1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <cryptodev_pmd.h>
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
10 #include "cnxk_cryptodev.h"
11 #include "cnxk_cryptodev_ops.h"
12 #include "cnxk_ipsec.h"
13 #include "cnxk_security.h"
14 #include "cn9k_ipsec.h"
19 cn9k_cpt_enq_sa_write(struct cn9k_ipsec_sa *sa, struct cnxk_cpt_qp *qp,
20 uint8_t opcode, size_t ctx_len)
22 struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
23 uint64_t lmtline = qp->lmtline.lmt_base;
24 uint64_t io_addr = qp->lmtline.io_addr;
25 uint64_t lmt_status, time_out;
26 struct cpt_cn9k_res_s *res;
27 struct cpt_inst_s inst;
31 if (unlikely(rte_mempool_get(qp->meta_info.pool, (void **)&mdata) < 0))
34 res = (struct cpt_cn9k_res_s *)RTE_PTR_ALIGN(mdata, 16);
35 res->compcode = CPT_COMP_NOT_DONE;
37 inst.w4.s.opcode_major = opcode;
38 inst.w4.s.opcode_minor = ctx_len >> 3;
41 inst.w4.s.dlen = ctx_len;
42 inst.dptr = rte_mempool_virt2iova(sa);
44 inst.w7.s.cptr = rte_mempool_virt2iova(sa);
45 inst.w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
50 inst.res_addr = rte_mempool_virt2iova(res);
55 /* Copy CPT command to LMTLINE */
56 roc_lmt_mov((void *)lmtline, &inst, 2);
57 lmt_status = roc_lmt_submit_ldeor(io_addr);
58 } while (lmt_status == 0);
60 time_out = rte_get_timer_cycles() +
61 DEFAULT_COMMAND_TIMEOUT * rte_get_timer_hz();
63 while (res->compcode == CPT_COMP_NOT_DONE) {
64 if (rte_get_timer_cycles() > time_out) {
65 rte_mempool_put(qp->meta_info.pool, mdata);
66 plt_err("Request timed out");
72 if (unlikely(res->compcode != CPT_COMP_GOOD)) {
75 case CPT_COMP_INSTERR:
76 plt_err("Request failed with instruction error");
79 plt_err("Request failed with DMA fault");
82 plt_err("Request failed with hardware error");
85 plt_err("Request failed with unknown hardware "
86 "completion code : 0x%x",
93 if (unlikely(res->uc_compcode != ROC_IE_ON_UCC_SUCCESS)) {
94 ret = res->uc_compcode;
96 case ROC_IE_ON_AUTH_UNSUPPORTED:
97 plt_err("Invalid auth type");
99 case ROC_IE_ON_ENCRYPT_UNSUPPORTED:
100 plt_err("Invalid encrypt type");
103 plt_err("Request failed with unknown microcode "
104 "completion code : 0x%x",
111 rte_mempool_put(qp->meta_info.pool, mdata);
116 ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
117 struct rte_crypto_sym_xform *crypto_xform,
118 struct roc_ie_on_sa_ctl *ctl)
120 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
123 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
124 ctl->direction = ROC_IE_SA_DIR_OUTBOUND;
125 cipher_xform = crypto_xform;
126 auth_xform = crypto_xform->next;
127 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
128 ctl->direction = ROC_IE_SA_DIR_INBOUND;
129 auth_xform = crypto_xform;
130 cipher_xform = crypto_xform->next;
135 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
136 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
137 ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4;
138 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
139 ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6;
144 ctl->inner_ip_ver = ctl->outer_ip_ver;
146 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
147 ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT;
148 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
149 ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL;
153 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
154 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH;
155 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
156 ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP;
160 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
161 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
162 ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM;
163 aes_key_len = crypto_xform->aead.key.length;
167 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
168 ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC;
169 aes_key_len = cipher_xform->cipher.key.length;
174 switch (aes_key_len) {
176 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128;
179 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192;
182 ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256;
188 if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
189 switch (auth_xform->auth.algo) {
190 case RTE_CRYPTO_AUTH_NULL:
191 ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL;
193 case RTE_CRYPTO_AUTH_MD5_HMAC:
194 ctl->auth_type = ROC_IE_ON_SA_AUTH_MD5;
196 case RTE_CRYPTO_AUTH_SHA1_HMAC:
197 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1;
199 case RTE_CRYPTO_AUTH_SHA224_HMAC:
200 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224;
