objs      |   1 +
 crypto/cryptodev-gcrypt.c | 329 ++++++++++++++++++++++++++++++++++++++++++++++
 qemu-options.hx           |  18 +++
 3 files changed, 348 insertions(+)
 create mode 100644 crypto/cryptodev-gcrypt.c

Comments

Daniel P. Berrangé Sept. 19, 2016, 8:29 a.m. UTC | #1
AFAICT you are not using gcrypt here - you're using QEMU
cipher APIs (which is good). These APIs can be backed by
either nettle or gcrypt though, so the subject is misleading.


Regards,
Daniel
Gonglei (Arei) Sept. 19, 2016, 8:36 a.m. UTC | #2
Hi Daniel,


> -----Original Message-----

> From: Daniel P. Berrange [mailto:berrange@redhat.com]

> Sent: Monday, September 19, 2016 4:30 PM

> Subject: Re: [PATCH v3 04/10] cryptodev: introduce gcrypt lib as a new

> cryptodev backend

> 

> AFAICT you are not using gcrypt here - you're using QEMU

> cipher APIs (which is good). These APIs can be backed by

> either nettle or gcrypt though, so the subject is misleading.

> 

Oops, thanks for your reminding :)

Will fix in the next version.


Regards,
-Gonglei
Daniel P. Berrangé Sept. 19, 2016, 8:56 a.m. UTC | #3
On Mon, Sep 19, 2016 at 04:16:16PM +0800, Gonglei wrote:
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
>  crypto/Makefile.objs      |   1 +
>  crypto/cryptodev-gcrypt.c | 329 ++++++++++++++++++++++++++++++++++++++++++++++
>  qemu-options.hx           |  18 +++
>  3 files changed, 348 insertions(+)
>  create mode 100644 crypto/cryptodev-gcrypt.c
> 
> diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
> index f7f3c4f..bd8aea7 100644
> --- a/crypto/Makefile.objs
> +++ b/crypto/Makefile.objs
> @@ -27,6 +27,7 @@ crypto-obj-y += block.o
>  crypto-obj-y += block-qcow.o
>  crypto-obj-y += block-luks.o
>  crypto-obj-y += cryptodev.o
> +crypto-obj-$(CONFIG_GCRYPT) += cryptodev-gcrypt.o

This can be just crypto-obj-y +=

>  # Let the userspace emulators avoid linking gnutls/etc
>  crypto-aes-obj-y = aes.o
> diff --git a/crypto/cryptodev-gcrypt.c b/crypto/cryptodev-gcrypt.c
> new file mode 100644
> index 0000000..66a0e5e
> --- /dev/null
> +++ b/crypto/cryptodev-gcrypt.c
> +/**
> + * @TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT:
> + * name of backend that uses gcrypt library
> + */
> +#define TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT "cryptodev-backend-gcrypt"

I'd suggest we just call this backend "builtin", so do a
replace of "gcrypt" with "builtin" throughout.

> +static void qcrypto_cryptodev_backend_gcrypt_init(
> +             QCryptoCryptoDevBackend *backend, Error **errp)
> +{
> +    /* Only support one queue */
> +    int queues = MAX(backend->conf.peers.queues, 1);
> +    int i;

Nitpick, I prefer to see 'size_t' for list iterators
that are always positive. Similar comment in other
places in this series using int i

