1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2020 Marvell International Ltd.
5 #ifndef __OTX2_IPSEC_FP_H__
6 #define __OTX2_IPSEC_FP_H__
8 #include <rte_crypto_sym.h>
9 #include <rte_security.h>
11 /* Macros for anti replay and ESN */
12 #define OTX2_IPSEC_MAX_REPLAY_WIN_SZ 1024
13 #define OTX2_IPSEC_SAINDEX_SZ 4
14 #define OTX2_IPSEC_SEQNO_LO 4
16 #define OTX2_IPSEC_SEQNO_LO_INDEX (RTE_ETHER_HDR_LEN + \
17 OTX2_IPSEC_SAINDEX_SZ)
19 #define OTX2_IPSEC_SEQNO_HI_INDEX (OTX2_IPSEC_SEQNO_LO_INDEX + \
23 OTX2_IPSEC_FP_SA_DIRECTION_INBOUND = 0,
24 OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND = 1,
28 OTX2_IPSEC_FP_SA_IP_VERSION_4 = 0,
29 OTX2_IPSEC_FP_SA_IP_VERSION_6 = 1,
33 OTX2_IPSEC_FP_SA_MODE_TRANSPORT = 0,
34 OTX2_IPSEC_FP_SA_MODE_TUNNEL = 1,
38 OTX2_IPSEC_FP_SA_PROTOCOL_AH = 0,
39 OTX2_IPSEC_FP_SA_PROTOCOL_ESP = 1,
43 OTX2_IPSEC_FP_SA_AES_KEY_LEN_128 = 1,
44 OTX2_IPSEC_FP_SA_AES_KEY_LEN_192 = 2,
45 OTX2_IPSEC_FP_SA_AES_KEY_LEN_256 = 3,
49 OTX2_IPSEC_FP_SA_ENC_NULL = 0,
50 OTX2_IPSEC_FP_SA_ENC_DES_CBC = 1,
51 OTX2_IPSEC_FP_SA_ENC_3DES_CBC = 2,
52 OTX2_IPSEC_FP_SA_ENC_AES_CBC = 3,
53 OTX2_IPSEC_FP_SA_ENC_AES_CTR = 4,
54 OTX2_IPSEC_FP_SA_ENC_AES_GCM = 5,
55 OTX2_IPSEC_FP_SA_ENC_AES_CCM = 6,
59 OTX2_IPSEC_FP_SA_AUTH_NULL = 0,
60 OTX2_IPSEC_FP_SA_AUTH_MD5 = 1,
61 OTX2_IPSEC_FP_SA_AUTH_SHA1 = 2,
62 OTX2_IPSEC_FP_SA_AUTH_SHA2_224 = 3,
63 OTX2_IPSEC_FP_SA_AUTH_SHA2_256 = 4,
64 OTX2_IPSEC_FP_SA_AUTH_SHA2_384 = 5,
65 OTX2_IPSEC_FP_SA_AUTH_SHA2_512 = 6,
66 OTX2_IPSEC_FP_SA_AUTH_AES_GMAC = 7,
67 OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128 = 8,
71 OTX2_IPSEC_FP_SA_FRAG_POST = 0,
72 OTX2_IPSEC_FP_SA_FRAG_PRE = 1,
76 OTX2_IPSEC_FP_SA_ENCAP_NONE = 0,
77 OTX2_IPSEC_FP_SA_ENCAP_UDP = 1,
80 struct otx2_ipsec_fp_sa_ctl {
82 uint64_t exp_proto_inter_frag : 8;
83 uint64_t rsvd_42_40 : 3;
85 uint64_t rsvd_45_44 : 2;
86 uint64_t encap_type : 2;
87 uint64_t enc_type : 3;
89 uint64_t auth_type : 4;
91 uint64_t direction : 1;
92 uint64_t outer_ip_ver : 1;
93 uint64_t inner_ip_ver : 1;
94 uint64_t ipsec_mode : 1;
95 uint64_t ipsec_proto : 1;
96 uint64_t aes_key_len : 2;
99 struct otx2_ipsec_fp_out_sa {
101 struct otx2_ipsec_fp_sa_ctl ctl;
113 uint8_t cipher_key[32];
116 uint8_t hmac_key[48];
119 struct otx2_ipsec_replay {
123 uint64_t base; /**< base of the anti-replay window */
124 uint64_t window[17]; /**< anti-replay window */
127 struct otx2_ipsec_fp_in_sa {
129 struct otx2_ipsec_fp_sa_ctl ctl;
132 uint8_t nonce[4]; /* Only for AES-GCM */
140 uint8_t cipher_key[32];
143 uint8_t hmac_key[48];
151 struct otx2_ipsec_replay *replay;
154 uint32_t replay_win_sz;
160 ipsec_fp_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
162 if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
163 switch (xform->cipher.key.length) {
178 ipsec_fp_xform_auth_verify(struct rte_crypto_sym_xform *xform)
180 uint16_t keylen = xform->auth.key.length;
182 if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
183 if (keylen >= 20 && keylen <= 64)
191 ipsec_fp_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
192 struct rte_crypto_sym_xform *xform)
194 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
195 xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
198 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
199 xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
202 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
203 switch (xform->aead.key.length) {
218 ipsec_fp_xform_verify(struct rte_security_ipsec_xform *ipsec,
219 struct rte_crypto_sym_xform *xform)
221 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
224 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
