1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(C) 2021 Marvell.
5 #include <rte_cryptodev.h>
6 #include <rte_eventdev.h>
7 #include <rte_security.h>
8 #include <rte_security_driver.h>
10 #include <cn10k_ethdev.h>
11 #include <cnxk_security.h>
14 static struct rte_cryptodev_capabilities cn10k_eth_sec_crypto_caps[] = {
16 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
18 .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
20 .algo = RTE_CRYPTO_AEAD_AES_GCM,
46 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
48 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
50 .algo = RTE_CRYPTO_CIPHER_AES_CBC,
66 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
68 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
70 .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
85 RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
88 static const struct rte_security_capability cn10k_eth_sec_capabilities[] = {
89 { /* IPsec Inline Protocol ESP Tunnel Ingress */
90 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
91 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
93 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
94 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
95 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
98 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
99 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
101 { /* IPsec Inline Protocol ESP Tunnel Egress */
102 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
103 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
105 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
106 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
107 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
110 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
111 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
113 { /* IPsec Inline Protocol ESP Transport Egress */
114 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
115 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
117 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
118 .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
119 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
122 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
123 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
125 { /* IPsec Inline Protocol ESP Transport Ingress */
126 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
127 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
129 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
130 .mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
131 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
134 .crypto_capabilities = cn10k_eth_sec_crypto_caps,
135 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
138 .action = RTE_SECURITY_ACTION_TYPE_NONE
143 cnxk_pktmbuf_free_no_cache(struct rte_mbuf *mbuf)
145 struct rte_mbuf *next;
151 roc_npa_aura_op_free(mbuf->pool->pool_id, 1, (rte_iova_t)mbuf);
153 } while (mbuf != NULL);
157 cn10k_eth_sec_sso_work_cb(uint64_t *gw, void *args, uint32_t soft_exp_event)
159 struct rte_eth_event_ipsec_desc desc;
160 struct cn10k_sec_sess_priv sess_priv;
161 struct cn10k_outb_priv_data *priv;
162 struct roc_ot_ipsec_outb_sa *sa;
163 struct cpt_cn10k_res_s *res;
164 struct rte_eth_dev *eth_dev;
165 struct cnxk_eth_dev *dev;
