examples/ipsec-secgw/ipsec.c

   1 /* SPDX-License-Identifier: BSD-3-Clause
   2  * Copyright(c) 2016-2020 Intel Corporation
   3  */
   4 #include <sys/types.h>
   5 #include <netinet/in.h>
   6 #include <netinet/ip.h>
   7
   8 #include <rte_branch_prediction.h>
   9 #include <rte_log.h>
  10 #include <rte_crypto.h>
  11 #include <rte_security.h>
  12 #include <rte_cryptodev.h>
  13 #include <rte_ipsec.h>
  14 #include <rte_ethdev.h>
  15 #include <rte_mbuf.h>
  16 #include <rte_hash.h>
  17
  18 #include "ipsec.h"
  19 #include "esp.h"
  20
  21 static inline void
  22 set_ipsec_conf(struct ipsec_sa *sa, struct rte_security_ipsec_xform *ipsec)
  23 {
  24         if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
  25                 struct rte_security_ipsec_tunnel_param *tunnel =
  26                                 &ipsec->tunnel;
  27                 if (IS_IP4_TUNNEL(sa->flags)) {
  28                         tunnel->type =
  29                                 RTE_SECURITY_IPSEC_TUNNEL_IPV4;
  30                         tunnel->ipv4.ttl = IPDEFTTL;
  31
  32                         memcpy((uint8_t *)&tunnel->ipv4.src_ip,
  33                                 (uint8_t *)&sa->src.ip.ip4, 4);
  34
  35                         memcpy((uint8_t *)&tunnel->ipv4.dst_ip,
  36                                 (uint8_t *)&sa->dst.ip.ip4, 4);
  37                 } else if (IS_IP6_TUNNEL(sa->flags)) {
  38                         tunnel->type =
  39                                 RTE_SECURITY_IPSEC_TUNNEL_IPV6;
  40                         tunnel->ipv6.hlimit = IPDEFTTL;
  41                         tunnel->ipv6.dscp = 0;
  42                         tunnel->ipv6.flabel = 0;
  43
  44                         memcpy((uint8_t *)&tunnel->ipv6.src_addr,
  45                                 (uint8_t *)&sa->src.ip.ip6.ip6_b, 16);
  46
  47                         memcpy((uint8_t *)&tunnel->ipv6.dst_addr,
  48                                 (uint8_t *)&sa->dst.ip.ip6.ip6_b, 16);
  49                 }
  50                 /* TODO support for Transport */
  51         }
  52         ipsec->replay_win_sz = app_sa_prm.window_size;
  53         ipsec->options.esn = app_sa_prm.enable_esn;
  54         ipsec->options.udp_encap = sa->udp_encap;
  55 }
  56
  57 int
  58 create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
  59                 struct rte_ipsec_session *ips)
  60 {
  61         struct rte_cryptodev_info cdev_info;
  62         unsigned long cdev_id_qp = 0;
  63         int32_t ret = 0;
  64         struct cdev_key key = { 0 };
  65
  66         key.lcore_id = (uint8_t)rte_lcore_id();
  67
  68         key.cipher_algo = (uint8_t)sa->cipher_algo;
  69         key.auth_algo = (uint8_t)sa->auth_algo;
  70         key.aead_algo = (uint8_t)sa->aead_algo;
  71
  72         ret = rte_hash_lookup_data(ipsec_ctx->cdev_map, &key,
  73                         (void **)&cdev_id_qp);
  74         if (ret < 0) {
  75                 RTE_LOG(ERR, IPSEC,
  76                                 "No cryptodev: core %u, cipher_algo %u, "
  77                                 "auth_algo %u, aead_algo %u\n",
  78                                 key.lcore_id,
  79                                 key.cipher_algo,
  80                                 key.auth_algo,
  81                                 key.aead_algo);
  82                 return -1;
  83         }
  84
  85         RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on cryptodev "
  86                         "%u qp %u\n", sa->spi,
  87                         ipsec_ctx->tbl[cdev_id_qp].id,
  88                         ipsec_ctx->tbl[cdev_id_qp].qp);
  89
  90         if (ips->type != RTE_SECURITY_ACTION_TYPE_NONE &&
  91                 ips->type != RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
  92                 struct rte_security_session_conf sess_conf = {
  93                         .action_type = ips->type,
  94                         .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
  95                         {.ipsec = {
  96                                 .spi = sa->spi,
  97                                 .salt = sa->salt,
  98                                 .options = { 0 },
  99                                 .replay_win_sz = 0,
 100                                 .direction = sa->direction,
 101                                 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
 102                                 .mode = (IS_TUNNEL(sa->flags)) ?
