xref: /dpdk/drivers/net/nfp/nfp_ipsec.h (revision 2df20a1d345a5fc0a1b6dc0317d11fc7b1fda7e7)
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright (c) 2023 Corigine Systems, Inc.
3  * All rights reserved.
4  */
5 
6 #ifndef __NFP_IPSEC_H__
7 #define __NFP_IPSEC_H__
8 
9 #include <rte_security.h>
10 
/*
 * Number of slots in the SA table (sa_entries[] in struct nfp_net_ipsec_data):
 * 16 * 1024 = 16384. Any SA index used to subscript that table has to be
 * strictly below this value.
 */
#define NFP_NET_IPSEC_MAX_SA_CNT       (16 * 1024)
12 
/**
 * AES-GCM-ESP fields.
 *
 * Sixteen 32-bit words in total, the same size as the auth_key[16] array this
 * struct shares a union with in struct ipsec_add_sa. The salt is supplied
 * together with the SA, so it deserves the same handling as the key words.
 */
struct ipsec_aesgcm {
	/** Initialized with SA */
	uint32_t salt;
	/** Firmware use only */
	uint32_t iv[2];
	uint32_t cntrl;
	/** Init to 0 with SA */
	uint32_t zeros[4];
	/** Firmware use only */
	uint32_t len_auth[2];
	uint32_t len_cipher[2];
	uint32_t spare[4];
};
22 
/**
 * SA control word: the packed option bits stored as ctrl_word in
 * struct ipsec_add_sa.
 *
 * The field widths add up to exactly 32 bits. Where a compiler places each
 * bit-field inside the word is implementation-defined, so the bit positions
 * depend on the ABI the driver is built for. Zero the whole word before
 * setting individual fields so that every spare bit really is 0.
 */
struct sa_ctrl_word {
	/** From nfp_ipsec_hash_type */
	uint32_t hash : 4;
	/** From nfp_ipsec_cipher_mode */
	uint32_t cimode : 4;
	/** From nfp_ipsec_cipher */
	uint32_t cipher : 4;
	/** From nfp_ipsec_mode */
	uint32_t mode : 2;
	/** From nfp_ipsec_prot */
	uint32_t proto : 2;
	/** Should be 0 */
	uint32_t spare : 1;
	/** Anti-Replay Window */
	uint32_t ena_arw : 1;
	/** 64-bit Sequence Num */
	uint32_t ext_seq : 1;
	/** 64b Anti-Replay Window */
	uint32_t ext_arw : 1;
	/** Must be set to 0 */
	uint32_t spare1 : 9;
	/** Encap/decap disable */
	uint32_t encap_dsbl : 1;
	/** Firmware Generate Seq #'s */
	uint32_t gen_seq : 1;
	/** Must be set to 0 */
	uint32_t spare2 : 1;
};
38 
/**
 * One address slot that holds either an IPv4 or an IPv6 address.
 *
 * The union carries no tag saying which member is valid; the reader has to
 * learn the address family from elsewhere (struct ipsec_add_sa has an `ipv6`
 * flag bit). Storing through `v4` leaves the remaining bytes of the slot
 * untouched, so clear the union first if stale bytes must not be passed on.
 */
union nfp_ip_addr {
	struct in6_addr v6;	/**< IPv6 view of the slot */
	struct in_addr v4;	/**< IPv4 view of the slot */
};
43 
/**
 * Parameters of one security association, carried as the "add SA" payload
 * (cfg_add_sa) of struct nfp_ipsec_msg.
 *
 * The struct holds raw key material: cipher_key[] plus either auth_key[] or
 * the AES-GCM fields, which share the same storage. Any buffer that has
 * carried one of these should be cleared once it is no longer needed.
 *
 * The one- and two-bit flags after pmtu_limit are bit-fields; their exact
 * placement is implementation-defined and follows the build ABI.
