drivers/crypto/cnxk/cn10k_ipsec.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(C) 2021 Marvell.
   3  */
   4
   5 #include <cryptodev_pmd.h>
   6 #include <rte_esp.h>
   7 #include <rte_ip.h>
   8 #include <rte_malloc.h>
   9 #include <rte_security.h>
  10 #include <rte_security_driver.h>
  11 #include <rte_udp.h>
  12
  13 #include "cn10k_ipsec.h"
  14 #include "cnxk_cryptodev.h"
  15 #include "cnxk_cryptodev_ops.h"
  16 #include "cnxk_ipsec.h"
  17 #include "cnxk_security.h"
  18
  19 #include "roc_api.h"
  20
  21 static uint64_t
  22 ipsec_cpt_inst_w7_get(struct roc_cpt *roc_cpt, void *sa)
  23 {
  24         union cpt_inst_w7 w7;
  25
  26         w7.u64 = 0;
  27         w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
  28         w7.s.ctx_val = 1;
  29         w7.s.cptr = (uint64_t)sa;
  30         rte_mb();
  31
  32         return w7.u64;
  33 }
  34
  35 static int
  36 cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
  37                            struct rte_security_ipsec_xform *ipsec_xfrm,
  38                            struct rte_crypto_sym_xform *crypto_xfrm,
  39                            struct rte_security_session *sec_sess)
  40 {
  41         union roc_ot_ipsec_outb_param1 param1;
  42         struct roc_ot_ipsec_outb_sa *sa_dptr;
  43         struct cnxk_ipsec_outb_rlens rlens;
  44         struct cn10k_sec_session *sess;
  45         struct cn10k_ipsec_sa *sa;
  46         union cpt_inst_w4 inst_w4;
  47         void *out_sa;
  48         int ret = 0;
  49
  50         sess = get_sec_session_private_data(sec_sess);
  51         sa = &sess->sa;
  52         out_sa = &sa->out_sa;
  53
  54         /* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
  55         sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_outb_sa), 8);
  56         if (sa_dptr == NULL) {
  57                 plt_err("Couldn't allocate memory for SA dptr");
  58                 return -ENOMEM;
  59         }
  60
  61         /* Translate security parameters to SA */
  62         ret = cnxk_ot_ipsec_outb_sa_fill(sa_dptr, ipsec_xfrm, crypto_xfrm);
  63         if (ret) {
  64                 plt_err("Could not fill outbound session parameters");
  65                 goto sa_dptr_free;
  66         }
  67
  68         sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, out_sa);
  69
  70 #ifdef LA_IPSEC_DEBUG
  71         /* Use IV from application in debug mode */
  72         if (ipsec_xfrm->options.iv_gen_disable == 1) {
  73                 sa_dptr->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
  74                 if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
  75                         sa->iv_offset = crypto_xfrm->aead.iv.offset;
  76                         sa->iv_length = crypto_xfrm->aead.iv.length;
  77                 } else {
  78                         sa->iv_offset = crypto_xfrm->cipher.iv.offset;
  79                         sa->iv_length = crypto_xfrm->cipher.iv.length;
  80                 }
  81         }
  82 #else
  83         if (ipsec_xfrm->options.iv_gen_disable != 0) {
  84                 plt_err("Application provided IV not supported");
  85                 ret = -ENOTSUP;
  86                 goto sa_dptr_free;
  87         }
  88 #endif
  89
  90         sa->is_outbound = true;
  91
  92         /* Get Rlen calculation data */
  93         ret = cnxk_ipsec_outb_rlens_get(&rlens, ipsec_xfrm, crypto_xfrm);
  94         if (ret)
  95                 goto sa_dptr_free;
  96
  97         sa->max_extended_len = rlens.max_extended_len;
  98
  99         /* pre-populate CPT INST word 4 */
 100         inst_w4.u64 = 0;
 101         inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
 102
 103         param1.u16 = 0;
 104
 105         /* Disable IP checksum computation by default */
 106         param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
 107
 108         if (ipsec_xfrm->options.ip_csum_enable) {
 109                 param1.s.ip_csum_disable =
 110                         ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
 111         }
 112
 113         /* Disable L4 checksum computation by default */
 114         param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
 115
 116         if (ipsec_xfrm->options.l4_csum_enable) {
 117                 param1.s.l4_csum_disable =
 118                         ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
 119         }
 120
 121         inst_w4.s.param1 = param1.u16;