 103                                         RTE_SECURITY_IPSEC_SA_MODE_TUNNEL :
 104                                         RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
 105                         } },
 106                         .crypto_xform = sa->xforms,
 107                         .userdata = NULL,
 108
 109                 };
 110
 111                 if (ips->type == RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
 112                         struct rte_security_ctx *ctx = (struct rte_security_ctx *)
 113                                                         rte_cryptodev_get_sec_ctx(
 114                                                         ipsec_ctx->tbl[cdev_id_qp].id);
 115
 116                         /* Set IPsec parameters in conf */
 117                         set_ipsec_conf(sa, &(sess_conf.ipsec));
 118
 119                         ips->security.ses = rte_security_session_create(ctx,
 120                                         &sess_conf, ipsec_ctx->session_pool,
 121                                         ipsec_ctx->session_priv_pool);
 122                         if (ips->security.ses == NULL) {
 123                                 RTE_LOG(ERR, IPSEC,
 124                                 "SEC Session init failed: err: %d\n", ret);
 125                                 return -1;
 126                         }
 127                 } else {
 128                         RTE_LOG(ERR, IPSEC, "Inline not supported\n");
 129                         return -1;
 130                 }
 131         } else {
 132                 if (ips->type == RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO) {
 133                         struct rte_cryptodev_info info;
 134                         uint16_t cdev_id;
 135
 136                         cdev_id = ipsec_ctx->tbl[cdev_id_qp].id;
 137                         rte_cryptodev_info_get(cdev_id, &info);
 138                         if (!(info.feature_flags &
 139                                 RTE_CRYPTODEV_FF_SYM_CPU_CRYPTO))
 140                                 return -ENOTSUP;
 141
 142                         ips->crypto.dev_id = cdev_id;
 143                 }
 144                 ips->crypto.ses = rte_cryptodev_sym_session_create(
 145                                 ipsec_ctx->session_pool);
 146                 rte_cryptodev_sym_session_init(ipsec_ctx->tbl[cdev_id_qp].id,
 147                                 ips->crypto.ses, sa->xforms,
 148                                 ipsec_ctx->session_priv_pool);
 149
 150                 rte_cryptodev_info_get(ipsec_ctx->tbl[cdev_id_qp].id,
 151                                 &cdev_info);
 152         }
 153
 154         sa->cdev_id_qp = cdev_id_qp;
 155
 156         return 0;
 157 }
 158
 159 int
 160 create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 161                 struct rte_ipsec_session *ips)
 162 {
 163         int32_t ret = 0;
 164         struct rte_security_ctx *sec_ctx;
 165         struct rte_security_session_conf sess_conf = {
 166                 .action_type = ips->type,
 167                 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
 168                 {.ipsec = {
 169                         .spi = sa->spi,
 170                         .salt = sa->salt,
 171                         .options = { 0 },
 172                         .replay_win_sz = 0,
 173                         .direction = sa->direction,
 174                         .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP
 175                 } },
 176                 .crypto_xform = sa->xforms,
 177                 .userdata = NULL,
 178         };
 179
 180         if (IS_TRANSPORT(sa->flags)) {
 181                 sess_conf.ipsec.mode = RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT;
 182                 if (IS_IP4(sa->flags)) {
 183                         sess_conf.ipsec.tunnel.type =
 184                                 RTE_SECURITY_IPSEC_TUNNEL_IPV4;
 185
 186                         sess_conf.ipsec.tunnel.ipv4.src_ip.s_addr =
 187                                 sa->src.ip.ip4;
 188                         sess_conf.ipsec.tunnel.ipv4.dst_ip.s_addr =
 189                                 sa->dst.ip.ip4;
 190                 } else if (IS_IP6(sa->flags)) {
 191                         sess_conf.ipsec.tunnel.type =
 192                                 RTE_SECURITY_IPSEC_TUNNEL_IPV6;
 193
 194                         memcpy(sess_conf.ipsec.tunnel.ipv6.src_addr.s6_addr,
 195                                 sa->src.ip.ip6.ip6_b, 16);
 196                         memcpy(sess_conf.ipsec.tunnel.ipv6.dst_addr.s6_addr,
 197                                 sa->dst.ip.ip6.ip6_b, 16);
 198                 }
 199         } else if (IS_TUNNEL(sa->flags)) {
 200                 sess_conf.ipsec.mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL;
