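/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(C) 2021 Marvell.
 */
#ifndef __CNXK_IPSEC_H__
#define __CNXK_IPSEC_H__

#include <rte_security.h>
#include <rte_security_driver.h>

#include "roc_cpt.h"
#include "roc_ie_on.h"
#include "roc_ie_ot.h"

extern struct rte_security_ops cnxk_sec_ops;

/*
 * Three 64-bit words kept together as a template.
 * NOTE(review): presumably words 2, 4 and 7 of a CPT instruction that are
 * computed once per SA; confirm against the users of this struct.
 */
struct cnxk_cpt_inst_tmpl {
	uint64_t w2;
	uint64_t w4;
	uint64_t w7;
};

/**
 * Check that a cipher transform uses an accepted algorithm/key-length pair.
 *
 * Accepted: NULL cipher (any key length), DES-CBC with an 8-byte key,
 * AES-CBC / AES-CTR with a 16-, 24- or 32-byte key, 3DES-CBC with a
 * 24-byte key.
 *
 * This checks only which combinations are accepted; it applies no strength
 * policy. Single DES and the NULL cipher pass, so any restriction on legacy
 * algorithms has to be enforced by the caller.
 *
 * The function reads crypto_xform->cipher without looking at
 * crypto_xform->type; the caller must have established that the transform
 * is a cipher transform.
 *
 * @param crypto_xform	Cipher transform to check; must not be NULL.
 * @return 0 if accepted, -ENOTSUP otherwise.
 */
static inline int
ipsec_xform_cipher_verify(struct rte_crypto_sym_xform *crypto_xform)
{
	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_NULL)
		return 0;

	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_DES_CBC &&
	    crypto_xform->cipher.key.length == 8)
		return 0;

	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC ||
	    crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CTR) {
		switch (crypto_xform->cipher.key.length) {
		case 16:
		case 24:
		case 32:
			break;
		default:
			return -ENOTSUP;
		}
		return 0;
	}

	if (crypto_xform->cipher.algo == RTE_CRYPTO_CIPHER_3DES_CBC &&
	    crypto_xform->cipher.key.length == 24)
		return 0;

	return -ENOTSUP;
}

/**
 * Check that an auth transform uses an accepted algorithm/key-length pair.
 *
 * Accepted: NULL auth (any key length), HMAC-MD5 with a 16-byte key,
 * HMAC-SHA1 with 20..64 bytes, HMAC-SHA256 with 32..64 bytes, HMAC-SHA384
 * with 48 bytes, HMAC-SHA512 with 64 bytes, AES-GMAC with 16..32 bytes,
 * AES-XCBC-MAC with ROC_CPT_AES_XCBC_KEY_LENGTH bytes.
 *
 * As with the cipher check, no strength policy is applied: NULL auth and
 * HMAC-MD5 pass. The AES-GMAC range also admits lengths that are not a
 * valid AES key size (for example 17).
 * NOTE(review): confirm that a later stage rejects those.
 *
 * The function reads crypto_xform->auth without looking at
 * crypto_xform->type; the caller must have established that the transform
 * is an auth transform.
 *
 * @param crypto_xform	Auth transform to check; must not be NULL.
 * @return 0 if accepted, -ENOTSUP otherwise.
 */
static inline int
ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
{
	uint16_t keylen = crypto_xform->auth.key.length;

	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_NULL)
		return 0;

	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_MD5_HMAC) {
		if (keylen == 16)
			return 0;
	}

	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC) {
		if (keylen >= 20 && keylen <= 64)
			return 0;
	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA256_HMAC) {
		if (keylen >= 32 && keylen <= 64)
			return 0;
	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA384_HMAC) {
		if (keylen == 48)
			return 0;
	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
		if (keylen == 64)
			return 0;
	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
		if (keylen >= 16 && keylen <= 32)
			return 0;
	}

	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
	    keylen == ROC_CPT_AES_XCBC_KEY_LENGTH)
		return 0;

	return -ENOTSUP;
}

/**
 * Check an AEAD transform against the SA direction and accepted algorithms.
 *
 * The AEAD operation must match the SA direction (egress -> encrypt,
 * ingress -> decrypt). AES-GCM and AES-CCM are accepted with a 16-, 24- or
 * 32-byte key.
 *
 * @param ipsec_xform	IPsec SA parameters; only the direction is read here.
 * @param crypto_xform	AEAD transform to check; must not be NULL.
 * @return 0 if accepted, -EINVAL on a direction/op mismatch or a bad
 *	   AES-GCM/CCM key length, -ENOTSUP for any other AEAD algorithm.
 */
static inline int
ipsec_xform_aead_verify(struct rte_security_ipsec_xform *ipsec_xform,
			struct rte_crypto_sym_xform *crypto_xform)
{
	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS &&
	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_ENCRYPT)
		return -EINVAL;

	if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS &&
	    crypto_xform->aead.op != RTE_CRYPTO_AEAD_OP_DECRYPT)
		return -EINVAL;

	if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM ||
	    crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM) {
		switch (crypto_xform->aead.key.length) {
		case 16:
		case 24:
		case 32:
			break;
		default:
			return -EINVAL;
		}
		return 0;
	}

	return -ENOTSUP;
}

/**
 * Validate an IPsec SA configuration and its crypto transform chain.
 *
 * Checks, in order: direction is ingress or egress; protocol is ESP or AH;
 * mode is transport or tunnel; a tunnel is IPv4 or IPv6. An AEAD transform
 * is then handed to ipsec_xform_aead_verify(). Otherwise the chain must be:
 *
 *  - AH ingress:  AUTH, optionally followed by a NULL CIPHER.
 *  - AH egress:   AUTH alone, or a NULL CIPHER followed by AUTH.
 *  - ESP ingress: AUTH followed by CIPHER.
 *  - ESP egress:  CIPHER followed by AUTH.
 *
 * For ESP both transforms are checked; for AH only the auth transform is.
 *
 * NOTE(review): the AEAD branch is taken before the protocol is examined,
 * so an AEAD transform is not rejected here when proto is AH. The
 * sub-checks also accept NULL auth, so AH with NULL auth and ESP with NULL
 * cipher plus NULL auth both pass; RFC 4303 forbids the latter. Confirm
 * these are rejected elsewhere or are intended (e.g. for testing).
 *
 * @param ipsec_xform	IPsec SA parameters; must not be NULL.
 * @param crypto_xform	Head of the crypto transform chain; must not be NULL.
 * @return 0 if the configuration is accepted, -EINVAL for a malformed
 *	   configuration or chain, -ENOTSUP for an unsupported algorithm or
 *	   key length.
 */
static inline int
cnxk_ipsec_xform_verify(struct rte_security_ipsec_xform *ipsec_xform,
			struct rte_crypto_sym_xform *crypto_xform)
{
	struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
	int ret;

	if ((ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_INGRESS) &&
	    (ipsec_xform->direction != RTE_SECURITY_IPSEC_SA_DIR_EGRESS))
		return -EINVAL;

	if ((ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_ESP) &&
	    (ipsec_xform->proto != RTE_SECURITY_IPSEC_SA_PROTO_AH))
		return -EINVAL;

	if ((ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) &&
	    (ipsec_xform->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL))
		return -EINVAL;

	if ((ipsec_xform->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) &&
	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV4) &&
	    (ipsec_xform->tunnel.type != RTE_SECURITY_IPSEC_TUNNEL_IPV6))
		return -EINVAL;

	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
		return ipsec_xform_aead_verify(ipsec_xform, crypto_xform);

	if (ipsec_xform->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
		if (ipsec_xform->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
			/* Ingress */
			auth_xform = crypto_xform;
			cipher_xform = crypto_xform->next;

			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH)
				return -EINVAL;

			if ((cipher_xform != NULL) && ((cipher_xform->type !=
			    RTE_CRYPTO_SYM_XFORM_CIPHER) ||
			    (cipher_xform->cipher.algo !=
			    RTE_CRYPTO_CIPHER_NULL)))
				return -EINVAL;
		} else {
			/* Egress */
			if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
				cipher_xform = crypto_xform;
				auth_xform = crypto_xform->next;

				/*
				 * The chained transform is about to be read
				 * through the auth member of the union, so
				 * its type has to be AUTH. Without this
				 * check a second cipher (or AEAD) transform
				 * would be interpreted as auth parameters.
				 */
				if (auth_xform == NULL ||
				    auth_xform->type !=
				    RTE_CRYPTO_SYM_XFORM_AUTH ||
				    cipher_xform->cipher.algo !=
				    RTE_CRYPTO_CIPHER_NULL)
					return -EINVAL;
			} else if (crypto_xform->type ==
				   RTE_CRYPTO_SYM_XFORM_AUTH) {
				auth_xform = crypto_xform;
			} else {
				return -EINVAL;
			}
		}
	} else {
		/* ESP without AEAD always needs a two-element chain. */
		if (crypto_xform->next == NULL)
			return -EINVAL;

		if (ipsec_xform->direction ==
		    RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
			/* Ingress */
			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AUTH ||
			    crypto_xform->next->type !=
			    RTE_CRYPTO_SYM_XFORM_CIPHER)
				return -EINVAL;
			auth_xform = crypto_xform;
			cipher_xform = crypto_xform->next;
		} else {
			/* Egress */
			if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_CIPHER ||
			    crypto_xform->next->type !=
			    RTE_CRYPTO_SYM_XFORM_AUTH)
				return -EINVAL;
			cipher_xform = crypto_xform;
			auth_xform = crypto_xform->next;
		}

		ret = ipsec_xform_cipher_verify(cipher_xform);
		if (ret)
			return ret;
	}

	return ipsec_xform_auth_verify(auth_xform);
}
#endif /* __CNXK_IPSEC_H__ */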