xref: /dpdk/drivers/net/nfp/nfp_ipsec.h (revision 27595cd83053b2d39634a159d6709b3ce3cdf3b0)
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright (c) 2023 Corigine Systems, Inc.
3  * All rights reserved.
4  */
5 
6 #ifndef __NFP_IPSEC_H__
7 #define __NFP_IPSEC_H__
8 
9 #include <rte_security.h>
10 
/**
 * Upper bound on the number of security associations: it sizes the
 * sa_entries[] table in struct nfp_net_ipsec_data (16 * 1024 = 16384 slots).
 *
 * NOTE(review): an SA index that does not originate in the driver itself
 * (firmware response, per-packet metadata) should be range-checked against
 * this bound before it indexes sa_entries[] - confirm in the implementation.
 */
#define NFP_NET_IPSEC_MAX_SA_CNT       (16 * 1024)
12 
/**
 * AES-GCM view of the authentication-key area of an add-SA message.
 *
 * The members add up to 16 32-bit words, the same size as auth_key[16],
 * which this struct overlays through the anonymous union in
 * struct ipsec_add_sa.
 *
 * NOTE(review): the salt is keying material (RFC 4106 builds the GCM nonce
 * from salt + IV), so it deserves the same handling as cipher_key. The iv[]
 * words are marked firmware-only; presumably the firmware generates the
 * per-packet IV and the driver must not write them - confirm.
 */
struct ipsec_aesgcm {            /**< AES-GCM-ESP fields */
	uint32_t salt;           /**< Initialized with SA */
	uint32_t iv[2];          /**< Firmware use only */
	uint32_t cntrl;          /* Meaning not documented in this header */
	uint32_t zeros[4];       /**< Init to 0 with SA */
	uint32_t len_auth[2];    /**< Firmware use only */
	uint32_t len_cipher[2];  /* Undocumented; presumably firmware use like len_auth - confirm */
	uint32_t spare[4];       /* Reserved */
};
22 
/**
 * SA control word: the bit-field widths below add up to exactly 32 bits.
 *
 * The nfp_ipsec_* enums named in the field comments are not declared in this
 * header. Bit-field allocation order is implementation-defined in C, so this
 * layout matches the firmware only for the compiler/ABI the driver is built
 * with - NOTE(review): confirm which bit order the firmware expects.
 *
 * Security-relevant switches: ena_arw/ext_arw control anti-replay checking
 * and ext_seq selects 64-bit sequence numbers. The spare fields are
 * documented as zero, so the word should be fully initialised before the
 * individual fields are set.
 */
struct sa_ctrl_word {
	uint32_t hash   :4;      /**< From nfp_ipsec_hash_type */
	uint32_t cimode :4;      /**< From nfp_ipsec_cipher_mode */
	uint32_t cipher :4;      /**< From nfp_ipsec_cipher */
	uint32_t mode   :2;      /**< From nfp_ipsec_mode */
	uint32_t proto  :2;      /**< From nfp_ipsec_prot */
	uint32_t spare  :1;      /**< Should be 0 */
	uint32_t ena_arw:1;      /**< Enable the anti-replay window */
	uint32_t ext_seq:1;      /**< 64-bit sequence number */
	uint32_t ext_arw:1;      /**< 64-bit anti-replay window */
	uint32_t spare1 :9;      /**< Must be set to 0 */
	uint32_t encap_dsbl:1;   /**< Encap/decap disable */
	uint32_t gen_seq:1;      /**< Firmware generates sequence numbers */
	uint32_t spare2 :1;      /**< Must be set to 0 */
};
38 
/**
 * Payload of the "add SA" configuration message (see cfg_add_sa in
 * struct nfp_ipsec_msg); a copy is also kept in struct nfp_ipsec_session.
 *
 * This struct carries raw key material (cipher_key, and auth_key or the
 * AES-GCM salt). NOTE(review): every copy - the message buffer and the
 * per-session copy - should be cleared with a non-elidable wipe when the SA
 * is removed; confirm that the implementation does so.
 *
 * Layout note: pmtu_limit (16 bits), the flag bit-fields that follow it
 * (8 bits in total) and spare1 (8 bits) add up to 32 bits. Whether the
 * compiler packs them into one 32-bit word is implementation-defined; the
 * firmware layout presumably relies on it - confirm.
