1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2020 Marvell International Ltd.
5 #ifndef __OTX2_IPSEC_FP_H__
6 #define __OTX2_IPSEC_FP_H__
8 #include <rte_crypto_sym.h>
9 #include <rte_security.h>
/*
 * Value encodings used when filling struct otx2_ipsec_fp_sa_ctl.
 * NOTE(review): the enum declarations and closing braces that wrap these
 * constants are on lines this listing does not show.
 */

/* SA direction; ipsec_fp_sa_ctl_set() writes one of these to ctl->direction. */
12 OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
13 OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
/* IP version; written to ctl->outer_ip_ver and ctl->inner_ip_ver. */
17 OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
18 OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
/* IPsec mode; written to ctl->ipsec_mode. */
22 OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
23 OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
/* IPsec protocol; written to ctl->ipsec_proto. */
27 OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
28 OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
/*
 * AES key size selector; written to ctl->aes_key_len (2 bits wide).
 * Value 0 has no enumerator here.
 */
32 OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
33 OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
34 OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
/*
 * Cipher selector for ctl->enc_type (3 bits wide). In the visible part of
 * ipsec_fp_sa_ctl_set() only AES_GCM and AES_CBC are ever assigned.
 * NOTE(review): ENC_NULL gives no confidentiality, and RFC 8221 marks DES
 * as MUST NOT and 3DES as SHOULD NOT for ESP. If support for the other
 * values is added, keep the verify path rejecting DES/3DES unless a caller
 * has an explicit interoperability need.
 */
38 OTX2_IPSEC_FP_SA_ENC_NULL = 0,
39 OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
40 OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
41 OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
42 OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
43 OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
44 OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
/*
 * Integrity algorithm selector for ctl->auth_type (4 bits wide).
 * ipsec_fp_sa_ctl_set() maps every value below from an RTE_CRYPTO_AUTH_*
 * algorithm, but the visible part of ipsec_fp_xform_auth_verify() only
 * checks SHA1-HMAC.
 * NOTE(review): AUTH_NULL disables integrity protection and RFC 8221 marks
 * HMAC-MD5 as MUST NOT; confirm that the verify path rejects both for
 * non-AEAD SAs.
 */
48 OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
49 OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
50 OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
51 OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
52 OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
53 OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
54 OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
55 OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
56 OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
/*
 * Fragmentation selector (POST = 0, PRE = 1).
 * NOTE(review): no visible line uses these; the field they belong to is
 * not identifiable from this listing.
 */
60 OTX2_IPSEC_FP_SA_FRAG_POST = 0,
61 OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
/*
 * Encapsulation selector; presumably the value of ctl->encap_type.
 * TODO confirm: no visible line assigns that field.
 */
65 OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
66 OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
/*
 * SA control bit-fields. ipsec_fp_sa_ctl_set() fills them from the
 * rte_security IPsec transform and the crypto transform chain.
 *
 * NOTE(review): several members and the closing brace are on lines this
 * listing omits; ipsec_fp_sa_ctl_set() also writes ctl->spi, which is not
 * among the visible members.
 * NOTE(review): bit-field allocation order is implementation-defined in C.
 * If this struct is shared with hardware or firmware, confirm the layout
 * on every supported compiler and endianness.
 */
69 struct otx2_ipsec_fp_sa_ctl {
71 uint64_t exp_proto_inter_frag : 8;
72 uint64_t rsvd_42_40 : 3; /* reserved by name; no visible line writes it */
74 uint64_t rsvd_45_44 : 2; /* reserved by name; no visible line writes it */
75 uint64_t encap_type : 2; /* presumably OTX2_IPSEC_FP_SA_ENCAP_* - confirm */
76 uint64_t enc_type : 3; /* OTX2_IPSEC_FP_SA_ENC_* (values 0..6 fit in 3 bits) */
78 uint64_t auth_type : 4; /* OTX2_IPSEC_FP_SA_AUTH_* (values 0..8 fit in 4 bits) */
80 uint64_t direction : 1; /* OTX2_IPSEC_FP_SA_DIRECTION_* */
81 uint64_t outer_ip_ver : 1; /* OTX2_IPSEC_FP_SA_IP_VERSION_*, set for tunnel mode */
82 uint64_t inner_ip_ver : 1; /* OTX2_IPSEC_FP_SA_IP_VERSION_* */
83 uint64_t ipsec_mode : 1; /* OTX2_IPSEC_FP_SA_MODE_* */
84 uint64_t ipsec_proto : 1; /* OTX2_IPSEC_FP_SA_PROTOCOL_* */
85 uint64_t aes_key_len : 2; /* OTX2_IPSEC_FP_SA_AES_KEY_LEN_* (values 1..3) */
/*
 * Outbound SA: the control word followed by key material.
