1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright(c) 2016-2017 Intel Corporation
10 #include <rte_byteorder.h>
11 #include <rte_crypto.h>
12 #include <rte_ip_frag.h>
13 #include <rte_security.h>
15 #include <rte_ipsec.h>
17 #include "ipsec-secgw.h"
19 #define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
20 #define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
22 #define MAX_INFLIGHT 128
23 #define MAX_QP_PER_LCORE 256
25 #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
27 #define IV_OFFSET (sizeof(struct rte_crypto_op) + \
28 sizeof(struct rte_crypto_sym_op))
30 #define DEFAULT_MAX_CATEGORIES 1
32 #define INVALID_SPI (0)
34 #define DISCARD INVALID_SPI
35 #define BYPASS UINT32_MAX
37 #define IPSEC_XFORM_MAX 2
39 #define IP6_VERSION (6)
41 #define SATP_OUT_IPV4(t) \
42 ((((t) & RTE_IPSEC_SATP_MODE_MASK) == RTE_IPSEC_SATP_MODE_TRANS && \
43 (((t) & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4)) || \
44 ((t) & RTE_IPSEC_SATP_MODE_MASK) == RTE_IPSEC_SATP_MODE_TUNLV4)
46 struct rte_crypto_xform;
52 * Keeps number of configured SA's for each address family:
59 typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
60 struct rte_crypto_op *cop);
72 #define MAX_KEY_SIZE 64
74 * application wide SA parameters
77 uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
78 uint32_t window_size; /* replay window size */
79 uint32_t enable_esn; /* enable/disable ESN support */
80 uint32_t cache_sz; /* per lcore SA cache size */
81 uint32_t udp_encap; /* enable/disable UDP Encapsulation */
82 uint64_t flags; /* rte_ipsec_sa_prm.flags */
85 extern struct app_sa_prm app_sa_prm;
88 struct rte_flow *rx_def_flow;
91 extern struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
94 IPSEC_SESSION_PRIMARY = 0,
95 IPSEC_SESSION_FALLBACK = 1,
99 #define IPSEC_SA_OFFLOAD_FALLBACK_FLAG (1)
101 static inline struct ipsec_sa *
102 ipsec_mask_saptr(void *ptr)
104 uintptr_t i = (uintptr_t)ptr;
105 static const uintptr_t mask = IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
109 return (struct ipsec_sa *)i;
113 struct rte_ipsec_session sessions[IPSEC_SESSION_MAX];
115 struct cdev_qp *cqp[RTE_MAX_LCORE];
118 uint32_t fallback_sessions;
119 enum rte_crypto_cipher_algorithm cipher_algo;
120 enum rte_crypto_auth_algorithm auth_algo;
121 enum rte_crypto_aead_algorithm aead_algo;
126 #define IP4_TUNNEL (1 << 0)
127 #define IP6_TUNNEL (1 << 1)
128 #define TRANSPORT (1 << 2)
129 #define IP4_TRANSPORT (1 << 3)
130 #define IP6_TRANSPORT (1 << 4)
131 #define SA_TELEMETRY_ENABLE (1 << 5)
139 uint8_t cipher_key[MAX_KEY_SIZE];
140 uint16_t cipher_key_len;
141 uint8_t auth_key[MAX_KEY_SIZE];
142 uint16_t auth_key_len;
145 struct rte_crypto_sym_xform *xforms;
146 struct rte_security_ipsec_xform *sec_xform;
148 enum rte_security_ipsec_sa_direction direction;
156 #define MAX_RTE_FLOW_PATTERN (5)
157 #define MAX_RTE_FLOW_ACTIONS (3)
158 struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
159 struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
160 struct rte_flow_attr attr;
162 struct rte_flow_item_ipv4 ipv4_spec;
163 struct rte_flow_item_ipv6 ipv6_spec;
165 struct rte_flow_item_udp udp_spec;
166 struct rte_flow_item_esp esp_spec;
167 struct rte_flow *flow;
168 struct rte_security_session_conf sess_conf;
169 } __rte_cache_aligned;
172 struct rte_crypto_sym_xform a;
173 struct rte_crypto_sym_xform b;
177 struct rte_ipsec_sad *sad_v4;
178 struct rte_ipsec_sad *sad_v6;
182 void *satbl; /* pointer to array of rte_ipsec_sa objects*/
183 struct ipsec_sad sad;
186 struct ipsec_sa sa[];
189 struct ipsec_mbuf_metadata {
191 struct rte_crypto_op cop;
192 struct rte_crypto_sym_op sym_cop;
194 } __rte_cache_aligned;
196 #define IS_TRANSPORT(flags) ((flags) & TRANSPORT)
198 #define IS_TUNNEL(flags) ((flags) & (IP4_TUNNEL | IP6_TUNNEL))
200 #define IS_IP4(flags) ((flags) & (IP4_TUNNEL | IP4_TRANSPORT))
202 #define IS_IP6(flags) ((flags) & (IP6_TUNNEL | IP6_TRANSPORT))
204 #define IS_IP4_TUNNEL(flags) ((flags) & IP4_TUNNEL)
206 #define IS_IP6_TUNNEL(flags) ((flags) & IP6_TUNNEL)
209 * Macro for getting ipsec_sa flags statuses without version of protocol
210 * used for transport (IP4_TRANSPORT and IP6_TRANSPORT flags).