 */
struct ipsec_add_sa {
	uint32_t cipher_key[8];           /**< Cipher key (up to 8 x 32 bits) */
	union {
		uint32_t auth_key[16];    /**< Authentication Key */
		struct ipsec_aesgcm aesgcm_fields; /* AES-GCM view of the same 16 words */
	};
	struct sa_ctrl_word ctrl_word;    /* Algorithm/mode selection and SA flags */
	uint32_t spi;                     /**< SPI Value */
	uint16_t pmtu_limit;              /**< PMTU Limit */
	uint32_t spare      :1;
	uint32_t frag_check :1;           /**< Stateful fragment checking flag */
	uint32_t bypass_DSCP:1;           /**< Bypass DSCP Flag */
	uint32_t df_ctrl    :2;           /**< DF Control bits */
	uint32_t ipv6       :1;           /**< Outbound IPv6 addr format */
	uint32_t udp_enable :1;           /**< Add/Remove UDP header for NAT */
	uint32_t tfc_enable :1;           /**< Traffic Flow Confidentiality */
	uint8_t spare1;
	/* Both byte limits are 32-bit fields, so neither can exceed UINT32_MAX. */
	uint32_t soft_byte_cnt;           /**< Soft lifetime byte count */
	uint32_t hard_byte_cnt;           /**< Hard lifetime byte count */
	uint32_t src_ip[4];               /**< Src IP addr (4 words: room for IPv6) */
	uint32_t dst_ip[4];               /**< Dst IP addr (4 words: room for IPv6) */
	uint16_t natt_dst_port;           /**< NAT-T UDP Header dst port */
	uint16_t natt_src_port;           /**< NAT-T UDP Header src port */
	uint32_t soft_lifetime_limit;     /**< Soft lifetime time limit */
	uint32_t hard_lifetime_limit;     /**< Hard lifetime time limit */
	uint32_t sa_time_lo;              /**< SA creation time, lower 32 bits; filled in by microcode */
	uint32_t sa_time_hi;              /**< SA creation time, upper 32 bits; filled in by microcode */
	uint16_t spare2;
	uint16_t tfc_padding;             /**< Traffic Flow Confidentiality padding */
};
69 
/**
 * Payload of the "del SA" configuration message (cfg_inv_sa in
 * struct nfp_ipsec_msg). It holds a single reserved word.
 */
struct ipsec_inv_sa {
	uint32_t spare;          /* Reserved */
};
73 
/**
 * Per-SA counters, embedded in struct ipsec_get_sa_stats as sa_discard_stats.
 * All counters are 32 bits wide.
 *
 * For monitoring, discards_auth and the two discards_arw_* counters are the
 * ones that reflect failed integrity checks and anti-replay rejections.
 * Several of the original one-line descriptions are terse; the wording below
 * keeps their meaning and marks anything that was unclear.
 */
struct ipsec_discard_stats {
	uint32_t discards_auth;                  /**< Auth failures */
	uint32_t discards_unsupported;           /**< Unsupported crypto mode */
	uint32_t discards_alignment;             /**< Alignment error */
	uint32_t discards_hard_bytelimit;        /**< Hard byte count limit */
	uint32_t discards_seq_num_wrap;          /**< Sequence number wrap */
	uint32_t discards_pmtu_exceeded;         /**< PMTU Limit exceeded */
	uint32_t discards_arw_old_seq;           /**< Anti-replay: sequence number too small */
	uint32_t discards_arw_replay;            /**< Anti-replay: sequence number already received */
	uint32_t discards_ctrl_word;             /**< Bad SA Control word */
	uint32_t discards_ip_hdr_len;            /**< Header offset too high (original wording unclear) */
	uint32_t discards_eop_buf;               /**< No EOP buffer */
	uint32_t ipv4_id_counter;                /**< IPv4 ID field counter (not a discard count, by its name) */
	uint32_t discards_isl_fail;              /**< Inbound SPD Lookup failure */
	uint32_t discards_ext_unfound;           /**< Ext header end (presumably: end of chain not found) */
	uint32_t discards_max_ext_hdrs;          /**< Max ext header */
	uint32_t discards_non_ext_hdrs;          /**< Non-extension headers */
	uint32_t discards_ext_hdr_too_big;       /**< Ext header chain */
	uint32_t discards_hard_timelimit;        /**< Hard time limit */
};
94 
/**
 * Payload of the "get SA stats" configuration message (cfg_get_stats in
 * struct nfp_ipsec_msg): sequence-number and anti-replay state, lifetime
 * status flags, traffic counters and the per-SA discard counters.
 *
 * The 64-bit values are split into two 32-bit words (lo/high). The flag
 * bit-fields plus the two spare fields add up to 32 bits.
