/* SPDX-License-Identifier: BSD-3-Clause * Copyright(C) 2021 Marvell. */ #include #include "cnxk_security.h" #include "roc_api.h" static void ipsec_hmac_opad_ipad_gen(struct rte_crypto_sym_xform *auth_xform, uint8_t *hmac_opad_ipad) { const uint8_t *key = auth_xform->auth.key.data; uint32_t length = auth_xform->auth.key.length; uint8_t opad[128] = {[0 ... 127] = 0x5c}; uint8_t ipad[128] = {[0 ... 127] = 0x36}; uint32_t i; /* HMAC OPAD and IPAD */ for (i = 0; i < 127 && i < length; i++) { opad[i] = opad[i] ^ key[i]; ipad[i] = ipad[i] ^ key[i]; } /* Precompute hash of HMAC OPAD and IPAD to avoid * per packet computation */ switch (auth_xform->auth.algo) { case RTE_CRYPTO_AUTH_MD5_HMAC: roc_hash_md5_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); roc_hash_md5_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); break; case RTE_CRYPTO_AUTH_SHA1_HMAC: roc_hash_sha1_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); roc_hash_sha1_gen(ipad, (uint32_t *)&hmac_opad_ipad[24]); break; case RTE_CRYPTO_AUTH_SHA256_HMAC: roc_hash_sha256_gen(opad, (uint32_t *)&hmac_opad_ipad[0]); roc_hash_sha256_gen(ipad, (uint32_t *)&hmac_opad_ipad[64]); break; case RTE_CRYPTO_AUTH_SHA384_HMAC: roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 384); roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 384); break; case RTE_CRYPTO_AUTH_SHA512_HMAC: roc_hash_sha512_gen(opad, (uint64_t *)&hmac_opad_ipad[0], 512); roc_hash_sha512_gen(ipad, (uint64_t *)&hmac_opad_ipad[64], 512); break; default: break; } } static int ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2, uint8_t *cipher_key, uint8_t *salt_key, uint8_t *hmac_opad_ipad, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; const uint8_t *key = NULL; uint8_t ccm_flag = 0; uint32_t *tmp_salt; uint64_t *tmp_key; int i, length = 0; /* Set direction */ if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) w2->s.dir = ROC_IE_SA_DIR_OUTBOUND; else w2->s.dir = ROC_IE_SA_DIR_INBOUND; if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AUTH) { auth_xfrm = crypto_xfrm; cipher_xfrm = crypto_xfrm->next; } else { cipher_xfrm = crypto_xfrm; auth_xfrm = crypto_xfrm->next; } /* Set protocol - ESP vs AH */ switch (ipsec_xfrm->proto) { case RTE_SECURITY_IPSEC_SA_PROTO_ESP: w2->s.protocol = ROC_IE_SA_PROTOCOL_ESP; break; case RTE_SECURITY_IPSEC_SA_PROTO_AH: w2->s.protocol = ROC_IE_SA_PROTOCOL_AH; break; default: return -EINVAL; } /* Set mode - transport vs tunnel */ switch (ipsec_xfrm->mode) { case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT: w2->s.mode = ROC_IE_SA_MODE_TRANSPORT; break; case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL: w2->s.mode = ROC_IE_SA_MODE_TUNNEL; break; default: return -EINVAL; } /* Set encryption algorithm */ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { key = crypto_xfrm->aead.key.data; length = crypto_xfrm->aead.key.length; switch (crypto_xfrm->aead.algo) { case RTE_CRYPTO_AEAD_AES_GCM: w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_GCM; w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; memcpy(salt_key, &ipsec_xfrm->salt, 4); tmp_salt = (uint32_t *)salt_key; *tmp_salt = rte_be_to_cpu_32(*tmp_salt); break; case RTE_CRYPTO_AEAD_AES_CCM: w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CCM; w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; *salt_key = ccm_flag; memcpy(PLT_PTR_ADD(salt_key, 1), &ipsec_xfrm->salt, 3); tmp_salt = (uint32_t *)salt_key; *tmp_salt = rte_be_to_cpu_32(*tmp_salt); break; default: return -ENOTSUP; } } else { if (cipher_xfrm != NULL) { switch (cipher_xfrm->cipher.algo) { case RTE_CRYPTO_CIPHER_NULL: w2->s.enc_type = ROC_IE_OT_SA_ENC_NULL; break; case RTE_CRYPTO_CIPHER_AES_CBC: w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CBC; break; case