 */
struct ipsec_add_sa {
	/** Cipher Key */
	uint32_t cipher_key[8];
	union {
		/** Authentication Key */
		uint32_t auth_key[16];
		struct ipsec_aesgcm aesgcm_fields;
	};
	struct sa_ctrl_word ctrl_word;
	/** SPI Value */
	uint32_t spi;
	/** PMTU Limit */
	uint16_t pmtu_limit;
	uint32_t spare : 1;
	/** Stateful fragment checking flag */
	uint32_t frag_check : 1;
	/** Bypass DSCP Flag */
	uint32_t bypass_DSCP : 1;
	/** DF Control bits */
	uint32_t df_ctrl : 2;
	/** Outbound IPv6 addr format */
	uint32_t ipv6 : 1;
	/** Add/Remove UDP header for NAT */
	uint32_t udp_enable : 1;
	/** Traffic Flow Confidentiality */
	uint32_t tfc_enable : 1;
	uint8_t spare1;
	/** Soft lifetime byte count (32-bit counter) */
	uint32_t soft_byte_cnt;
	/** Hard lifetime byte count (32-bit counter) */
	uint32_t hard_byte_cnt;
	/** Src IP addr */
	union nfp_ip_addr src_ip;
	/** Dst IP addr */
	union nfp_ip_addr dst_ip;
	/** NAT-T UDP Header dst port */
	uint16_t natt_dst_port;
	/** NAT-T UDP Header src port */
	uint16_t natt_src_port;
	/** Soft lifetime time limit */
	uint32_t soft_lifetime_limit;
	/** Hard lifetime time limit */
	uint32_t hard_lifetime_limit;
	/** SA creation time lower 32bits, Ucode fills this in */
	uint32_t sa_time_lo;
	/** SA creation time high 32bits, Ucode fills this in */
	uint32_t sa_time_hi;
	uint16_t spare2;
	/** Traffic Flow Confidential Pad */
	uint16_t tfc_padding;
};
74 
/**
 * Payload of the "del SA" configure message (cfg_inv_sa in
 * struct nfp_ipsec_msg). It has a single spare word and no parameters; the
 * SA is identified by the sa_idx field of the enclosing message.
 */
struct ipsec_inv_sa {
	uint32_t spare;	/**< Unused placeholder word */
};
78 
/**
 * Per-SA discard counters, returned inside struct ipsec_get_sa_stats.
 *
 * Eighteen 32-bit words, one per reason (ipv4_id_counter is the one entry not
 * named as a discard). Growth in the authentication-failure and anti-replay
 * counters is worth surfacing to monitoring, since those count packets that
 * failed an integrity or replay check.
 */
struct ipsec_discard_stats {
	/** Auth failures */
	uint32_t discards_auth;
	/** Unsupported crypto mode */
	uint32_t discards_unsupported;
	/** Alignment error */
	uint32_t discards_alignment;
	/** Hard byte Count limit */
	uint32_t discards_hard_bytelimit;
	/** Sequence Number wrap */
	uint32_t discards_seq_num_wrap;
	/** PMTU Limit exceeded */
	uint32_t discards_pmtu_exceeded;
	/** Anti-Replay seq small */
	uint32_t discards_arw_old_seq;
	/** Anti-Replay seq rcvd */
	uint32_t discards_arw_replay;
	/** Bad SA Control word */
	uint32_t discards_ctrl_word;
	/** Hdr offset too high */
	uint32_t discards_ip_hdr_len;
	/** No EOP buffer */
	uint32_t discards_eop_buf;
	/** IPv4 ID field counter */
	uint32_t ipv4_id_counter;
	/** Inbound SPD Lookup failure */
	uint32_t discards_isl_fail;
	/** Ext header end */
	uint32_t discards_ext_unfound;
	/** Max ext header */
	uint32_t discards_max_ext_hdrs;
	/** Non-extension headers */
	uint32_t discards_non_ext_hdrs;
	/** Ext header chain */
	uint32_t discards_ext_hdr_too_big;
	/** Time Limit */
	uint32_t discards_hard_timelimit;
};
99 
/**
 * Payload of the "get SA stats" configure message (cfg_get_stats in
 * struct nfp_ipsec_msg).
 *
 * 64-bit quantities are split into a low and a high 32-bit word. The four
 * *_exceeded bits report which soft or hard lifetime limits have been
 * exceeded; they are bit-fields, so their placement follows the build ABI.
 */
struct ipsec_get_sa_stats {
	/** Sequence Number (low 32bits) */
	uint32_t seq_lo;
	/** Sequence Number (high 32bits) */
	uint32_t seq_high;
	/** Anti-replay wndw cntr */
	uint32_t arw_counter_lo;
	/** Anti-replay wndw cntr */
	uint32_t arw_counter_high;
	/** Anti-replay wndw bitmap */
	uint32_t arw_bitmap_lo;
	/** Anti-replay wndw bitmap */
	uint32_t arw_bitmap_high;
	uint32_t spare : 1;
	/** Soft lifetime byte cnt exceeded */
	uint32_t soft_byte_exceeded : 1;
	/** Hard lifetime byte cnt exceeded */
	uint32_t hard_byte_exceeded : 1;
	/** Soft lifetime time limit exceeded */
	uint32_t soft_time_exceeded : 1;
	/** Hard lifetime time limit exceeded */
	uint32_t hard_time_exceeded : 1;
	uint32_t spare1 : 27;
	uint32_t lifetime_byte_count;
	uint32_t pkt_count;
	/* Per-reason discard counters for this SA. */
	struct ipsec_discard_stats sa_discard_stats;
};
117 
/**
 * Payload of the "get SA seq numbers" configure message (cfg_get_seq in
 * struct nfp_ipsec_msg): a requested count plus the 64-bit start of the
 * returned range, split into two 32-bit words.