 201
 202                 if (IS_IP4(sa->flags)) {
 203                         sess_conf.ipsec.tunnel.type =
 204                                 RTE_SECURITY_IPSEC_TUNNEL_IPV4;
 205
 206                         sess_conf.ipsec.tunnel.ipv4.src_ip.s_addr =
 207                                 sa->src.ip.ip4;
 208                         sess_conf.ipsec.tunnel.ipv4.dst_ip.s_addr =
 209                                 sa->dst.ip.ip4;
 210                 } else if (IS_IP6(sa->flags)) {
 211                         sess_conf.ipsec.tunnel.type =
 212                                 RTE_SECURITY_IPSEC_TUNNEL_IPV6;
 213
 214                         memcpy(sess_conf.ipsec.tunnel.ipv6.src_addr.s6_addr,
 215                                 sa->src.ip.ip6.ip6_b, 16);
 216                         memcpy(sess_conf.ipsec.tunnel.ipv6.dst_addr.s6_addr,
 217                                 sa->dst.ip.ip6.ip6_b, 16);
 218                 } else {
 219                         RTE_LOG(ERR, IPSEC, "invalid tunnel type\n");
 220                         return -1;
 221                 }
 222         }
 223
 224         if (sa->udp_encap) {
 225                 sess_conf.ipsec.options.udp_encap = 1;
 226                 sess_conf.ipsec.udp.sport = htons(sa->udp.sport);
 227                 sess_conf.ipsec.udp.dport = htons(sa->udp.dport);
 228         }
 229
 230         RTE_LOG_DP(DEBUG, IPSEC, "Create session for SA spi %u on port %u\n",
 231                 sa->spi, sa->portid);
 232
 233         if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO) {
 234                 struct rte_flow_error err;
 235                 const struct rte_security_capability *sec_cap;
 236                 int ret = 0;
 237
 238                 sec_ctx = (struct rte_security_ctx *)
 239                                         rte_eth_dev_get_sec_ctx(
 240                                         sa->portid);
 241                 if (sec_ctx == NULL) {
 242                         RTE_LOG(ERR, IPSEC,
 243                                 " rte_eth_dev_get_sec_ctx failed\n");
 244                         return -1;
 245                 }
 246
 247                 ips->security.ses = rte_security_session_create(sec_ctx,
 248                                 &sess_conf, skt_ctx->session_pool,
 249                                 skt_ctx->session_priv_pool);
 250                 if (ips->security.ses == NULL) {
 251                         RTE_LOG(ERR, IPSEC,
 252                                 "SEC Session init failed: err: %d\n", ret);
 253                         return -1;
 254                 }
 255
 256                 sec_cap = rte_security_capabilities_get(sec_ctx);
 257
 258                 /* iterate until ESP tunnel*/
 259                 while (sec_cap->action != RTE_SECURITY_ACTION_TYPE_NONE) {
 260                         if (sec_cap->action == ips->type &&
 261                             sec_cap->protocol ==
 262                                 RTE_SECURITY_PROTOCOL_IPSEC &&
 263                             sec_cap->ipsec.mode ==
 264                                 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL &&
 265                             sec_cap->ipsec.direction == sa->direction)
 266                                 break;
 267                         sec_cap++;
 268                 }
 269
 270                 if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
 271                         RTE_LOG(ERR, IPSEC,
 272                                 "No suitable security capability found\n");
 273                         return -1;
 274                 }
 275
 276                 ips->security.ol_flags = sec_cap->ol_flags;
 277                 ips->security.ctx = sec_ctx;
 278                 sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
 279
 280                 if (IS_IP6(sa->flags)) {
 281                         sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
 282                         sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
 283                         sa->pattern[1].spec = &sa->ipv6_spec;
 284
 285                         memcpy(sa->ipv6_spec.hdr.dst_addr,
 286                                 sa->dst.ip.ip6.ip6_b, 16);
 287                         memcpy(sa->ipv6_spec.hdr.src_addr,
 288                                sa->src.ip.ip6.ip6_b, 16);
 289                 } else if (IS_IP4(sa->flags)) {
 290                         sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
 291                         sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
 292                         sa->pattern[1].spec = &sa->ipv4_spec;
 293
 294                         sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
 295                         sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
 296                 }
 297
