1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2001-2021 Intel Corporation
5 #ifndef _VIRTCHNL_INLINE_IPSEC_H_
6 #define _VIRTCHNL_INLINE_IPSEC_H_
/* Array bounds for the virtchnl IPsec message structures below, followed by
 * all-ones sentinel values. Any length or count received from the peer must be
 * checked against the matching bound before it is used to index or copy.
 */
8 #define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM 3 /* sizes virtchnl_ipsec_cap.cap[] */
9 #define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM 16 /* sizes virtchnl_sym_crypto_cap.algo_cap_list[] */
10 #define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM 128 /* not referenced in this header; presumably a TX descriptor bound - verify in the driver */
11 #define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER 2 /* sizes virtchnl_ipsec_sym_crypto_cfg.items[] */
12 #define VIRTCHNL_IPSEC_MAX_KEY_LEN 128 /* bytes; sizes virtchnl_ipsec_crypto_cfg_item.key_data[]; a received key length must not exceed this */
13 #define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM 8 /* sizes virtchnl_ipsec_sa_destroy.sa_index[] */
14 #define VIRTCHNL_IPSEC_SA_DESTROY 0 /* not referenced in this header - TODO confirm meaning */
15 #define VIRTCHNL_IPSEC_BROADCAST_VFID 0xFFFFFFFF /* all-ones VF id sentinel */
16 #define VIRTCHNL_IPSEC_INVALID_REQ_ID 0xFFFF /* all-ones request id sentinel */
17 #define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP 0xFFFFFFFF /* all-ones sentinel; presumably the failure value of an SA create response - verify */
18 #define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP 0xFFFFFFFF /* all-ones sentinel; presumably the failure value of an SP create response - verify */
21 #define VIRTCHNL_AUTH 1 /* crypto item class: authentication (hash/MAC) - assumed from the name, the section comment is not visible here */
22 #define VIRTCHNL_CIPHER 2 /* crypto item class: cipher */
23 #define VIRTCHNL_AEAD 3 /* crypto item class: combined-mode AEAD */
/* Capability flag bits reported in virtchnl_ipsec_cap
 * ("capabilities enabled - value ref VIRTCHNL_IPSEC_XXX_ENA").
 * BIT() is not defined in this header.
 */
26 #define VIRTCHNL_IPSEC_ESN_ENA BIT(0) /* extended sequence numbers (esn_hi/esn_low) */
27 #define VIRTCHNL_IPSEC_UDP_ENCAP_ENA BIT(1) /* UDP encapsulation (udp_encap_enabled) */
28 #define VIRTCHNL_IPSEC_SA_INDEX_SW_ENA BIT(2) /* VF supplies the SA index itself (sa_index) */
29 #define VIRTCHNL_IPSEC_AUDIT_ENA BIT(3) /* auditing mode */
30 #define VIRTCHNL_IPSEC_BYTE_LIMIT_ENA BIT(4) /* lifetime byte limits (byte_limit_hard/byte_limit_soft) */
31 #define VIRTCHNL_IPSEC_DROP_ON_AUTH_FAIL_ENA BIT(5) /* drop_on_auth_fail_en */
32 #define VIRTCHNL_IPSEC_ARW_CHECK_ENA BIT(6) /* anti-replay window check (arw_size) */
33 #define VIRTCHNL_IPSEC_24BIT_SPI_ENA BIT(7) /* 24-bit SPI; no matching SA field is visible here - assumed from the name */
/* Algorithm ids. Authentication/hash ids (0-14), cipher ids (15-18) and AEAD
 * ids (19-21) share one numbering space. MD5-HMAC, SHA1-HMAC and 3DES-CBC are
 * legacy: RFC 8221 rates HMAC-MD5-96 MUST NOT, HMAC-SHA1-96 MUST- and 3DES-CBC
 * SHOULD NOT for ESP/AH; prefer AES-GCM/GMAC or the SHA-2 HMACs.
