/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2001-2021 Intel Corporation
 */

#ifndef _VIRTCHNL_INLINE_IPSEC_H_
#define _VIRTCHNL_INLINE_IPSEC_H_

/* Wire-format definitions for the VF <-> PF inline IPsec virtchnl messages.
 *
 * This header has no includes of its own: it relies on the includer to have
 * already defined the fixed-width aliases u8/u16/u32/u64, the BIT() macro and
 * the __rte_packed_begin/__rte_packed_end packing markers. The structures
 * below are exchanged between VF and PF, so their layout is ABI: do not
 * reorder, resize or pad fields.
 */

#define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM	3
#define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM		16
#define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM		128
#define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER	2
#define VIRTCHNL_IPSEC_MAX_KEY_LEN		128
#define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM	8
#define VIRTCHNL_IPSEC_SA_DESTROY		0
#define VIRTCHNL_IPSEC_BROADCAST_VFID		0xFFFFFFFF
/* req_id is a u16 in inline_ipsec_msg, so 0xFFFF is its all-ones value */
#define VIRTCHNL_IPSEC_INVALID_REQ_ID		0xFFFF
#define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP	0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP	0xFFFFFFFF

/* crypto type */
#define VIRTCHNL_AUTH		1
#define VIRTCHNL_CIPHER		2
#define VIRTCHNL_AEAD		3

/* caps enabled (bitmap carried in virtchnl_ipsec_cap.caps_enabled) */
#define VIRTCHNL_IPSEC_ESN_ENA			BIT(0)
#define VIRTCHNL_IPSEC_UDP_ENCAP_ENA		BIT(1)
#define VIRTCHNL_IPSEC_SA_INDEX_SW_ENA		BIT(2)
#define VIRTCHNL_IPSEC_AUDIT_ENA		BIT(3)
#define VIRTCHNL_IPSEC_BYTE_LIMIT_ENA		BIT(4)
#define VIRTCHNL_IPSEC_DROP_ON_AUTH_FAIL_ENA	BIT(5)
#define VIRTCHNL_IPSEC_ARW_CHECK_ENA		BIT(6)
#define VIRTCHNL_IPSEC_24BIT_SPI_ENA		BIT(7)

/* algorithm type
 *
 * This table only enumerates what the virtchnl can express; which entries a
 * PF actually advertises (virtchnl_algo_cap) or accepts is decided by the
 * drivers, not here. MD5-HMAC, SHA1-HMAC and 3DES-CBC are legacy choices
 * (see RFC 8221 for current IPsec algorithm requirements).
 */
/* Hash Algorithm */
#define VIRTCHNL_HASH_NO_ALG		0 /* NULL algorithm */
#define VIRTCHNL_AES_CBC_MAC		1 /* AES-CBC-MAC algorithm */
#define VIRTCHNL_AES_CMAC		2 /* AES CMAC algorithm */
#define VIRTCHNL_AES_GMAC		3 /* AES GMAC algorithm */
#define VIRTCHNL_AES_XCBC_MAC		4 /* AES XCBC algorithm */
#define VIRTCHNL_MD5_HMAC		5 /* HMAC using MD5 algorithm */
#define VIRTCHNL_SHA1_HMAC		6 /* HMAC using SHA-1 (160 bit digest) algorithm */
#define VIRTCHNL_SHA224_HMAC		7 /* HMAC using 224 bit SHA algorithm */
#define VIRTCHNL_SHA256_HMAC		8 /* HMAC using 256 bit SHA algorithm */
#define VIRTCHNL_SHA384_HMAC		9 /* HMAC using 384 bit SHA algorithm */
#define VIRTCHNL_SHA512_HMAC		10 /* HMAC using 512 bit SHA algorithm */
#define VIRTCHNL_SHA3_224_HMAC		11 /* HMAC using 224 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_256_HMAC		12 /* HMAC using 256 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_384_HMAC		13 /* HMAC using 384 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_512_HMAC		14 /* HMAC using 512 bit SHA3 algorithm */
/* Cipher Algorithm */
#define VIRTCHNL_CIPHER_NO_ALG		15 /* NULL algorithm */
#define VIRTCHNL_3DES_CBC		16 /* Triple DES algorithm in CBC mode */
#define VIRTCHNL_AES_CBC		17 /* AES algorithm in CBC mode */
#define VIRTCHNL_AES_CTR		18 /* AES algorithm in Counter mode */
/* AEAD Algorithm */
#define VIRTCHNL_AES_CCM		19 /* AES algorithm in CCM mode */
#define VIRTCHNL_AES_GCM		20 /* AES algorithm in GCM mode */
#define VIRTCHNL_CHACHA20_POLY1305	21 /* algorithm of ChaCha20-Poly1305 */