 298                 sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
 299
 300                 if (sa->udp_encap) {
 301
 302                         sa->udp_spec.hdr.dst_port =
 303                                         rte_cpu_to_be_16(sa->udp.dport);
 304                         sa->udp_spec.hdr.src_port =
 305                                         rte_cpu_to_be_16(sa->udp.sport);
 306
 307                         sa->pattern[2].mask = &rte_flow_item_udp_mask;
 308                         sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_UDP;
 309                         sa->pattern[2].spec = &sa->udp_spec;
 310
 311                         sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_ESP;
 312                         sa->pattern[3].spec = &sa->esp_spec;
 313                         sa->pattern[3].mask = &rte_flow_item_esp_mask;
 314
 315                         sa->pattern[4].type = RTE_FLOW_ITEM_TYPE_END;
 316                 } else {
 317                         sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
 318                         sa->pattern[2].spec = &sa->esp_spec;
 319                         sa->pattern[2].mask = &rte_flow_item_esp_mask;
 320
 321                         sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
 322                 }
 323
 324                 sa->action[0].type = RTE_FLOW_ACTION_TYPE_SECURITY;
 325                 sa->action[0].conf = ips->security.ses;
 326
 327                 sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
 328
 329                 sa->attr.egress = (sa->direction ==
 330                                 RTE_SECURITY_IPSEC_SA_DIR_EGRESS);
 331                 sa->attr.ingress = (sa->direction ==
 332                                 RTE_SECURITY_IPSEC_SA_DIR_INGRESS);
 333                 if (sa->attr.ingress) {
 334                         uint8_t rss_key[64];
 335                         struct rte_eth_rss_conf rss_conf = {
 336                                 .rss_key = rss_key,
 337                                 .rss_key_len = sizeof(rss_key),
 338                         };
 339                         struct rte_eth_dev_info dev_info;
 340                         uint16_t queue[RTE_MAX_QUEUES_PER_PORT];
 341                         struct rte_flow_action_rss action_rss;
 342                         unsigned int i;
 343                         unsigned int j;
 344
 345                         /* Don't create flow if default flow is created */
 346                         if (flow_info_tbl[sa->portid].rx_def_flow)
 347                                 return 0;
 348
 349                         ret = rte_eth_dev_info_get(sa->portid, &dev_info);
 350                         if (ret != 0) {
 351                                 RTE_LOG(ERR, IPSEC,
 352                                         "Error during getting device (port %u) info: %s\n",
 353                                         sa->portid, strerror(-ret));
 354                                 return ret;
 355                         }
 356
 357                         sa->action[2].type = RTE_FLOW_ACTION_TYPE_END;
 358                         /* Try RSS. */
 359                         sa->action[1].type = RTE_FLOW_ACTION_TYPE_RSS;
 360                         sa->action[1].conf = &action_rss;
 361                         ret = rte_eth_dev_rss_hash_conf_get(sa->portid,
 362                                         &rss_conf);
 363                         if (ret != 0) {
 364                                 RTE_LOG(ERR, IPSEC,
 365                                         "rte_eth_dev_rss_hash_conf_get:ret=%d\n",
 366                                         ret);
 367                                 return -1;
 368                         }
 369                         for (i = 0, j = 0; i < dev_info.nb_rx_queues; ++i)
 370                                 queue[j++] = i;
 371
 372                         action_rss = (struct rte_flow_action_rss){
 373                                         .types = rss_conf.rss_hf,
 374                                         .key_len = rss_conf.rss_key_len,
 375                                         .queue_num = j,
 376                                         .key = rss_key,
 377                                         .queue = queue,
 378                         };
 379                         ret = rte_flow_validate(sa->portid, &sa->attr,
 380                                                 sa->pattern, sa->action,
 381                                                 &err);
 382                         if (!ret)
 383                                 goto flow_create;
 384                         /* Try Queue. */
 385                         sa->action[1].type = RTE_FLOW_ACTION_TYPE_QUEUE;
 386                         sa->action[1].conf =
 387                                 &(struct rte_flow_action_queue){
