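/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2016-2017 Intel Corporation
 */

/*
 * Shared definitions for the ipsec-secgw example: SA/SP/route context
 * structures, per-mbuf crypto metadata, and the inbound/outbound
 * processing entry points implemented in the .c files.
 *
 * Note: the include guard keeps the historical name even though
 * identifiers starting with a double underscore are reserved; other
 * files may test it, so it is not renamed here.
 */
#ifndef __IPSEC_H__
#define __IPSEC_H__

#include <stdint.h>

#include <rte_byteorder.h>
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_flow.h>
#include <rte_ipsec.h>

#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3

#define MAX_PKT_BURST 32
#define MAX_INFLIGHT 128
#define MAX_QP_PER_LCORE 256

#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */

#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00

/*
 * Byte offset, relative to a struct rte_crypto_op, of the area that
 * follows the sym op. In struct ipsec_mbuf_metadata below that is where
 * the scratch buffer 'buf' begins (padding between members aside).
 */
#define IV_OFFSET		(sizeof(struct rte_crypto_op) + \
				sizeof(struct rte_crypto_sym_op))

/*
 * Split a 32-bit value into its four bytes, most significant byte into *a.
 * Every parameter is parenthesised so that an expression argument (e.g.
 * 'addr + 1' or 'p + 1') is used as a whole rather than re-associated
 * with the shift or the dereference.
 */
#define uint32_t_to_char(ip, a, b, c, d) do {\
		*(a) = (uint8_t)(((ip) >> 24) & 0xff);\
		*(b) = (uint8_t)(((ip) >> 16) & 0xff);\
		*(c) = (uint8_t)(((ip) >> 8) & 0xff);\
		*(d) = (uint8_t)((ip) & 0xff);\
	} while (0)

#define DEFAULT_MAX_CATEGORIES	1

/*
 * SA table sizing. SPI2IDX() masks the SPI down to a table slot, which
 * only works when IPSEC_SA_MAX_ENTRIES is a power of two; the 2^30 ceiling
 * comes from PROTECT_MASK below, which leaves 30 bits for the SA index.
 * Distinct SPIs can map to the same slot, so a slot hit on its own is not
 * proof that the packet belongs to that SA -- presumably inbound_sa_check()
 * is where the stored SPI is compared (defined in sa.c, not visible here).
 */
#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
#define SPI2IDX(spi)	((spi) & (IPSEC_SA_MAX_ENTRIES - 1))
#define INVALID_SPI	(0)

/*
 * Encoding of an SP lookup result: the two top bits carry the DISCARD and
 * BYPASS verdicts, the low 30 bits carry the SA index for PROTECT.
 */
#define DISCARD	(0x80000000)
#define BYPASS	(0x40000000)
#define PROTECT_MASK	(0x3fffffff)
#define PROTECT(sa_idx)	(SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */

#define IPSEC_XFORM_MAX 2

#define IP6_VERSION (6)

struct rte_crypto_xform;
struct ipsec_xform;
struct rte_mbuf;

struct ipsec_sa;

typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop);

/* IPv4 or IPv6 address; which member is valid depends on the SA flags. */
struct ip_addr {
	union {
		uint32_t ip4;
		union {
			uint64_t ip6[2];
			uint8_t ip6_b[16];
		} ip6;
	} ip;
};

#define MAX_KEY_SIZE 32

/*
 * application wide SA parameters
 */
struct app_sa_prm {
	uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
	uint32_t window_size; /* replay window size */
	uint32_t enable_esn;  /* enable/disable ESN support */
	uint64_t flags; /* rte_ipsec_sa_prm.flags */
};

extern struct app_sa_prm app_sa_prm;

/*
 * One security association. Holds the negotiated algorithms and raw key
 * material as well as the crypto/security session and the rte_flow state
 * used for inline offload.
 *
 * NOTE(review): cipher_key/auth_key are stored in clear inside the SA;
 * this header shows no teardown path, so whoever frees or reuses an SA
 * should wipe them rather than rely on the allocator.
 */
struct ipsec_sa {
	struct rte_ipsec_session ips; /* one session per sa for now */
	uint32_t spi;
	uint32_t cdev_id_qp;
	uint64_t seq;
	uint32_t salt;
	union {
		struct rte_cryptodev_sym_session *crypto_session;
		struct rte_security_session *sec_session;
	};
	enum rte_crypto_cipher_algorithm cipher_algo;
	enum rte_crypto_auth_algorithm auth_algo;
	enum rte_crypto_aead_algorithm aead_algo;
	uint16_t digest_len;
	uint16_t iv_len;
	uint16_t block_size;
	uint16_t flags;	/* bitmask of the mode flags below */
#define IP4_TUNNEL (1 << 0)
#define IP6_TUNNEL (1 << 1)
#define TRANSPORT  (1 << 2)
	struct ip_addr src;
	struct ip_addr dst;
	uint8_t cipher_key[MAX_KEY_SIZE];
	uint16_t cipher_key_len;
	uint8_t auth_key[MAX_KEY_SIZE];
	uint16_t auth_key_len;
	uint16_t aad_len;
	union {
		struct rte_crypto_sym_xform *xforms;
		struct rte_security_ipsec_xform *sec_xform;
	};
	enum rte_security_session_action_type type;
	enum rte_security_ipsec_sa_direction direction;
	uint16_t portid;
	struct rte_security_ctx *security_ctx;
	uint32_t ol_flags;

#define MAX_RTE_FLOW_PATTERN (4)
#define MAX_RTE_FLOW_ACTIONS (3)
	struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
	struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
	struct rte_flow_attr attr;
	union {
		struct rte_flow_item_ipv4 ipv4_spec;
		struct rte_flow_item_ipv6 ipv6_spec;
	};
	struct rte_flow_item_esp esp_spec;
	struct rte_flow *flow;
	struct rte_security_session_conf sess_conf;
} __rte_cache_aligned;

/*
 * Per-mbuf private area: the crypto op and its sym op are laid out back to
 * back (see get_sym_cop() and IV_OFFSET), followed by a 32-byte scratch
 * buffer that get_cnt_blk() and get_aad() split into two 16-byte halves.
 */
struct ipsec_mbuf_metadata {
	struct ipsec_sa *sa;
	struct rte_crypto_op cop;
	struct rte_crypto_sym_op sym_cop;
	uint8_t buf[32];
} __rte_cache_aligned;

/* One crypto device queue pair and the ops waiting to be enqueued on it. */
struct cdev_qp {
	uint16_t id;
	uint16_t qp;
	uint16_t in_flight;
	uint16_t len;
	struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
};

/* Per-lcore processing context for one direction (inbound or outbound). */
struct ipsec_ctx {
	struct rte_hash *cdev_map;
	struct sp_ctx *sp4_ctx;
	struct sp_ctx *sp6_ctx;
	struct sa_ctx *sa_ctx;
	uint16_t nb_qps;
	uint16_t last_qp;
	struct cdev_qp tbl[MAX_QP_PER_LCORE];
	struct rte_mempool *session_pool;
	struct rte_mempool *session_priv_pool;
	struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
	uint16_t ol_pkts_cnt;
	uint64_t ipv4_offloads;
	uint64_t ipv6_offloads;
};

/* Key used to look up a crypto device/queue in ipsec_ctx.cdev_map. */
struct cdev_key {
	uint16_t lcore_id;
	uint8_t cipher_algo;
	uint8_t auth_algo;
	uint8_t aead_algo;
};

/* Per-socket tables: SAs, SPs and routes for both directions and families. */
struct socket_ctx {
	struct sa_ctx *sa_in;
	struct sa_ctx *sa_out;
	struct sp_ctx *sp_ip4_in;
	struct sp_ctx *sp_ip4_out;
	struct sp_ctx *sp_ip6_in;
	struct sp_ctx *sp_ip6_out;
	struct rt_ctx *rt_ip4;
	struct rt_ctx *rt_ip6;
	struct rte_mempool *mbuf_pool;
	struct rte_mempool *session_pool;
	struct rte_mempool *session_priv_pool;
};

/*
 * Counter block: packed so it is exactly 4 + 8 + 4 = 16 bytes, the size of
 * the region get_cnt_blk() hands out from ipsec_mbuf_metadata.buf.
 */
struct cnt_blk {
	uint32_t salt;
	uint64_t iv;
	uint32_t cnt;
} __attribute__((packed));

/* One class of traffic in a burst; arrays hold up to two bursts' worth. */
struct traffic_type {
	const uint8_t *data[MAX_PKT_BURST * 2];
	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
	struct ipsec_sa *saptr[MAX_PKT_BURST * 2];
	uint32_t res[MAX_PKT_BURST * 2];
	uint32_t num;
};

struct ipsec_traffic {
	struct traffic_type ipsec;
	struct traffic_type ip4;
	struct traffic_type ip6;
};

uint16_t
ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t nb_pkts, uint16_t len);

uint16_t
ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);

uint16_t
ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t len);

uint16_t
ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t len);

void
ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);

void
ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);

/*
 * Size of the per-mbuf private area this application needs.
 * The cast makes the size_t -> uint16_t narrowing explicit; the struct is
 * far smaller than 64 KiB.
 */
static inline uint16_t
ipsec_metadata_size(void)
{
	return (uint16_t)sizeof(struct ipsec_mbuf_metadata);
}

/* Private area of mbuf 'm', assumed to have been sized by ipsec_metadata_size(). */
static inline struct ipsec_mbuf_metadata *
get_priv(struct rte_mbuf *m)
{
	return rte_mbuf_to_priv(m);
}

/* First 16 bytes of the scratch buffer: room for one struct cnt_blk. */
static inline void *
get_cnt_blk(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[0];
}

/* Second 16 bytes of the scratch buffer: AAD storage. */
static inline void *
get_aad(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[16];
}

/*
 * Sym op that immediately follows 'cop' in memory. Only valid for ops
 * laid out like ipsec_mbuf_metadata (cop directly followed by sym_cop).
 */
static inline void *
get_sym_cop(struct rte_crypto_op *cop)
{
	return (cop + 1);
}

int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);

void
inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
sp4_init(struct socket_ctx *ctx, int32_t socket_id);

void
sp6_init(struct socket_ctx *ctx, int32_t socket_id);

/*
 * Search through SP rules for given SPI.
 * Returns first rule index if found(greater or equal then zero),
 * or -ENOENT otherwise.
 */
int
sp4_spi_present(uint32_t spi, int inbound);
int
sp6_spi_present(uint32_t spi, int inbound);

void
sa_init(struct socket_ctx *ctx, int32_t socket_id);

void
rt_init(struct socket_ctx *ctx, int32_t socket_id);

int
sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
		uint64_t *tx_offloads);

int
add_dst_ethaddr(uint16_t port, const struct ether_addr *addr);

void
enqueue_cop_burst(struct cdev_qp *cqp);

int
create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);

#endif /* __IPSEC_H__ */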