 */
struct ipsec_get_seq {
	/** Sequence numbers to allocate */
	uint32_t seq_nums;
	/** Return start seq num 31:00 */
	uint32_t seq_num_low;
	/** Return start seq num 63:32 */
	uint32_t seq_num_hi;
};
123 
/**
 * IPsec configuration message.
 *
 * Two views of the same storage: a structured view (four 16-bit header
 * fields followed by one command-specific payload) and a raw view of 64
 * 32-bit words. The "add SA" payload contains key material, so a message
 * buffer that carried one should not be left lying around uncleared.
 * Note that sa_idx is only 16 bits wide here, while struct nfp_ipsec_session
 * stores its index as a uint32_t.
 */
struct nfp_ipsec_msg {
	union {
		struct {
			uint16_t cmd;		/**< NFP IPsec SA cmd message codes */
			uint16_t rsp;		/**< NFP IPsec SA response message */
			uint16_t sa_idx;	/**< NFP IPsec SA index in driver SA table */
			uint16_t spare;		/**< Reserved */
			union {
				/** IPsec configure message for add SA */
				struct ipsec_add_sa cfg_add_sa;
				/** IPsec configure message for del SA */
				struct ipsec_inv_sa cfg_inv_sa;
				/** IPsec configure message for get SA stats */
				struct ipsec_get_sa_stats cfg_get_stats;
				/** IPsec configure message for get SA seq numbers */
				struct ipsec_get_seq cfg_get_seq;
			};
		};
		uint32_t raw[64];		/**< Same storage viewed as 32-bit words */
	};
};
149 
/**
 * Driver-side state of one IPsec security session.
 *
 * `msg` is a full struct ipsec_add_sa, key words included, and `ipsec` is the
 * rte_security IPsec transform it sits next to. A session object therefore
 * keeps key material in memory for as long as it exists; clear it before the
 * memory is released or reused.
 */
struct nfp_ipsec_session {
	void *user_data;		/**< Opaque user defined data */
	uint32_t sa_index;		/**< NFP sa_entries database parameter index */
	struct rte_eth_dev *dev;	/**< Point to physical ports ethernet device */
	struct ipsec_add_sa msg;	/**< SA related NFP configuration data */
	/** Security association configuration data */
	struct rte_security_ipsec_xform ipsec;
	/** Security session action type */
	enum rte_security_session_action_type action;
} __rte_cache_aligned;
164 
/**
 * IPsec bookkeeping: the SA table and its free-slot counter.
 *
 * sa_entries[] has NFP_NET_IPSEC_MAX_SA_CNT pointer slots. An SA index that
 * did not originate in the driver itself (for example one read back from
 * packet metadata, see NFP_IPSEC_META_SAIDX) should be range-checked against
 * that constant, and the slot checked for NULL, before it is dereferenced.
 */
struct nfp_net_ipsec_data {
	/* presumably the mbuf dynamic-field offset used by this driver; confirm in the .c file */
	int pkt_dynfield_offset;
	/* Count of free SA slots, going by the name; maintained outside this header. */
	uint32_t sa_free_cnt;
	/* Session pointer per SA slot. */
	struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT];
};
170 
/**
 * Position of each IPsec item within the packet metadata. The enumerators
 * count up from 0 in the order the items appear.
 */
enum nfp_ipsec_meta_layer {
	/** Order of SA index in metadata */
	NFP_IPSEC_META_SAIDX = 0,
	/** Order of Sequence Number (low 32bits) in metadata */
	NFP_IPSEC_META_SEQLOW = 1,
	/** Order of Sequence Number (high 32bits) in metadata */
	NFP_IPSEC_META_SEQHI = 2,
};
176 
/**
 * Set up IPsec support for an ethernet device.
 *
 * @param dev
 *   Ethernet device to initialise IPsec on.
 * @return
 *   Status code as an int. The convention is not visible in this header;
 *   presumably 0 on success and a negative value on failure (confirm against
 *   the definition). Callers should check it.
 */
int nfp_ipsec_init(struct rte_eth_dev *dev);

/**
 * Tear down IPsec support for an ethernet device.
 *
 * @param dev
 *   Ethernet device whose IPsec state is released.
 */
void nfp_ipsec_uninit(struct rte_eth_dev *dev);
179 
180 #endif /* __NFP_IPSEC_H__ */
181