166 static uint64_t warn_cnt;
167 uint16_t dlen_adj, rlen;
168 struct rte_mbuf *mbuf;
175 switch ((gw[0] >> 28) & 0xF) {
176 case RTE_EVENT_TYPE_ETHDEV:
177 /* Event from inbound inline dev due to IPSEC packet bad L4 */
178 mbuf = (struct rte_mbuf *)(gw[1] - sizeof(struct rte_mbuf));
179 plt_nix_dbg("Received mbuf %p from inline dev inbound", mbuf);
180 cnxk_pktmbuf_free_no_cache(mbuf);
182 case RTE_EVENT_TYPE_CPU:
183 /* Check for subtype */
184 if (((gw[0] >> 20) & 0xFF) == CNXK_ETHDEV_SEC_OUTB_EV_SUB) {
185 /* Event from outbound inline error */
186 mbuf = (struct rte_mbuf *)gw[1];
191 if (soft_exp_event & 0x1) {
192 sa = (struct roc_ot_ipsec_outb_sa *)args;
193 priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(sa);
194 desc.metadata = (uint64_t)priv->userdata;
195 desc.subtype = RTE_ETH_EVENT_IPSEC_SA_TIME_EXPIRY;
196 eth_dev = &rte_eth_devices[soft_exp_event >> 8];
197 rte_eth_dev_callback_process(eth_dev,
198 RTE_ETH_EVENT_IPSEC, &desc);
200 plt_err("Unknown event gw[0] = 0x%016lx, gw[1] = 0x%016lx",
206 /* Get ethdev port from tag */
208 eth_dev = &rte_eth_devices[port];
209 dev = cnxk_eth_pmd_priv(eth_dev);
211 sess_priv.u64 = *rte_security_dynfield(mbuf);
212 /* Calculate dlen adj */
213 dlen_adj = mbuf->pkt_len - mbuf->l2_len;
214 rlen = (dlen_adj + sess_priv.roundup_len) +
215 (sess_priv.roundup_byte - 1);
216 rlen &= ~(uint64_t)(sess_priv.roundup_byte - 1);
217 rlen += sess_priv.partial_len;
218 dlen_adj = rlen - dlen_adj;
220 /* Find the res area residing on next cacheline after end of data */
221 nixtx = rte_pktmbuf_mtod(mbuf, uintptr_t) + mbuf->pkt_len + dlen_adj;
223 nixtx = (nixtx - 1) & ~(BIT_ULL(7) - 1);
224 res = (struct cpt_cn10k_res_s *)nixtx;
226 plt_nix_dbg("Outbound error, mbuf %p, sa_index %u, compcode %x uc %x",
227 mbuf, sess_priv.sa_idx, res->compcode, res->uc_compcode);
229 sess_priv.u64 = *rte_security_dynfield(mbuf);
231 sa_base = dev->outb.sa_base;
232 sa = roc_nix_inl_ot_ipsec_outb_sa(sa_base, sess_priv.sa_idx);
233 priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(sa);
235 memset(&desc, 0, sizeof(desc));
237 switch (res->uc_compcode) {
238 case ROC_IE_OT_UCC_ERR_SA_OVERFLOW:
239 desc.subtype = RTE_ETH_EVENT_IPSEC_ESN_OVERFLOW;
241 case ROC_IE_OT_UCC_ERR_PKT_IP:
243 if (warn_cnt % 10000 == 0)
244 plt_warn("Outbound error, bad ip pkt, mbuf %p,"
245 " sa_index %u (total warnings %" PRIu64 ")",
246 mbuf, sess_priv.sa_idx, warn_cnt);
247 desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
251 if (warn_cnt % 10000 == 0)
252 plt_warn("Outbound error, mbuf %p, sa_index %u,"
253 " compcode %x uc %x,"
254 " (total warnings %" PRIu64 ")",
255 mbuf, sess_priv.sa_idx, res->compcode,
256 res->uc_compcode, warn_cnt);
257 desc.subtype = RTE_ETH_EVENT_IPSEC_UNKNOWN;
261 desc.metadata = (uint64_t)priv->userdata;
262 rte_eth_dev_callback_process(eth_dev, RTE_ETH_EVENT_IPSEC, &desc);
263 cnxk_pktmbuf_free_no_cache(mbuf);
267 outb_dbg_iv_update(struct roc_ot_ipsec_outb_sa *outb_sa, const char *__iv_str)
269 uint8_t *iv_dbg = outb_sa->iv.iv_dbg;
270 char *iv_str = strdup(__iv_str);
271 char *iv_b = NULL, len = 16;
278 if (outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
279 outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR ||
280 outb_sa->w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM ||