 388                                 .index = 0,
 389                         };
 390                         ret = rte_flow_validate(sa->portid, &sa->attr,
 391                                                 sa->pattern, sa->action,
 392                                                 &err);
 393                         /* Try End. */
 394                         sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
 395                         sa->action[1].conf = NULL;
 396                         ret = rte_flow_validate(sa->portid, &sa->attr,
 397                                                 sa->pattern, sa->action,
 398                                                 &err);
 399                         if (ret)
 400                                 goto flow_create_failure;
 401                 } else if (sa->attr.egress &&
 402                                 (ips->security.ol_flags &
 403                                         RTE_SECURITY_TX_HW_TRAILER_OFFLOAD)) {
 404                         sa->action[1].type =
 405                                         RTE_FLOW_ACTION_TYPE_PASSTHRU;
 406                         sa->action[2].type =
 407                                         RTE_FLOW_ACTION_TYPE_END;
 408                 }
 409 flow_create:
 410                 sa->flow = rte_flow_create(sa->portid,
 411                                 &sa->attr, sa->pattern, sa->action, &err);
 412                 if (sa->flow == NULL) {
 413 flow_create_failure:
 414                         RTE_LOG(ERR, IPSEC,
 415                                 "Failed to create ipsec flow msg: %s\n",
 416                                 err.message);
 417                         return -1;
 418                 }
 419         } else if (ips->type == RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) {
 420                 const struct rte_security_capability *sec_cap;
 421
 422                 sec_ctx = (struct rte_security_ctx *)
 423                                 rte_eth_dev_get_sec_ctx(sa->portid);
 424
 425                 if (sec_ctx == NULL) {
 426                         RTE_LOG(ERR, IPSEC,
 427                                 "Ethernet device doesn't have security features registered\n");
 428                         return -1;
 429                 }
 430
 431                 /* Set IPsec parameters in conf */
 432                 set_ipsec_conf(sa, &(sess_conf.ipsec));
 433
 434                 /* Save SA as userdata for the security session. When
 435                  * the packet is received, this userdata will be
 436                  * retrieved using the metadata from the packet.
 437                  *
 438                  * The PMD is expected to set similar metadata for other
 439                  * operations, like rte_eth_event, which are tied to
 440                  * security session. In such cases, the userdata could
 441                  * be obtained to uniquely identify the security
 442                  * parameters denoted.
 443                  */
 444
 445                 sess_conf.userdata = (void *) sa;
 446
 447                 ips->security.ses = rte_security_session_create(sec_ctx,
 448                                         &sess_conf, skt_ctx->session_pool,
 449                                         skt_ctx->session_priv_pool);
 450                 if (ips->security.ses == NULL) {
 451                         RTE_LOG(ERR, IPSEC,
 452                                 "SEC Session init failed: err: %d\n", ret);
 453                         return -1;
 454                 }
 455
 456                 sec_cap = rte_security_capabilities_get(sec_ctx);
 457                 if (sec_cap == NULL) {
 458                         RTE_LOG(ERR, IPSEC,
 459                                 "No capabilities registered\n");
 460                         return -1;
 461                 }
 462
 463                 /* iterate until ESP tunnel*/
 464                 while (sec_cap->action !=
 465                                 RTE_SECURITY_ACTION_TYPE_NONE) {
 466                         if (sec_cap->action == ips->type &&
 467                             sec_cap->protocol ==
 468                                 RTE_SECURITY_PROTOCOL_IPSEC &&
 469                             sec_cap->ipsec.mode ==
 470                                 sess_conf.ipsec.mode &&
 471                             sec_cap->ipsec.direction == sa->direction)
 472                                 break;
 473                         sec_cap++;
 474                 }
 475
 476                 if (sec_cap->action == RTE_SECURITY_ACTION_TYPE_NONE) {
 477                         RTE_LOG(ERR, IPSEC,
 478                                 "No suitable security capability found\n");
 479                         return -1;
 480                 }
 481
 482                 ips->security.ol_flags = sec_cap->ol_flags;