 */
37 #define VIRTCHNL_HASH_NO_ALG 0 /* NULL algorithm (no integrity protection) */
38 #define VIRTCHNL_AES_CBC_MAC 1 /* AES-CBC-MAC algorithm */
39 #define VIRTCHNL_AES_CMAC 2 /* AES CMAC algorithm */
40 #define VIRTCHNL_AES_GMAC 3 /* AES GMAC algorithm */
41 #define VIRTCHNL_AES_XCBC_MAC 4 /* AES XCBC algorithm */
42 #define VIRTCHNL_MD5_HMAC 5 /* HMAC using MD5 algorithm (legacy, RFC 8221 MUST NOT) */
43 #define VIRTCHNL_SHA1_HMAC 6 /* HMAC using SHA-1 (160-bit digest; legacy, RFC 8221 MUST-) */
44 #define VIRTCHNL_SHA224_HMAC 7 /* HMAC using 224 bit SHA algorithm */
45 #define VIRTCHNL_SHA256_HMAC 8 /* HMAC using 256 bit SHA algorithm */
46 #define VIRTCHNL_SHA384_HMAC 9 /* HMAC using 384 bit SHA algorithm */
47 #define VIRTCHNL_SHA512_HMAC 10 /* HMAC using 512 bit SHA algorithm */
48 #define VIRTCHNL_SHA3_224_HMAC 11 /* HMAC using 224 bit SHA3 algorithm */
49 #define VIRTCHNL_SHA3_256_HMAC 12 /* HMAC using 256 bit SHA3 algorithm */
50 #define VIRTCHNL_SHA3_384_HMAC 13 /* HMAC using 384 bit SHA3 algorithm */
51 #define VIRTCHNL_SHA3_512_HMAC 14 /* HMAC using 512 bit SHA3 algorithm */
52 /* Cipher Algorithm */
53 #define VIRTCHNL_CIPHER_NO_ALG 15 /* NULL algorithm (no confidentiality) */
54 #define VIRTCHNL_3DES_CBC 16 /* Triple DES algorithm in CBC mode (legacy, RFC 8221 SHOULD NOT) */
55 #define VIRTCHNL_AES_CBC 17 /* AES algorithm in CBC mode */
56 #define VIRTCHNL_AES_CTR 18 /* AES algorithm in Counter mode */
58 #define VIRTCHNL_AES_CCM 19 /* AES algorithm in CCM mode (AEAD) */
59 #define VIRTCHNL_AES_GCM 20 /* AES algorithm in GCM mode (AEAD) */
60 #define VIRTCHNL_CHACHA20_POLY1305 21 /* algorithm of ChaCha20-Poly1305 (AEAD) */
/* Enumerated field values referenced by the SA structures below. None of these
 * groups uses 0, so a zero-filled field is out of range and should be rejected
 * when a message is validated.