 */
struct ipsec_get_sa_stats {
	uint32_t seq_lo;                         /**< Sequence Number (low 32bits) */
	uint32_t seq_high;                       /**< Sequence Number (high 32bits) */
	uint32_t arw_counter_lo;                 /**< Anti-replay window counter (low word) */
	uint32_t arw_counter_high;               /**< Anti-replay window counter (high word) */
	uint32_t arw_bitmap_lo;                  /**< Anti-replay window bitmap (low word) */
	uint32_t arw_bitmap_high;                /**< Anti-replay window bitmap (high word) */
	uint32_t spare:1;
	uint32_t soft_byte_exceeded :1;          /**< Soft lifetime byte cnt exceeded */
	uint32_t hard_byte_exceeded :1;          /**< Hard lifetime byte cnt exceeded */
	uint32_t soft_time_exceeded :1;          /**< Soft lifetime time limit exceeded */
	uint32_t hard_time_exceeded :1;          /**< Hard lifetime time limit exceeded */
	uint32_t spare1:27;
	uint32_t lifetime_byte_count;            /* Undocumented; presumably bytes processed so far - confirm */
	uint32_t pkt_count;                      /* Undocumented; presumably packets processed so far - confirm */
	struct ipsec_discard_stats sa_discard_stats; /* Per-SA discard counters */
};
112 
/**
 * Payload of the "get SA seq numbers" configuration message (cfg_get_seq in
 * struct nfp_ipsec_msg): the caller states how many sequence numbers it
 * wants and the 64-bit start value comes back split into two words.
 */
struct ipsec_get_seq {
	uint32_t seq_nums;      /**< Sequence numbers to allocate */
	uint32_t seq_num_low;   /**< Returned start sequence number, bits 31:0 */
	uint32_t seq_num_hi;    /**< Returned start sequence number, bits 63:32 */
};
118 
/**
 * IPsec configuration message: four 16-bit header fields followed by one of
 * the per-command payloads, overlaid on raw[64] (64 x 32-bit words = 256
 * bytes).
 *
 * NOTE(review): nothing in this header enforces that the structured view
 * fits inside raw[]; a compile-time size check next to the definition would
 * make that explicit.
 * NOTE(review): rsp and the returned payload come from the firmware, so
 * rsp should be checked before the payload is used, and a message that
 * carried cfg_add_sa holds key material and should be wiped once it is no
 * longer needed - confirm both in the implementation.
 */
struct nfp_ipsec_msg {
	union {
		struct {
			/** NFP IPsec SA cmd message codes */
			uint16_t cmd;
			/** NFP IPsec SA response message */
			uint16_t rsp;
			/** NFP IPsec SA index in driver SA table */
			uint16_t sa_idx;
			/** Reserved */
			uint16_t spare;
			union {
				/** IPsec configure message for add SA */
				struct ipsec_add_sa cfg_add_sa;
				/** IPsec configure message for del SA */
				struct ipsec_inv_sa cfg_inv_sa;
				/** IPsec configure message for get SA stats */
				struct ipsec_get_sa_stats cfg_get_stats;
				/** IPsec configure message for get SA seq numbers */
				struct ipsec_get_seq cfg_get_seq;
			};
		};
		/** Word-wise view of the whole message */
		uint32_t raw[64];
	};
};
144 
/**
 * Driver-side state of one security session (cache-line aligned).
 *
 * The embedded msg is a full struct ipsec_add_sa, so the session object
 * holds the SA's key material for as long as it exists.
 * NOTE(review): the session memory should be wiped before it is released -
 * confirm in the session-destroy path.
 */
struct __rte_cache_aligned nfp_ipsec_session {
	/** Opaque user defined data */
	void *user_data;
	/** Index of this SA in the NFP sa_entries database */
	uint32_t sa_index;
	/** Pointer to the physical port's ethernet device */
	struct rte_eth_dev *dev;
	/** SA related NFP configuration data (includes the keys) */
	struct ipsec_add_sa msg;
	/** Security association configuration data */
	struct rte_security_ipsec_xform ipsec;
	/** Security session action type */
	enum rte_security_session_action_type action;
};
159 
/**
 * IPsec bookkeeping: a fixed table of session pointers with
 * NFP_NET_IPSEC_MAX_SA_CNT slots, plus a free-slot counter.
 *
 * NOTE(review): a lookup into sa_entries[] should validate the index
 * against NFP_NET_IPSEC_MAX_SA_CNT and handle a NULL slot - confirm at the
 * call sites.
 */
struct nfp_net_ipsec_data {
	int pkt_dynfield_offset;     /* Presumably the mbuf dynamic-field offset; signed, so may hold a negative sentinel - confirm */
	uint32_t sa_free_cnt;        /* By its name, the number of unused sa_entries[] slots */
	struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT]; /* Session per SA index */
};
165 
/**
 * Presumably sets up the IPsec offload state for the given port; the
 * definition is not in this header.
 * NOTE(review): the return convention is not visible here - presumably 0 on
 * success and a negative value on failure; confirm against the definition.
 */
int nfp_ipsec_init(struct rte_eth_dev *dev);
/**
 * Counterpart of nfp_ipsec_init() for the given port; the definition is not
 * in this header.
 * NOTE(review): teardown is the natural place to release remaining sessions
 * and wipe their key material - confirm that it does.
 */
void nfp_ipsec_uninit(struct rte_eth_dev *dev);
168 
169 #endif /* __NFP_IPSEC_H__ */
170