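/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright (c) 2023 Corigine Systems, Inc.
 * All rights reserved.
 */

#ifndef __NFP_IPSEC_H__
#define __NFP_IPSEC_H__

#include <rte_security.h>

/** Number of slots in the driver SA table (sa_entries[] in struct nfp_net_ipsec_data). */
#define NFP_NET_IPSEC_MAX_SA_CNT          (16 * 1024)

/**
 * AES-GCM-ESP fields.
 *
 * The members add up to sixteen 32-bit words, the same size as the
 * auth_key[16] array this struct shares an anonymous union with in
 * struct ipsec_add_sa.
 *
 * NOTE(review): in AES-GCM-ESP (RFC 4106) the salt is taken from the keying
 * material, so it should presumably be handled as a secret like the cipher
 * key itself -- confirm against the code that fills it in.
 */
struct ipsec_aesgcm {
	uint32_t salt;          /**< Initialized with SA */
	uint32_t iv[2];         /**< Firmware use only */
	uint32_t cntrl;
	uint32_t zeros[4];      /**< Init to 0 with SA */
	uint32_t len_auth[2];   /**< Firmware use only */
	uint32_t len_cipher[2];
	uint32_t spare[4];
};

/**
 * SA control word.
 *
 * The bit-field widths add up to exactly 32 bits. How a compiler orders
 * bit-fields inside the storage unit is implementation-defined, so the layout
 * the firmware sees depends on the build ABI.
 *
 * The enum types named in the member comments are not declared in this header.
 *
 * NOTE(review): the spare fields are documented as "must be 0"; zeroing the
 * whole word before setting individual fields is the simplest way to
 * guarantee that -- confirm the callers do so.
 */
struct sa_ctrl_word {
	uint32_t hash   :4;     /**< From nfp_ipsec_hash_type */
	uint32_t cimode :4;     /**< From nfp_ipsec_cipher_mode */
	uint32_t cipher :4;     /**< From nfp_ipsec_cipher */
	uint32_t mode   :2;     /**< From nfp_ipsec_mode */
	uint32_t proto  :2;     /**< From nfp_ipsec_prot */
	uint32_t spare  :1;     /**< Should be 0 */
	uint32_t ena_arw:1;     /**< Anti-Replay Window */
	uint32_t ext_seq:1;     /**< 64-bit Sequence Num */
	uint32_t ext_arw:1;     /**< 64b Anti-Replay Window */
	uint32_t spare1 :9;     /**< Must be set to 0 */
	uint32_t encap_dsbl:1;  /**< Encap/decap disable */
	uint32_t gen_seq:1;     /**< Firmware Generate Seq #'s */
	uint32_t spare2 :1;     /**< Must be set to 0 */
};
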
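/**
 * Payload of the "add SA" configuration message.
 *
 * This struct carries raw key material: cipher_key[8] is 256 bits and
 * auth_key[16] is 512 bits. auth_key shares storage with the AES-GCM field
 * block through the anonymous union.
 *
 * NOTE(review): because the keys are stored in the clear, every copy of this
 * struct (including the one embedded in struct nfp_ipsec_session) should be
 * wiped when the SA is removed, using a wipe the compiler cannot optimise
 * away -- confirm the teardown path does this.
 *
 * The eight flag bits that follow pmtu_limit are declared as uint32_t
 * bit-fields placed after a uint16_t member. Where the compiler puts them is
 * implementation-defined, so the firmware-facing layout depends on the build
 * ABI.
 */
struct ipsec_add_sa {
	uint32_t cipher_key[8];           /**< Cipher Key */
	union {
		uint32_t auth_key[16];    /**< Authentication Key */
		struct ipsec_aesgcm aesgcm_fields;
	};
	struct sa_ctrl_word ctrl_word;
	uint32_t spi;                     /**< SPI Value */
	uint16_t pmtu_limit;              /**< PMTU Limit */
	uint32_t spare      :1;
	uint32_t frag_check :1;           /**< Stateful fragment checking flag */
	uint32_t bypass_DSCP:1;           /**< Bypass DSCP Flag */
	uint32_t df_ctrl    :2;           /**< DF Control bits */
	uint32_t ipv6       :1;           /**< Outbound IPv6 addr format */
	uint32_t udp_enable :1;           /**< Add/Remove UDP header for NAT */
	uint32_t tfc_enable :1;           /**< Traffic Flow Confidentiality */
	uint8_t spare1;
	uint32_t soft_byte_cnt;           /**< Soft lifetime byte count */
	uint32_t hard_byte_cnt;           /**< Hard lifetime byte count */
	/* Four words each: wide enough to hold an IPv6 address. */
	uint32_t src_ip[4];               /**< Src IP addr */
	uint32_t dst_ip[4];               /**< Dst IP addr */
	uint16_t natt_dst_port;           /**< NAT-T UDP Header dst port */
	uint16_t natt_src_port;           /**< NAT-T UDP Header src port */
	uint32_t soft_lifetime_limit;     /**< Soft lifetime time limit */
	uint32_t hard_lifetime_limit;     /**< Hard lifetime time limit */
	uint32_t sa_time_lo;              /**< SA creation time lower 32bits, Ucode fills this in */
	uint32_t sa_time_hi;              /**< SA creation time high 32bits, Ucode fills this in */
	uint16_t spare2;
	uint16_t tfc_padding;             /**< Traffic Flow Confidential Pad */
};
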
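/** Payload of the "invalidate SA" message; it carries a single reserved word. */
struct ipsec_inv_sa {
	uint32_t spare;
};

/**
 * Discard and related counters reported inside struct ipsec_get_sa_stats.
 *
 * Several of these record security-relevant drops (authentication failure,
 * anti-replay rejects, lifetime limits), which makes them useful input for
 * monitoring. All counters are 32 bits wide; wrap-around behaviour is not
 * visible in this header.
 */
struct ipsec_discard_stats {
	uint32_t discards_auth;            /**< Auth failures */
	uint32_t discards_unsupported;     /**< Unsupported crypto mode */
	uint32_t discards_alignment;       /**< Alignment error */
	uint32_t discards_hard_bytelimit;  /**< Hard byte Count limit */
	uint32_t discards_seq_num_wrap;    /**< Sequence number wrap */
	uint32_t discards_pmtu_exceeded;   /**< PMTU Limit exceeded */
	uint32_t discards_arw_old_seq;     /**< Anti-Replay seq small */
	uint32_t discards_arw_replay;      /**< Anti-Replay seq rcvd */
	uint32_t discards_ctrl_word;       /**< Bad SA Control word */
	uint32_t discards_ip_hdr_len;      /**< Hdr offset from too high */
	uint32_t discards_eop_buf;         /**< No EOP buffer */
	uint32_t ipv4_id_counter;          /**< IPv4 ID field counter */
	uint32_t discards_isl_fail;        /**< Inbound SPD Lookup failure */
	uint32_t discards_ext_unfound;     /**< Ext header end */
	uint32_t discards_max_ext_hdrs;    /**< Max ext header */
	uint32_t discards_non_ext_hdrs;    /**< Non-extension headers */
	uint32_t discards_ext_hdr_too_big; /**< Ext header chain */
	uint32_t discards_hard_timelimit;  /**< Time Limit */
};

/**
 * Payload of the "get SA stats" message: sequence-number and anti-replay
 * state, lifetime-exceeded flags, byte and packet counts, and the per-SA
 * discard counters.
 *
 * The five single-bit flags plus spare1:27 fill one 32-bit word.
 */
struct ipsec_get_sa_stats {
	uint32_t seq_lo;                   /**< Sequence Number (low 32bits) */
	uint32_t seq_high;                 /**< Sequence Number (high 32bits) */
	uint32_t arw_counter_lo;           /**< Anti-replay wndw cntr */
	uint32_t arw_counter_high;         /**< Anti-replay wndw cntr */
	uint32_t arw_bitmap_lo;            /**< Anti-replay wndw bitmap */
	uint32_t arw_bitmap_high;          /**< Anti-replay wndw bitmap */
	uint32_t spare:1;
	uint32_t soft_byte_exceeded :1;    /**< Soft lifetime byte cnt exceeded */
	uint32_t hard_byte_exceeded :1;    /**< Hard lifetime byte cnt exceeded */
	uint32_t soft_time_exceeded :1;    /**< Soft lifetime time limit exceeded */
	uint32_t hard_time_exceeded :1;    /**< Hard lifetime time limit exceeded */
	uint32_t spare1:27;
	uint32_t lifetime_byte_count;
	uint32_t pkt_count;
	struct ipsec_discard_stats sa_discard_stats;
};

/** Payload of the "get SA sequence numbers" message. */
struct ipsec_get_seq {
	uint32_t seq_nums;     /**< Sequence numbers to allocate */
	uint32_t seq_num_low;  /**< Return start seq num 31:00 */
	uint32_t seq_num_hi;   /**< Return start seq num 63:32 */
};

/**
 * IPsec configuration message.
 *
 * The outer union overlays the structured view (four 16-bit header fields
 * followed by one command-specific payload) on raw[64], i.e. 64 32-bit words.
 *
 * NOTE(review): nothing in this header checks that the structured view fits
 * inside raw[]. A compile-time size assertion would catch a payload struct
 * that grows past it.
 *
 * NOTE(review): sa_idx is a uint16_t and can hold values above
 * NFP_NET_IPSEC_MAX_SA_CNT (16 * 1024). Any code that uses it to index the
 * SA table should range-check it first -- confirm in the callers.
 *
 * The cfg_add_sa variant carries key material (cipher_key / auth_key), so a
 * message buffer that held one should be wiped before it is reused or
 * released.
 */
struct nfp_ipsec_msg {
	union {
		struct {
			/** NFP IPsec SA cmd message codes */
			uint16_t cmd;
			/** NFP IPsec SA response message */
			uint16_t rsp;
			/** NFP IPsec SA index in driver SA table */
			uint16_t sa_idx;
			/** Reserved */
			uint16_t spare;
			union {
				/** IPsec configure message for add SA */
				struct ipsec_add_sa cfg_add_sa;
				/** IPsec configure message for del SA */
				struct ipsec_inv_sa cfg_inv_sa;
				/** IPsec configure message for get SA stats */
				struct ipsec_get_sa_stats cfg_get_stats;
				/** IPsec configure message for get SA seq numbers */
				struct ipsec_get_seq cfg_get_seq;
			};
		};
		uint32_t raw[64];
	};
};

/**
 * Per-session driver state for one security association.
 *
 * The embedded msg member is a full struct ipsec_add_sa, so the session
 * object keeps the SA's cipher and authentication keys for as long as it
 * exists.
 *
 * NOTE(review): confirm the session destroy path wipes this object with a
 * wipe the compiler cannot optimise away before the memory is returned.
 */
struct __rte_cache_aligned nfp_ipsec_session {
	/** Opaque user defined data */
	void *user_data;
	/** NFP sa_entries database parameter index */
	uint32_t sa_index;
	/** Point to physical ports ethernet device */
	struct rte_eth_dev *dev;
	/** SA related NFP configuration data */
	struct ipsec_add_sa msg;
	/** Security association configuration data */
	struct rte_security_ipsec_xform ipsec;
	/** Security session action type */
	enum rte_security_session_action_type action;
};

/**
 * IPsec bookkeeping: a fixed table of NFP_NET_IPSEC_MAX_SA_CNT session
 * pointers, a free-slot count and a packet dynamic-field offset.
 *
 * NOTE(review): indices into sa_entries[] come from fields wider than the
 * table (uint16_t sa_idx in the message header, uint32_t sa_index in the
 * session); presumably they are validated before use -- verify against the
 * callers.
 */
struct nfp_net_ipsec_data {
	int pkt_dynfield_offset;
	uint32_t sa_free_cnt;
	struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
};

/* The return convention of nfp_ipsec_init() is not visible in this header. */
int nfp_ipsec_init(struct rte_eth_dev *dev);
void nfp_ipsec_uninit(struct rte_eth_dev *dev);

#endif /* __NFP_IPSEC_H__ */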