 122
 123         sa->inst.w4 = inst_w4.u64;
 124
 125         memset(out_sa, 0, sizeof(struct roc_ot_ipsec_outb_sa));
 126
 127         /* Copy word0 from sa_dptr to populate ctx_push_sz ctx_size fields */
 128         memcpy(out_sa, sa_dptr, 8);
 129
 130         plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
 131
 132         /* Write session using microcode opcode */
 133         ret = roc_cpt_ctx_write(lf, sa_dptr, out_sa,
 134                                 sizeof(struct roc_ot_ipsec_outb_sa));
 135         if (ret) {
 136                 plt_err("Could not write outbound session to hardware");
 137                 goto sa_dptr_free;
 138         }
 139
 140         /* Trigger CTX flush so that data is written back to DRAM */
 141         roc_cpt_lf_ctx_flush(lf, out_sa, false);
 142
 143         plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
 144
 145 sa_dptr_free:
 146         plt_free(sa_dptr);
 147
 148         return ret;
 149 }
 150
 151 static int
 152 cn10k_ipsec_inb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 153                           struct rte_security_ipsec_xform *ipsec_xfrm,
 154                           struct rte_crypto_sym_xform *crypto_xfrm,
 155                           struct rte_security_session *sec_sess)
 156 {
 157         union roc_ot_ipsec_inb_param1 param1;
 158         struct roc_ot_ipsec_inb_sa *sa_dptr;
 159         struct cn10k_sec_session *sess;
 160         struct cn10k_ipsec_sa *sa;
 161         union cpt_inst_w4 inst_w4;
 162         void *in_sa;
 163         int ret = 0;
 164
 165         sess = get_sec_session_private_data(sec_sess);
 166         sa = &sess->sa;
 167         in_sa = &sa->in_sa;
 168
 169         /* Allocate memory to be used as dptr for CPT ucode WRITE_SA op */
 170         sa_dptr = plt_zmalloc(sizeof(struct roc_ot_ipsec_inb_sa), 8);
 171         if (sa_dptr == NULL) {
 172                 plt_err("Couldn't allocate memory for SA dptr");
 173                 return -ENOMEM;
 174         }
 175
 176         /* Translate security parameters to SA */
 177         ret = cnxk_ot_ipsec_inb_sa_fill(sa_dptr, ipsec_xfrm, crypto_xfrm);
 178         if (ret) {
 179                 plt_err("Could not fill inbound session parameters");
 180                 goto sa_dptr_free;
 181         }
 182
 183         sa->is_outbound = false;
 184         sa->inst.w7 = ipsec_cpt_inst_w7_get(roc_cpt, in_sa);
 185
 186         /* pre-populate CPT INST word 4 */
 187         inst_w4.u64 = 0;
 188         inst_w4.s.opcode_major = ROC_IE_OT_MAJOR_OP_PROCESS_INBOUND_IPSEC;
 189
 190         param1.u16 = 0;
 191
 192         /* Disable IP checksum verification by default */
 193         param1.s.ip_csum_disable = ROC_IE_OT_SA_INNER_PKT_IP_CSUM_DISABLE;
 194
 195         if (ipsec_xfrm->options.ip_csum_enable) {
 196                 param1.s.ip_csum_disable =
 197                         ROC_IE_OT_SA_INNER_PKT_IP_CSUM_ENABLE;
 198                 sa->ip_csum_enable = true;
 199         }
 200
 201         /* Disable L4 checksum verification by default */
 202         param1.s.l4_csum_disable = ROC_IE_OT_SA_INNER_PKT_L4_CSUM_DISABLE;
 203
 204         if (ipsec_xfrm->options.l4_csum_enable) {
 205                 param1.s.l4_csum_disable =
 206                         ROC_IE_OT_SA_INNER_PKT_L4_CSUM_ENABLE;
 207         }
 208
 209         param1.s.esp_trailer_disable = 1;
 210
 211         inst_w4.s.param1 = param1.u16;
 212
 213         sa->inst.w4 = inst_w4.u64;
 214
 215         memset(in_sa, 0, sizeof(struct roc_ot_ipsec_inb_sa));
 216
 217         /* Copy word0 from sa_dptr to populate ctx_push_sz ctx_size fields */
 218         memcpy(in_sa, sa_dptr, 8);
 219
 220         plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
 221
 222         /* Write session using microcode opcode */
 223         ret = roc_cpt_ctx_write(lf, sa_dptr, in_sa,
 224                                 sizeof(struct roc_ot_ipsec_inb_sa));
 225         if (ret) {
 226                 plt_err("Could not write inbound session to hardware");
 227                 goto sa_dptr_free;
 228         }
 229
 230         /* Trigger CTX flush so that data is written back to DRAM */
 231         roc_cpt_lf_ctx_flush(lf, in_sa, false);
 232
 233         plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
 234
 235 sa_dptr_free:
 236         plt_free(sa_dptr);
 237
 238         return ret;
 239 }
 240
 241 static int
 242 cn10k_ipsec_session_create(void *dev,
