1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_cryptodev.h>
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
10 #include "cnxk_cryptodev.h"
11 #include "cnxk_cryptodev_ops.h"
12 #include "cnxk_ipsec.h"
13 #include "cnxk_security.h"
14 #include "cn9k_ipsec.h"
19 cn9k_cpt_enq_sa_write(struct cn9k_ipsec_sa *sa, struct cnxk_cpt_qp *qp,
20 uint8_t opcode, size_t ctx_len)
22 uint64_t lmtline = qp->lmtline.lmt_base;
23 uint64_t io_addr = qp->lmtline.io_addr;
24 uint64_t lmt_status, time_out;
25 struct cpt_cn9k_res_s *res;
26 struct cpt_inst_s inst;
30 if (unlikely(rte_mempool_get(qp->meta_info.pool, (void **)&mdata) < 0))
33 res = (struct cpt_cn9k_res_s *)RTE_PTR_ALIGN(mdata, 16);
34 res->compcode = CPT_COMP_NOT_DONE;
36 inst.w4.s.opcode_major = opcode;
37 inst.w4.s.opcode_minor = ctx_len >> 3;
40 inst.w4.s.dlen = ctx_len;
41 inst.dptr = rte_mempool_virt2iova(sa);
43 inst.w7.s.cptr = rte_mempool_virt2iova(sa);
44 inst.w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
49 inst.res_addr = rte_mempool_virt2iova(res);
54 /* Copy CPT command to LMTLINE */
55 roc_lmt_mov((void *)lmtline, &inst, 2);
56 lmt_status = roc_lmt_submit_ldeor(io_addr);
57 } while (lmt_status == 0);
59 time_out = rte_get_timer_cycles() +
60 DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
62 while (res->compcode == CPT_COMP_NOT_DONE) {
63 if (rte_get_timer_cycles() > time_out) {
64 rte_mempool_put(qp->meta_info.pool, mdata);
65 plt_err("Request timed out");
71 if (unlikely(res->compcode != CPT_COMP_GOOD)) {
74 case CPT_COMP_INSTERR:
75 plt_err("Request failed with instruction error");
78 plt_err("Request failed with DMA fault");
81 plt_err("Request failed with hardware error");
84 plt_err("Request failed with unknown hardware "
85 "completion code : 0x%x",
92 if (unlikely(res->uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {
93 ret = res->uc_compcode;
95 case ROC_IE_ON_AUTH_UNSUPPORTED:
96 plt_err("Invalid auth type");
98 case ROC_IE_ON_ENCRYPT_UNSUPPORTED:
99 plt_err("Invalid encrypt type");
102 plt_err("Request failed with unknown microcode "
103 "completion code : 0x%x",
110 rte_mempool_put(qp->meta_info.pool, mdata);
115 ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
116 struct rte_crypto_sym_xform *crypto_xform,
117 struct roc_ie_on_sa_ctl *ctl)
119 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
122 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
123 ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
124 cipher_xform = crypto_xform;
125 auth_xform = crypto_xform->next;
126 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
127 ctl->direction = ROC_IE_SA_DIR_INBOUND;
128 auth_xform = crypto_xform;
129 cipher_xform = crypto_xform->next;
134 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
135 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
136 ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
137 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
138 ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
143 ctl->inner_ip_ver = ctl->outer_ip_ver;
145 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
146 ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
147 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
148 ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
152 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
153 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;
154 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
155 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
159 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
160 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
161 ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
162 aes_key_len = crypto_xform->aead.key.length;
166 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
167 ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
168 aes_key_len = cipher_xform->cipher.key.length;
173 switch (aes_key_len) {
175 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
178 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
181 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
187 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
188 switch (auth_xform->auth.algo) {
189 case RTE_CRYPTO_AUTH_NULL:
190 ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
192 case RTE_CRYPTO_AUTH_MD5_HMAC:
193 ctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;
195 case RTE_CRYPTO_AUTH_SHA1_HMAC:
196 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
198 case RTE_CRYPTO_AUTH_SHA224_HMAC:
199 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;
201 case RTE_CRYPTO_AUTH_SHA256_HMAC:
202 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;
204 case RTE_CRYPTO_AUTH_SHA384_HMAC:
205 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;
207 case RTE_CRYPTO_AUTH_SHA512_HMAC:
208 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;
210 case RTE_CRYPTO_AUTH_AES_GMAC:
211 ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
