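/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (c) 2023 Corigine Systems, Inc.
 * All rights reserved.
 */

/*
 * Declarations for the NFP IPsec offload: the SA configuration/statistics
 * message layouts, the per-session bookkeeping structure and the driver-wide
 * SA table.
 *
 * NOTE(review): the message structures below are presumably consumed by the
 * NIC firmware as-is, so field order, widths and padding should be treated as
 * ABI -- confirm against the firmware interface before changing any of them.
 */

#ifndef __NFP_IPSEC_H__
#define __NFP_IPSEC_H__

#include <stdint.h>

#include <rte_security.h>

/**
 * Number of slots in nfp_net_ipsec_data::sa_entries.
 *
 * Any SA index used to address that table must be checked to be below this
 * value first.
 */
#define NFP_NET_IPSEC_MAX_SA_CNT     (16 * 1024)

/**
 * AES-GCM-ESP fields.
 *
 * Overlays ipsec_add_sa::auth_key through the anonymous union in
 * struct ipsec_add_sa.
 */
struct ipsec_aesgcm {
	uint32_t salt;          /**< Initialized with SA */
	uint32_t iv[2];         /**< Firmware use only */
	uint32_t cntrl;
	uint32_t zeros[4];      /**< Init to 0 with SA */
	uint32_t len_auth[2];   /**< Firmware use only */
	uint32_t len_cipher[2];
	uint32_t spare[4];
};

/**
 * SA control word: 32 bits of packed algorithm and mode selectors.
 *
 * NOTE(review): the order in which a compiler allocates bit-fields inside a
 * storage unit is implementation-defined, so the bit positions seen by the
 * consumer of this word depend on the toolchain and byte order -- confirm for
 * every supported build target.
 */
struct sa_ctrl_word {
	uint32_t hash   :4;     /**< From nfp_ipsec_hash_type */
	uint32_t cimode :4;     /**< From nfp_ipsec_cipher_mode */
	uint32_t cipher :4;     /**< From nfp_ipsec_cipher */
	uint32_t mode   :2;     /**< From nfp_ipsec_mode */
	uint32_t proto  :2;     /**< From nfp_ipsec_prot */
	uint32_t spare  :1;     /**< Should be 0 */
	uint32_t ena_arw:1;     /**< Anti-Replay Window */
	uint32_t ext_seq:1;     /**< 64-bit Sequence Num */
	uint32_t ext_arw:1;     /**< 64b Anti-Replay Window */
	uint32_t spare1 :9;     /**< Must be set to 0 */
	uint32_t encap_dsbl:1;  /**< Encap/decap disable */
	uint32_t gen_seq:1;     /**< Firmware Generate Seq #'s */
	uint32_t spare2 :1;     /**< Must be set to 0 */
};

/**
 * "Add SA" configuration message body.
 *
 * Security note: cipher_key, auth_key and aesgcm_fields.salt carry secret
 * keying material in plain form. struct nfp_ipsec_session embeds a full copy
 * of this structure (its msg member), so the keys stay resident in host
 * memory for as long as that copy exists.
 * NOTE(review): every copy should be wiped with a non-elidable zeroing
 * routine before its memory is released or reused -- verify in the
 * implementation file.
 */
struct ipsec_add_sa {
	uint32_t cipher_key[8];           /**< Cipher Key */
	union {
		uint32_t auth_key[16];    /**< Authentication Key */
		struct ipsec_aesgcm aesgcm_fields;
	};
	struct sa_ctrl_word ctrl_word;
	uint32_t spi;                     /**< SPI Value */
	uint16_t pmtu_limit;              /**< PMTU Limit */
	uint32_t spare      :1;
	uint32_t frag_check :1;           /**< Stateful fragment checking flag */
	uint32_t bypass_DSCP:1;           /**< Bypass DSCP Flag */
	uint32_t df_ctrl    :2;           /**< DF Control bits */
	uint32_t ipv6       :1;           /**< Outbound IPv6 addr format */
	uint32_t udp_enable :1;           /**< Add/Remove UDP header for NAT */
	uint32_t tfc_enable :1;           /**< Traffic Flow Confidentiality */
	uint8_t spare1;
	uint32_t soft_byte_cnt;           /**< Soft lifetime byte count */
	uint32_t hard_byte_cnt;           /**< Hard lifetime byte count */
	uint32_t src_ip[4];               /**< Src IP addr */
	uint32_t dst_ip[4];               /**< Dst IP addr */
	uint16_t natt_dst_port;           /**< NAT-T UDP Header dst port */
	uint16_t natt_src_port;           /**< NAT-T UDP Header src port */
	uint32_t soft_lifetime_limit;     /**< Soft lifetime time limit */
	uint32_t hard_lifetime_limit;     /**< Hard lifetime time limit */
	uint32_t sa_time_lo;              /**< SA creation time lower 32bits, Ucode fills this in */
	uint32_t sa_time_hi;              /**< SA creation time high 32bits, Ucode fills this in */
	uint16_t spare2;
	uint16_t tfc_padding;             /**< Traffic Flow Confidential Pad */
};

/** Message body selected through nfp_ipsec_msg::cfg_inv_sa (SA deletion). */
struct ipsec_inv_sa {
	uint32_t spare;
};

/** Discard counters, reported as part of struct ipsec_get_sa_stats. */
struct ipsec_discard_stats {
	uint32_t discards_auth;             /**< Auth failures */
	uint32_t discards_unsupported;      /**< Unsupported crypto mode */
	uint32_t discards_alignment;        /**< Alignment error */
	uint32_t discards_hard_bytelimit;   /**< Hard byte Count limit */
	uint32_t discards_seq_num_wrap;     /**< Sequence number wrap */
	uint32_t discards_pmtu_exceeded;    /**< PMTU Limit exceeded */
	uint32_t discards_arw_old_seq;      /**< Anti-Replay seq small */
	uint32_t discards_arw_replay;       /**< Anti-Replay seq rcvd */
	uint32_t discards_ctrl_word;        /**< Bad SA Control word */
	uint32_t discards_ip_hdr_len;       /**< IP header offset too high */
	uint32_t discards_eop_buf;          /**< No EOP buffer */
	uint32_t ipv4_id_counter;           /**< IPv4 ID field counter */
	uint32_t discards_isl_fail;         /**< Inbound SPD Lookup failure */
	uint32_t discards_ext_unfound;      /**< Ext header end */
	uint32_t discards_max_ext_hdrs;     /**< Max ext header */
	uint32_t discards_non_ext_hdrs;     /**< Non-extension headers */
	uint32_t discards_ext_hdr_too_big;  /**< Ext header chain */
	uint32_t discards_hard_timelimit;   /**< Time Limit */
};

/** "Get SA statistics" message body: sequence state, lifetime flags, counters. */
struct ipsec_get_sa_stats {
	uint32_t seq_lo;                    /**< Sequence Number (low 32bits) */
	uint32_t seq_high;                  /**< Sequence Number (high 32bits) */
	uint32_t arw_counter_lo;            /**< Anti-replay window counter (low) */
	uint32_t arw_counter_high;          /**< Anti-replay window counter (high) */
	uint32_t arw_bitmap_lo;             /**< Anti-replay window bitmap (low) */
	uint32_t arw_bitmap_high;           /**< Anti-replay window bitmap (high) */
	uint32_t spare:1;
	uint32_t soft_byte_exceeded :1;     /**< Soft lifetime byte cnt exceeded */
	uint32_t hard_byte_exceeded :1;     /**< Hard lifetime byte cnt exceeded */
	uint32_t soft_time_exceeded :1;     /**< Soft lifetime time limit exceeded */
	uint32_t hard_time_exceeded :1;     /**< Hard lifetime time limit exceeded */
	uint32_t spare1:27;
	uint32_t lifetime_byte_count;
	uint32_t pkt_count;
	struct ipsec_discard_stats sa_discard_stats;
};

/** "Get sequence numbers" message body. */
struct ipsec_get_seq {
	uint32_t seq_nums;       /**< Sequence numbers to allocate */
	uint32_t seq_num_low;    /**< Return start seq num 31:00 */
	uint32_t seq_num_hi;     /**< Return start seq num 63:32 */
};

/**
 * IPsec configuration message: a structured view (header plus one of the
 * per-command bodies) overlaid on a raw array of 64 32-bit words.
 *
 * NOTE(review): a message carrying cfg_add_sa holds key material, and the
 * raw view exposes every byte of the object, including any the structured
 * view did not write. Zero-initialising the message before filling it, and
 * wiping it after use, looks advisable -- confirm how the implementation
 * builds and releases these messages.
 */
struct nfp_ipsec_msg {
	union {
		struct {
			/** NFP IPsec SA cmd message codes */
			uint16_t cmd;
			/** NFP IPsec SA response message */
			uint16_t rsp;
			/** NFP IPsec SA index in driver SA table */
			uint16_t sa_idx;
			/** Reserved */
			uint16_t spare;
			union {
				/** IPsec configure message for add SA */
				struct ipsec_add_sa cfg_add_sa;
				/** IPsec configure message for del SA */
				struct ipsec_inv_sa cfg_inv_sa;
				/** IPsec configure message for get SA stats */
				struct ipsec_get_sa_stats cfg_get_stats;
				/** IPsec configure message for get SA seq numbers */
				struct ipsec_get_seq cfg_get_seq;
			};
		};
		uint32_t raw[64];
	};
};

/*
 * The structured view must fit inside raw[]: if a message body ever grows
 * past it, code that copies or sizes by raw[] alone would no longer cover the
 * whole message. Fail the build instead of letting that go unnoticed.
 */
_Static_assert(sizeof(struct nfp_ipsec_msg) ==
		sizeof(((struct nfp_ipsec_msg *)0)->raw),
		"nfp_ipsec_msg structured view must fit within raw[]");

/**
 * Per-session state kept by the driver for one IPsec security session.
 *
 * The msg member is a by-value struct ipsec_add_sa and therefore holds the
 * session's cipher and authentication keys.
 */
struct __rte_cache_aligned nfp_ipsec_session {
	/** Opaque user defined data */
	void *user_data;
	/** NFP sa_entries database parameter index */
	uint32_t sa_index;
	/** Point to physical ports ethernet device */
	struct rte_eth_dev *dev;
	/** SA related NFP configuration data */
	struct ipsec_add_sa msg;
	/** Security association configuration data */
	struct rte_security_ipsec_xform ipsec;
	/** Security session action type */
	enum rte_security_session_action_type action;
};

/**
 * Driver-wide IPsec state.
 *
 * sa_entries has NFP_NET_IPSEC_MAX_SA_CNT slots. nfp_ipsec_session::sa_index
 * is 32 bits wide and nfp_ipsec_msg::sa_idx is 16 bits wide; both can hold
 * values at or beyond the table size, so an index must be range-checked
 * against NFP_NET_IPSEC_MAX_SA_CNT before it is used to address this array.
 */
struct nfp_net_ipsec_data {
	int pkt_dynfield_offset;
	uint32_t sa_free_cnt;
	struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
};

/*
 * IPsec set-up and tear-down entry points for an ethernet device.
 * Only the prototypes are visible here; by its int return type,
 * nfp_ipsec_init() presumably reports failure through its result -- see the
 * implementation file for the exact contract.
 */
int nfp_ipsec_init(struct rte_eth_dev *dev);
void nfp_ipsec_uninit(struct rte_eth_dev *dev);

#endif /* __NFP_IPSEC_H__ */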