1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright(C) 2020 Marvell International Ltd.
3  */
4
5 #ifndef __OTX2_IPSEC_PO_H__
6 #define __OTX2_IPSEC_PO_H__
7
8 #include <rte_crypto_sym.h>
9 #include <rte_ip.h>
10 #include <rte_security.h>
11
/* Context length for an inbound AES-GCM SA. The unit is not stated in this
 * header; presumably 8-byte words like the w0..wN annotations on the SA
 * structs below -- confirm against the microcode specification. */
#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN    0x09

/* Request opcodes: install ("write") an SA or process a packet against one,
 * split by direction. Presumably consumed by the microcode as-is; keep the
 * values, do not renumber. */
#define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB     0x20
#define OTX2_IPSEC_PO_WRITE_IPSEC_INB      0x21
#define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB   0x23
#define OTX2_IPSEC_PO_PROCESS_IPSEC_INB    0x24

/* Size (bytes, by the name) of the header at the inbound result pointer;
 * not referenced elsewhere in this header -- confirm meaning at the user. */
#define OTX2_IPSEC_PO_INB_RPTR_HDR         0x8
20
/* Completion codes for an IPsec PO request (presumably read from the
 * microcode's completion field; confirm at the caller). Only success and the
 * two "algorithm unsupported" codes are named here, so any other value should
 * be handled as a generic failure rather than ignored. */
enum otx2_ipsec_po_comp_e {
	OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
	OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
	OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
};
26
/* Encodings for the bit-fields of struct otx2_ipsec_po_sa_ctl. Each enum
 * below maps onto one ctl field; ipsec_po_sa_ctl_set() performs the
 * translation from the rte_security / rte_crypto enums. The numeric values
 * are presumably the hardware encoding -- keep them as they are. */

/* ctl->direction */
enum {
	OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0,
	OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1,
};

/* ctl->outer_ip_ver / ctl->inner_ip_ver */
enum {
	OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0,
	OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1,
};

/* ctl->ipsec_mode */
enum {
	OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0,
	OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1,
};

/* ctl->ipsec_proto */
enum {
	OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0,
	OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1,
};

/* ctl->aes_key_len: 1..3 for 16/24/32-byte keys; 0 is not a valid length. */
enum {
	OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1,
	OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2,
	OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3,
};

/* ctl->enc_type. Only AES_CBC and AES_GCM are ever selected by
 * ipsec_po_sa_ctl_set() in this header; the rest are listed for completeness
 * of the encoding. */
enum {
	OTX2_IPSEC_PO_SA_ENC_NULL = 0,
	OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1,
	OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2,
	OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3,
	OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4,
	OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5,
	OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6,
};

/* ctl->auth_type. ipsec_po_sa_ctl_set() can emit any of these, but
 * ipsec_po_xform_auth_verify() only admits SHA1-HMAC and SHA256-HMAC, so
 * a chain validated with it never reaches the other encodings. */
enum {
	OTX2_IPSEC_PO_SA_AUTH_NULL = 0,
	OTX2_IPSEC_PO_SA_AUTH_MD5 = 1,
	OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2,
	OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3,
	OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4,
	OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5,
	OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6,
	OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7,
	OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8,
};

/* Fragmentation placement; not written by any function in this header. */
enum {
	OTX2_IPSEC_PO_SA_FRAG_POST = 0,
	OTX2_IPSEC_PO_SA_FRAG_PRE = 1,
};