213 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
214 ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
221 if (ipsec->options.esn)
224 if (ipsec->options.udp_encap == 1)
225 ctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;
227 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
237 fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
238 struct rte_crypto_sym_xform *crypto_xform,
239 struct roc_ie_on_common_sa *common_sa)
241 struct rte_crypto_sym_xform *cipher_xform;
242 const uint8_t *cipher_key;
243 int cipher_key_len = 0;
246 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
247 cipher_xform = crypto_xform->next;
249 cipher_xform = crypto_xform;
251 ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
255 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
256 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
257 memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
258 cipher_key = crypto_xform->aead.key.data;
259 cipher_key_len = crypto_xform->aead.key.length;
261 cipher_key = cipher_xform->cipher.key.data;
262 cipher_key_len = cipher_xform->cipher.key.length;
265 if (cipher_key_len != 0)
266 memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
274 cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
275 struct rte_security_ipsec_xform *ipsec,
276 struct rte_crypto_sym_xform *crypto_xform,
277 struct rte_security_session *sec_sess)
279 struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
280 struct roc_ie_on_ip_template *template = NULL;
281 struct cnxk_cpt_inst_tmpl *inst_tmpl;
282 struct roc_ie_on_outb_sa *out_sa;
283 struct cn9k_sec_session *sess;
284 struct roc_ie_on_sa_ctl *ctl;
285 struct cn9k_ipsec_sa *sa;
286 struct rte_ipv6_hdr *ip6;
287 struct rte_ipv4_hdr *ip4;
288 const uint8_t *auth_key;
289 union cpt_inst_w4 w4;
290 union cpt_inst_w7 w7;
291 int auth_key_len = 0;
295 sess = get_sec_session_private_data(sec_sess);
297 out_sa = &sa->out_sa;
298 ctl = &out_sa->common_sa.ctl;
300 memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
302 /* Initialize lookaside IPsec private data */
303 sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
304 /* Start ip id from 1 */
309 ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
313 ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
317 if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM) {
318 template = &out_sa->aes_gcm.template;
319 ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
320 } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA1) {
321 template = &out_sa->sha1.template;
322 ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template);
323 } else if (ctl->auth_type == ROC_IE_ON_SA_AUTH_SHA2_256) {
324 template = &out_sa->sha2.template;
325 ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template);
330 ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
331 if (ipsec->options.udp_encap) {
332 ip4->next_proto_id = IPPROTO_UDP;
333 template->ip4.udp_src = rte_be_to_cpu_16(4500);
334 template->ip4.udp_dst = rte_be_to_cpu_16(4500);
336 ip4->next_proto_id = IPPROTO_ESP;
339 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
340 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
341 ctx_len += sizeof(template->ip4);
343 ip4->version_ihl = RTE_IPV4_VHL_DEF;
344 ip4->time_to_live = ipsec->tunnel.ipv4.ttl;
345 ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
346 if (ipsec->tunnel.ipv4.df)
347 ip4->fragment_offset = BIT(14);
348 memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,
349 sizeof(struct in_addr));
350 memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
351 sizeof(struct in_addr));
352 } else if (ipsec->tunnel.type ==
353 RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
354 ctx_len += sizeof(template->ip6);
356 ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;
357 if (ipsec->options.udp_encap) {
358 ip6->proto = IPPROTO_UDP;
359 template->ip6.udp_src = rte_be_to_cpu_16(4500);
360 template->ip6.udp_dst = rte_be_to_cpu_16(4500);
362 ip6->proto = (ipsec->proto ==
363 RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
368 rte_cpu_to_be_32(0x60000000 |
369 ((ipsec->tunnel.ipv6.dscp
370 << RTE_IPV6_HDR_TC_SHIFT) &
371 RTE_IPV6_HDR_TC_MASK) |
372 ((ipsec->tunnel.ipv6.flabel
373 << RTE_IPV6_HDR_FL_SHIFT) &
374 RTE_IPV6_HDR_FL_MASK));
375 ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
376 memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
377 sizeof(struct in6_addr));
378 memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
379 sizeof(struct in6_addr));
382 ctx_len += sizeof(template->ip4);
384 ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
386 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
387 sa->cipher_iv_off = crypto_xform->aead.iv.offset;
388 sa->cipher_iv_len = crypto_xform->aead.iv.length;
390 sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
391 sa->cipher_iv_len = crypto_xform->cipher.iv.length;
393 auth_key = auth_xform->auth.key.data;