202 case RTE_CRYPTO_AUTH_SHA256_HMAC:
203 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256;
205 case RTE_CRYPTO_AUTH_SHA384_HMAC:
206 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384;
208 case RTE_CRYPTO_AUTH_SHA512_HMAC:
209 ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512;
211 case RTE_CRYPTO_AUTH_AES_GMAC:
212 ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
214 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
215 ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
222 if (ipsec->options.esn)
225 if (ipsec->options.udp_encap == 1)
226 ctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP;
228 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
238 fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
239 struct rte_crypto_sym_xform *crypto_xform,
240 struct roc_ie_on_common_sa *common_sa)
242 struct rte_crypto_sym_xform *cipher_xform;
243 const uint8_t *cipher_key;
244 int cipher_key_len = 0;
247 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
248 cipher_xform = crypto_xform->next;
250 cipher_xform = crypto_xform;
252 ret = ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl);
256 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
257 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
258 memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
259 cipher_key = crypto_xform->aead.key.data;
260 cipher_key_len = crypto_xform->aead.key.length;
262 cipher_key = cipher_xform->cipher.key.data;
263 cipher_key_len = cipher_xform->cipher.key.length;
266 if (cipher_key_len != 0)
267 memcpy(common_sa->cipher_key, cipher_key, cipher_key_len);
275 cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
276 struct rte_security_ipsec_xform *ipsec,
277 struct rte_crypto_sym_xform *crypto_xform,
278 struct rte_security_session *sec_sess)
280 struct rte_crypto_sym_xform *auth_xform = crypto_xform->next;
281 struct roc_ie_on_ip_template *template = NULL;
282 struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
283 union roc_on_ipsec_outb_param1 param1;
284 struct cnxk_cpt_inst_tmpl *inst_tmpl;
285 struct roc_ie_on_outb_sa *out_sa;
286 struct cn9k_sec_session *sess;
287 struct roc_ie_on_sa_ctl *ctl;
288 struct cn9k_ipsec_sa *sa;
289 struct rte_ipv6_hdr *ip6;
290 struct rte_ipv4_hdr *ip4;
291 const uint8_t *auth_key;
292 union cpt_inst_w4 w4;
293 union cpt_inst_w7 w7;
294 int auth_key_len = 0;
298 sess = get_sec_session_private_data(sec_sess);
300 out_sa = &sa->out_sa;
301 ctl = &out_sa->common_sa.ctl;
303 memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
305 /* Initialize lookaside IPsec private data */
306 sa->dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
307 /* Start ip id from 1 */
312 ret = fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa);
316 ret = cnxk_ipsec_outb_rlens_get(&sa->rlens, ipsec, crypto_xform);
320 if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
321 ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
322 template = &out_sa->aes_gcm.template;
323 ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
325 switch (ctl->auth_type) {
326 case ROC_IE_ON_SA_AUTH_SHA1:
327 template = &out_sa->sha1.template;
328 ctx_len = offsetof(struct roc_ie_on_outb_sa,
331 case ROC_IE_ON_SA_AUTH_SHA2_256:
332 case ROC_IE_ON_SA_AUTH_SHA2_384:
333 case ROC_IE_ON_SA_AUTH_SHA2_512:
334 template = &out_sa->sha2.template;
335 ctx_len = offsetof(struct roc_ie_on_outb_sa,
343 ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr;
344 if (ipsec->options.udp_encap) {
345 ip4->next_proto_id = IPPROTO_UDP;
346 template->ip4.udp_src = rte_be_to_cpu_16(4500);
347 template->ip4.udp_dst = rte_be_to_cpu_16(4500);
349 ip4->next_proto_id = IPPROTO_ESP;
352 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
353 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
354 ctx_len += sizeof(template->ip4);
356 ip4->version_ihl = RTE_IPV4_VHL_DEF;
357 ip4->time_to_live = ipsec->tunnel.ipv4.ttl;
358 ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2);
359 if (ipsec->tunnel.ipv4.df)
360 ip4->fragment_offset = BIT(14);
361 memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip,
362 sizeof(struct in_addr));
363 memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip,
364 sizeof(struct in_addr));
365 } else if (ipsec->tunnel.type ==
366 RTE_SECURITY_IPSEC_TUNNEL_IPV6) {
367 ctx_len += sizeof(template->ip6);
369 ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr;
370 if (ipsec->options.udp_encap) {
371 ip6->proto = IPPROTO_UDP;
372 template->ip6.udp_src = rte_be_to_cpu_16(4500);
373 template->ip6.udp_dst = rte_be_to_cpu_16(4500);