/* ctl->encap_type: UDP encapsulation of ESP (set when options.udp_encap == 1). */
enum {
	OTX2_IPSEC_PO_SA_ENCAP_NONE = 0,
	OTX2_IPSEC_PO_SA_ENCAP_UDP = 1,
};
84
/* Per-packet metadata supplied alongside an outbound request: the IP ID,
 * the ESP sequence number and a 16-byte IV. Not referenced by any function
 * in this header; the producer/consumer and the byte order of ip_id and
 * seq are defined elsewhere -- confirm before building one by hand. */
struct otx2_ipsec_po_out_hdr {
	uint32_t ip_id;
	uint32_t seq;
	uint8_t iv[16];
};
90
/* 16-byte IV slot of an SA (w5-w6), overlaid per cipher: the full block for
 * AES, the first 8 bytes for DES, or the nonce/iv/counter split used for
 * GCM. All views share the same 16 bytes, so only the one matching
 * ctl->enc_type is meaningful. */
union otx2_ipsec_po_bit_perfect_iv {
	uint8_t aes_iv[16];
	uint8_t des_iv[8];
	struct {
		uint8_t nonce[4];
		uint8_t iv[8];
		uint8_t counter[4];
	} gcm;
};
100
/* Traffic selector stored in an inbound SA. Ports and addresses are given
 * in pairs (two entries each), presumably a low/high range -- confirm
 * against the microcode specification. Port and IPv4 fields are big-endian;
 * the IPv6 addresses are raw bytes (32 each, i.e. two 16-byte addresses). */
struct otx2_ipsec_po_traffic_selector {
	rte_be16_t src_port[2];
	rte_be16_t dst_port[2];
	RTE_STD_C11
	union {
		struct {
			rte_be32_t src_addr[2];
			rte_be32_t dst_addr[2];
		} ipv4;
		struct {
			uint8_t src_addr[32];
			uint8_t dst_addr[32];
		} ipv6;
	};
};
116
/* SA control word (w0 of both the inbound and outbound SA). The bit-field
 * widths sum to exactly 64 bits. Bit-field packing order is
 * implementation-defined in C, so this layout relies on the target ABI
 * allocating fields LSB-first -- presumably verified for the octeontx2
 * target; do not reorder or resize fields. Populated by
 * ipsec_po_sa_ctl_set(); spi is written in network byte order there. */
struct otx2_ipsec_po_sa_ctl {
	rte_be32_t spi          : 32;
	uint64_t exp_proto_inter_frag : 8;
	uint64_t rsvd_42_40   : 3;
	uint64_t esn_en       : 1;
	uint64_t rsvd_45_44   : 2;
	uint64_t encap_type   : 2;
	uint64_t enc_type     : 3;
	uint64_t rsvd_48      : 1;
	uint64_t auth_type    : 4;
	/* Set to 1 by ipsec_po_sa_ctl_set() once the rest is filled in. */
	uint64_t valid        : 1;
	uint64_t direction    : 1;
	uint64_t outer_ip_ver : 1;
	uint64_t inner_ip_ver : 1;
	uint64_t ipsec_mode   : 1;
	uint64_t ipsec_proto  : 1;
	uint64_t aes_key_len  : 2;
};
135
/* Inbound SA as laid out for the microcode. The wN comments give the
 * 8-byte word index of each field. Note that the aes_gcm and sha2 variants
 * of the w9-w33 union have different-sized key material (48 vs 64+64
 * bytes), so `selector` sits at a different offset in each; always access
 * it through the variant matching ctl->enc_type / ctl->auth_type. */
struct otx2_ipsec_po_in_sa {
	/* w0 */
	struct otx2_ipsec_po_sa_ctl ctl;

	/* w1-w4 */
	uint8_t cipher_key[32];

	/* w5-w6 */
	union otx2_ipsec_po_bit_perfect_iv iv;

	/* w7: extended sequence number, split into the two 32-bit halves */
	uint32_t esn_hi;
	uint32_t esn_low;

	/* w8: UDP encapsulation parameters; contents not defined in this header */
	uint8_t udp_encap[8];