 483                 ips->security.ctx = sec_ctx;
 484         }
 485
 486         return 0;
 487 }
 488
 489 int
 490 create_ipsec_esp_flow(struct ipsec_sa *sa)
 491 {
 492         int ret = 0;
 493         struct rte_flow_error err;
 494         if (sa->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
 495                 RTE_LOG(ERR, IPSEC,
 496                         "No Flow director rule for Egress traffic\n");
 497                 return -1;
 498         }
 499         if (sa->flags == TRANSPORT) {
 500                 RTE_LOG(ERR, IPSEC,
 501                         "No Flow director rule for transport mode\n");
 502                 return -1;
 503         }
 504         sa->action[0].type = RTE_FLOW_ACTION_TYPE_QUEUE;
 505         sa->pattern[0].type = RTE_FLOW_ITEM_TYPE_ETH;
 506         sa->action[0].conf = &(struct rte_flow_action_queue) {
 507                                 .index = sa->fdir_qid,
 508         };
 509         sa->attr.egress = 0;
 510         sa->attr.ingress = 1;
 511         if (IS_IP6(sa->flags)) {
 512                 sa->pattern[1].mask = &rte_flow_item_ipv6_mask;
 513                 sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV6;
 514                 sa->pattern[1].spec = &sa->ipv6_spec;
 515                 memcpy(sa->ipv6_spec.hdr.dst_addr,
 516                         sa->dst.ip.ip6.ip6_b, sizeof(sa->dst.ip.ip6.ip6_b));
 517                 memcpy(sa->ipv6_spec.hdr.src_addr,
 518                         sa->src.ip.ip6.ip6_b, sizeof(sa->src.ip.ip6.ip6_b));
 519                 sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
 520                 sa->pattern[2].spec = &sa->esp_spec;
 521                 sa->pattern[2].mask = &rte_flow_item_esp_mask;
 522                 sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
 523                 sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
 524         } else if (IS_IP4(sa->flags)) {
 525                 sa->pattern[1].mask = &rte_flow_item_ipv4_mask;
 526                 sa->pattern[1].type = RTE_FLOW_ITEM_TYPE_IPV4;
 527                 sa->pattern[1].spec = &sa->ipv4_spec;
 528                 sa->ipv4_spec.hdr.dst_addr = sa->dst.ip.ip4;
 529                 sa->ipv4_spec.hdr.src_addr = sa->src.ip.ip4;
 530                 sa->pattern[2].type = RTE_FLOW_ITEM_TYPE_ESP;
 531                 sa->pattern[2].spec = &sa->esp_spec;
 532                 sa->pattern[2].mask = &rte_flow_item_esp_mask;
 533                 sa->esp_spec.hdr.spi = rte_cpu_to_be_32(sa->spi);
 534                 sa->pattern[3].type = RTE_FLOW_ITEM_TYPE_END;
 535         }
 536         sa->action[1].type = RTE_FLOW_ACTION_TYPE_END;
 537
 538         ret = rte_flow_validate(sa->portid, &sa->attr, sa->pattern, sa->action,
 539                                 &err);
 540         if (ret < 0) {
 541                 RTE_LOG(ERR, IPSEC, "Flow validation failed %s\n", err.message);
 542                 return ret;
 543         }
 544
 545         sa->flow = rte_flow_create(sa->portid, &sa->attr, sa->pattern,
 546                                         sa->action, &err);
 547         if (!sa->flow) {
 548                 RTE_LOG(ERR, IPSEC, "Flow creation failed %s\n", err.message);
 549                 return -1;
 550         }
 551
 552         return 0;
 553 }
 554
 555 /*
 556  * queue crypto-ops into PMD queue.
 557  */
 558 void
 559 enqueue_cop_burst(struct cdev_qp *cqp)
 560 {
 561         uint32_t i, len, ret;
 562
 563         len = cqp->len;
 564         ret = rte_cryptodev_enqueue_burst(cqp->id, cqp->qp, cqp->buf, len);
 565         if (ret < len) {
 566                 RTE_LOG_DP(DEBUG, IPSEC, "Cryptodev %u queue %u:"
 567                         " enqueued %u crypto ops out of %u\n",
 568                         cqp->id, cqp->qp, ret, len);
 569                         /* drop packets that we fail to enqueue */
 570                         for (i = ret; i < len; i++)
 571                                 free_pkts(&cqp->buf[i]->sym->m_src, 1);
 572         }
 573         cqp->in_flight += ret;
 574         cqp->len = 0;
 575 }
 576
 577 static inline void
 578 enqueue_cop(struct cdev_qp *cqp, struct rte_crypto_op *cop)
 579 {
 580         cqp->buf[cqp->len++] = cop;
 581
 582         if (cqp->len == MAX_PKT_BURST)
 583                 enqueue_cop_burst(cqp);
 584 }
 585
 586 static inline void
 587 ipsec_enqueue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
 588                 struct rte_mbuf *pkts[], void *sas[],
 589                 uint16_t nb_pkts)
 590 {
 591         int32_t ret = 0, i;
 592         struct ipsec_mbuf_metadata *priv;
 593         struct rte_crypto_sym_op *sym_cop;
 594         struct ipsec_sa *sa;
 595         struct rte_ipsec_session *ips;
 596
 597         for (i = 0; i < nb_pkts; i++) {
 598                 if (unlikely(sas[i] == NULL)) {
 599                         free_pkts(&pkts[i], 1);