/* protocol type */
#define VIRTCHNL_PROTO_ESP	1
#define VIRTCHNL_PROTO_AH	2
#define VIRTCHNL_PROTO_RSVD1	3

/* sa mode */
#define VIRTCHNL_SA_MODE_TRANSPORT	1
#define VIRTCHNL_SA_MODE_TUNNEL		2
#define VIRTCHNL_SA_MODE_TRAN_TUN	3
#define VIRTCHNL_SA_MODE_UNKNOWN	4

/* sa direction */
#define VIRTCHNL_DIR_INGRESS		1
#define VIRTCHNL_DIR_EGRESS		2
#define VIRTCHNL_DIR_INGRESS_EGRESS	3

/* sa termination */
#define VIRTCHNL_TERM_SOFTWARE	1
#define VIRTCHNL_TERM_HARDWARE	2

/* sa ip type */
#define VIRTCHNL_IPV4	1
#define VIRTCHNL_IPV6	2

/* for virtchnl_ipsec_resp
 * Zero is success; every error is negative. Note that virtchnl_ipsec_resp
 * stores this in a u32, so the receiver has to sign-convert before comparing.
 */
enum inline_ipsec_resp {
	INLINE_IPSEC_SUCCESS = 0,
	INLINE_IPSEC_FAIL = -1,
	INLINE_IPSEC_ERR_FIFO_FULL = -2,
	INLINE_IPSEC_ERR_NOT_READY = -3,
	INLINE_IPSEC_ERR_VF_DOWN = -4,
	INLINE_IPSEC_ERR_INVALID_PARAMS = -5,
	INLINE_IPSEC_ERR_NO_MEM = -6,
};

/* Detailed opcodes for DPDK and IPsec use
 * (carried in inline_ipsec_msg.ipsec_opcode; see
 * virtchnl_inline_ipsec_val_msg_len for the payload each one implies)
 */
enum inline_ipsec_ops {
	INLINE_IPSEC_OP_GET_CAP = 0,
	INLINE_IPSEC_OP_GET_STATUS = 1,
	INLINE_IPSEC_OP_SA_CREATE = 2,
	INLINE_IPSEC_OP_SA_UPDATE = 3,
	INLINE_IPSEC_OP_SA_DESTROY = 4,
	INLINE_IPSEC_OP_SP_CREATE = 5,
	INLINE_IPSEC_OP_SP_DESTROY = 6,
	INLINE_IPSEC_OP_SA_READ = 7,
	INLINE_IPSEC_OP_EVENT = 8,
	INLINE_IPSEC_OP_RESP = 9,
};

/* Capability of one algorithm. Not every field applies to every algorithm;
 * a field that does not apply is set to all-ones (every bit 1).
 */
struct __rte_packed_begin virtchnl_algo_cap {
	u32 algo_type; /* value ref the algorithm type table above */

	u16 block_size;

	u16 min_key_size;
	u16 max_key_size;
	u16 inc_key_size;

	u16 min_iv_size;
	u16 max_iv_size;
	u16 inc_iv_size;

	u16 min_digest_size;
	u16 max_digest_size;
	u16 inc_digest_size;

	u16 min_aad_size;
	u16 max_aad_size;
	u16 inc_aad_size;
} __rte_packed_end;

/* vf record the capability of crypto from the virtchnl
 * NOTE(review): algo_cap_num is taken from the PF reply; the receiver should
 * clamp it to VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM before indexing algo_cap_list.
 */
struct __rte_packed_begin virtchnl_sym_crypto_cap {
	u8 crypto_type; /* value ref VIRTCHNL_AUTH/CIPHER/AEAD */
	u8 algo_cap_num; /* number of valid entries in algo_cap_list */
	struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
} __rte_packed_end;