 */
63 #define VIRTCHNL_PROTO_ESP 1 /* IPsec protocol ids - "value ref VIRTCHNL_PROTO_XXX" (virtchnl_protocol_type) */
64 #define VIRTCHNL_PROTO_AH 2
65 #define VIRTCHNL_PROTO_RSVD1 3 /* reserved */
68 #define VIRTCHNL_SA_MODE_TRANSPORT 1 /* SA mode ids - "value ref VIRTCHNL_SA_MODE_XXX" */
69 #define VIRTCHNL_SA_MODE_TUNNEL 2
70 #define VIRTCHNL_SA_MODE_TRAN_TUN 3 /* both transport and tunnel */
71 #define VIRTCHNL_SA_MODE_UNKNOWN 4
74 #define VIRTCHNL_DIR_INGRESS 1 /* direction ids - "value ref VIRTCHNL_DIR_XXX" (virtchnl_direction) */
75 #define VIRTCHNL_DIR_EGRESS 2
76 #define VIRTCHNL_DIR_INGRESS_EGRESS 3 /* both directions */
79 #define VIRTCHNL_TERM_SOFTWARE 1 /* termination mode ids - "value ref VIRTCHNL_TERM_XXX" (virtchnl_termination) */
80 #define VIRTCHNL_TERM_HARDWARE 2
83 #define VIRTCHNL_IPV4 1 /* outer IP type ids ("type of outer IP - IPv4/IPv6") */
84 #define VIRTCHNL_IPV6 2
86 /* for virtchnl_ipsec_resp */
87 enum inline_ipsec_resp {
88 INLINE_IPSEC_SUCCESS = 0,
89 INLINE_IPSEC_FAIL = -1,
90 INLINE_IPSEC_ERR_FIFO_FULL = -2,
91 INLINE_IPSEC_ERR_NOT_READY = -3,
92 INLINE_IPSEC_ERR_VF_DOWN = -4,
93 INLINE_IPSEC_ERR_INVALID_PARAMS = -5,
94 INLINE_IPSEC_ERR_NO_MEM = -6,
97 /* Detailed opcodes for DPDK and IPsec use */
98 enum inline_ipsec_ops {
99 INLINE_IPSEC_OP_GET_CAP = 0,
100 INLINE_IPSEC_OP_GET_STATUS = 1,
101 INLINE_IPSEC_OP_SA_CREATE = 2,
102 INLINE_IPSEC_OP_SA_UPDATE = 3,
103 INLINE_IPSEC_OP_SA_DESTROY = 4,
104 INLINE_IPSEC_OP_SP_CREATE = 5,
105 INLINE_IPSEC_OP_SP_DESTROY = 6,
106 INLINE_IPSEC_OP_SA_READ = 7,
107 INLINE_IPSEC_OP_EVENT = 8,
108 INLINE_IPSEC_OP_RESP = 9,
111 /* Not all fields are valid; if a field is invalid, set all of its bits to 1 */
112 struct virtchnl_algo_cap {
134 /* VF records the crypto capability reported over virtchnl */
135 struct virtchnl_sym_crypto_cap {
138 struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
141 /* VIRTCHNL_OP_GET_IPSEC_CAP
142 * VF passes virtchnl_ipsec_cap to PF
143 * and PF returns the IPsec capability over virtchnl.
145 struct virtchnl_ipsec_cap {
146 /* max number of SA per VF */
149 /* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
150 u8 virtchnl_protocol_type;
152 /* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
155 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
156 u8 virtchnl_direction;
158 /* termination mode - value ref VIRTCHNL_TERM_XXX */
161 /* number of supported crypto capability */
167 /* capabilities enabled - value ref VIRTCHNL_IPSEC_XXX_ENA */
170 /* crypto capabilities */
171 struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
174 /* configuration of crypto function */
175 struct virtchnl_ipsec_crypto_cfg_item {
180 /* Length of valid IV data. */
183 /* Length of digest */
189 /* The length of the symmetric key */
192 /* key data buffer */
193 u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
196 struct virtchnl_ipsec_sym_crypto_cfg {
197 struct virtchnl_ipsec_crypto_cfg_item
198 items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
201 /* VIRTCHNL_OP_IPSEC_SA_CREATE
202 * VF sends this SA configuration to PF using virtchnl;
203 * PF creates the SA as configured and the PF driver returns
204 * a unique index (sa_idx) for the created SA.
206 struct virtchnl_ipsec_sa_cfg {
207 /* IPsec SA Protocol - AH/ESP */
208 u8 virtchnl_protocol_type;
210 /* termination mode - value ref VIRTCHNL_TERM_XXX */
211 u8 virtchnl_termination;
213 /* type of outer IP - IPv4/IPv6 */
216 /* type of esn - !0:enable/0:disable */
219 /* udp encap - !0:enable/0:disable */
220 u8 udp_encap_enabled;
222 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
223 u8 virtchnl_direction;
228 /* SA security parameter index */
231 /* outer src ip address */
234 /* outer dst ip address */
237 /* SPD reference. Used to link an SA with its policy.
