1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright(C) 2020 Marvell International Ltd.
3  */
4
5 #ifndef __OTX2_IPSEC_PO_H__
6 #define __OTX2_IPSEC_PO_H__
7
8 #include <rte_crypto_sym.h>
9 #include <rte_ip.h>
10 #include <rte_security.h>
11
/* NOTE(review): by name, the context length used for inbound AES-GCM SAs.
 * The unit (bytes vs. 8-byte words) is not visible in this header -- confirm
 * against the code that consumes it.
 */
#define OTX2_IPSEC_PO_AES_GCM_INB_CTX_LEN    0x09

/* Flag at bit 11. NOTE(review): by name it selects a per-packet IV; if the IV
 * then comes from the caller, IV uniqueness under one key (critical for GCM)
 * is the caller's responsibility -- confirm where this flag is applied.
 */
#define OTX2_IPSEC_PO_PER_PKT_IV  BIT(11)

/* NOTE(review): by name, operation codes for writing an outbound/inbound SA
 * and for processing outbound/inbound IPsec packets. Nothing in this header
 * uses them -- confirm against the request-building code.
 */
#define OTX2_IPSEC_PO_WRITE_IPSEC_OUTB     0x20
#define OTX2_IPSEC_PO_WRITE_IPSEC_INB      0x21
#define OTX2_IPSEC_PO_PROCESS_IPSEC_OUTB   0x23
#define OTX2_IPSEC_PO_PROCESS_IPSEC_INB    0x24

/* NOTE(review): presumably the size of a header preceding inbound result
 * data; unit and exact meaning are not shown here -- TODO confirm.
 */
#define OTX2_IPSEC_PO_INB_RPTR_HDR         0x8
22
/* NOTE(review): by name, completion codes reported for an IPsec request.
 * Only success and the two "unsupported algorithm" codes are listed here, so
 * a consumer should treat every other non-zero value as a failure rather than
 * matching on these two alone -- confirm against the dequeue path.
 */
enum otx2_ipsec_po_comp_e {
        OTX2_IPSEC_PO_CC_SUCCESS = 0x00,
        OTX2_IPSEC_PO_CC_AUTH_UNSUPPORTED = 0xB0,
        OTX2_IPSEC_PO_CC_ENCRYPT_UNSUPPORTED = 0xB1,
};
28
/*
 * Encodings for the bit-fields of struct otx2_ipsec_po_sa_ctl.
 * ipsec_po_sa_ctl_set() in this header writes the direction, IP version,
 * mode, protocol, AES key length, cipher, auth and encapsulation values;
 * the FRAG values are not referenced in this header.
 */

/* Values for otx2_ipsec_po_sa_ctl.direction */
enum {
        OTX2_IPSEC_PO_SA_DIRECTION_INBOUND = 0,
        OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND = 1,
};

/* Values for otx2_ipsec_po_sa_ctl.outer_ip_ver / inner_ip_ver */
enum {
        OTX2_IPSEC_PO_SA_IP_VERSION_4 = 0,
        OTX2_IPSEC_PO_SA_IP_VERSION_6 = 1,
};

/* Values for otx2_ipsec_po_sa_ctl.ipsec_mode */
enum {
        OTX2_IPSEC_PO_SA_MODE_TRANSPORT = 0,
        OTX2_IPSEC_PO_SA_MODE_TUNNEL = 1,
};

/* Values for otx2_ipsec_po_sa_ctl.ipsec_proto */
enum {
        OTX2_IPSEC_PO_SA_PROTOCOL_AH = 0,
        OTX2_IPSEC_PO_SA_PROTOCOL_ESP = 1,
};

/* Values for otx2_ipsec_po_sa_ctl.aes_key_len (note: 0 is not assigned) */
enum {
        OTX2_IPSEC_PO_SA_AES_KEY_LEN_128 = 1,
        OTX2_IPSEC_PO_SA_AES_KEY_LEN_192 = 2,
        OTX2_IPSEC_PO_SA_AES_KEY_LEN_256 = 3,
};

/* Values for otx2_ipsec_po_sa_ctl.enc_type.
 * Encodings exist for NULL, DES and 3DES, but ipsec_po_sa_ctl_set() in this
 * header only ever programs AES_CBC or AES_GCM.
 */
enum {
        OTX2_IPSEC_PO_SA_ENC_NULL = 0,
        OTX2_IPSEC_PO_SA_ENC_DES_CBC = 1,
        OTX2_IPSEC_PO_SA_ENC_3DES_CBC = 2,
        OTX2_IPSEC_PO_SA_ENC_AES_CBC = 3,
        OTX2_IPSEC_PO_SA_ENC_AES_CTR = 4,
        OTX2_IPSEC_PO_SA_ENC_AES_GCM = 5,
        OTX2_IPSEC_PO_SA_ENC_AES_CCM = 6,
};

/* Values for otx2_ipsec_po_sa_ctl.auth_type.
 * ipsec_po_sa_ctl_set() can map to any of these, including NULL and MD5;
 * ipsec_po_xform_auth_verify() accepts only HMAC-SHA1 and HMAC-SHA256, so
 * the narrower policy holds only when the verify helper runs first.
 */
enum {
        OTX2_IPSEC_PO_SA_AUTH_NULL = 0,
        OTX2_IPSEC_PO_SA_AUTH_MD5 = 1,
        OTX2_IPSEC_PO_SA_AUTH_SHA1 = 2,
        OTX2_IPSEC_PO_SA_AUTH_SHA2_224 = 3,
        OTX2_IPSEC_PO_SA_AUTH_SHA2_256 = 4,
        OTX2_IPSEC_PO_SA_AUTH_SHA2_384 = 5,
        OTX2_IPSEC_PO_SA_AUTH_SHA2_512 = 6,
        OTX2_IPSEC_PO_SA_AUTH_AES_GMAC = 7,
        OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128 = 8,
};

/* NOTE(review): by name, fragmentation before or after IPsec processing;
 * no field in this header is assigned these values -- confirm the consumer.
 */
enum {
        OTX2_IPSEC_PO_SA_FRAG_POST = 0,
        OTX2_IPSEC_PO_SA_FRAG_PRE = 1,
};

/* Values for otx2_ipsec_po_sa_ctl.encap_type */
enum {
        OTX2_IPSEC_PO_SA_ENCAP_NONE = 0,
        OTX2_IPSEC_PO_SA_ENCAP_UDP = 1,
};
86
/* NOTE(review): by name, a per-packet header for outbound processing that
 * carries an IP ID, a sequence number and a 16-byte IV. Byte order of ip_id
 * and seq is not stated by the types (plain uint32_t) -- confirm against the
 * code that fills this header.
 */
struct otx2_ipsec_po_out_hdr {
        uint32_t ip_id;
        uint32_t seq;
        uint8_t iv[16];
};
92
/* Three overlapping views of one IV area: a 16-byte AES IV, an 8-byte DES IV,
 * or the GCM split of 4-byte nonce + 8-byte IV + 4-byte counter (16 bytes).
 * NOTE(review): the GCM split looks like the RFC 4106 salt/IV/counter layout
 * -- confirm. Because the views alias, writing one member overwrites the
 * bytes seen through the others.
 */
union otx2_ipsec_po_bit_perfect_iv {
        uint8_t aes_iv[16];
        uint8_t des_iv[8];
        struct {
                uint8_t nonce[4];
                uint8_t iv[8];
                uint8_t counter[4];
        } gcm;
};
102
/* Traffic selector stored in an inbound SA: big-endian ports plus either an
 * IPv4 or an IPv6 address view (anonymous union, so both share storage).
 * NOTE(review): every field has room for two values (two ports, two 32-bit
 * IPv4 addresses, 32 bytes = two IPv6 addresses) -- presumably a low/high
 * range; confirm against the code that fills it.
 */
struct otx2_ipsec_po_traffic_selector {
        rte_be16_t src_port[2];
        rte_be16_t dst_port[2];
        RTE_STD_C11
        union {
                struct {
                        rte_be32_t src_addr[2];
                        rte_be32_t dst_addr[2];
                } ipv4;
                struct {
                        uint8_t src_addr[32];
                        uint8_t dst_addr[32];
                } ipv6;
        };
};
118
/* SA control word: a 32-bit big-endian SPI followed by 32 bits of flags and
 * selectors, 64 bits in total (the SA structs label it "w0").
 * Bit-field order and packing are implementation-defined in C, so the match
 * with the device layout depends on the compiler/ABI this driver targets.
 * ipsec_po_sa_ctl_set() only sets bits and never clears them, so the word is
 * expected to be zeroed before that call -- presumably by the caller; verify.
 */
struct otx2_ipsec_po_sa_ctl {
        rte_be32_t spi          : 32;
        uint64_t exp_proto_inter_frag : 8;
        uint64_t rsvd_42_40   : 3;
        uint64_t esn_en       : 1; /* set when ipsec->options.esn is non-zero */
        uint64_t rsvd_45_44   : 2;
        uint64_t encap_type   : 2; /* OTX2_IPSEC_PO_SA_ENCAP_* */
        uint64_t enc_type     : 3; /* OTX2_IPSEC_PO_SA_ENC_* */
        uint64_t rsvd_48      : 1;
        uint64_t auth_type    : 4; /* OTX2_IPSEC_PO_SA_AUTH_* */
        uint64_t valid        : 1; /* set last by ipsec_po_sa_ctl_set() */
        uint64_t direction    : 1; /* OTX2_IPSEC_PO_SA_DIRECTION_* */
        uint64_t outer_ip_ver : 1; /* OTX2_IPSEC_PO_SA_IP_VERSION_* */
        uint64_t inner_ip_ver : 1; /* copied from outer_ip_ver by ipsec_po_sa_ctl_set() */
        uint64_t ipsec_mode   : 1; /* OTX2_IPSEC_PO_SA_MODE_* */
        uint64_t ipsec_proto  : 1; /* OTX2_IPSEC_PO_SA_PROTOCOL_* */
        uint64_t aes_key_len  : 2; /* OTX2_IPSEC_PO_SA_AES_KEY_LEN_* */
};
137
/* Inbound SA context. The "wN" comments number 64-bit words from the start
 * of the struct. cipher_key and the hmac_key members hold raw key material:
 * whoever frees or reuses an SA should wipe it; the teardown path is not
 * visible in this header.
 */
struct otx2_ipsec_po_in_sa {
        /* w0 */
        struct otx2_ipsec_po_sa_ctl ctl;

        /* w1-w4 */
        uint8_t cipher_key[32]; /* room for up to a 256-bit key */

        /* w5-w6 */
        union otx2_ipsec_po_bit_perfect_iv iv;

        /* w7 */
        uint32_t esn_hi;
        uint32_t esn_low;

        /* w8 */
        uint8_t udp_encap[8];

        /* w9-w33 */
        /* Per-algorithm tail; the sha2 view (64 + 64 + selector) is the larger
         * one and, assuming no padding, spans the 25 words named above.
         */
        union {
                struct {
                        uint8_t hmac_key[48];
                        struct otx2_ipsec_po_traffic_selector selector;
                } aes_gcm;
                struct {
                        uint8_t hmac_key[64];
                        uint8_t hmac_iv[64];
                        struct otx2_ipsec_po_traffic_selector selector;
                } sha2;
        };
        /* NOTE(review): these fields follow the last numbered word, so they
         * look like driver-side anti-replay state rather than part of the
         * device context -- confirm. The pointer is aliased with a 64-bit
         * integer view.
         */
        union {
                struct otx2_ipsec_replay *replay;
                uint64_t replay64;
        };
        uint32_t replay_win_sz;
};
173
/* Header template kept in an outbound SA: either an IPv4 or an IPv6 header,
 * each followed by UDP source/destination ports. The two views share storage
 * (anonymous union).
 * NOTE(review): presumably the outer header for tunnel mode and the ports for
 * UDP encapsulation; the ports are plain uint16_t, so their byte order is not
 * stated by the type -- confirm against the code that fills the template.
 */
struct otx2_ipsec_po_ip_template {
        RTE_STD_C11
        union {
                struct {
                        struct rte_ipv4_hdr ipv4_hdr;
                        uint16_t udp_src;
                        uint16_t udp_dst;
                } ip4;
                struct {
                        struct rte_ipv6_hdr ipv6_hdr;
                        uint16_t udp_src;
                        uint16_t udp_dst;
                } ip6;
        };
};
189
/* Outbound SA context. The "wN" comments number 64-bit words from the start
 * of the struct. cipher_key and the hmac_key members hold raw key material:
 * whoever frees or reuses an SA should wipe it; the teardown path is not
 * visible in this header.
 */
struct otx2_ipsec_po_out_sa {
        /* w0 */
        struct otx2_ipsec_po_sa_ctl ctl;

        /* w1-w4 */
        uint8_t cipher_key[32]; /* room for up to a 256-bit key */

        /* w5-w6 */
        union otx2_ipsec_po_bit_perfect_iv iv;

        /* w7 */
        uint32_t esn_hi;
        uint32_t esn_low;

        /* w8-w55 */
        /* Per-algorithm tail; raw[384] fixes the size at 48 words, matching
         * the range above. The header template sits at a different offset in
         * each view, so the view must match the configured algorithm.
         */
        union {
                uint8_t raw[384];
                struct {
                        struct otx2_ipsec_po_ip_template template;
                } aes_gcm;
                struct {
                        uint8_t hmac_key[24];
                        uint8_t unused[24];
                        struct otx2_ipsec_po_ip_template template;
                } sha1;
                struct {
                        uint8_t hmac_key[64];
                        uint8_t hmac_iv[64];
                        struct otx2_ipsec_po_ip_template template;
                } sha2;
        };
};
222
/**
 * Check that a cipher transform is one this driver accepts for IPsec.
 *
 * Only AES-CBC with a 16-, 24- or 32-byte key passes. Any other algorithm,
 * and any other key length, is reported as -ENOTSUP (the AEAD helper in this
 * header reports a bad key length as -EINVAL instead).
 *
 * @param xform  Transform whose cipher member is inspected; the caller is
 *               responsible for having checked that it is a cipher transform.
 * @return 0 if accepted, -ENOTSUP otherwise.
 */
static inline int
ipsec_po_xform_cipher_verify(struct rte_crypto_sym_xform *xform)
{
        /* Reject every cipher other than AES-CBC up front. */
        if (xform->cipher.algo != RTE_CRYPTO_CIPHER_AES_CBC)
                return -ENOTSUP;

        /* AES key sizes: 128, 192 or 256 bits. */
        if (xform->cipher.key.length != 16 &&
            xform->cipher.key.length != 24 &&
            xform->cipher.key.length != 32)
                return -ENOTSUP;

        return 0;
}
240
/**
 * Check that an auth transform is one this driver accepts for IPsec.
 *
 * Accepted: HMAC-SHA1 with a 20..64 byte key and HMAC-SHA256 with a 32..64
 * byte key. The lower bounds equal the digest sizes of SHA-1 and SHA-256, so
 * keys shorter than the hash output are refused; 64 is the block size of both
 * hashes.
 *
 * @param xform  Transform whose auth member is inspected; the caller is
 *               responsible for having checked that it is an auth transform.
 * @return 0 if accepted, -ENOTSUP for any other algorithm or key length.
 */
static inline int
ipsec_po_xform_auth_verify(struct rte_crypto_sym_xform *xform)
{
        uint16_t key_bytes = xform->auth.key.length;
        uint16_t min_bytes;

        switch (xform->auth.algo) {
        case RTE_CRYPTO_AUTH_SHA1_HMAC:
                min_bytes = 20;
                break;
        case RTE_CRYPTO_AUTH_SHA256_HMAC:
                min_bytes = 32;
                break;
        default:
                /* Every other auth algorithm is refused. */
                return -ENOTSUP;
        }

        if (key_bytes < min_bytes || key_bytes > 64)
                return -ENOTSUP;

        return 0;
}
256
/**
 * Check an AEAD transform against the SA direction and the supported set.
 *
 * An egress SA must encrypt and an ingress SA must decrypt; a mismatch is
 * -EINVAL. A direction that is neither egress nor ingress is not rejected by
 * this helper. Only AES-GCM is supported, with a 16-, 24- or 32-byte key.
 *
 * @param ipsec  IPsec parameters; only the direction is read.
 * @param xform  Transform whose aead member is inspected.
 * @return 0 if accepted, -EINVAL on direction/operation mismatch or bad key
 *         length, -ENOTSUP for any algorithm other than AES-GCM.
 */
static inline int
ipsec_po_xform_aead_verify(struct rte_security_ipsec_xform *ipsec,
                           struct rte_crypto_sym_xform *xform)
{
        /* The AEAD operation has to agree with the direction of the SA. */
        if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
                if (xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
                        return -EINVAL;
        } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
                if (xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
                        return -EINVAL;
        }

        if (xform->aead.algo != RTE_CRYPTO_AEAD_AES_GCM)
                return -ENOTSUP;

        /* AES key sizes: 128, 192 or 256 bits. */
        if (xform->aead.key.length != 16 &&
            xform->aead.key.length != 24 &&
            xform->aead.key.length != 32)
                return -EINVAL;

        return 0;
}
283
/**
 * Validate the crypto transform chain supplied for an IPsec SA.
 *
 * An AEAD transform is validated on its own. Otherwise the chain must hold
 * two transforms in direction-dependent order: auth then cipher for ingress,
 * cipher then auth for any other direction (treated as egress). Each half is
 * then checked by the cipher and auth helpers in this header.
 *
 * Not checked here: ipsec->proto and ipsec->mode, and whether the chain has
 * more than two entries.
 *
 * @param ipsec  IPsec parameters; only the direction is read by this function.
 * @param xform  Head of the transform chain; must not be NULL.
 * @return 0 if the chain is accepted, -EINVAL for a malformed chain, or the
 *         error returned by the per-transform helper.
 */
static inline int
ipsec_po_xform_verify(struct rte_security_ipsec_xform *ipsec,
                      struct rte_crypto_sym_xform *xform)
{
        struct rte_crypto_sym_xform *second;
        struct rte_crypto_sym_xform *cipher, *auth;
        int rc;

        /* AEAD covers both confidentiality and integrity in one transform. */
        if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
                return ipsec_po_xform_aead_verify(ipsec, xform);

        /* A non-AEAD SA needs a second transform in the chain. */
        second = xform->next;
        if (second == NULL)
                return -EINVAL;

        if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
                /* Ingress: verify first, then decrypt. */
                if (!(xform->type == RTE_CRYPTO_SYM_XFORM_AUTH &&
                      second->type == RTE_CRYPTO_SYM_XFORM_CIPHER))
                        return -EINVAL;
                auth = xform;
                cipher = second;
        } else {
                /* Egress: encrypt first, then authenticate. */
                if (!(xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER &&
                      second->type == RTE_CRYPTO_SYM_XFORM_AUTH))
                        return -EINVAL;
                cipher = xform;
                auth = second;
        }

        rc = ipsec_po_xform_cipher_verify(cipher);
        if (rc == 0)
                rc = ipsec_po_xform_auth_verify(auth);

        return rc;
}
323
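/**
 * Fill the SA control word from the rte_security IPsec parameters and the
 * crypto transform chain.
 *
 * This function only sets fields and never clears them, so @p ctl is expected
 * to be zeroed beforehand. In transport mode outer_ip_ver is not written
 * here, and inner_ip_ver is copied from whatever outer_ip_ver already holds.
 * On an error return, fields assigned before the failing check stay written;
 * the valid bit is set only on success.
 *
 * The auth mapping below is wider than ipsec_po_xform_auth_verify() (it also
 * maps NULL, MD5 and others), and the type of the cipher transform is not
 * re-checked, so the algorithm policy is enforced only when
 * ipsec_po_xform_verify() has accepted the same chain first.
 *
 * @param ipsec  IPsec parameters (direction, mode, tunnel type, proto,
 *               options, SPI).
 * @param xform  Head of the transform chain: a single AEAD transform, or
 *               cipher+auth (egress) / auth+cipher (ingress).
 * @param ctl    Control word to fill.
 * @return 0 on success, -EINVAL for an invalid direction, mode, tunnel type,
 *         protocol, key length or a non-AEAD chain with a single transform,
 *         -ENOTSUP for an unsupported algorithm.
 */
static inline int
ipsec_po_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
                    struct rte_crypto_sym_xform *xform,
                    struct otx2_ipsec_po_sa_ctl *ctl)
{
        struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
        int aes_key_len;

        /* A non-AEAD SA needs two chained transforms. Without this check the
         * cipher (ingress) or auth (egress) lookup below would dereference a
         * NULL next pointer when the chain was not validated beforehand.
         */
        if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD && xform->next == NULL)
                return -EINVAL;

        if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
                ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_OUTBOUND;
                cipher_xform = xform;
                auth_xform = xform->next;
        } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
                ctl->direction = OTX2_IPSEC_PO_SA_DIRECTION_INBOUND;
                auth_xform = xform;
                cipher_xform = xform->next;
        } else {
                return -EINVAL;
        }

        if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
                if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4)
                        ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_4;
                else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6)
                        ctl->outer_ip_ver = OTX2_IPSEC_PO_SA_IP_VERSION_6;
                else
                        return -EINVAL;
        }

        /* Inner version mirrors the outer one; in transport mode this copies
         * the value ctl already held on entry.
         */
        ctl->inner_ip_ver = ctl->outer_ip_ver;

        if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT)
                ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TRANSPORT;
        else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL)
                ctl->ipsec_mode = OTX2_IPSEC_PO_SA_MODE_TUNNEL;
        else
                return -EINVAL;

        if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
                ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_AH;
        else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP)
                ctl->ipsec_proto = OTX2_IPSEC_PO_SA_PROTOCOL_ESP;
        else
                return -EINVAL;

        /* The AEAD test comes first so that cipher_xform, which may be NULL
         * for a single AEAD transform on ingress, is never dereferenced.
         */
        if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
                if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
                        ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_GCM;
                        aes_key_len = xform->aead.key.length;
                } else {
                        return -ENOTSUP;
                }
        } else if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
                ctl->enc_type = OTX2_IPSEC_PO_SA_ENC_AES_CBC;
                aes_key_len = cipher_xform->cipher.key.length;
        } else {
                return -ENOTSUP;
        }

        switch (aes_key_len) {
        case 16:
                ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_128;
                break;
        case 24:
                ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_192;
                break;
        case 32:
                ctl->aes_key_len = OTX2_IPSEC_PO_SA_AES_KEY_LEN_256;
                break;
        default:
                return -EINVAL;
        }

        /* For AEAD, auth_type is left as it was on entry. */
        if (xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) {
                switch (auth_xform->auth.algo) {
                case RTE_CRYPTO_AUTH_NULL:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_NULL;
                        break;
                case RTE_CRYPTO_AUTH_MD5_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_MD5;
                        break;
                case RTE_CRYPTO_AUTH_SHA1_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA1;
                        break;
                case RTE_CRYPTO_AUTH_SHA224_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_224;
                        break;
                case RTE_CRYPTO_AUTH_SHA256_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_256;
                        break;
                case RTE_CRYPTO_AUTH_SHA384_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_384;
                        break;
                case RTE_CRYPTO_AUTH_SHA512_HMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_SHA2_512;
                        break;
                case RTE_CRYPTO_AUTH_AES_GMAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_GMAC;
                        break;
                case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
                        ctl->auth_type = OTX2_IPSEC_PO_SA_AUTH_AES_XCBC_128;
                        break;
                default:
                        return -ENOTSUP;
                }
        }

        if (ipsec->options.esn)
                ctl->esn_en = 1;

        if (ipsec->options.udp_encap == 1)
                ctl->encap_type = OTX2_IPSEC_PO_SA_ENCAP_UDP;

        /* The SPI is stored big-endian; valid is set last, after every check
         * above has passed.
         */
        ctl->spi = rte_cpu_to_be_32(ipsec->spi);
        ctl->valid = 1;

        return 0;
}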
443
444 #endif /* __OTX2_IPSEC_PO_H__ */