1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2020 Marvell International Ltd.
5 #ifndef __OTX2_IPSEC_PO_H__
6 #define __OTX2_IPSEC_PO_H__
8 #include <rte_crypto_sym.h>
10 #include <rte_security.h>
12 #define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN 0x09
13 #define OTX2_IPSEC_PO_AES_GCM_OUTB_CTX_LEN 0x28
15 #define OTX2_IPSEC_PO_MAX_INB_CTX_LEN 0x22
16 #define OTX2_IPSEC_PO_MAX_OUTB_CTX_LEN 0x38
18 #define OTX2_IPSEC_PO_PER_PKT_IV BIT(11)
20 #define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB 0x20
21 #define OTX2_IPSEC_PO_WRITE_IPSEC_INB 0x21
22 #define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB 0x23
23 #define OTX2_IPSEC_PO_PROCESS_IPSEC_INB 0x24
25 #define OTX2_IPSEC_PO_INB_RPTR_HDR 0x8
27 enum otx2_ipsec_po_comp_e {
28 OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
29 OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
30 OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
34 OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0,
35 OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1,
39 OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0,
40 OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1,
44 OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0,
45 OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1,
49 OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0,
50 OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1,
54 OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1,
55 OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2,
56 OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3,
60 OTX2_IPSEC_PO_SA_ENC_NULL = 0,
61 OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1,
62 OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2,
63 OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3,
64 OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4,
65 OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5,
66 OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6,
70 OTX2_IPSEC_PO_SA_AUTH_NULL = 0,
71 OTX2_IPSEC_PO_SA_AUTH_MD5 = 1,
72 OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2,
73 OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3,
74 OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4,
75 OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5,
76 OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6,
77 OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7,
78 OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8,
82 OTX2_IPSEC_PO_SA_FRAG_POST = 0,
83 OTX2_IPSEC_PO_SA_FRAG_PRE = 1,
87 OTX2_IPSEC_PO_SA_ENCAP_NONE = 0,
88 OTX2_IPSEC_PO_SA_ENCAP_UDP = 1,
91 struct otx2_ipsec_po_out_hdr {
97 union otx2_ipsec_po_bit_perfect_iv {
107 struct otx2_ipsec_po_traffic_selector {
108 rte_be16_t src_port[2];
109 rte_be16_t dst_port[2];
113 rte_be32_t src_addr[2];
114 rte_be32_t dst_addr[2];
117 uint8_t src_addr[32];
118 uint8_t dst_addr[32];
123 struct otx2_ipsec_po_sa_ctl {
125 uint64_t exp_proto_inter_frag : 8;
126 uint64_t rsvd_42_40 : 3;
128 uint64_t rsvd_45_44 : 2;
129 uint64_t encap_type : 2;
130 uint64_t enc_type : 3;
131 uint64_t rsvd_48 : 1;
132 uint64_t auth_type : 4;
134 uint64_t direction : 1;
135 uint64_t outer_ip_ver : 1;
136 uint64_t inner_ip_ver : 1;
137 uint64_t ipsec_mode : 1;
138 uint64_t ipsec_proto : 1;
139 uint64_t aes_key_len : 2;
142 struct otx2_ipsec_po_in_sa {
144 struct otx2_ipsec_po_sa_ctl ctl;
147 uint8_t cipher_key[32];
150 union otx2_ipsec_po_bit_perfect_iv iv;
157 uint8_t udp_encap[8];
161 uint8_t hmac_key[48];
162 struct otx2_ipsec_po_traffic_selector selector;
165 struct otx2_ipsec_replay *replay;
168 uint32_t replay_win_sz;
171 struct otx2_ipsec_po_ip_template {
175 struct rte_ipv4_hdr ipv4_hdr;
176 struct rte_ipv6_hdr ipv6_hdr;
180 struct otx2_ipsec_po_out_sa {
182 struct otx2_ipsec_po_sa_ctl ctl;
185 uint8_t cipher_key[32];
188 union otx2_ipsec_po_bit_perfect_iv iv;
195 struct otx2_ipsec_po_ip_template template;
201 ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
203 if (xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
204 switch (xform->cipher.key.length) {
219 ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
221 uint16_t keylen = xform->auth.key.length;
223 if (xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
224 if (keylen >= 20 && keylen <= 64)
232 ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
233 struct rte_crypto_sym_xform *xform)
235 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
236 xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
239 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
240 xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
243 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
244 switch (xform->aead.key.length) {
259 ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
260 struct rte_crypto_sym_xform *xform)
262 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
265 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
266 return ipsec_po_xform_aead_verify(ipsec, xform);
268 if (xform->next == NULL)
271 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
273 if (xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
274 xform->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER)
277 cipher_xform = xform->next;
280 if (xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
281 xform->next->type != RTE_CRYPTO_SYM_XFORM_AUTH)
283 cipher_xform = xform;
284 auth_xform = xform->next;
287 ret = ipsec_po_xform_cipher_verify(cipher_xform);
291 ret = ipsec_po_xform_auth_verify(auth_xform);
299 ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
300 struct rte_crypto_sym_xform *xform,
301 struct otx2_ipsec_po_sa_ctl *ctl)
303 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
306 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
307 ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND;
308 cipher_xform = xform;
309 auth_xform = xform->next;
310 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
311 ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND;
313 cipher_xform = xform->next;
318 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
319 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
320 ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4;
321 else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
322 ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6;
327 ctl->inner_ip_ver = ctl->outer_ip_ver;
329 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
330 ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT;
331 else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
332 ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL;
336 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
337 ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH;
338 else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
339 ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP;
343 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
344 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
345 ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM;
346 aes_key_len = xform->aead.key.length;
350 } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
351 ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CCM;
352 aes_key_len = xform->cipher.key.length;
358 switch (aes_key_len) {
360 ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128;
363 ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192;
366 ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256;
372 if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
373 switch (auth_xform->auth.algo) {
374 case RTE_CRYPTO_AUTH_NULL:
375 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL;
377 case RTE_CRYPTO_AUTH_MD5_HMAC:
378 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5;
380 case RTE_CRYPTO_AUTH_SHA1_HMAC:
381 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1;
383 case RTE_CRYPTO_AUTH_SHA224_HMAC:
384 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224;
386 case RTE_CRYPTO_AUTH_SHA256_HMAC:
387 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256;
389 case RTE_CRYPTO_AUTH_SHA384_HMAC:
390 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384;
392 case RTE_CRYPTO_AUTH_SHA512_HMAC:
393 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512;
395 case RTE_CRYPTO_AUTH_AES_GMAC:
396 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC;
398 case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
399 ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128;
406 if (ipsec->options.esn)
409 if (ipsec->options.udp_encap == 1)
410 ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP;
412 ctl->spi = rte_cpu_to_be_32(ipsec->spi);
418 #endif /* __OTX2_IPSEC_PO_H__ */