/* VIRTCHNL_OP_GET_IPSEC_CAP
 * VF pass virtchnl_ipsec_cap to PF
 * and PF return capability of ipsec from virtchnl.
 */
struct __rte_packed_begin virtchnl_ipsec_cap {
	/* max number of SA per VF */
	u16 max_sa_num;

	/* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
	u8 virtchnl_protocol_type;

	/* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
	u8 virtchnl_sa_mode;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 termination_mode;

	/* number of supported crypto capability
	 * (valid entries in cap[]; clamp to VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM
	 * before use, the value comes from the peer)
	 */
	u8 crypto_cap_num;

	/* descriptor ID */
	u16 desc_id;

	/* capabilities enabled - value ref VIRTCHNL_IPSEC_XXX_ENA */
	u32 caps_enabled;

	/* crypto capabilities */
	struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
} __rte_packed_end;

/* configuration of crypto function
 *
 * NOTE(review): this item carries raw symmetric key material (key_data, plus
 * the salt) across the VF/PF channel. Any buffer that held a
 * virtchnl_ipsec_sa_cfg should be cleared with an explicit-zeroing primitive
 * once the message has been sent; the SA_READ reply deliberately reports salt
 * and keys as 0 (see virtchnl_ipsec_sa_read).
 */
struct __rte_packed_begin virtchnl_ipsec_crypto_cfg_item {
	u8 crypto_type; /* value ref VIRTCHNL_AUTH/CIPHER/AEAD */

	u32 algo_type; /* value ref the algorithm type table above */

	/* Length of valid IV data. */
	u16 iv_len;

	/* Length of digest */
	u16 digest_len;

	/* SA salt */
	u32 salt;

	/* The length of the symmetric key
	 * (bytes of key_data that are valid; must not exceed
	 * VIRTCHNL_IPSEC_MAX_KEY_LEN, the array's fixed size)
	 */
	u16 key_len;

	/* key data buffer */
	u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
} __rte_packed_end;

/* Up to two crypto items (e.g. one AUTH plus one CIPHER, or a single AEAD —
 * presumably; the pairing rule is not defined in this header).
 */
struct virtchnl_ipsec_sym_crypto_cfg {
	struct virtchnl_ipsec_crypto_cfg_item
		items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
};

/* VIRTCHNL_OP_IPSEC_SA_CREATE
 * VF send this SA configuration to PF using virtchnl;
 * PF create SA as configuration and PF driver will return
 * a unique index (sa_idx) for the created SA.
 */
struct __rte_packed_begin virtchnl_ipsec_sa_cfg {
	/* IPsec SA Protocol - AH/ESP */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* type of outer IP - IPv4/IPv6 */
	u8 virtchnl_ip_type;

	/* type of esn - !0:enable/0:disable */
	u8 esn_enabled;

	/* udp encap - !0:enable/0:disable */
	u8 udp_encap_enabled;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* reserved */
	u8 reserved1;

	/* SA security parameter index */
	u32 spi;

	/* outer src ip address */
	u8 src_addr[16];

	/* outer dst ip address */
	u8 dst_addr[16];

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* high 32 bits of esn */
	u32 esn_hi;

	/* low 32 bits of esn */
	u32 esn_low;

	/* When enabled, sa_index must be valid */
	u8 sa_index_en;

	/* SA index when sa_index_en is true */
	u32 sa_index;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When enabled, byte_limit_hard and byte_limit_soft
	 * must be valid.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When enabled, arw_size must be valid.
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128
	 */
	u8 arw_size;

	/* no ip offload mode - enable/disable
	 * When enabled, ip type and address must not be valid.
	 */
	u8 no_ip_offload_en;

	/* SA Domain. Used to logically separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* crypto configuration */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
} __rte_packed_end;

/* VIRTCHNL_OP_IPSEC_SA_UPDATE
 * VF send configuration of index of SA to PF
 * PF will update SA according to configuration
 */
struct __rte_packed_begin virtchnl_ipsec_sa_update {
	u32 sa_index;	/* SA to update */
	u32 esn_hi;	/* high 32 bits of esn */
	u32 esn_low;	/* low 32 bits of esn */
} __rte_packed_end;