375 ip6->proto = (ipsec->proto ==
376 RTE_SECURITY_IPSEC_SA_PROTO_ESP) ?
381 rte_cpu_to_be_32(0x60000000 |
382 ((ipsec->tunnel.ipv6.dscp
383 << RTE_IPV6_HDR_TC_SHIFT) &
384 RTE_IPV6_HDR_TC_MASK) |
385 ((ipsec->tunnel.ipv6.flabel
386 << RTE_IPV6_HDR_FL_SHIFT) &
387 RTE_IPV6_HDR_FL_MASK));
388 ip6->hop_limits = ipsec->tunnel.ipv6.hlimit;
389 memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr,
390 sizeof(struct in6_addr));
391 memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr,
392 sizeof(struct in6_addr));
395 ctx_len += sizeof(template->ip4);
397 ctx_len += RTE_ALIGN_CEIL(ctx_len, 8);
399 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
400 sa->cipher_iv_off = crypto_xform->aead.iv.offset;
401 sa->cipher_iv_len = crypto_xform->aead.iv.length;
403 sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
404 sa->cipher_iv_len = crypto_xform->cipher.iv.length;
406 auth_key = auth_xform->auth.key.data;
407 auth_key_len = auth_xform->auth.key.length;
409 switch (auth_xform->auth.algo) {
410 case RTE_CRYPTO_AUTH_NULL:
412 case RTE_CRYPTO_AUTH_SHA1_HMAC:
413 memcpy(out_sa->sha1.hmac_key, auth_key, auth_key_len);
415 case RTE_CRYPTO_AUTH_SHA256_HMAC:
416 case RTE_CRYPTO_AUTH_SHA384_HMAC:
417 case RTE_CRYPTO_AUTH_SHA512_HMAC:
418 memcpy(out_sa->sha2.hmac_key, auth_key, auth_key_len);
421 plt_err("Unsupported auth algorithm %u",
422 auth_xform->auth.algo);
427 inst_tmpl = &sa->inst;
430 w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_OUTBOUND_IPSEC;
431 w4.s.opcode_minor = ctx_len >> 3;
435 param1.s.per_pkt_iv = 1;
436 w4.s.param1 = param1.u16;
438 inst_tmpl->w4 = w4.u64;
441 w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
442 w7.s.cptr = rte_mempool_virt2iova(out_sa);
443 inst_tmpl->w7 = w7.u64;
445 return cn9k_cpt_enq_sa_write(
446 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_OUTBOUND, ctx_len);
450 cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
451 struct rte_security_ipsec_xform *ipsec,
452 struct rte_crypto_sym_xform *crypto_xform,
453 struct rte_security_session *sec_sess)
455 struct rte_crypto_sym_xform *auth_xform = crypto_xform;
456 struct roc_cpt *roc_cpt = qp->lf.roc_cpt;
457 union roc_on_ipsec_inb_param2 param2;
458 struct cnxk_cpt_inst_tmpl *inst_tmpl;
459 struct roc_ie_on_inb_sa *in_sa;
460 struct cn9k_sec_session *sess;
461 struct cn9k_ipsec_sa *sa;
462 const uint8_t *auth_key;
463 union cpt_inst_w4 w4;
464 union cpt_inst_w7 w7;
465 int auth_key_len = 0;
469 sess = get_sec_session_private_data(sec_sess);
473 memset(sa, 0, sizeof(struct cn9k_ipsec_sa));
475 sa->dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
476 sa->replay_win_sz = ipsec->replay_win_sz;
478 ret = fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa);
482 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
483 auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
484 ctx_len = offsetof(struct roc_ie_on_inb_sa,
485 sha1_or_gcm.hmac_key[0]);
487 auth_key = auth_xform->auth.key.data;
488 auth_key_len = auth_xform->auth.key.length;
490 switch (auth_xform->auth.algo) {
491 case RTE_CRYPTO_AUTH_NULL:
493 case RTE_CRYPTO_AUTH_SHA1_HMAC:
494 memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key,
496 ctx_len = offsetof(struct roc_ie_on_inb_sa,
497 sha1_or_gcm.selector);
499 case RTE_CRYPTO_AUTH_SHA256_HMAC:
500 case RTE_CRYPTO_AUTH_SHA384_HMAC:
501 case RTE_CRYPTO_AUTH_SHA512_HMAC:
502 memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len);