238 * PF drivers may ignore this field.
242 /* high 32 bits of esn */
245 /* low 32 bits of esn */
248 /* When enabled, sa_index must be valid */
251 /* SA index when sa_index_en is true */
254 /* auditing mode - enable/disable */
257 /* lifetime byte limit - enable/disable
258 * When enabled, byte_limit_hard and byte_limit_soft
263 /* hard byte limit count */
266 /* soft byte limit count */
269 /* drop on authentication failure - enable/disable */
270 u8 drop_on_auth_fail_en;
272 /* anti-replay window check - enable/disable
273 * When enabled, arw_size must be valid.
277 /* size of arw window, offset by 1. Setting to 0
278 * represents ARW window size of 1. Setting to 127
279 * represents ARW window size of 128
283 /* no ip offload mode - enable/disable
284 * When enabled, ip type and address must not be valid.
288 /* SA Domain. Used to logically separate an SADB into groups.
289 * PF drivers supporting a single group ignore this field.
293 /* crypto configuration */
294 struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
297 /* VIRTCHNL_OP_IPSEC_SA_UPDATE
298 * VF sends the configuration of the indexed SA to PF;
299 * PF updates the SA according to that configuration.
301 struct virtchnl_ipsec_sa_update {
302 u32 sa_index; /* SA to update */
303 u32 esn_hi; /* high 32 bits of esn */
304 u32 esn_low; /* low 32 bits of esn */
307 /* VIRTCHNL_OP_IPSEC_SA_DESTROY
308 * VF sends the SA index configuration to PF;
309 * PF destroys SAs according to that configuration.
310 * The flag bitmap indicates whether all SAs or just the selected SAs will
313 struct virtchnl_ipsec_sa_destroy {
314 /* An all-zero bitmap indicates that all SAs will be destroyed.
315 * A non-zero bitmap indicates that only the selected SAs in
316 * the sa_index array will be destroyed.
320 /* selected SA index */
321 u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
324 /* VIRTCHNL_OP_IPSEC_SA_READ
325 * VF sends this SA configuration to PF using virtchnl;
326 * PF reads the SA and returns the configuration of the created SA.
328 struct virtchnl_ipsec_sa_read {
329 /* SA valid - invalid/valid */
332 /* SA active - inactive/active */
335 /* SA SN rollover - not_rollover/rollover */
338 /* IPsec SA Protocol - AH/ESP */
339 u8 virtchnl_protocol_type;
341 /* termination mode - value ref VIRTCHNL_TERM_XXX */
342 u8 virtchnl_termination;
344 /* auditing mode - enable/disable */
347 /* lifetime byte limit - enable/disable
348 * When set to limit, byte_limit_hard and byte_limit_soft
353 /* hard byte limit count */
356 /* soft byte limit count */
359 /* drop on authentication failure - enable/disable */
360 u8 drop_on_auth_fail_en;
362 /* anti-replay window check - enable/disable
363 * When set to check, arw_size, arw_top, and arw must be valid
367 /* size of arw window, offset by 1. Setting to 0
368 * represents ARW window size of 1. Setting to 127
369 * represents ARW window size of 128
376 /* top of anti-replay-window */
379 /* anti-replay-window */
382 /* packets processed */
383 u64 packets_processed;
385 /* bytes processed */
388 /* packets dropped */
391 /* authentication failures */
394 /* ARW check failures */
397 /* type of esn - enable/disable */
400 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
401 u8 virtchnl_direction;
403 /* SA security parameter index */
409 /* high 32 bits of esn */
412 /* low 32 bits of esn */
415 /* SA Domain. Used to logically separate an SADB into groups.
416 * PF drivers supporting a single group ignore this field.
420 /* SPD reference. Used to link an SA with its policy.
421 * PF drivers may ignore this field.
425 /* crypto configuration; salt and key data are returned zeroed (secrets are not echoed back) */
426 struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
/* Inbound SPD table selectors ("0 for IPv4 table, 1 for IPv6 table") used by
 * virtchnl_ipsec_sp_cfg and virtchnl_ipsec_sp_destroy.