225 return ipsec_fp_xform_aead_verify(ipsec, xform);
227 if (xform->next == NULL)
230 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
232 if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
233 xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
236 cipher_xform = xform->next;
239 if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
240 xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
242 cipher_xform = xform;
243 auth_xform = xform->next;
246 ret = ipsec_fp_xform_cipher_verify(cipher_xform);
250 ret = ipsec_fp_xform_auth_verify(auth_xform);
258 ipsec_fp_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
259 struct rte_crypto_sym_xform *xform,
260 struct otx2_ipsec_fp_sa_ctl *ctl)
262 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
265 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
266 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_OUTBOUND;
267 cipher_xform = xform;
268 auth_xform = xform->next;
269 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
270 ctl->direction = OTX2_IPSEC_FP_SA_DIRECTION_INBOUND;
272 cipher_xform = xform->next;
277 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
278 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
279 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
280 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
281 ctl->outer_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_6;
286 ctl->inner_ip_ver = OTX2_IPSEC_FP_SA_IP_VERSION_4;
288 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
289 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TRANSPORT;
290 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
291 ctl->ipsec_mode = OTX2_IPSEC_FP_SA_MODE_TUNNEL;
295 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
296 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_AH;
297 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
298 ctl->ipsec_proto = OTX2_IPSEC_FP_SA_PROTOCOL_ESP;
302 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
303 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
304 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_GCM;
305 aes_key_len = xform->aead.key.length;
309 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
310 ctl->enc_type = OTX2_IPSEC_FP_SA_ENC_AES_CBC;
311 aes_key_len = cipher_xform->cipher.key.length;
316 switch (aes_key_len) {
318 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_128;
321 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_192;
324 ctl->aes_key_len = OTX2_IPSEC_FP_SA_AES_KEY_LEN_256;
330 if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
331 switch (auth_xform->auth.algo) {
332 case RTE_CRYPTO_AUTH_NULL:
333 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_NULL;
335 case RTE_CRYPTO_AUTH_MD5_HMAC:
336 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_MD5;
338 case RTE_CRYPTO_AUTH_SHA1_HMAC:
339 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA1;
341 case RTE_CRYPTO_AUTH_SHA224_HMAC:
342 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_224;
344 case RTE_CRYPTO_AUTH_SHA256_HMAC:
345 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_256;
347 case RTE_CRYPTO_AUTH_SHA384_HMAC:
348 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_384;
350 case RTE_CRYPTO_AUTH_SHA512_HMAC:
351 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_SHA2_512;
353 case RTE_CRYPTO_AUTH_AES_GMAC:
354 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_GMAC;
356 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
357 ctl->auth_type = OTX2_IPSEC_FP_SA_AUTH_AES_XCBC_128;
364 if (ipsec->options.esn == 1)
367 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
373 #endif /* __OTX2_IPSEC_FP_H__ */