> +    QCryptoCryptoDevBackendClientState *cc;
> +
> +    for (i = 0; i < queues; i++) {
> +        cc = qcrypto_cryptodev_backend_new_client(
> +                  "cryptodev-gcrypt", NULL);
> +        snprintf(cc->info_str, sizeof(cc->info_str),
> +                 "cryptodev-gcrypt%d", i);
> +        cc->queue_index = i;
> +
> +        backend->conf.peers.ccs[i] = cc;
> +    }
> +
> +    backend->conf.crypto_services =
> +                         1u << VIRTIO_CRYPTO_SERVICE_CIPHER |
> +                         1u << VIRTIO_CRYPTO_SERVICE_HASH |
> +                         1u << VIRTIO_CRYPTO_SERVICE_MAC;
> +    backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
> +    backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
> +}
> +
> +static int
> +qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(
> +      QCryptoCryptoDevBackendGcrypt *gcrypt)
> +{
> +    int i;
> +
> +    for (i = 0; i < MAX_NUM_SESSIONS; i++) {
> +        if (gcrypt->sessions[i] == NULL) {
> +            return i;
> +        }
> +    }
> +
> +    return -1;
> +}
> +
> +static int qcrypto_cryptodev_backend_gcrypt_create_cipher_session(
> +                    QCryptoCryptoDevBackendGcrypt *gcrypt,
> +                    QCryptoCryptoDevBackendSymSessionInfo *sess_info,
> +                    Error **errp)
> +{
> +    int algo;
> +    int mode;
> +    QCryptoCipher *cipher;
> +    int index;
> +    QCryptoCryptoDevBackendGcryptSession *sess;
> +
> +    if (sess_info->op_type != VIRTIO_CRYPTO_SYM_OP_CIPHER) {
> +        error_setg(errp, "unsupported optype :%u", sess_info->op_type);
> +        return -1;
> +    }
> +
> +    index = qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(gcrypt);
> +    if (index < 0) {
> +        error_setg(errp, "the total number of created session exceed %u",
> +                  MAX_NUM_SESSIONS);
> +        return -1;
> +    }
> +
> +    switch (sess_info->cipher_alg) {
> +    case VIRTIO_CRYPTO_CIPHER_AES_ECB:
> +        if (sess_info->key_len == 128 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_128;
> +        } else if (sess_info->key_len == 192 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_192;
> +        } else if (sess_info->key_len == 256 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_256;
> +        } else {
> +            error_setg(errp, "unsupported key length :%u",
> +                       sess_info->key_len);
> +            return -1;
> +        }
> +        mode = QCRYPTO_CIPHER_MODE_ECB;
> +        break;
> +    case VIRTIO_CRYPTO_CIPHER_AES_CBC:
> +        if (sess_info->key_len == 128 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_128;
> +        } else if (sess_info->key_len == 192 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_192;
> +        } else if (sess_info->key_len == 256 / 8) {
> +            algo = QCRYPTO_CIPHER_ALG_AES_256;
> +        } else {
> +            error_setg(errp, "unsupported key length :%u",
> +                       sess_info->key_len);
> +            return -1;
> +        }
> +        mode = QCRYPTO_CIPHER_MODE_CBC;
> +        break;
> +    case VIRTIO_CRYPTO_CIPHER_AES_CTR:

Although the QEMU cipher.h API does not export CTR mode currently
it should be trivial to add it. So feel free to add a patch at
the start of the series implementing CTR mode in the cipher API.
Both gcrypt and nettle have support for it which is all we need.

> +    default:
> +        error_setg(errp, "unsupported cipher alg :%u",
> +                   sess_info->cipher_alg);
> +        return -1;
> +    }
> +
> +    cipher = qcrypto_cipher_new(algo, mode,
> +                               sess_info->cipher_key,
> +                               sess_info->key_len,
> +                               errp);
> +    if (!cipher) {
> +        return -1;
> +    }
> +
> +    sess = g_new0(QCryptoCryptoDevBackendGcryptSession, 1);
> +    sess->cipher = cipher;
> +    sess->direction = sess_info->direction;
> +    sess->type = sess_info->op_type;
> +
> +    gcrypt->sessions[index] = sess;
> +
> +    return index;
> +}