 * NOTE(review): members between ctl and cipher_key, and the closing brace,
 * are on lines this listing omits.
 *
 * This struct holds secret keys. Code that releases or reuses an SA should
 * wipe it with a call the compiler cannot elide (for example
 * explicit_bzero), not a plain memset.
 */
88 struct otx2_ipsec_fp_out_sa {
90 struct otx2_ipsec_fp_sa_ctl ctl;
/* 32 bytes: large enough for an AES-256 key. */
102 uint8_t cipher_key[32];
/*
 * NOTE(review): ipsec_fp_xform_auth_verify() accepts SHA1-HMAC keys of up
 * to 64 bytes, which is larger than this 48-byte buffer. Confirm that the
 * code filling hmac_key (not shown) never copies auth.key.length bytes of
 * raw key into it.
 */
105 uint8_t hmac_key[48];
/*
 * Inbound SA: the control word, the AES-GCM nonce and key material.
 * NOTE(review): other members and the closing brace are on lines this
 * listing omits.
 *
 * This struct holds secret keys. Code that releases or reuses an SA should
 * wipe it with a call the compiler cannot elide (for example
 * explicit_bzero), not a plain memset.
 */
108 struct otx2_ipsec_fp_in_sa {
110 struct otx2_ipsec_fp_sa_ctl ctl;
113 uint8_t nonce[4]; /* Only for AES-GCM */
/* 32 bytes: large enough for an AES-256 key. */
121 uint8_t cipher_key[32];
/*
 * NOTE(review): ipsec_fp_xform_auth_verify() accepts SHA1-HMAC keys of up
 * to 64 bytes, which is larger than this 48-byte buffer. Confirm that the
 * code filling hmac_key (not shown) never copies auth.key.length bytes of
 * raw key into it.
 */
124 uint8_t hmac_key[48];
/*
 * Validate the cipher transform of a cipher+auth chain.
 *
 * The visible branch handles RTE_CRYPTO_CIPHER_AES_CBC and dispatches on
 * xform->cipher.key.length.
 *
 * NOTE(review): the return type, the accepted key lengths and the result
 * for any other algorithm are on lines this listing omits. This is the
 * visible length check for the chain's cipher key, so every accepted
 * length has to fit the 32-byte cipher_key[] of the SA structs.
 * xform is dereferenced without a NULL check; ipsec_fp_xform_verify() is
 * the visible caller.
 */
137 ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
139 if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
140 switch (xform->cipher.key.length) {
/*
 * Validate the auth transform of a cipher+auth chain.
 *
 * The visible branch handles RTE_CRYPTO_AUTH_SHA1_HMAC and tests that the
 * key length lies in 20..64 bytes (20 is the SHA-1 digest size, 64 its
 * block size).
 *
 * NOTE(review): the return type and the result for each path are on lines
 * this listing omits. ipsec_fp_sa_ctl_set() maps eight further auth
 * algorithms (NULL, MD5, SHA-2, GMAC, XCBC) that have no visible check
 * here; confirm they are rejected, or add a key-length check per
 * algorithm before enabling them.
 */
155 ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
157 uint16_t keylen = xform->auth.key.length;
159 if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
160 if (keylen >= 20 && keylen <= 64)
/*
 * Validate an AEAD transform against the SA direction.
 *
 * Visible checks: an egress SA whose AEAD op is not ENCRYPT, and an
 * ingress SA whose AEAD op is not DECRYPT, are each singled out; for
 * RTE_CRYPTO_AEAD_AES_GCM the key length is then dispatched on.
 *
 * NOTE(review): the return type, the action taken on a direction/op
 * mismatch (presumably an error return), the accepted key lengths and
 * the result for other AEAD algorithms are on lines this listing omits.
 */
168 ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
169 struct rte_crypto_sym_xform *xform)
/* Egress must encrypt. */
171 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
172 xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
/* Ingress must decrypt. */
175 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
176 xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
179 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
180 switch (xform->aead.key.length) {
/*
 * Validate the crypto transform chain supplied for an IPsec SA.