/* VIRTCHNL_OP_IPSEC_SA_DESTROY
 * VF send configuration of index of SA to PF
 * PF will destroy SA according to configuration
 * flag bitmap indicate all SA or just selected SA will
 * be destroyed
 */
struct __rte_packed_begin virtchnl_ipsec_sa_destroy {
	/* All zero bitmap indicates all SA will be destroyed.
	 * Non-zero bitmap indicates the selected SA in
	 * array sa_index will be destroyed.
	 * (presumably bit i selects sa_index[i]; the 8 bits match
	 * VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM — confirm against the PF driver)
	 */
	u8 flag;

	/* selected SA index */
	u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
} __rte_packed_end;

/* VIRTCHNL_OP_IPSEC_SA_READ
 * VF send this SA configuration to PF using virtchnl;
 * PF read SA and will return configuration for the created SA.
 */
struct __rte_packed_begin virtchnl_ipsec_sa_read {
	/* SA valid - invalid/valid */
	u8 valid;

	/* SA active - inactive/active */
	u8 active;

	/* SA SN rollover - not_rollover/rollover */
	u8 sn_rollover;

	/* IPsec SA Protocol - AH/ESP */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When set to limit, byte_limit_hard and byte_limit_soft
	 * must be valid.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When set to check, arw_size, arw_top, and arw must be valid
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128
	 */
	u8 arw_size;

	/* reserved */
	u8 reserved1;

	/* top of anti-replay-window */
	u64 arw_top;

	/* anti-replay-window (128-bit bitmap, matching the max window of 128) */
	u8 arw[16];

	/* packets processed */
	u64 packets_processed;

	/* bytes processed */
	u64 bytes_processed;

	/* packets dropped */
	u32 packets_dropped;

	/* authentication failures */
	u32 auth_fails;

	/* ARW check failures */
	u32 arw_fails;

	/* type of esn - enable/disable */
	u8 esn;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* SA security parameter index */
	u32 spi;

	/* SA salt */
	u32 salt;

	/* high 32 bits of esn */
	u32 esn_hi;

	/* low 32 bits of esn */
	u32 esn_low;

	/* SA Domain. Used to logically separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* crypto configuration. Salt and keys are set to 0
	 * (key material is never echoed back over the channel)
	 */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
} __rte_packed_end;


#define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV4	(0)
#define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV6	(1)

/* Add allowlist entry in IES */
struct __rte_packed_begin virtchnl_ipsec_sp_cfg {
	u32 spi;
	u32 dip[4]; /* destination IP; 4 x u32 so an IPv6 address fits — presumably, table_id selects the family */

	/* Drop frame if true or redirect to QAT if false. */
	u8 drop;

	/* Congestion domain. For future use. */
	u8 cgd;

	/* 0 for IPv4 table, 1 for IPv6 table.
	 * (value ref VIRTCHNL_IPSEC_INBOUND_SPD_TBL_XXX)
	 */
	u8 table_id;

	/* Set TC (congestion domain) if true. For future use. */
	u8 set_tc;

	/* 0 for NAT-T unsupported, 1 for NAT-T supported */
	u8 is_udp;

	/* reserved */
	u8 reserved;

	/* NAT-T UDP port number. Only valid in case NAT-T supported */
	u16 udp_port;
} __rte_packed_end;


/* Delete allowlist entry in IES */
struct __rte_packed_begin virtchnl_ipsec_sp_destroy {
	/* 0 for IPv4 table, 1 for IPv6 table.
	 * (value ref VIRTCHNL_IPSEC_INBOUND_SPD_TBL_XXX)
	 */
	u8 table_id;
	u32 rule_id; /* as returned in virtchnl_ipsec_sp_cfg_resp */
} __rte_packed_end;

/* Response from IES to allowlist operations */
struct virtchnl_ipsec_sp_cfg_resp {
	u32 rule_id; /* VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP on failure */
};

struct virtchnl_ipsec_sa_cfg_resp {
	u32 sa_handle; /* VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP on failure */
};

#define INLINE_IPSEC_EVENT_RESET	0x1
#define INLINE_IPSEC_EVENT_CRYPTO_ON	0x2
#define INLINE_IPSEC_EVENT_CRYPTO_OFF	0x4

struct virtchnl_ipsec_event {
	u32 ipsec_event_data; /* value ref INLINE_IPSEC_EVENT_XXX */
};