> +
> +static int64_t qcrypto_cryptodev_backend_gcrypt_sym_create_session(
> +           QCryptoCryptoDevBackend *backend,
> +           QCryptoCryptoDevBackendSymSessionInfo *sess_info,
> +           uint32_t queue_index, Error **errp)
> +{
> +    QCryptoCryptoDevBackendGcrypt *gcrypt =
> +                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
> +    int64_t session_id = -1;
> +    int ret;
> +
> +    switch (sess_info->op_code) {
> +    case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION:
> +        ret = qcrypto_cryptodev_backend_gcrypt_create_cipher_session(
> +                           gcrypt, sess_info, errp);
> +        if (ret < 0) {
> +            return ret;
> +        } else {
> +            session_id = ret;
> +        }
> +        break;
> +    case VIRTIO_CRYPTO_HASH_CREATE_SESSION:
> +    case VIRTIO_CRYPTO_MAC_CREATE_SESSION:
> +    default:
> +        error_setg(errp, "unsupported opcode :%" PRIu32 "",
> +                   sess_info->op_code);
> +        return -1;
> +    }
> +
> +    return session_id;
> +}
> +
> +static int qcrypto_cryptodev_backend_gcrypt_sym_close_session(
> +           QCryptoCryptoDevBackend *backend,
> +           uint64_t session_id, Error **errp)
> +{
> +    QCryptoCryptoDevBackendGcrypt *gcrypt =
> +                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
> +
> +    if (session_id >= MAX_NUM_SESSIONS ||
> +              gcrypt->sessions[session_id] == NULL) {
> +        error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
> +                      session_id);
> +        return -1;
> +    }
> +
> +    qcrypto_cipher_free(gcrypt->sessions[session_id]->cipher);
> +    g_free(gcrypt->sessions[session_id]);
> +    gcrypt->sessions[session_id] = NULL;
> +    return 0;
> +}
> +
> +static int qcrypto_cryptodev_backend_gcrypt_sym_operation(
> +                 QCryptoCryptoDevBackend *backend,
> +                 QCryptoCryptoDevBackendSymOpInfo *op_info,
> +                 uint32_t queue_index, Error **errp)
> +{
> +    QCryptoCryptoDevBackendGcrypt *gcrypt =
> +                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
> +    QCryptoCryptoDevBackendGcryptSession *sess;
> +    int ret;
> +
> +    if (op_info->session_id >= MAX_NUM_SESSIONS ||
> +              gcrypt->sessions[op_info->session_id] == NULL) {
> +        error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
> +                   op_info->session_id);
> +        return -VIRTIO_CRYPTO_OP_INVSESS;
> +    }
> +
> +    sess = gcrypt->sessions[op_info->session_id];
> +
> +    ret = qcrypto_cipher_setiv(sess->cipher, op_info->iv,
> +                               op_info->iv_len, errp);
> +    if (ret < 0) {
> +        return -VIRTIO_CRYPTO_OP_ERR;
> +    }
> +
> +    if (sess->direction == VIRTIO_CRYPTO_OP_ENCRYPT) {
> +        ret = qcrypto_cipher_encrypt(sess->cipher, op_info->src,
> +                                     op_info->dst, op_info->src_len, errp);
> +        if (ret < 0) {
> +            return -VIRTIO_CRYPTO_OP_ERR;
> +        }
> +    } else {
> +        ret = qcrypto_cipher_decrypt(sess->cipher, op_info->src,
> +                                     op_info->dst, op_info->src_len, errp);
> +        if (ret < 0) {
> +            return -VIRTIO_CRYPTO_OP_ERR;
> +        }
> +    }
> +    return 0;
> +}


Regards,
Daniel
Gonglei (Arei) Sept. 19, 2016, 9:02 a.m. UTC | #4
> -----Original Message-----

> From: Daniel P. Berrange [mailto:berrange@redhat.com]

> Sent: Monday, September 19, 2016 4:56 PM

> Subject: Re: [PATCH v3 04/10] cryptodev: introduce gcrypt lib as a new

> cryptodev backend

> 

> On Mon, Sep 19, 2016 at 04:16:16PM +0800, Gonglei wrote:

> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>

> > ---

> >  crypto/Makefile.objs      |   1 +

> >  crypto/cryptodev-gcrypt.c | 329

> ++++++++++++++++++++++++++++++++++++++++++++++

> >  qemu-options.hx           |  18 +++

> >  3 files changed, 348 insertions(+)