 600                         continue;
 601                 }
 602
 603                 rte_prefetch0(sas[i]);
 604                 rte_prefetch0(pkts[i]);
 605
 606                 priv = get_priv(pkts[i]);
 607                 sa = ipsec_mask_saptr(sas[i]);
 608                 priv->sa = sa;
 609                 ips = ipsec_get_primary_session(sa);
 610
 611                 switch (ips->type) {
 612                 case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL:
 613                         priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
 614                         priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
 615
 616                         rte_prefetch0(&priv->sym_cop);
 617
 618                         if ((unlikely(ips->security.ses == NULL)) &&
 619                                 create_lookaside_session(ipsec_ctx, sa, ips)) {
 620                                 free_pkts(&pkts[i], 1);
 621                                 continue;
 622                         }
 623
 624                         if (unlikely((pkts[i]->packet_type &
 625                                         (RTE_PTYPE_TUNNEL_MASK |
 626                                         RTE_PTYPE_L4_MASK)) ==
 627                                         MBUF_PTYPE_TUNNEL_ESP_IN_UDP &&
 628                                         sa->udp_encap != 1)) {
 629                                 free_pkts(&pkts[i], 1);
 630                                 continue;
 631                         }
 632
 633                         sym_cop = get_sym_cop(&priv->cop);
 634                         sym_cop->m_src = pkts[i];
 635
 636                         rte_security_attach_session(&priv->cop,
 637                                 ips->security.ses);
 638                         break;
 639
 640                 case RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO:
 641                         RTE_LOG(ERR, IPSEC, "CPU crypto is not supported by the"
 642                                         " legacy mode.");
 643                         free_pkts(&pkts[i], 1);
 644                         continue;
 645
 646                 case RTE_SECURITY_ACTION_TYPE_NONE:
 647
 648                         priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
 649                         priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
 650
 651                         rte_prefetch0(&priv->sym_cop);
 652
 653                         if ((unlikely(ips->crypto.ses == NULL)) &&
 654                                 create_lookaside_session(ipsec_ctx, sa, ips)) {
 655                                 free_pkts(&pkts[i], 1);
 656                                 continue;
 657                         }
 658
 659                         rte_crypto_op_attach_sym_session(&priv->cop,
 660                                         ips->crypto.ses);
 661
 662                         ret = xform_func(pkts[i], sa, &priv->cop);
 663                         if (unlikely(ret)) {
 664                                 free_pkts(&pkts[i], 1);
 665                                 continue;
 666                         }
 667                         break;
 668                 case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL:
 669                         RTE_ASSERT(ips->security.ses != NULL);
 670                         ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
 671                         if (ips->security.ol_flags &
 672                                 RTE_SECURITY_TX_OLOAD_NEED_MDATA)
 673                                 rte_security_set_pkt_metadata(
 674                                         ips->security.ctx, ips->security.ses,
 675                                         pkts[i], NULL);
 676                         continue;
 677                 case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO:
 678                         RTE_ASSERT(ips->security.ses != NULL);
 679                         priv->cop.type = RTE_CRYPTO_OP_TYPE_SYMMETRIC;
 680                         priv->cop.status = RTE_CRYPTO_OP_STATUS_NOT_PROCESSED;
 681
 682                         rte_prefetch0(&priv->sym_cop);
 683                         rte_security_attach_session(&priv->cop,
 684                                         ips->security.ses);
 685
 686                         ret = xform_func(pkts[i], sa, &priv->cop);
 687                         if (unlikely(ret)) {
 688                                 free_pkts(&pkts[i], 1);
 689                                 continue;
 690                         }
 691
 692                         ipsec_ctx->ol_pkts[ipsec_ctx->ol_pkts_cnt++] = pkts[i];
 693                         if (ips->security.ol_flags &
 694                                 RTE_SECURITY_TX_OLOAD_NEED_MDATA)
 695                                 rte_security_set_pkt_metadata(