503 ctx_len = offsetof(struct roc_ie_on_inb_sa,
507 plt_err("Unsupported auth algorithm %u",
508 auth_xform->auth.algo);
513 inst_tmpl = &sa->inst;
516 w4.s.opcode_major = ROC_IE_ON_MAJOR_OP_PROCESS_INBOUND_IPSEC;
517 w4.s.opcode_minor = ctx_len >> 3;
521 w4.s.param2 = param2.u16;
523 inst_tmpl->w4 = w4.u64;
526 w7.s.egrp = roc_cpt->eng_grp[CPT_ENG_TYPE_IE];
527 w7.s.cptr = rte_mempool_virt2iova(in_sa);
528 inst_tmpl->w7 = w7.u64;
530 if (sa->replay_win_sz) {
531 if (sa->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) {
532 plt_err("Replay window size:%u is not supported",
537 /* Set window bottom to 1, base and top to size of window */
539 sa->ar.wint = sa->replay_win_sz;
540 sa->ar.base = sa->replay_win_sz;
542 in_sa->common_sa.esn_low = 0;
543 in_sa->common_sa.esn_hi = 0;
546 return cn9k_cpt_enq_sa_write(
547 sa, qp, ROC_IE_ON_MAJOR_OP_WRITE_IPSEC_INBOUND, ctx_len);
551 cn9k_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec)
553 if (ipsec->life.bytes_hard_limit != 0 ||
554 ipsec->life.bytes_soft_limit != 0 ||
555 ipsec->life.packets_hard_limit != 0 ||
556 ipsec->life.packets_soft_limit != 0)
563 cn9k_ipsec_session_create(void *dev,
564 struct rte_security_ipsec_xform *ipsec_xform,
565 struct rte_crypto_sym_xform *crypto_xform,
566 struct rte_security_session *sess)
568 struct rte_cryptodev *crypto_dev = dev;
569 struct cnxk_cpt_qp *qp;
572 qp = crypto_dev->data->queue_pairs[0];
574 plt_err("CPT queue pairs need to be setup for creating security"
579 ret = cnxk_ipsec_xform_verify(ipsec_xform, crypto_xform);
583 ret = cn9k_ipsec_xform_verify(ipsec_xform);
587 if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
588 return cn9k_ipsec_inb_sa_create(qp, ipsec_xform, crypto_xform,
591 return cn9k_ipsec_outb_sa_create(qp, ipsec_xform, crypto_xform,
596 cn9k_sec_session_create(void *device, struct rte_security_session_conf *conf,
597 struct rte_security_session *sess,
598 struct rte_mempool *mempool)
600 struct cn9k_sec_session *priv;
603 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL)
606 if (rte_mempool_get(mempool, (void **)&priv)) {
607 plt_err("Could not allocate security session private data");
611 memset(priv, 0, sizeof(*priv));
613 set_sec_session_private_data(sess, priv);
615 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) {
620 ret = cn9k_ipsec_session_create(device, &conf->ipsec,
621 conf->crypto_xform, sess);
628 rte_mempool_put(mempool, priv);
629 set_sec_session_private_data(sess, NULL);
634 cn9k_sec_session_destroy(void *device __rte_unused,
635 struct rte_security_session *sess)
637 struct roc_ie_on_outb_sa *out_sa;
638 struct cn9k_sec_session *priv;
639 struct rte_mempool *sess_mp;
640 struct roc_ie_on_sa_ctl *ctl;
641 struct cn9k_ipsec_sa *sa;
643 priv = get_sec_session_private_data(sess);
648 out_sa = &sa->out_sa;
650 ctl = &out_sa->common_sa.ctl;
655 sess_mp = rte_mempool_from_obj(priv);
657 memset(priv, 0, sizeof(*priv));
659 set_sec_session_private_data(sess, NULL);
660 rte_mempool_put(sess_mp, priv);
666 cn9k_sec_session_get_size(void *device __rte_unused)
668 return sizeof(struct cn9k_sec_session);
671 /* Update platform specific security ops */
673 cn9k_sec_ops_override(void)
675 /* Update platform specific ops */
676 cnxk_sec_ops.session_create = cn9k_sec_session_create;
677 cnxk_sec_ops.session_destroy = cn9k_sec_session_destroy;
678 cnxk_sec_ops.session_get_size = cn9k_sec_session_get_size;