> >  create mode 100644 crypto/cryptodev-gcrypt.c

> >

> > diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs

> > index f7f3c4f..bd8aea7 100644

> > --- a/crypto/Makefile.objs

> > +++ b/crypto/Makefile.objs

> > @@ -27,6 +27,7 @@ crypto-obj-y += block.o

> >  crypto-obj-y += block-qcow.o

> >  crypto-obj-y += block-luks.o

> >  crypto-obj-y += cryptodev.o

> > +crypto-obj-$(CONFIG_GCRYPT) += cryptodev-gcrypt.o

> 

> This can be just crypto-obj-y +=

> 

Yes.

> >  # Let the userspace emulators avoid linking gnutls/etc

> >  crypto-aes-obj-y = aes.o

> > diff --git a/crypto/cryptodev-gcrypt.c b/crypto/cryptodev-gcrypt.c

> > new file mode 100644

> > index 0000000..66a0e5e

> > --- /dev/null

> > +++ b/crypto/cryptodev-gcrypt.c

> > +/**

> > + * @TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT:

> > + * name of backend that uses gcrypt library

> > + */

> > +#define TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT

> "cryptodev-backend-gcrypt"

> 

> I'd suggest we just call this backend "builtin", so do a

> replace of "gcrypt" with "builtin" throughout.

> 

OK, good name ;)

> > +static void qcrypto_cryptodev_backend_gcrypt_init(

> > +             QCryptoCryptoDevBackend *backend, Error **errp)

> > +{

> > +    /* Only support one queue */

> > +    int queues = MAX(backend->conf.peers.queues, 1);

> > +    int i;

> 

> Nitpick, I prefer to see 'size_t' for list iterators

> that are always positive. Similar comment in other

> places in this series using int i

> 

OK

> > +    QCryptoCryptoDevBackendClientState *cc;

> > +

> > +    for (i = 0; i < queues; i++) {

> > +        cc = qcrypto_cryptodev_backend_new_client(

> > +                  "cryptodev-gcrypt", NULL);

> > +        snprintf(cc->info_str, sizeof(cc->info_str),

> > +                 "cryptodev-gcrypt%d", i);

> > +        cc->queue_index = i;

> > +

> > +        backend->conf.peers.ccs[i] = cc;

> > +    }

> > +

> > +    backend->conf.crypto_services =

> > +                         1u << VIRTIO_CRYPTO_SERVICE_CIPHER |

> > +                         1u << VIRTIO_CRYPTO_SERVICE_HASH |

> > +                         1u << VIRTIO_CRYPTO_SERVICE_MAC;

> > +    backend->conf.cipher_algo_l = 1u <<

> VIRTIO_CRYPTO_CIPHER_AES_CBC;

> > +    backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;

> > +}

> > +

> > +static int

> > +qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(

> > +      QCryptoCryptoDevBackendGcrypt *gcrypt)

> > +{

> > +    int i;

> > +

> > +    for (i = 0; i < MAX_NUM_SESSIONS; i++) {

> > +        if (gcrypt->sessions[i] == NULL) {

> > +            return i;

> > +        }

> > +    }

> > +

> > +    return -1;

> > +}

> > +

> > +static int qcrypto_cryptodev_backend_gcrypt_create_cipher_session(

> > +                    QCryptoCryptoDevBackendGcrypt *gcrypt,

> > +                    QCryptoCryptoDevBackendSymSessionInfo

> *sess_info,

> > +                    Error **errp)

> > +{

> > +    int algo;

> > +    int mode;

> > +    QCryptoCipher *cipher;

> > +    int index;

> > +    QCryptoCryptoDevBackendGcryptSession *sess;

> > +

> > +    if (sess_info->op_type != VIRTIO_CRYPTO_SYM_OP_CIPHER) {

> > +        error_setg(errp, "unsupported optype :%u", sess_info->op_type);

> > +        return -1;