394 auth_key_len = auth_xform->auth.key.length;
396 if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
397 memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
398 else if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC)
399 memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
402 inst_tmpl = &sa->inst;
405 w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
406 w4.s.opcode_minor = ctx_len >> 3;
407 w4.s.param1 = ROC_IE_ON_PER_PKT_IV;
408 inst_tmpl->w4 = w4.u64;
411 w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
412 w7.s.cptr = rte_mempool_virt2iova(out_sa);
413 inst_tmpl->w7 = w7.u64;
415 return cn9k_cpt_enq_sa_write(
416 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);
420 cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
421 struct rte_security_ipsec_xform *ipsec,
422 struct rte_crypto_sym_xform *crypto_xform,
423 struct rte_security_session *sec_sess)
425 struct rte_crypto_sym_xform *auth_xform = crypto_xform;
426 struct cnxk_cpt_inst_tmpl *inst_tmpl;
427 struct roc_ie_on_inb_sa *in_sa;
428 struct cn9k_sec_session *sess;
429 struct cn9k_ipsec_sa *sa;
430 const uint8_t *auth_key;
431 union cpt_inst_w4 w4;
432 union cpt_inst_w7 w7;
433 int auth_key_len = 0;
437 sess = get_sec_session_private_data(sec_sess);
441 memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
443 sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
445 ret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);
449 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
450 ctx_len = offsetof(struct roc_ie_on_inb_sa,
451 sha1_or_gcm.hmac_key[0]);
453 auth_key = auth_xform->auth.key.data;
454 auth_key_len = auth_xform->auth.key.length;
456 if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
457 memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
459 ctx_len = offsetof(struct roc_ie_on_inb_sa,
460 sha1_or_gcm.selector);
461 } else if (auth_xform->auth.algo ==
462 RTE_CRYPTO_AUTH_SHA256_HMAC) {
463 memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
464 ctx_len = offsetof(struct roc_ie_on_inb_sa,
469 inst_tmpl = &sa->inst;
472 w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC;
473 w4.s.opcode_minor = ctx_len >> 3;
474 inst_tmpl->w4 = w4.u64;
477 w7.s.egrp = ROC_CPT_DFLT_ENG_GRP_SE;
478 w7.s.cptr = rte_mempool_virt2iova(in_sa);
479 inst_tmpl->w7 = w7.u64;
481 return cn9k_cpt_enq_sa_write(
482 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len);
486 cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
488 if (ipsec->life.bytes_hard_limit != 0 ||
489 ipsec->life.bytes_soft_limit != 0 ||
490 ipsec->life.packets_hard_limit != 0 ||
491 ipsec->life.packets_soft_limit != 0)
498 cn9k_ipsec_session_create(void *dev,
499 struct rte_security_ipsec_xform *ipsec_xform,
500 struct rte_crypto_sym_xform *crypto_xform,
501 struct rte_security_session *sess)
503 struct rte_cryptodev *crypto_dev = dev;
504 struct cnxk_cpt_qp *qp;
507 qp = crypto_dev->data->queue_pairs[0];
509 plt_err("CPT queue pairs need to be setup for creating security"
514 ret = cnxk_ipsec_xform_verify(ipsec_xform, crypto_xform);
518 ret = cn9k_ipsec_xform_verify(ipsec_xform);
522 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
523 return cn9k_ipsec_inb_sa_create(qp, ipsec_xform, crypto_xform,
526 return cn9k_ipsec_outb_sa_create(qp, ipsec_xform, crypto_xform,
531 cn9k_sec_session_create(void *device, struct rte_security_session_conf *conf,
532 struct rte_security_session *sess,
533 struct rte_mempool *mempool)
535 struct cn9k_sec_session *priv;
538 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
541 if (rte_mempool_get(mempool, (void **)&priv)) {
542 plt_err("Could not allocate security session private data");
546 memset(priv, 0, sizeof(*priv));
548 set_sec_session_private_data(sess, priv);
550 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
555 ret = cn9k_ipsec_session_create(device, &conf->ipsec,
556 conf->crypto_xform, sess);
563 rte_mempool_put(mempool, priv);
564 set_sec_session_private_data(sess, NULL);
569 cn9k_sec_session_destroy(void *device __rte_unused,
570 struct rte_security_session *sess)
572 struct roc_ie_on_outb_sa *out_sa;
573 struct cn9k_sec_session *priv;
574 struct rte_mempool *sess_mp;
575 struct roc_ie_on_sa_ctl *ctl;
576 struct cn9k_ipsec_sa *sa;
578 priv = get_sec_session_private_data(sess);
583 out_sa = &sa->out_sa;
585 ctl = &out_sa->common_sa.ctl;
590 sess_mp = rte_mempool_from_obj(priv);
592 memset(priv, 0, sizeof(*priv));
594 set_sec_session_private_data(sess, NULL);
595 rte_mempool_put(sess_mp, priv);
601 cn9k_sec_session_get_size(void *device __rte_unused)
603 return sizeof(struct cn9k_sec_session);
606 /* Update platform specific security ops */
608 cn9k_sec_ops_override(void)
610 /* Update platform specific ops */
611 cnxk_sec_ops.session_create = cn9k_sec_session_create;
612 cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy;
613 cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size;