	/* w9-w33 */
	union {
		struct {
			uint8_t hmac_key[48];
			struct otx2_ipsec_po_traffic_selector selector;
		} aes_gcm;
		struct {
			uint8_t hmac_key[64];
			uint8_t hmac_iv[64];
			struct otx2_ipsec_po_traffic_selector selector;
		} sha2;
	};
	/* Software anti-replay state. The union keeps this slot 64 bits wide
	 * regardless of the pointer size; struct otx2_ipsec_replay is declared
	 * elsewhere. */
	union {
		struct otx2_ipsec_replay *replay;
		uint64_t replay64;
	};
	uint32_t replay_win_sz;
};
171
/* Outer IP header template for an outbound tunnel-mode SA, one variant per
 * IP version, each followed by a UDP port pair (presumably for UDP
 * encapsulation; confirm at the code that fills it). Because the IPv4 and
 * IPv6 headers differ in size, the udp_* fields are at different offsets
 * in the two variants. */
struct otx2_ipsec_po_ip_template {
	RTE_STD_C11
	union {
		struct {
			struct rte_ipv4_hdr ipv4_hdr;
			uint16_t udp_src;
			uint16_t udp_dst;
		} ip4;
		struct {
			struct rte_ipv6_hdr ipv6_hdr;
			uint16_t udp_src;
			uint16_t udp_dst;
		} ip6;
	};
};
187
/* Outbound SA as laid out for the microcode. Words w0-w7 match
 * struct otx2_ipsec_po_in_sa; w8 onward holds per-algorithm key material
 * followed by the outer IP template, whose offset therefore differs per
 * variant (0, 48 or 128 bytes into the union).
 *
 * NOTE(review): the sha1 variant has room for only 24 key bytes (+24 unused),
 * while ipsec_po_xform_auth_verify() accepts SHA1-HMAC keys of up to 64
 * bytes. Whatever copies the key into sha1.hmac_key must bound the copy to
 * the field size (or the SA must be built from a different variant) --
 * confirm at the SA population code, which is outside this header. */
struct otx2_ipsec_po_out_sa {
	/* w0 */
	struct otx2_ipsec_po_sa_ctl ctl;

	/* w1-w4 */
	uint8_t cipher_key[32];

	/* w5-w6 */
	union otx2_ipsec_po_bit_perfect_iv iv;

	/* w7: extended sequence number, split into the two 32-bit halves */
	uint32_t esn_hi;
	uint32_t esn_low;

	/* w8-w55 */
	union {
		struct {
			struct otx2_ipsec_po_ip_template template;
		} aes_gcm;
		struct {
			uint8_t hmac_key[24];
			uint8_t unused[24];
			struct otx2_ipsec_po_ip_template template;
		} sha1;
		struct {
			uint8_t hmac_key[64];
			uint8_t hmac_iv[64];
			struct otx2_ipsec_po_ip_template template;
		} sha2;
	};
};
219
/*
 * Check that a cipher transform is one the IPsec PO path can serve.
 *
 * Only AES-CBC with a 16-, 24- or 32-byte key is admitted. Nothing but
 * cipher.algo and cipher.key.length is examined, so the caller is
 * responsible for the rest of the transform (op, IV, next pointer).
 *
 * Returns 0 when supported, -ENOTSUP for any other algorithm or key size.
 */
static inline int
ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
{
	unsigned int klen;

	if (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC)
		return -ENOTSUP;

	klen = xform->cipher.key.length;
	if (klen != 16 && klen != 24 && klen != 32)
		return -ENOTSUP;

	return 0;
}
237
/*
 * Check that an auth transform is one the IPsec PO path can serve.
 *
 * SHA1-HMAC needs a key of 20..64 bytes, SHA256-HMAC one of 32..64 bytes;
 * every other algorithm is rejected. Only auth.algo and auth.key.length
 * are inspected.
 *
 * NOTE(review): the 64-byte upper bound is larger than the 24-byte
 * sha1.hmac_key field of struct otx2_ipsec_po_out_sa; the code that copies
 * the key into the SA (outside this header) must bound that copy.
 *
 * Returns 0 when supported, -ENOTSUP otherwise.
 */
static inline int
ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
{
	const uint16_t keylen = xform->auth.key.length;
	uint16_t min_keylen;

	switch (xform->auth.algo) {
	case RTE_CRYPTO_AUTH_SHA1_HMAC:
		min_keylen = 20;
		break;
	case RTE_CRYPTO_AUTH_SHA256_HMAC:
		min_keylen = 32;
		break;
	default:
		return -ENOTSUP;
	}