> > +    }

> > +

> > +    index =

> qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(gcrypt);

> > +    if (index < 0) {

> > +        error_setg(errp, "the total number of created session

> exceed %u",

> > +                  MAX_NUM_SESSIONS);

> > +        return -1;

> > +    }

> > +

> > +    switch (sess_info->cipher_alg) {

> > +    case VIRTIO_CRYPTO_CIPHER_AES_ECB:

> > +        if (sess_info->key_len == 128 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_128;

> > +        } else if (sess_info->key_len == 192 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_192;

> > +        } else if (sess_info->key_len == 256 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_256;

> > +        } else {

> > +            error_setg(errp, "unsupported key length :%u",

> > +                       sess_info->key_len);

> > +            return -1;

> > +        }

> > +        mode = QCRYPTO_CIPHER_MODE_ECB;

> > +        break;

> > +    case VIRTIO_CRYPTO_CIPHER_AES_CBC:

> > +        if (sess_info->key_len == 128 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_128;

> > +        } else if (sess_info->key_len == 192 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_192;

> > +        } else if (sess_info->key_len == 256 / 8) {

> > +            algo = QCRYPTO_CIPHER_ALG_AES_256;

> > +        } else {

> > +            error_setg(errp, "unsupported key length :%u",

> > +                       sess_info->key_len);

> > +            return -1;

> > +        }

> > +        mode = QCRYPTO_CIPHER_MODE_CBC;

> > +        break;

> > +    case VIRTIO_CRYPTO_CIPHER_AES_CTR:

> 

> Although the QEMU cipher.h API does not export CTR mode currently

> it should be trivial to add it. So feel free to add a patch at

> the start of the series implementing CTR mode in the cipher API.

> Both gcrypt and nettle have support for it which is all we need.

> 

OK, will do.

Thanks,
-Gonglei
diff mbox

Patch

diff --git a/crypto/Makefile.objs b/crypto/Makefile.objs
index f7f3c4f..bd8aea7 100644
--- a/crypto/Makefile.objs
+++ b/crypto/Makefile.objs
@@ -27,6 +27,7 @@  crypto-obj-y += block.o
 crypto-obj-y += block-qcow.o
 crypto-obj-y += block-luks.o
 crypto-obj-y += cryptodev.o
+crypto-obj-$(CONFIG_GCRYPT) += cryptodev-gcrypt.o
 