212 #define WITHOUT_TRANSPORT_VERSION(flags) \
213 ((flags) & (IP4_TUNNEL | \
222 struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
226 struct rte_hash *cdev_map;
227 struct sp_ctx *sp4_ctx;
228 struct sp_ctx *sp6_ctx;
229 struct sa_ctx *sa_ctx;
232 struct cdev_qp tbl[MAX_QP_PER_LCORE];
233 struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
234 uint16_t ol_pkts_cnt;
235 uint64_t ipv4_offloads;
236 uint64_t ipv6_offloads;
248 struct sa_ctx *sa_in;
249 struct sa_ctx *sa_out;
250 struct sp_ctx *sp_ip4_in;
251 struct sp_ctx *sp_ip4_out;
252 struct sp_ctx *sp_ip6_in;
253 struct sp_ctx *sp_ip6_out;
254 struct rt_ctx *rt_ip4;
255 struct rt_ctx *rt_ip6;
256 struct rte_mempool *mbuf_pool[RTE_MAX_ETHPORTS];
257 struct rte_mempool *mbuf_pool_indir;
258 struct rte_mempool *session_pool;
259 struct rte_mempool *session_priv_pool;
268 struct lcore_rx_queue {
271 struct rte_security_ctx *sec_ctx;
272 } __rte_cache_aligned;
276 struct rte_mbuf *m_table[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
280 uint16_t nb_rx_queue;
281 struct lcore_rx_queue rx_queue_list[MAX_RX_QUEUE_PER_LCORE];
282 uint16_t tx_queue_id[RTE_MAX_ETHPORTS];
283 struct buffer tx_mbufs[RTE_MAX_ETHPORTS];
284 struct ipsec_ctx inbound;
285 struct ipsec_ctx outbound;
286 struct rt_ctx *rt4_ctx;
287 struct rt_ctx *rt6_ctx;
289 struct rte_ip_frag_tbl *tbl;
290 struct rte_mempool *pool_indir;
291 struct rte_ip_frag_death_row dr;
293 } __rte_cache_aligned;
295 extern struct lcore_conf lcore_conf[RTE_MAX_LCORE];
298 extern struct socket_ctx socket_ctx[NB_SOCKETS];
301 ipsec_poll_mode_worker(void);
304 ipsec_launch_one_lcore(void *args);
306 extern struct ipsec_sa *sa_out;
307 extern uint32_t nb_sa_out;
309 extern struct ipsec_sa *sa_in;
310 extern uint32_t nb_sa_in;
313 ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
314 uint16_t nb_pkts, uint16_t len);
317 ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
318 uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
321 ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
325 ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
329 ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
332 ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
334 static inline uint16_t
335 ipsec_metadata_size(void)
337 return sizeof(struct ipsec_mbuf_metadata);
340 static inline struct ipsec_mbuf_metadata *
341 get_priv(struct rte_mbuf *m)
343 return rte_mbuf_to_priv(m);
347 get_cnt_blk(struct rte_mbuf *m)
349 struct ipsec_mbuf_metadata *priv = get_priv(m);
351 return &priv->buf[0];
355 get_aad(struct rte_mbuf *m)
357 struct ipsec_mbuf_metadata *priv = get_priv(m);
359 return &priv->buf[16];
363 get_sym_cop(struct rte_crypto_op *cop)
368 static inline struct rte_ipsec_session *
369 ipsec_get_primary_session(struct ipsec_sa *sa)
371 return &sa->sessions[IPSEC_SESSION_PRIMARY];
374 static inline struct rte_ipsec_session *
375 ipsec_get_fallback_session(struct ipsec_sa *sa)
377 return &sa->sessions[IPSEC_SESSION_FALLBACK];
380 static inline enum rte_security_session_action_type
381 ipsec_get_action_type(struct ipsec_sa *sa)
383 struct rte_ipsec_session *ips;
384 ips = ipsec_get_primary_session(sa);
389 inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
392 inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
393 void *sa[], uint16_t nb_pkts);
396 outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
397 void *sa[], uint16_t nb_pkts);
400 sp4_init(struct socket_ctx *ctx, int32_t socket_id);
403 sp6_init(struct socket_ctx *ctx, int32_t socket_id);
406 * Search through SP rules for given SPI.
407 * Returns first rule index if found(greater or equal then zero),
408 * or -ENOENT otherwise.
411 sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
414 sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
418 * Search through SA entries for given SPI.
419 * Returns first entry index if found(greater or equal then zero),
420 * or -ENOENT otherwise.
423 sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound);
426 sa_init(struct socket_ctx *ctx, int32_t socket_id,
427 struct lcore_conf *lcore_conf);
430 rt_init(struct socket_ctx *ctx, int32_t socket_id);
433 sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
434 uint64_t *tx_offloads);
437 add_dst_ethaddr(uint16_t port, const struct rte_ether_addr *addr);
440 enqueue_cop_burst(struct cdev_qp *cqp);
443 create_lookaside_session(struct ipsec_ctx *ipsec_ctx[],
444 struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
445 struct rte_ipsec_session *ips);
448 create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
449 struct rte_ipsec_session *ips);
451 check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
454 create_ipsec_esp_flow(struct ipsec_sa *sa);
457 get_nb_crypto_sessions(void);
459 #endif /* __IPSEC_H__ */