 *
 * An AEAD transform is delegated to ipsec_fp_xform_aead_verify().
 * Otherwise a two-element chain is expected: AUTH followed by CIPHER on
 * ingress, and CIPHER followed by AUTH in the other branch. The two
 * transforms are then passed to ipsec_fp_xform_cipher_verify() and
 * ipsec_fp_xform_auth_verify().
 *
 * NOTE(review): the return type, the declaration of ret, the error
 * returns and the assignment of auth_xform in the ingress branch are on
 * lines this listing omits. ipsec_fp_sa_ctl_set() dereferences the same
 * chain with no checks of its own, so callers should run this function
 * first and honour its result.
 */
195 ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
196 struct rte_crypto_sym_xform *xform)
198 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
201 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
202 return ipsec_fp_xform_aead_verify(ipsec, xform);
/* A non-AEAD SA needs a second transform; xform->next is read below. */
204 if (xform->next == NULL)
207 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
/* Ingress: the chain must be AUTH then CIPHER. */
209 if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
210 xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
213 cipher_xform = xform->next;
/* Other branch (presumably egress; its header is not shown): CIPHER then AUTH. */
216 if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
217 xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
219 cipher_xform = xform;
220 auth_xform = xform->next;
223 ret = ipsec_fp_xform_cipher_verify(cipher_xform);
227 ret = ipsec_fp_xform_auth_verify(auth_xform);
/*
 * Translate an rte_security IPsec transform and its crypto transform
 * chain into the bit-fields of *ctl.
 *
 * Sets direction, outer/inner IP version, IPsec mode, protocol, cipher
 * type, AES key length, auth type (non-AEAD only) and the SPI.
 *
 * NOTE(review): the return type, the declaration of aes_key_len, the
 * else/default branches and the return statements are on lines this
 * listing omits.
 * NOTE(review): no visible line checks xform, xform->next or ctl for
 * NULL. For a non-AEAD SA the code dereferences cipher_xform and
 * auth_xform, which come from xform->next, so it relies on
 * ipsec_fp_xform_verify() having accepted the chain beforehand.
 */
235 ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
236 struct rte_crypto_sym_xform *xform,
237 struct otx2_ipsec_fp_sa_ctl *ctl)
239 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
/* Direction also decides which chain element is the cipher and which the auth. */
242 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
243 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
244 cipher_xform = xform;
245 auth_xform = xform->next;
246 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
247 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
249 cipher_xform = xform->next;
/* The outer IP version is taken from the tunnel type, in tunnel mode only. */
254 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
255 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
256 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
257 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
258 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
/*
 * NOTE(review): the inner version is set to IPv4 here and no visible line
 * selects IPv6; confirm whether inner IPv6 is intentionally unsupported.
 */
263 ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
265 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
266 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
267 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
268 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
272 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
273 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
274 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
275 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
/* Cipher selection: AES-GCM for an AEAD transform, AES-CBC for a cipher chain. */
279 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
280 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
281 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
282 aes_key_len = xform->aead.key.length;
286 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
287 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CBC;
288 aes_key_len = cipher_xform->cipher.key.length;
/* Map the key length onto the 2-bit encoding; the case labels are not shown. */
293 switch (aes_key_len) {
295 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
298 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
301 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
/*
 * The auth type is set only for non-AEAD SAs.
 * NOTE(review): this switch also maps NULL and MD5-HMAC; whether those can
 * be reached depends on what ipsec_fp_xform_auth_verify() accepts.
 */
307 if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
308 switch (auth_xform->auth.algo) {
309 case RTE_CRYPTO_AUTH_NULL:
310 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
312 case RTE_CRYPTO_AUTH_MD5_HMAC:
313 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
315 case RTE_CRYPTO_AUTH_SHA1_HMAC:
316 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
318 case RTE_CRYPTO_AUTH_SHA224_HMAC:
319 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
321 case RTE_CRYPTO_AUTH_SHA256_HMAC:
322 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
324 case RTE_CRYPTO_AUTH_SHA384_HMAC:
325 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
327 case RTE_CRYPTO_AUTH_SHA512_HMAC:
328 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
330 case RTE_CRYPTO_AUTH_AES_GMAC:
331 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
333 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
334 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
/* Extended sequence numbers requested; the action taken is not shown. */
341 if (ipsec->options.esn == 1)
/* The SPI is stored in big-endian byte order. */
344 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
350 #endif /* __OTX2_IPSEC_FP_H__ */