 # Let the userspace emulators avoid linking gnutls/etc
 crypto-aes-obj-y = aes.o
diff --git a/crypto/cryptodev-gcrypt.c b/crypto/cryptodev-gcrypt.c
new file mode 100644
index 0000000..66a0e5e
--- /dev/null
+++ b/crypto/cryptodev-gcrypt.c
@@ -0,0 +1,329 @@ 
+/*
+ * QEMU Cryptodev backend for gcrypt
+ *
+ * Copyright (c) 2016 HUAWEI TECHNOLOGIES CO., LTD.
+ *
+ * Authors:
+ *    Gonglei <arei.gonglei@huawei.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "crypto/cryptodev.h"
+#include "hw/boards.h"
+#include "qapi/error.h"
+#include "standard-headers/linux/virtio_crypto.h"
+#include "crypto/cipher.h"
+
+
+/**
+ * @TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT:
+ * name of backend that uses gcrypt library
+ */
+#define TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT "cryptodev-backend-gcrypt"
+
+#define QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(obj) \
+    OBJECT_CHECK(QCryptoCryptoDevBackendGcrypt, \
+                 (obj), TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT)
+
+typedef struct QCryptoCryptoDevBackendGcrypt
+                         QCryptoCryptoDevBackendGcrypt;
+
+typedef struct QCryptoCryptoDevBackendGcryptSession {
+    QCryptoCipher *cipher;
+    uint8_t direction; /* encryption or decryption */
+    uint8_t type; /* cipher? hash? aead? */
+    QTAILQ_ENTRY(QCryptoCryptoDevBackendGcryptSession) next;
+} QCryptoCryptoDevBackendGcryptSession;
+
+/* Max number of symetrical sessions */
+#define MAX_NUM_SESSIONS 256
+
+
+struct QCryptoCryptoDevBackendGcrypt {
+    QCryptoCryptoDevBackend parent_obj;
+
+    QCryptoCryptoDevBackendGcryptSession *sessions[MAX_NUM_SESSIONS];
+};
+
+static void qcrypto_cryptodev_backend_gcrypt_init(
+             QCryptoCryptoDevBackend *backend, Error **errp)
+{
+    /* Only support one queue */
+    int queues = MAX(backend->conf.peers.queues, 1);
+    int i;
+    QCryptoCryptoDevBackendClientState *cc;
+
+    for (i = 0; i < queues; i++) {
+        cc = qcrypto_cryptodev_backend_new_client(
+                  "cryptodev-gcrypt", NULL);
+        snprintf(cc->info_str, sizeof(cc->info_str),
+                 "cryptodev-gcrypt%d", i);
+        cc->queue_index = i;
+
+        backend->conf.peers.ccs[i] = cc;
+    }
+
+    backend->conf.crypto_services =
+                         1u << VIRTIO_CRYPTO_SERVICE_CIPHER |
+                         1u << VIRTIO_CRYPTO_SERVICE_HASH |
+                         1u << VIRTIO_CRYPTO_SERVICE_MAC;
+    backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
+    backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
+}
+
+static int
+qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(
+      QCryptoCryptoDevBackendGcrypt *gcrypt)
+{
+    int i;
+
+    for (i = 0; i < MAX_NUM_SESSIONS; i++) {
+        if (gcrypt->sessions[i] == NULL) {
+            return i;
+        }
+    }
+
+    return -1;
+}
+
+static int qcrypto_cryptodev_backend_gcrypt_create_cipher_session(
+                    QCryptoCryptoDevBackendGcrypt *gcrypt,
+                    QCryptoCryptoDevBackendSymSessionInfo *sess_info,
+                    Error **errp)
+{
+    int algo;
+    int mode;
+    QCryptoCipher *cipher;
+    int index;
+    QCryptoCryptoDevBackendGcryptSession *sess;
+
+    if (sess_info->op_type != VIRTIO_CRYPTO_SYM_OP_CIPHER) {
+        error_setg(errp, "unsupported optype :%u", sess_info->op_type);
+        return -1;
+    }
+
+    index = qcrypto_cryptodev_backend_gcrypt_get_unused_session_index(gcrypt);
+    if (index < 0) {
+        error_setg(errp, "the total number of created session exceed %u",
+                  MAX_NUM_SESSIONS);
+        return -1;
+    }
+
+    switch (sess_info->cipher_alg) {
+    case VIRTIO_CRYPTO_CIPHER_AES_ECB:
+        if (sess_info->key_len == 128 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_128;
+        } else if (sess_info->key_len == 192 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_192;