281 outb_sa->w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) {
282 memset(outb_sa->iv.s.iv_dbg1, 0, sizeof(outb_sa->iv.s.iv_dbg1));
283 memset(outb_sa->iv.s.iv_dbg2, 0, sizeof(outb_sa->iv.s.iv_dbg2));
285 iv_dbg = outb_sa->iv.s.iv_dbg1;
286 for (i = 0; i < 4; i++) {
287 iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
290 iv_dbg[i] = strtoul(iv_b, NULL, 0);
292 *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
294 iv_dbg = outb_sa->iv.s.iv_dbg2;
295 for (i = 0; i < 4; i++) {
296 iv_b = strtok_r(NULL, ",", &save);
299 iv_dbg[i] = strtoul(iv_b, NULL, 0);
301 *(uint32_t *)iv_dbg = rte_be_to_cpu_32(*(uint32_t *)iv_dbg);
304 iv_dbg = outb_sa->iv.iv_dbg;
305 memset(iv_dbg, 0, sizeof(outb_sa->iv.iv_dbg));
307 for (i = 0; i < len; i++) {
308 iv_b = strtok_r(i ? NULL : iv_str, ",", &save);
311 iv_dbg[i] = strtoul(iv_b, NULL, 0);
313 *(uint64_t *)iv_dbg = rte_be_to_cpu_64(*(uint64_t *)iv_dbg);
314 *(uint64_t *)&iv_dbg[8] =
315 rte_be_to_cpu_64(*(uint64_t *)&iv_dbg[8]);
318 /* Update source of IV */
319 outb_sa->w2.s.iv_src = ROC_IE_OT_SA_IV_SRC_FROM_SA;
324 cn10k_eth_sec_outb_sa_misc_fill(struct roc_nix *roc_nix,
325 struct roc_ot_ipsec_outb_sa *sa, void *sa_cptr,
326 struct rte_security_ipsec_xform *ipsec_xfrm,
329 uint64_t *ring_base, ring_addr;
331 if (ipsec_xfrm->life.bytes_soft_limit |
332 ipsec_xfrm->life.packets_soft_limit) {
333 ring_base = roc_nix_inl_outb_ring_base_get(roc_nix);
334 if (ring_base == NULL)
337 ring_addr = ring_base[sa_idx >>
338 ROC_NIX_SOFT_EXP_ERR_RING_MAX_ENTRY_LOG2];
339 sa->ctx.err_ctl.s.mode = ROC_IE_OT_ERR_CTL_MODE_RING;
340 sa->ctx.err_ctl.s.address = ring_addr >> 3;
341 sa->w0.s.ctx_id = ((uintptr_t)sa_cptr >> 51) & 0x1ff;
348 cn10k_eth_sec_session_create(void *device,
349 struct rte_security_session_conf *conf,
350 struct rte_security_session *sess,
351 struct rte_mempool *mempool)
353 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
354 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
355 struct rte_security_ipsec_xform *ipsec;
356 struct cn10k_sec_sess_priv sess_priv;
357 struct rte_crypto_sym_xform *crypto;
358 struct cnxk_eth_sec_sess *eth_sec;
359 struct roc_nix *nix = &dev->nix;
360 bool inbound, inl_dev;
361 rte_spinlock_t *lock;
362 char tbuf[128] = {0};
365 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
368 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC)
371 if (rte_security_dynfield_register() < 0)
374 if (conf->ipsec.options.ip_reassembly_en &&
375 dev->reass_dynfield_off < 0) {
376 if (rte_eth_ip_reassembly_dynfield_register(&dev->reass_dynfield_off,
377 &dev->reass_dynflag_bit) < 0)
381 ipsec = &conf->ipsec;
382 crypto = conf->crypto_xform;
383 inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
384 inl_dev = !!dev->inb.inl_dev;
386 /* Search if a session already exits */
387 if (cnxk_eth_sec_sess_get_by_spi(dev, ipsec->spi, inbound)) {
388 plt_err("%s SA with SPI %u already in use",
389 inbound ? "Inbound" : "Outbound", ipsec->spi);
393 if (rte_mempool_get(mempool, (void **)ð_sec)) {
394 plt_err("Could not allocate security session private data");
398 memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess));
401 lock = inbound ? &dev->inb.lock : &dev->outb.lock;
402 rte_spinlock_lock(lock);
404 /* Acquire lock on inline dev for inbound */
405 if (inbound && inl_dev)
406 roc_nix_inl_dev_lock();