	/* Upper bound is the same for both supported digests. */
	if (keylen < min_keylen || keylen > 64)
		return -ENOTSUP;

	return 0;
}
253
/*
 * Validate an AEAD transform against the SA it will serve.
 *
 * The AEAD operation must match the SA direction (encrypt for egress,
 * decrypt for ingress); only AES-GCM is supported, with a 16-, 24- or
 * 32-byte key.
 *
 * Returns 0 on success, -EINVAL for a direction/op mismatch or a bad key
 * length, -ENOTSUP for an algorithm other than AES-GCM. Note the split:
 * an unsupported key length is -EINVAL here but -ENOTSUP in
 * ipsec_po_xform_cipher_verify().
 */
static inline int
ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
			   struct rte_crypto_sym_xform *xform)
{
	unsigned int klen;
	int dir_mismatch = 0;

	switch (ipsec->direction) {
	case RTE_SECURITY_IPSEC_SA_DIR_EGRESS:
		dir_mismatch = (xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT);
		break;
	case RTE_SECURITY_IPSEC_SA_DIR_INGRESS:
		dir_mismatch = (xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT);
		break;
	default:
		/* Any other direction value is left for later checks. */
		break;
	}
	if (dir_mismatch)
		return -EINVAL;

	if (xform->aead.algo != RTE_CRYPTO_AEAD_AES_GCM)
		return -ENOTSUP;

	klen = xform->aead.key.length;
	if (klen != 16 && klen != 24 && klen != 32)
		return -EINVAL;

	return 0;
}
280
/*
 * Validate the crypto transform chain requested for an IPsec SA.
 *
 * Rejects SAs with any lifetime limit (not implemented). A single AEAD
 * transform is handed to ipsec_po_xform_aead_verify(). Otherwise exactly
 * the first two transforms are considered: ingress expects auth then
 * cipher, egress expects cipher then auth, and each is checked by its own
 * verifier. A third transform in the chain is not examined.
 *
 * Returns 0 when the chain is acceptable, -ENOTSUP for unsupported
 * features/algorithms, -EINVAL for a malformed chain.
 */
static inline int
ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
		      struct rte_crypto_sym_xform *xform)
{
	struct rte_crypto_sym_xform *second;
	int ret;

	/* Byte/packet lifetimes are not supported at all. */
	if (ipsec->life.bytes_hard_limit || ipsec->life.bytes_soft_limit ||
	    ipsec->life.packets_hard_limit || ipsec->life.packets_soft_limit)
		return -ENOTSUP;

	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
		return ipsec_po_xform_aead_verify(ipsec, xform);

	second = xform->next;
	if (second == NULL)
		return -EINVAL;

	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
		/* Ingress: authenticate first, then decrypt. */
		if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
		    second->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
			return -EINVAL;
		ret = ipsec_po_xform_cipher_verify(second);
		if (ret == 0)
			ret = ipsec_po_xform_auth_verify(xform);
	} else {
		/* Egress: encrypt first, then authenticate. */
		if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
		    second->type != RTE_CRYPTO_SYM_XFORM_AUTH)
			return -EINVAL;
		ret = ipsec_po_xform_cipher_verify(xform);
		if (ret == 0)
			ret = ipsec_po_xform_auth_verify(second);
	}