+        } else if (sess_info->key_len == 256 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_256;
+        } else {
+            error_setg(errp, "unsupported key length :%u",
+                       sess_info->key_len);
+            return -1;
+        }
+        mode = QCRYPTO_CIPHER_MODE_ECB;
+        break;
+    case VIRTIO_CRYPTO_CIPHER_AES_CBC:
+        if (sess_info->key_len == 128 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_128;
+        } else if (sess_info->key_len == 192 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_192;
+        } else if (sess_info->key_len == 256 / 8) {
+            algo = QCRYPTO_CIPHER_ALG_AES_256;
+        } else {
+            error_setg(errp, "unsupported key length :%u",
+                       sess_info->key_len);
+            return -1;
+        }
+        mode = QCRYPTO_CIPHER_MODE_CBC;
+        break;
+    case VIRTIO_CRYPTO_CIPHER_AES_CTR:
+    default:
+        error_setg(errp, "unsupported cipher alg :%u",
+                   sess_info->cipher_alg);
+        return -1;
+    }
+
+    cipher = qcrypto_cipher_new(algo, mode,
+                               sess_info->cipher_key,
+                               sess_info->key_len,
+                               errp);
+    if (!cipher) {
+        return -1;
+    }
+
+    sess = g_new0(QCryptoCryptoDevBackendGcryptSession, 1);
+    sess->cipher = cipher;
+    sess->direction = sess_info->direction;
+    sess->type = sess_info->op_type;
+
+    gcrypt->sessions[index] = sess;
+
+    return index;
+}
+
+static int64_t qcrypto_cryptodev_backend_gcrypt_sym_create_session(
+           QCryptoCryptoDevBackend *backend,
+           QCryptoCryptoDevBackendSymSessionInfo *sess_info,
+           uint32_t queue_index, Error **errp)
+{
+    QCryptoCryptoDevBackendGcrypt *gcrypt =
+                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
+    int64_t session_id = -1;
+    int ret;
+
+    switch (sess_info->op_code) {
+    case VIRTIO_CRYPTO_CIPHER_CREATE_SESSION:
+        ret = qcrypto_cryptodev_backend_gcrypt_create_cipher_session(
+                           gcrypt, sess_info, errp);
+        if (ret < 0) {
+            return ret;
+        } else {
+            session_id = ret;
+        }
+        break;
+    case VIRTIO_CRYPTO_HASH_CREATE_SESSION:
+    case VIRTIO_CRYPTO_MAC_CREATE_SESSION:
+    default:
+        error_setg(errp, "unsupported opcode :%" PRIu32 "",
+                   sess_info->op_code);
+        return -1;
+    }
+
+    return session_id;
+}
+
+static int qcrypto_cryptodev_backend_gcrypt_sym_close_session(
+           QCryptoCryptoDevBackend *backend,
+           uint64_t session_id, Error **errp)
+{
+    QCryptoCryptoDevBackendGcrypt *gcrypt =
+                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
+
+    if (session_id >= MAX_NUM_SESSIONS ||
+              gcrypt->sessions[session_id] == NULL) {
+        error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
+                      session_id);
+        return -1;
+    }
+
+    qcrypto_cipher_free(gcrypt->sessions[session_id]->cipher);
+    g_free(gcrypt->sessions[session_id]);
+    gcrypt->sessions[session_id] = NULL;
+    return 0;
+}
+
+static int qcrypto_cryptodev_backend_gcrypt_sym_operation(
+                 QCryptoCryptoDevBackend *backend,
+                 QCryptoCryptoDevBackendSymOpInfo *op_info,
+                 uint32_t queue_index, Error **errp)
+{
+    QCryptoCryptoDevBackendGcrypt *gcrypt =
+                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
+    QCryptoCryptoDevBackendGcryptSession *sess;
+    int ret;
+
+    if (op_info->session_id >= MAX_NUM_SESSIONS ||
+              gcrypt->sessions[op_info->session_id] == NULL) {
+        error_setg(errp, "Cannot find a valid session id: %" PRIu64 "",
+                   op_info->session_id);
+        return -VIRTIO_CRYPTO_OP_INVSESS;