 */
430 #define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV4 (0)
431 #define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV6 (1)
433 /* Add allowlist entry in IES */
434 struct virtchnl_ipsec_sp_cfg {
438 /* Drop frame if true or redirect to QAT if false. */
441 /* Congestion domain. For future use. */
444 /* 0 for IPv4 table, 1 for IPv6 table. */
447 /* Set TC (congestion domain) if true. For future use. */
452 /* Delete allowlist entry in IES */
453 struct virtchnl_ipsec_sp_destroy {
454 /* 0 for IPv4 table, 1 for IPv6 table. */
459 /* Response from IES to allowlist operations */
460 struct virtchnl_ipsec_sp_cfg_resp {
464 struct virtchnl_ipsec_sa_cfg_resp {
/* Event bits; distinct single bits, presumably or-ed into
 * virtchnl_ipsec_event.ipsec_event_data - verify against the PF driver.
 */
468 #define INLINE_IPSEC_EVENT_RESET 0x1
469 #define INLINE_IPSEC_EVENT_CRYPTO_ON 0x2
470 #define INLINE_IPSEC_EVENT_CRYPTO_OFF 0x4
472 struct virtchnl_ipsec_event {
473 u32 ipsec_event_data;
/* Status values reported through virtchnl_ipsec_status; 0 is not a defined
 * state, so an unset field should not be treated as either value.
 */
476 #define INLINE_IPSEC_STATUS_AVAILABLE 0x1
477 #define INLINE_IPSEC_STATUS_UNAVAILABLE 0x2
479 struct virtchnl_ipsec_status {
483 struct virtchnl_ipsec_resp {
487 /* Internal message descriptor for VF <-> IPsec communication */
488 struct inline_ipsec_msg {
494 struct virtchnl_ipsec_sa_cfg sa_cfg[0];
495 struct virtchnl_ipsec_sp_cfg sp_cfg[0];
496 struct virtchnl_ipsec_sa_update sa_update[0];
497 struct virtchnl_ipsec_sa_destroy sa_destroy[0];
498 struct virtchnl_ipsec_sp_destroy sp_destroy[0];
501 struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
502 struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
503 struct virtchnl_ipsec_cap ipsec_cap[0];
504 struct virtchnl_ipsec_status ipsec_status[0];
505 /* response to del_sa, del_sp, update_sa */
506 struct virtchnl_ipsec_resp ipsec_resp[0];
508 /* IPsec event (no req_id is required) */
509 struct virtchnl_ipsec_event event[0];
512 struct virtchnl_ipsec_sa_read sa_read[0];
516 static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
518 u16 valid_len = sizeof(struct inline_ipsec_msg);
521 case INLINE_IPSEC_OP_GET_CAP:
522 case INLINE_IPSEC_OP_GET_STATUS:
524 case INLINE_IPSEC_OP_SA_CREATE:
525 valid_len += sizeof(struct virtchnl_ipsec_sa_cfg);
527 case INLINE_IPSEC_OP_SP_CREATE:
528 valid_len += sizeof(struct virtchnl_ipsec_sp_cfg);
530 case INLINE_IPSEC_OP_SA_UPDATE:
531 valid_len += sizeof(struct virtchnl_ipsec_sa_update);
533 case INLINE_IPSEC_OP_SA_DESTROY:
534 valid_len += sizeof(struct virtchnl_ipsec_sa_destroy);
536 case INLINE_IPSEC_OP_SP_DESTROY:
537 valid_len += sizeof(struct virtchnl_ipsec_sp_destroy);
539 /* Only for msg length calculation of response to VF in case of
540 * inline ipsec failure.
542 case INLINE_IPSEC_OP_RESP:
543 valid_len += sizeof(struct virtchnl_ipsec_resp);
553 #endif /* _VIRTCHNL_INLINE_IPSEC_H_ */