	return ret;
}
326
/*
 * Fill the SA control word from the rte_security and crypto transforms.
 *
 * Preconditions (not checked here):
 *  - `ctl` should be zero-initialised by the caller: esn_en, encap_type and
 *    outer_ip_ver are only ever set, never cleared, so stale bits survive.
 *  - The chain should already have passed ipsec_po_xform_verify(); on the
 *    non-AEAD path cipher_xform/auth_xform come from xform->next with no
 *    NULL check.
 *
 * Returns 0 on success, -EINVAL for an unrecognised direction/mode/proto/
 * tunnel type or key length, -ENOTSUP for an unsupported algorithm. On an
 * error return `ctl` may already be partially written (e.g. direction is
 * stored before mode is validated); valid stays clear until the very end.
 */
static inline int
ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
		    struct rte_crypto_sym_xform *xform,
		    struct otx2_ipsec_po_sa_ctl *ctl)
{
	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
	int aes_key_len;

	/* Order of the chain follows the direction: cipher->auth on egress,
	 * auth->cipher on ingress. For an AEAD xform ->next may be NULL; the
	 * two pointers are then never dereferenced below. */
	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
		ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND;
		cipher_xform = xform;
		auth_xform = xform->next;
	} else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
		ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND;
		auth_xform = xform;
		cipher_xform = xform->next;
	} else {
		return -EINVAL;
	}

	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
		if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
			ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4;
		else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
			ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6;
		else
			return -EINVAL;
	}

	/* In transport mode outer_ip_ver is not assigned above, so inner_ip_ver
	 * inherits whatever ctl held on entry (0, i.e. IPv4, for a zeroed ctl).
	 * NOTE(review): confirm this is the intended encoding for IPv6
	 * transport SAs, if those are supported at all. */
	ctl->inner_ip_ver = ctl->outer_ip_ver;

	if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
		ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT;
	else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
		ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL;
	else
		return -EINVAL;

	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
		ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH;
	else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
		ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP;
	else
		return -EINVAL;

	/* Cipher selection. Only AES-GCM (AEAD) and AES-CBC are encodable;
	 * the key length is validated by the switch that follows. */
	if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
		if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
			ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM;
			aes_key_len = xform->aead.key.length;
		} else {
			return -ENOTSUP;
		}
	} else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
		ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CBC;
		aes_key_len = cipher_xform->cipher.key.length;
	} else {
		return -ENOTSUP;
	}


	switch (aes_key_len) {
	case 16:
		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128;
		break;
	case 24:
		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192;
		break;
	case 32:
		ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256;
		break;
	default:
		return -EINVAL;
	}

	/* For AEAD there is no separate auth xform; auth_type is left as is
	 * (0 / NULL when ctl was zeroed). Every algorithm listed here is
	 * encodable, but ipsec_po_xform_auth_verify() only admits SHA1-HMAC
	 * and SHA256-HMAC, so a pre-verified chain never reaches the others. */
	if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
		switch (auth_xform->auth.algo) {
		case RTE_CRYPTO_AUTH_NULL:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL;
			break;
		case RTE_CRYPTO_AUTH_MD5_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5;
			break;
		case RTE_CRYPTO_AUTH_SHA1_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1;
			break;
		case RTE_CRYPTO_AUTH_SHA224_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224;
			break;
		case RTE_CRYPTO_AUTH_SHA256_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256;
			break;
		case RTE_CRYPTO_AUTH_SHA384_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384;
			break;
		case RTE_CRYPTO_AUTH_SHA512_HMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512;
			break;
		case RTE_CRYPTO_AUTH_AES_GMAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC;
			break;
		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
			ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128;
			break;
		default:
			return -ENOTSUP;
		}
	}

	/* Option bits are set only, never cleared (see preconditions). */
	if (ipsec->options.esn)
		ctl->esn_en = 1;

	/* Exact compare: only udp_encap == 1 enables UDP encapsulation. */
	if (ipsec->options.udp_encap == 1)
		ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP;

	/* SPI is stored big-endian, as it appears on the wire. */
	ctl->spi = rte_cpu_to_be_32(ipsec->spi);
	ctl->valid = 1;

	return 0;
}
446
447 #endif /* __OTX2_IPSEC_PO_H__ */