 243                            struct rte_security_ipsec_xform *ipsec_xfrm,
 244                            struct rte_crypto_sym_xform *crypto_xfrm,
 245                            struct rte_security_session *sess)
 246 {
 247         struct rte_cryptodev *crypto_dev = dev;
 248         struct roc_cpt *roc_cpt;
 249         struct cnxk_cpt_vf *vf;
 250         struct cnxk_cpt_qp *qp;
 251         int ret;
 252
 253         qp = crypto_dev->data->queue_pairs[0];
 254         if (qp == NULL) {
 255                 plt_err("Setup cpt queue pair before creating security session");
 256                 return -EPERM;
 257         }
 258
 259         ret = cnxk_ipsec_xform_verify(ipsec_xfrm, crypto_xfrm);
 260         if (ret)
 261                 return ret;
 262
 263         vf = crypto_dev->data->dev_private;
 264         roc_cpt = &vf->cpt;
 265
 266         if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
 267                 return cn10k_ipsec_inb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
 268                                                  crypto_xfrm, sess);
 269         else
 270                 return cn10k_ipsec_outb_sa_create(roc_cpt, &qp->lf, ipsec_xfrm,
 271                                                   crypto_xfrm, sess);
 272 }
 273
 274 static int
 275 cn10k_sec_session_create(void *device, struct rte_security_session_conf *conf,
 276                          struct rte_security_session *sess,
 277                          struct rte_mempool *mempool)
 278 {
 279         struct cn10k_sec_session *priv;
 280         int ret;
 281
 282         if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
 283                 return -EINVAL;
 284
 285         if (rte_mempool_get(mempool, (void **)&priv)) {
 286                 plt_err("Could not allocate security session private data");
 287                 return -ENOMEM;
 288         }
 289
 290         set_sec_session_private_data(sess, priv);
 291
 292         if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
 293                 ret = -ENOTSUP;
 294                 goto mempool_put;
 295         }
 296         ret = cn10k_ipsec_session_create(device, &conf->ipsec,
 297                                          conf->crypto_xform, sess);
 298         if (ret)
 299                 goto mempool_put;
 300
 301         return 0;
 302
 303 mempool_put:
 304         rte_mempool_put(mempool, priv);
 305         set_sec_session_private_data(sess, NULL);
 306         return ret;
 307 }
 308
 309 static int
 310 cn10k_sec_session_destroy(void *dev, struct rte_security_session *sec_sess)
 311 {
 312         struct rte_cryptodev *crypto_dev = dev;
 313         union roc_ot_ipsec_sa_word2 *w2;
 314         struct cn10k_sec_session *sess;
 315         struct rte_mempool *sess_mp;
 316         struct cn10k_ipsec_sa *sa;
 317         struct cnxk_cpt_qp *qp;
 318         struct roc_cpt_lf *lf;
 319
 320         sess = get_sec_session_private_data(sec_sess);
 321         if (sess == NULL)
 322                 return 0;
 323
 324         qp = crypto_dev->data->queue_pairs[0];
 325         if (qp == NULL)
 326                 return 0;
 327
 328         lf = &qp->lf;
 329
 330         sa = &sess->sa;
 331
 332         /* Trigger CTX flush to write dirty data back to DRAM */
 333         roc_cpt_lf_ctx_flush(lf, &sa->in_sa, false);
 334
 335         /* Wait for 1 ms so that flush is complete */
 336         rte_delay_ms(1);
 337
 338         w2 = (union roc_ot_ipsec_sa_word2 *)&sa->in_sa.w2;
 339         w2->s.valid = 0;
 340
 341         plt_atomic_thread_fence(__ATOMIC_SEQ_CST);
 342
 343         /* Trigger CTX reload to fetch new data from DRAM */
 344         roc_cpt_lf_ctx_reload(lf, &sa->in_sa);
 345
 346         sess_mp = rte_mempool_from_obj(sess);
 347
 348         set_sec_session_private_data(sec_sess, NULL);
 349         rte_mempool_put(sess_mp, sess);
 350
 351         return 0;
 352 }
 353
 354 static unsigned int
 355 cn10k_sec_session_get_size(void *device __rte_unused)
 356 {
 357         return sizeof(struct cn10k_sec_session);
 358 }
 359
 360 /* Update platform specific security ops */
 361 void
 362 cn10k_sec_ops_override(void)
 363 {
 364         /* Update platform specific ops */
 365         cnxk_sec_ops.session_create = cn10k_sec_session_create;
 366         cnxk_sec_ops.session_destroy = cn10k_sec_session_destroy;
 367         cnxk_sec_ops.session_get_size = cn10k_sec_session_get_size;
 368 }