409 struct roc_ot_ipsec_inb_sa *inb_sa, *inb_sa_dptr;
410 struct cn10k_inb_priv_data *inb_priv;
414 PLT_STATIC_ASSERT(sizeof(struct cn10k_inb_priv_data) <
415 ROC_NIX_INL_OT_IPSEC_INB_SW_RSVD);
417 spi_mask = roc_nix_inl_inb_spi_range(nix, inl_dev, NULL, NULL);
419 /* Get Inbound SA from NIX_RX_IPSEC_SA_BASE */
420 sa = roc_nix_inl_inb_sa_get(nix, inl_dev, ipsec->spi);
421 if (!sa && dev->inb.inl_dev) {
422 snprintf(tbuf, sizeof(tbuf),
423 "Failed to create ingress sa, inline dev "
424 "not found or spi not in range");
428 snprintf(tbuf, sizeof(tbuf),
429 "Failed to create ingress sa");
434 inb_sa = (struct roc_ot_ipsec_inb_sa *)sa;
436 /* Check if SA is already in use */
437 if (inb_sa->w2.s.valid) {
438 snprintf(tbuf, sizeof(tbuf),
439 "Inbound SA with SPI %u already in use",
445 inb_sa_dptr = (struct roc_ot_ipsec_inb_sa *)dev->inb.sa_dptr;
446 memset(inb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_inb_sa));
448 /* Fill inbound sa params */
449 rc = cnxk_ot_ipsec_inb_sa_fill(inb_sa_dptr, ipsec, crypto,
452 snprintf(tbuf, sizeof(tbuf),
453 "Failed to init inbound sa, rc=%d", rc);
457 inb_priv = roc_nix_inl_ot_ipsec_inb_sa_sw_rsvd(inb_sa);
458 /* Back pointer to get eth_sec */
459 inb_priv->eth_sec = eth_sec;
460 /* Save userdata in inb private area */
461 inb_priv->userdata = conf->userdata;
463 /* Save SA index/SPI in cookie for now */
464 inb_sa_dptr->w1.s.cookie =
465 rte_cpu_to_be_32(ipsec->spi & spi_mask);
467 /* Prepare session priv */
468 sess_priv.inb_sa = 1;
469 sess_priv.sa_idx = ipsec->spi & spi_mask;
471 /* Pointer from eth_sec -> inb_sa */
472 eth_sec->sa = inb_sa;
473 eth_sec->sess = sess;
474 eth_sec->sa_idx = ipsec->spi & spi_mask;
475 eth_sec->spi = ipsec->spi;
476 eth_sec->inl_dev = !!dev->inb.inl_dev;
479 TAILQ_INSERT_TAIL(&dev->inb.list, eth_sec, entry);
481 /* Sync session in context cache */
482 rc = roc_nix_inl_ctx_write(&dev->nix, inb_sa_dptr, eth_sec->sa,
484 sizeof(struct roc_ot_ipsec_inb_sa));
488 if (conf->ipsec.options.ip_reassembly_en) {
489 inb_priv->reass_dynfield_off = dev->reass_dynfield_off;
490 inb_priv->reass_dynflag_bit = dev->reass_dynflag_bit;
494 struct roc_ot_ipsec_outb_sa *outb_sa, *outb_sa_dptr;
495 struct cn10k_outb_priv_data *outb_priv;
496 struct cnxk_ipsec_outb_rlens *rlens;
497 uint64_t sa_base = dev->outb.sa_base;
501 PLT_STATIC_ASSERT(sizeof(struct cn10k_outb_priv_data) <
502 ROC_NIX_INL_OT_IPSEC_OUTB_SW_RSVD);
504 /* Alloc an sa index */
505 rc = cnxk_eth_outb_sa_idx_get(dev, &sa_idx);
509 outb_sa = roc_nix_inl_ot_ipsec_outb_sa(sa_base, sa_idx);
510 outb_priv = roc_nix_inl_ot_ipsec_outb_sa_sw_rsvd(outb_sa);
511 rlens = &outb_priv->rlens;
513 outb_sa_dptr = (struct roc_ot_ipsec_outb_sa *)dev->outb.sa_dptr;
514 memset(outb_sa_dptr, 0, sizeof(struct roc_ot_ipsec_outb_sa));
516 /* Fill outbound sa params */
517 rc = cnxk_ot_ipsec_outb_sa_fill(outb_sa_dptr, ipsec, crypto);
519 snprintf(tbuf, sizeof(tbuf),
520 "Failed to init outbound sa, rc=%d", rc);
521 rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx);
525 iv_str = getenv("CN10K_ETH_SEC_IV_OVR");
527 outb_dbg_iv_update(outb_sa_dptr, iv_str);
529 /* Fill outbound sa misc params */
530 rc = cn10k_eth_sec_outb_sa_misc_fill(&dev->nix, outb_sa_dptr,
531 outb_sa, ipsec, sa_idx);
533 snprintf(tbuf, sizeof(tbuf),
534 "Failed to init outb sa misc params, rc=%d",