 696                                         ips->security.ctx, ips->security.ses,
 697                                         pkts[i], NULL);
 698                         continue;
 699                 }
 700
 701                 RTE_ASSERT(sa->cdev_id_qp < ipsec_ctx->nb_qps);
 702                 enqueue_cop(&ipsec_ctx->tbl[sa->cdev_id_qp], &priv->cop);
 703         }
 704 }
 705
 706 static inline int32_t
 707 ipsec_inline_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
 708               struct rte_mbuf *pkts[], uint16_t max_pkts)
 709 {
 710         int32_t nb_pkts, ret;
 711         struct ipsec_mbuf_metadata *priv;
 712         struct ipsec_sa *sa;
 713         struct rte_mbuf *pkt;
 714
 715         nb_pkts = 0;
 716         while (ipsec_ctx->ol_pkts_cnt > 0 && nb_pkts < max_pkts) {
 717                 pkt = ipsec_ctx->ol_pkts[--ipsec_ctx->ol_pkts_cnt];
 718                 rte_prefetch0(pkt);
 719                 priv = get_priv(pkt);
 720                 sa = priv->sa;
 721                 ret = xform_func(pkt, sa, &priv->cop);
 722                 if (unlikely(ret)) {
 723                         free_pkts(&pkt, 1);
 724                         continue;
 725                 }
 726                 pkts[nb_pkts++] = pkt;
 727         }
 728
 729         return nb_pkts;
 730 }
 731
 732 static inline int
 733 ipsec_dequeue(ipsec_xform_fn xform_func, struct ipsec_ctx *ipsec_ctx,
 734               struct rte_mbuf *pkts[], uint16_t max_pkts)
 735 {
 736         int32_t nb_pkts = 0, ret = 0, i, j, nb_cops;
 737         struct ipsec_mbuf_metadata *priv;
 738         struct rte_crypto_op *cops[max_pkts];
 739         struct ipsec_sa *sa;
 740         struct rte_mbuf *pkt;
 741
 742         for (i = 0; i < ipsec_ctx->nb_qps && nb_pkts < max_pkts; i++) {
 743                 struct cdev_qp *cqp;
 744
 745                 cqp = &ipsec_ctx->tbl[ipsec_ctx->last_qp++];
 746                 if (ipsec_ctx->last_qp == ipsec_ctx->nb_qps)
 747                         ipsec_ctx->last_qp %= ipsec_ctx->nb_qps;
 748
 749                 if (cqp->in_flight == 0)
 750                         continue;
 751
 752                 nb_cops = rte_cryptodev_dequeue_burst(cqp->id, cqp->qp,
 753                                 cops, max_pkts - nb_pkts);
 754
 755                 cqp->in_flight -= nb_cops;
 756
 757                 for (j = 0; j < nb_cops; j++) {
 758                         pkt = cops[j]->sym->m_src;
 759                         rte_prefetch0(pkt);
 760
 761                         priv = get_priv(pkt);
 762                         sa = priv->sa;
 763
 764                         RTE_ASSERT(sa != NULL);
 765
 766                         if (ipsec_get_action_type(sa) ==
 767                                 RTE_SECURITY_ACTION_TYPE_NONE) {
 768                                 ret = xform_func(pkt, sa, cops[j]);
 769                                 if (unlikely(ret)) {
 770                                         free_pkts(&pkt, 1);
 771                                         continue;
 772                                 }
 773                         } else if (ipsec_get_action_type(sa) ==
 774                                 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL) {
 775                                 if (cops[j]->status) {
 776                                         free_pkts(&pkt, 1);
 777                                         continue;
 778                                 }
 779                         }
 780                         pkts[nb_pkts++] = pkt;
 781                 }
 782         }
 783
 784         /* return packets */
 785         return nb_pkts;
 786 }
 787
 788 uint16_t
 789 ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 790                 uint16_t nb_pkts, uint16_t len)
 791 {
 792         void *sas[nb_pkts];
 793
 794         inbound_sa_lookup(ctx->sa_ctx, pkts, sas, nb_pkts);
 795
 796         ipsec_enqueue(esp_inbound, ctx, pkts, sas, nb_pkts);
 797
 798         return ipsec_inline_dequeue(esp_inbound_post, ctx, pkts, len);
 799 }
 800
 801 uint16_t
 802 ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 803                 uint16_t len)
 804 {
 805         return ipsec_dequeue(esp_inbound_post, ctx, pkts, len);
 806 }
 807
 808 uint16_t
 809 ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 810                 uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len)
 811 {
 812         void *sas[nb_pkts];
 813
 814         outbound_sa_lookup(ctx->sa_ctx, sa_idx, sas, nb_pkts);
 815
 816         ipsec_enqueue(esp_outbound, ctx, pkts, sas, nb_pkts);
 817
 818         return ipsec_inline_dequeue(esp_outbound_post, ctx, pkts, len);
 819 }
 820
 821 uint16_t
 822 ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 823                 uint16_t len)
 824 {
 825         return ipsec_dequeue(esp_outbound_post, ctx, pkts, len);
 826 }