1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2020 Marvell International Ltd.
5 #ifndef __OTX2_IPSEC_FP_H__
6 #define __OTX2_IPSEC_FP_H__
8 #include <rte_crypto_sym.h>
9 #include <rte_security.h>
11 /* Macros for anti replay and ESN */
12 #define OTX2_IPSEC_MAX_REPLAY_WIN_SZ 1024
14 struct otx2_ipsec_fp_res_hdr {
22 OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
23 OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
27 OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
28 OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
32 OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
33 OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
37 OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
38 OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
42 OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
43 OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
44 OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
48 OTX2_IPSEC_FP_SA_ENC_NULL = 0,
49 OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
50 OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
51 OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
52 OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
53 OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
54 OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
58 OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
59 OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
60 OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
61 OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
62 OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
63 OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
64 OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
65 OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
66 OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
70 OTX2_IPSEC_FP_SA_FRAG_POST = 0,
71 OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
75 OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
76 OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
79 struct otx2_ipsec_fp_sa_ctl {
81 uint64_t exp_proto_inter_frag : 8;
82 uint64_t rsvd_42_40 : 3;
84 uint64_t rsvd_45_44 : 2;
85 uint64_t encap_type : 2;
86 uint64_t enc_type : 3;
88 uint64_t auth_type : 4;
90 uint64_t direction : 1;
91 uint64_t outer_ip_ver : 1;
92 uint64_t inner_ip_ver : 1;
93 uint64_t ipsec_mode : 1;
94 uint64_t ipsec_proto : 1;
95 uint64_t aes_key_len : 2;
98 struct otx2_ipsec_fp_out_sa {
100 struct otx2_ipsec_fp_sa_ctl ctl;
112 uint8_t cipher_key[32];
115 uint8_t hmac_key[48];
118 struct otx2_ipsec_replay {
122 uint64_t base; /**< base of the anti-replay window */
123 uint64_t window[17]; /**< anti-replay window */
126 struct otx2_ipsec_fp_in_sa {
128 struct otx2_ipsec_fp_sa_ctl ctl;
131 uint8_t nonce[4]; /* Only for AES-GCM */
139 uint8_t cipher_key[32];
142 uint8_t hmac_key[48];
150 struct otx2_ipsec_replay *replay;
153 uint32_t replay_win_sz;
159 ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
161 if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
162 switch (xform->cipher.key.length) {
177 ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
179 uint16_t keylen = xform->auth.key.length;
181 if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
182 if (keylen >= 20 && keylen <= 64)
190 ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
191 struct rte_crypto_sym_xform *xform)
193 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
194 xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
197 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
198 xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
201 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
202 switch (xform->aead.key.length) {
217 ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
218 struct rte_crypto_sym_xform *xform)
220 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
223 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
224 return ipsec_fp_xform_aead_verify(ipsec, xform);
226 if (xform->next == NULL)
229 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
231 if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
232 xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
235 cipher_xform = xform->next;
238 if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
239 xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
241 cipher_xform = xform;
242 auth_xform = xform->next;
245 ret = ipsec_fp_xform_cipher_verify(cipher_xform);
249 ret = ipsec_fp_xform_auth_verify(auth_xform);
257 ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
258 struct rte_crypto_sym_xform *xform,
259 struct otx2_ipsec_fp_sa_ctl *ctl)
261 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
264 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
265 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
266 cipher_xform = xform;
267 auth_xform = xform->next;
268 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
269 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
271 cipher_xform = xform->next;
276 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
277 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
278 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
279 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
280 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
285 ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
287 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
288 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
289 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
290 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
294 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
295 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
296 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
297 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
301 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
302 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
303 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
304 aes_key_len = xform->aead.key.length;
308 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
309 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CBC;
310 aes_key_len = cipher_xform->cipher.key.length;
315 switch (aes_key_len) {
317 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
320 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
323 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
329 if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
330 switch (auth_xform->auth.algo) {
331 case RTE_CRYPTO_AUTH_NULL:
332 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
334 case RTE_CRYPTO_AUTH_MD5_HMAC:
335 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
337 case RTE_CRYPTO_AUTH_SHA1_HMAC:
338 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
340 case RTE_CRYPTO_AUTH_SHA224_HMAC:
341 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
343 case RTE_CRYPTO_AUTH_SHA256_HMAC:
344 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
346 case RTE_CRYPTO_AUTH_SHA384_HMAC:
347 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
349 case RTE_CRYPTO_AUTH_SHA512_HMAC:
350 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
352 case RTE_CRYPTO_AUTH_AES_GMAC:
353 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
355 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
356 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
363 if (ipsec->options.esn == 1)
366 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
371 #endif /* __OTX2_IPSEC_FP_H__ */