+    }
+
+    sess = gcrypt->sessions[op_info->session_id];
+
+    ret = qcrypto_cipher_setiv(sess->cipher, op_info->iv,
+                               op_info->iv_len, errp);
+    if (ret < 0) {
+        return -VIRTIO_CRYPTO_OP_ERR;
+    }
+
+    if (sess->direction == VIRTIO_CRYPTO_OP_ENCRYPT) {
+        ret = qcrypto_cipher_encrypt(sess->cipher, op_info->src,
+                                     op_info->dst, op_info->src_len, errp);
+        if (ret < 0) {
+            return -VIRTIO_CRYPTO_OP_ERR;
+        }
+    } else {
+        ret = qcrypto_cipher_decrypt(sess->cipher, op_info->src,
+                                     op_info->dst, op_info->src_len, errp);
+        if (ret < 0) {
+            return -VIRTIO_CRYPTO_OP_ERR;
+        }
+    }
+    return 0;
+}
+
+static void qcrypto_cryptodev_backend_gcrypt_cleanup(
+             QCryptoCryptoDevBackend *backend,
+             Error **errp)
+{
+    QCryptoCryptoDevBackendGcrypt *gcrypt =
+                      QCRYPTO_CRYPTODEV_BACKEND_GCRYPT(backend);
+    int i;
+    int queues = backend->conf.peers.queues;
+    QCryptoCryptoDevBackendClientState *cc;
+
+    for (i = 0; i < MAX_NUM_SESSIONS; i++) {
+        if (gcrypt->sessions[i] != NULL) {
+            qcrypto_cryptodev_backend_gcrypt_sym_close_session(
+                    backend, i, errp);
+        }
+    }
+
+    for (i = 0; i < queues; i++) {
+        cc = backend->conf.peers.ccs[i];
+        if (cc) {
+            qcrypto_cryptodev_backend_free_client(cc);
+            backend->conf.peers.ccs[i] = NULL;
+        }
+    }
+}
+
+static void qcrypto_cryptodev_backend_gcrypt_finalize(Object *obj)
+{
+
+}
+
+static void
+qcrypto_cryptodev_backend_gcrypt_class_init(ObjectClass *oc, void *data)
+{
+    QCryptoCryptoDevBackendClass *bc = QCRYPTO_CRYPTODEV_BACKEND_CLASS(oc);
+
+    bc->init = qcrypto_cryptodev_backend_gcrypt_init;
+    bc->cleanup = qcrypto_cryptodev_backend_gcrypt_cleanup;
+    bc->create_session = qcrypto_cryptodev_backend_gcrypt_sym_create_session;
+    bc->close_session = qcrypto_cryptodev_backend_gcrypt_sym_close_session;
+    bc->do_sym_op = qcrypto_cryptodev_backend_gcrypt_sym_operation;
+}
+
+static const TypeInfo qcrypto_cryptodev_backend_gcrypt_info = {
+    .name = TYPE_QCRYPTO_CRYPTODEV_BACKEND_GCRYPT,
+    .parent = TYPE_QCRYPTO_CRYPTODEV_BACKEND,
+    .class_init = qcrypto_cryptodev_backend_gcrypt_class_init,
+    .instance_finalize = qcrypto_cryptodev_backend_gcrypt_finalize,
+    .instance_size = sizeof(QCryptoCryptoDevBackendGcrypt),
+};
+
+static void
+qcrypto_cryptodev_backend_gcrypt_register_types(void)
+{
+    type_register_static(&qcrypto_cryptodev_backend_gcrypt_info);
+}
+
+type_init(qcrypto_cryptodev_backend_gcrypt_register_types);
diff --git a/qemu-options.hx b/qemu-options.hx
index a71aaf8..aff1217 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3887,6 +3887,24 @@  Dump the network traffic on netdev @var{dev} to the file specified by
 The file format is libpcap, so it can be analyzed with tools such as tcpdump
 or Wireshark.
 
+@item -object cryptodev-backend-gcrypt,id=@var{id}[,queues=@var{queues}]
+
+Creates a cryptodev backend which executes crypto opreation from
+the gcrypt library on the host. The @var{id} parameter is
+a unique ID that will be used to reference this cryptodev backend from
+the @option{virtio-crypto} device. The @var{queues} parameter is optional,
+which specify the queue number of cryptodev backend, the default of
+@var{queues} is 1.
+
+@example
+
+ # qemu-system-x86_64 \
+   [...] \
+       -object cryptodev-backend-gcrypt,id=cryptodev0 \
+       -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
+   [...]
+@end example
+
 @item -object secret,id=@var{id},data=@var{string},format=@var{raw|base64}[,keyid=@var{secretid},iv=@var{string}]
 @item -object secret,id=@var{id},file=@var{filename},format=@var{raw|base64}[,keyid=@var{secretid},iv=@var{string}]