536 rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx);
541 outb_priv->userdata = conf->userdata;
542 outb_priv->sa_idx = sa_idx;
543 outb_priv->eth_sec = eth_sec;
546 cnxk_ipsec_outb_rlens_get(rlens, ipsec, crypto);
548 /* Prepare session priv */
549 sess_priv.sa_idx = outb_priv->sa_idx;
550 sess_priv.roundup_byte = rlens->roundup_byte;
551 sess_priv.roundup_len = rlens->roundup_len;
552 sess_priv.partial_len = rlens->partial_len;
553 sess_priv.mode = outb_sa_dptr->w2.s.ipsec_mode;
554 sess_priv.outer_ip_ver = outb_sa_dptr->w2.s.outer_ip_ver;
556 /* Pointer from eth_sec -> outb_sa */
557 eth_sec->sa = outb_sa;
558 eth_sec->sess = sess;
559 eth_sec->sa_idx = sa_idx;
560 eth_sec->spi = ipsec->spi;
562 TAILQ_INSERT_TAIL(&dev->outb.list, eth_sec, entry);
564 /* Sync session in context cache */
565 rc = roc_nix_inl_ctx_write(&dev->nix, outb_sa_dptr, eth_sec->sa,
567 sizeof(struct roc_ot_ipsec_outb_sa));
571 if (inbound && inl_dev)
572 roc_nix_inl_dev_unlock();
573 rte_spinlock_unlock(lock);
575 plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u inl_dev=%u",
576 inbound ? "inbound" : "outbound", eth_sec->spi,
577 eth_sec->sa_idx, eth_sec->inl_dev);
579 * Update fast path info in priv area.
581 set_sec_session_private_data(sess, (void *)sess_priv.u64);
585 if (inbound && inl_dev)
586 roc_nix_inl_dev_unlock();
587 rte_spinlock_unlock(lock);
589 rte_mempool_put(mempool, eth_sec);
596 cn10k_eth_sec_session_destroy(void *device, struct rte_security_session *sess)
598 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device;
599 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev);
600 struct cnxk_eth_sec_sess *eth_sec;
601 struct rte_mempool *mp;
602 rte_spinlock_t *lock;
605 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess);
609 lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock;
610 rte_spinlock_lock(lock);
612 if (eth_sec->inl_dev)
613 roc_nix_inl_dev_lock();
617 sa_dptr = dev->inb.sa_dptr;
618 roc_ot_ipsec_inb_sa_init(sa_dptr, true);
620 roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
622 sizeof(struct roc_ot_ipsec_inb_sa));
623 TAILQ_REMOVE(&dev->inb.list, eth_sec, entry);
627 sa_dptr = dev->outb.sa_dptr;
628 roc_ot_ipsec_outb_sa_init(sa_dptr);
630 roc_nix_inl_ctx_write(&dev->nix, sa_dptr, eth_sec->sa,
632 sizeof(struct roc_ot_ipsec_outb_sa));
633 /* Release Outbound SA index */
634 cnxk_eth_outb_sa_idx_put(dev, eth_sec->sa_idx);
635 TAILQ_REMOVE(&dev->outb.list, eth_sec, entry);
638 if (eth_sec->inl_dev)
639 roc_nix_inl_dev_unlock();
641 rte_spinlock_unlock(lock);
643 plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u, inl_dev=%u",
644 eth_sec->inb ? "inbound" : "outbound", eth_sec->spi,
645 eth_sec->sa_idx, eth_sec->inl_dev);
647 /* Put eth_sec object back to pool */
648 mp = rte_mempool_from_obj(eth_sec);
649 set_sec_session_private_data(sess, NULL);
650 rte_mempool_put(mp, eth_sec);
654 static const struct rte_security_capability *
655 cn10k_eth_sec_capabilities_get(void *device __rte_unused)
657 return cn10k_eth_sec_capabilities;
661 cn10k_eth_sec_ops_override(void)
663 static int init_once;
669 /* Update platform specific ops */
670 cnxk_eth_sec_ops.session_create = cn10k_eth_sec_session_create;
671 cnxk_eth_sec_ops.session_destroy = cn10k_eth_sec_session_destroy;
672 cnxk_eth_sec_ops.capabilities_get = cn10k_eth_sec_capabilities_get;