#define INLINE_IPSEC_STATUS_AVAILABLE	0x1
#define INLINE_IPSEC_STATUS_UNAVAILABLE	0x2

struct virtchnl_ipsec_status {
	u32 status; /* value ref INLINE_IPSEC_STATUS_XXX */
};

struct virtchnl_ipsec_resp {
	u32 resp; /* an enum inline_ipsec_resp value, stored unsigned */
};

/* Internal message descriptor for VF <-> IPsec communication
 *
 * The union members are GNU zero-length arrays (a flexible array member is not
 * allowed inside a union), so they contribute nothing to
 * sizeof(struct inline_ipsec_msg): only ipsec_opcode and req_id do. The
 * payload that follows the header is selected by ipsec_opcode; see
 * virtchnl_inline_ipsec_val_msg_len. Because the union overlays whatever
 * bytes follow the header, the receiver must validate the total message
 * length against that function before reading any member.
 */
struct __rte_packed_begin inline_ipsec_msg {
	u16 ipsec_opcode; /* value ref enum inline_ipsec_ops */
	u16 req_id; /* VIRTCHNL_IPSEC_INVALID_REQ_ID when not applicable */

	union {
		/* IPsec request */
		struct virtchnl_ipsec_sa_cfg sa_cfg[0];
		struct virtchnl_ipsec_sp_cfg sp_cfg[0];
		struct virtchnl_ipsec_sa_update sa_update[0];
		struct virtchnl_ipsec_sa_destroy sa_destroy[0];
		struct virtchnl_ipsec_sp_destroy sp_destroy[0];

		/* IPsec response */
		struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
		struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
		struct virtchnl_ipsec_cap ipsec_cap[0];
		struct virtchnl_ipsec_status ipsec_status[0];
		/* response to del_sa, del_sp, update_sa */
		struct virtchnl_ipsec_resp ipsec_resp[0];

		/* IPsec event (no req_id is required) */
		struct virtchnl_ipsec_event event[0];

		/* Reserved */
		struct virtchnl_ipsec_sa_read sa_read[0];
	} ipsec_data;
} __rte_packed_end;

/* Expected total length, in bytes, of an inline_ipsec_msg carrying @opcode:
 * the fixed header (ipsec_opcode + req_id) plus the request/response payload
 * that opcode places in ipsec_data.
 *
 * Returns 0 for any opcode not handled here. That includes
 * INLINE_IPSEC_OP_SA_READ and INLINE_IPSEC_OP_EVENT, which fall through to the
 * default case, as well as unknown values. A 0 result therefore means
 * "reject", not "no payload": GET_CAP and GET_STATUS, which genuinely carry no
 * request payload, return the header size instead. Presumably callers compare
 * the received length against this value before touching ipsec_data — the
 * callers are outside this header, confirm against them.
 *
 * valid_len is a u16; every sizeof() added here is a small packed struct, so
 * the sum cannot wrap.
 */
static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
{
	u16 valid_len = sizeof(struct inline_ipsec_msg);

	switch (opcode) {
	case INLINE_IPSEC_OP_GET_CAP:
	case INLINE_IPSEC_OP_GET_STATUS:
		/* header only: the payload travels in the reply, not the request */
		break;
	case INLINE_IPSEC_OP_SA_CREATE:
		valid_len += sizeof(struct virtchnl_ipsec_sa_cfg);
		break;
	case INLINE_IPSEC_OP_SP_CREATE:
		valid_len += sizeof(struct virtchnl_ipsec_sp_cfg);
		break;
	case INLINE_IPSEC_OP_SA_UPDATE:
		valid_len += sizeof(struct virtchnl_ipsec_sa_update);
		break;
	case INLINE_IPSEC_OP_SA_DESTROY:
		valid_len += sizeof(struct virtchnl_ipsec_sa_destroy);
		break;
	case INLINE_IPSEC_OP_SP_DESTROY:
		valid_len += sizeof(struct virtchnl_ipsec_sp_destroy);
		break;
	/* Only for msg length calculation of response to VF in case of
	 * inline ipsec failure.
	 */
	case INLINE_IPSEC_OP_RESP:
		valid_len += sizeof(struct virtchnl_ipsec_resp);
		break;
	default:
		/* SA_READ, EVENT and anything unrecognised: no valid length */
		valid_len = 0;
		break;
	}

	return valid_len;
}

#endif /* _VIRTCHNL_INLINE_IPSEC_H_ */