RTE_CRYPTO_CIPHER_AES_CTR: w2->s.enc_type = ROC_IE_OT_SA_ENC_AES_CTR; break; case RTE_CRYPTO_CIPHER_3DES_CBC: w2->s.enc_type = ROC_IE_OT_SA_ENC_3DES_CBC; break; default: return -ENOTSUP; } key = cipher_xfrm->cipher.key.data; length = cipher_xfrm->cipher.key.length; } switch (auth_xfrm->auth.algo) { case RTE_CRYPTO_AUTH_NULL: w2->s.auth_type = ROC_IE_OT_SA_AUTH_NULL; break; case RTE_CRYPTO_AUTH_SHA1_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA1; break; case RTE_CRYPTO_AUTH_SHA256_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_256; break; case RTE_CRYPTO_AUTH_SHA384_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_384; break; case RTE_CRYPTO_AUTH_SHA512_HMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_SHA2_512; break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128; break; case RTE_CRYPTO_AUTH_AES_GMAC: w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC; key = auth_xfrm->auth.key.data; length = auth_xfrm->auth.key.length; memcpy(salt_key, &ipsec_xfrm->salt, 4); tmp_salt = (uint32_t *)salt_key; *tmp_salt = rte_be_to_cpu_32(*tmp_salt); break; default: return -ENOTSUP; } if (auth_xfrm->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) { const uint8_t *auth_key = auth_xfrm->auth.key.data; roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad); } else { ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); } tmp_key = (uint64_t *)hmac_opad_ipad; for (i = 0; i < (int)(ROC_CTX_MAX_OPAD_IPAD_LEN / sizeof(uint64_t)); i++) tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); } /* Set encapsulation type */ if (ipsec_xfrm->options.udp_encap) w2->s.encap_type = ROC_IE_OT_SA_ENCAP_UDP; w2->s.spi = ipsec_xfrm->spi; if (key != NULL && length != 0) { /* Copy encryption key */ memcpy(cipher_key, key, length); tmp_key = (uint64_t *)cipher_key; for (i = 0; i < (int)(ROC_CTX_MAX_CKEY_LEN / sizeof(uint64_t)); i++) tmp_key[i] = rte_be_to_cpu_64(tmp_key[i]); } /* Set AES key length */ if (w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CBC || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CTR || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM || w2->s.enc_type == ROC_IE_OT_SA_ENC_AES_CCM || w2->s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC) { switch (length) { case ROC_CPT_AES128_KEY_LEN: w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; break; case ROC_CPT_AES192_KEY_LEN: w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; break; case ROC_CPT_AES256_KEY_LEN: w2->s.aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; break; default: plt_err("Invalid AES key length"); return -EINVAL; } } if (ipsec_xfrm->life.packets_soft_limit != 0 || ipsec_xfrm->life.packets_hard_limit != 0) { if (ipsec_xfrm->life.bytes_soft_limit != 0 || ipsec_xfrm->life.bytes_hard_limit != 0) { plt_err("Expiry tracking with both packets & bytes is not supported"); return -EINVAL; } w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_PKTS; } if (ipsec_xfrm->life.bytes_soft_limit != 0 || ipsec_xfrm->life.bytes_hard_limit != 0) { if (ipsec_xfrm->life.packets_soft_limit != 0 || ipsec_xfrm->life.packets_hard_limit != 0) { plt_err("Expiry tracking with both packets & bytes is not supported"); return -EINVAL; } w2->s.life_unit = ROC_IE_OT_SA_LIFE_UNIT_OCTETS; } return 0; } static size_t ot_ipsec_inb_ctx_size(struct roc_ot_ipsec_inb_sa *sa) { size_t size; /* Variable based on Anti-replay Window */ size = offsetof(struct roc_ot_ipsec_inb_sa, ctx) + offsetof(struct roc_ot_ipsec_inb_ctx_update_reg, ar_winbits); if (sa->w0.s.ar_win) size += (1 << (sa->w0.s.ar_win - 1)) * sizeof(uint64_t); return size; } static void ot_ipsec_update_ipv6_addr_endianness(uint64_t *addr) { *addr = rte_be_to_cpu_64(*addr); addr++; *addr = rte_be_to_cpu_64(*addr); } static int ot_ipsec_inb_tunnel_hdr_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm) { struct rte_security_ipsec_tunnel_param *tunnel; if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) return 0; if (ipsec_xfrm->options.tunnel_hdr_verify == 0) return 0; tunnel = &ipsec_xfrm->tunnel; switch (tunnel->type) { case RTE_SECURITY_IPSEC_TUNNEL_IPV4: sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, sizeof(struct in_addr)); memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, sizeof(struct in_addr)); /* IP Source and Dest are in LE/CPU endian */ sa->outer_hdr.ipv4.src_addr = rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); sa->outer_hdr.ipv4.dst_addr = rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); break; case RTE_SECURITY_IPSEC_TUNNEL_IPV6: sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, sizeof(struct in6_addr)); memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, sizeof(struct in6_addr)); /* IP Source and Dest are in LE/CPU endian */ ot_ipsec_update_ipv6_addr_endianness((uint64_t *)&sa->outer_hdr.ipv6.src_addr); ot_ipsec_update_ipv6_addr_endianness((uint64_t *)&sa->outer_hdr.ipv6.dst_addr); break; default: return -EINVAL; } switch (ipsec_xfrm->options.tunnel_hdr_verify) { case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR: sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_DST_ADDR; break; case RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR: sa->w2.s.ip_hdr_verify = ROC_IE_OT_SA_IP_HDR_VERIFY_SRC_DST_ADDR; break; default: return -ENOTSUP; } return 0; } int cnxk_ot_ipsec_inb_sa_fill(struct roc_ot_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm, bool is_inline) { union roc_ot_ipsec_sa_word2 w2; uint32_t replay_win_sz; size_t offset; int rc; /* Initialize the SA */ roc_ot_ipsec_inb_sa_init(sa, is_inline); w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->w8.s.salt, sa->hmac_opad_ipad, ipsec_xfrm, crypto_xfrm); if (rc) return rc; /* Updata common word2 data */ sa->w2.u64 = w2.u64; /* Only support power-of-two window sizes supported */ replay_win_sz = ipsec_xfrm->replay_win_sz; if (replay_win_sz) { if (!rte_is_power_of_2(replay_win_sz) || replay_win_sz > ROC_AR_WIN_SIZE_MAX) return -ENOTSUP; sa->w0.s.ar_win = rte_log2_u32(replay_win_sz) - 5; } rc = ot_ipsec_inb_tunnel_hdr_fill(sa, ipsec_xfrm); if (rc) return rc; /* Default options for pkt_out and pkt_fmt are with * second pass meta and no defrag. */ sa->w0.s.pkt_format = ROC_IE_OT_SA_PKT_FMT_META; sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_NO_FRAG; sa->w0.s.pkind = ROC_IE_OT_CPT_PKIND; if (ipsec_xfrm->options.ip_reassembly_en) sa->w0.s.pkt_output = ROC_IE_OT_SA_PKT_OUTPUT_HW_BASED_DEFRAG; /* ESN */ sa->w2.s.esn_en = !!ipsec_xfrm->options.esn; if (ipsec_xfrm->options.udp_encap) { sa->w10.s.udp_src_port = 4500; sa->w10.s.udp_dst_port = 4500; } if (ipsec_xfrm->options.udp_ports_verify) sa->w2.s.udp_ports_verify = 1; offset = offsetof(struct roc_ot_ipsec_inb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; /* Context push size for inbound spans up to hw_ctx including * ar_base field, in 8b units */ sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1; /* Entire context size in 128B units */ sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(ot_ipsec_inb_ctx_size(sa), ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B) - 1; /** * CPT MC triggers expiry when counter value changes from 2 to 1. To * mitigate this behaviour add 1 to the life counter values provided. */ if (ipsec_xfrm->life.bytes_soft_limit) { sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; sa->w0.s.soft_life_dec = 1; } if (ipsec_xfrm->life.packets_soft_limit) { sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; sa->w0.s.soft_life_dec = 1; } if (ipsec_xfrm->life.bytes_hard_limit) { sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; sa->w0.s.hard_life_dec = 1; } if (ipsec_xfrm->life.packets_hard_limit) { sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; sa->w0.s.hard_life_dec = 1; } rte_wmb(); /* Enable SA */ sa->w2.s.valid = 1; return 0; } int cnxk_ot_ipsec_outb_sa_fill(struct roc_ot_ipsec_outb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel; union roc_ot_ipsec_sa_word2 w2; size_t offset; int rc; /* Initialize the SA */ roc_ot_ipsec_outb_sa_init(sa); w2.u64 = 0; rc = ot_ipsec_sa_common_param_fill(&w2, sa->cipher_key, sa->iv.s.salt, sa->hmac_opad_ipad, ipsec_xfrm, crypto_xfrm); if (rc) return rc; /* Update common word2 data */ sa->w2.u64 = w2.u64; if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) goto skip_tunnel_info; /* Tunnel header info */ switch (tunnel->type) { case RTE_SECURITY_IPSEC_TUNNEL_IPV4: sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_4; memcpy(&sa->outer_hdr.ipv4.src_addr, &tunnel->ipv4.src_ip, sizeof(struct in_addr)); memcpy(&sa->outer_hdr.ipv4.dst_addr, &tunnel->ipv4.dst_ip, sizeof(struct in_addr)); /* IP Source and Dest seems to be in LE/CPU endian */ sa->outer_hdr.ipv4.src_addr = rte_be_to_cpu_32(sa->outer_hdr.ipv4.src_addr); sa->outer_hdr.ipv4.dst_addr = rte_be_to_cpu_32(sa->outer_hdr.ipv4.dst_addr); /* Outer header DF bit source */ if (!ipsec_xfrm->options.copy_df) { sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_SA; sa->w10.s.ipv4_df_or_ipv6_flw_lbl = tunnel->ipv4.df; } else { sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; } /* Outer header DSCP source */ if (!ipsec_xfrm->options.copy_dscp) { sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; sa->w10.s.dscp = tunnel->ipv4.dscp; } else { sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; } break; case RTE_SECURITY_IPSEC_TUNNEL_IPV6: sa->w2.s.outer_ip_ver = ROC_IE_SA_IP_VERSION_6; memcpy(&sa->outer_hdr.ipv6.src_addr, &tunnel->ipv6.src_addr, sizeof(struct in6_addr)); memcpy(&sa->outer_hdr.ipv6.dst_addr, &tunnel->ipv6.dst_addr, sizeof(struct in6_addr)); /* IP Source and Dest are in LE/CPU endian */ ot_ipsec_update_ipv6_addr_endianness((uint64_t *)&sa->outer_hdr.ipv6.src_addr); ot_ipsec_update_ipv6_addr_endianness((uint64_t *)&sa->outer_hdr.ipv6.dst_addr); /* Outer header flow label source */ if (!ipsec_xfrm->options.copy_flabel) { sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_SA; sa->w10.s.ipv4_df_or_ipv6_flw_lbl = tunnel->ipv6.flabel; } else { sa->w2.s.ipv4_df_src_or_ipv6_flw_lbl_src = ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; } /* Outer header DSCP source */ if (!ipsec_xfrm->options.copy_dscp) { sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_SA; sa->w10.s.dscp = tunnel->ipv6.dscp; } else { sa->w2.s.dscp_src = ROC_IE_OT_SA_COPY_FROM_INNER_IP_HDR; } break; default: return -EINVAL; } skip_tunnel_info: /* ESN */ sa->w0.s.esn_en = !!ipsec_xfrm->options.esn; if (ipsec_xfrm->esn.value) sa->ctx.esn_val = ipsec_xfrm->esn.value - 1; if (ipsec_xfrm->options.udp_encap) { sa->w10.s.udp_src_port = 4500; sa->w10.s.udp_dst_port = 4500; } offset = offsetof(struct roc_ot_ipsec_outb_sa, ctx); /* Word offset for HW managed SA field */ sa->w0.s.hw_ctx_off = offset / 8; /* Context push size is up to err ctl in HW ctx */ sa->w0.s.ctx_push_size = sa->w0.s.hw_ctx_off + 1; /* Entire context size in 128B units */ offset = sizeof(struct roc_ot_ipsec_outb_sa); sa->w0.s.ctx_size = (PLT_ALIGN_CEIL(offset, ROC_CTX_UNIT_128B) / ROC_CTX_UNIT_128B) - 1; /* IPID gen */ sa->w2.s.ipid_gen = 1; /** * CPT MC triggers expiry when counter value changes from 2 to 1. To * mitigate this behaviour add 1 to the life counter values provided. */ if (ipsec_xfrm->life.bytes_soft_limit) { sa->ctx.soft_life = ipsec_xfrm->life.bytes_soft_limit + 1; sa->w0.s.soft_life_dec = 1; } if (ipsec_xfrm->life.packets_soft_limit) { sa->ctx.soft_life = ipsec_xfrm->life.packets_soft_limit + 1; sa->w0.s.soft_life_dec = 1; } if (ipsec_xfrm->life.bytes_hard_limit) { sa->ctx.hard_life = ipsec_xfrm->life.bytes_hard_limit + 1; sa->w0.s.hard_life_dec = 1; } if (ipsec_xfrm->life.packets_hard_limit) { sa->ctx.hard_life = ipsec_xfrm->life.packets_hard_limit + 1; sa->w0.s.hard_life_dec = 1; } /* There are two words of CPT_CTX_HW_S for ucode to skip */ sa->w0.s.ctx_hdr_size = 1; sa->w0.s.aop_valid = 1; rte_wmb(); /* Enable SA */ sa->w2.s.valid = 1; return 0; } bool cnxk_ot_ipsec_inb_sa_valid(struct roc_ot_ipsec_inb_sa *sa) { return !!sa->w2.s.valid; } bool cnxk_ot_ipsec_outb_sa_valid(struct roc_ot_ipsec_outb_sa *sa) { return !!sa->w2.s.valid; } static inline int ipsec_xfrm_verify(struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { if (crypto_xfrm->next == NULL) return -EINVAL; if (ipsec_xfrm->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_AUTH || crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_CIPHER) return -EINVAL; } else { if (crypto_xfrm->type != RTE_CRYPTO_SYM_XFORM_CIPHER || crypto_xfrm->next->type != RTE_CRYPTO_SYM_XFORM_AUTH) return -EINVAL; } return 0; } static int onf_ipsec_sa_common_param_fill(struct roc_ie_onf_sa_ctl *ctl, uint8_t *salt, uint8_t *cipher_key, uint8_t *hmac_opad_ipad, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_crypto_sym_xform *auth_xfrm, *cipher_xfrm; int rc, length, auth_key_len; const uint8_t *key = NULL; uint8_t ccm_flag = 0; /* Set direction */ switch (ipsec_xfrm->direction) { case RTE_SECURITY_IPSEC_SA_DIR_INGRESS: ctl->direction = ROC_IE_SA_DIR_INBOUND; auth_xfrm = crypto_xfrm; cipher_xfrm = crypto_xfrm->next; break; case RTE_SECURITY_IPSEC_SA_DIR_EGRESS: ctl->direction = ROC_IE_SA_DIR_OUTBOUND; cipher_xfrm = crypto_xfrm; auth_xfrm = crypto_xfrm->next; break; default: return -EINVAL; } /* Set protocol - ESP vs AH */ switch (ipsec_xfrm->proto) { case RTE_SECURITY_IPSEC_SA_PROTO_ESP: ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP; break; case RTE_SECURITY_IPSEC_SA_PROTO_AH: return -ENOTSUP; default: return -EINVAL; } /* Set mode - transport vs tunnel */ switch (ipsec_xfrm->mode) { case RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT: ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT; break; case RTE_SECURITY_IPSEC_SA_MODE_TUNNEL: ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL; break; default: return -EINVAL; } /* Set encryption algorithm */ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { length = crypto_xfrm->aead.key.length; switch (crypto_xfrm->aead.algo) { case RTE_CRYPTO_AEAD_AES_GCM: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; memcpy(salt, &ipsec_xfrm->salt, 4); key = crypto_xfrm->aead.key.data; break; case RTE_CRYPTO_AEAD_AES_CCM: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CCM; ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; *salt = ccm_flag; memcpy(PLT_PTR_ADD(salt, 1), &ipsec_xfrm->salt, 3); key = crypto_xfrm->aead.key.data; break; default: return -ENOTSUP; } } else { rc = ipsec_xfrm_verify(ipsec_xfrm, crypto_xfrm); if (rc) return rc; switch (cipher_xfrm->cipher.algo) { case RTE_CRYPTO_CIPHER_AES_CBC: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; break; case RTE_CRYPTO_CIPHER_AES_CTR: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR; break; default: return -ENOTSUP; } switch (auth_xfrm->auth.algo) { case RTE_CRYPTO_AUTH_SHA1_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1; break; default: return -ENOTSUP; } auth_key_len = auth_xfrm->auth.key.length; if (auth_key_len < 20 || auth_key_len > 64) return -ENOTSUP; key = cipher_xfrm->cipher.key.data; length = cipher_xfrm->cipher.key.length; ipsec_hmac_opad_ipad_gen(auth_xfrm, hmac_opad_ipad); } switch (length) { case ROC_CPT_AES128_KEY_LEN: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; break; case ROC_CPT_AES192_KEY_LEN: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; break; case ROC_CPT_AES256_KEY_LEN: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; break; default: return -EINVAL; } memcpy(cipher_key, key, length); if (ipsec_xfrm->options.esn) ctl->esn_en = 1; ctl->spi = rte_cpu_to_be_32(ipsec_xfrm->spi); return 0; } int cnxk_onf_ipsec_inb_sa_fill(struct roc_onf_ipsec_inb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; int rc; rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, sa->hmac_key, ipsec_xfrm, crypto_xfrm); if (rc) return rc; rte_wmb(); /* Enable SA */ ctl->valid = 1; return 0; } int cnxk_onf_ipsec_outb_sa_fill(struct roc_onf_ipsec_outb_sa *sa, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel; struct roc_ie_onf_sa_ctl *ctl = &sa->ctl; int rc; /* Fill common params */ rc = onf_ipsec_sa_common_param_fill(ctl, sa->nonce, sa->cipher_key, sa->hmac_key, ipsec_xfrm, crypto_xfrm); if (rc) return rc; if (ipsec_xfrm->mode != RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) goto skip_tunnel_info; /* Tunnel header info */ switch (tunnel->type) { case RTE_SECURITY_IPSEC_TUNNEL_IPV4: memcpy(&sa->ip_src, &tunnel->ipv4.src_ip, sizeof(struct in_addr)); memcpy(&sa->ip_dst, &tunnel->ipv4.dst_ip, sizeof(struct in_addr)); break; case RTE_SECURITY_IPSEC_TUNNEL_IPV6: return -ENOTSUP; default: return -EINVAL; } /* Update udp encap ports */ if (ipsec_xfrm->options.udp_encap == 1) { sa->udp_src = 4500; sa->udp_dst = 4500; } skip_tunnel_info: rte_wmb(); /* Enable SA */ ctl->valid = 1; return 0; } bool cnxk_onf_ipsec_inb_sa_valid(struct roc_onf_ipsec_inb_sa *sa) { return !!sa->ctl.valid; } bool cnxk_onf_ipsec_outb_sa_valid(struct roc_onf_ipsec_outb_sa *sa) { return !!sa->ctl.valid; } uint8_t cnxk_ipsec_ivlen_get(enum rte_crypto_cipher_algorithm c_algo, enum rte_crypto_auth_algorithm a_algo, enum rte_crypto_aead_algorithm aead_algo) { uint8_t ivlen = 0; if ((aead_algo == RTE_CRYPTO_AEAD_AES_GCM) || (aead_algo == RTE_CRYPTO_AEAD_AES_CCM)) ivlen = 8; switch (c_algo) { case RTE_CRYPTO_CIPHER_AES_CTR: ivlen = 8; break; case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: ivlen = ROC_CPT_DES_BLOCK_LENGTH; break; case RTE_CRYPTO_CIPHER_AES_CBC: ivlen = ROC_CPT_AES_BLOCK_LENGTH; break; default: break; } switch (a_algo) { case RTE_CRYPTO_AUTH_AES_GMAC: ivlen = 8; break; default: break; } return ivlen; } uint8_t cnxk_ipsec_icvlen_get(enum rte_crypto_cipher_algorithm c_algo, enum rte_crypto_auth_algorithm a_algo, enum rte_crypto_aead_algorithm aead_algo) { uint8_t icv = 0; (void)c_algo; switch (a_algo) { case RTE_CRYPTO_AUTH_NULL: icv = 0; break; case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: icv = 12; break; case RTE_CRYPTO_AUTH_SHA256_HMAC: case RTE_CRYPTO_AUTH_AES_GMAC: icv = 16; break; case RTE_CRYPTO_AUTH_SHA384_HMAC: icv = 24; break; case RTE_CRYPTO_AUTH_SHA512_HMAC: icv = 32; break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: icv = 12; break; default: break; } switch (aead_algo) { case RTE_CRYPTO_AEAD_AES_GCM: case RTE_CRYPTO_AEAD_AES_CCM: icv = 16; break; default: break; } return icv; } uint8_t cnxk_ipsec_outb_roundup_byte(enum rte_crypto_cipher_algorithm c_algo, enum rte_crypto_aead_algorithm aead_algo) { uint8_t roundup_byte = 4; if ((aead_algo == RTE_CRYPTO_AEAD_AES_GCM) || (aead_algo == RTE_CRYPTO_AEAD_AES_CCM)) return roundup_byte; switch (c_algo) { case RTE_CRYPTO_CIPHER_AES_CTR: roundup_byte = 4; break; case RTE_CRYPTO_CIPHER_AES_CBC: roundup_byte = 16; break; case RTE_CRYPTO_CIPHER_DES_CBC: case RTE_CRYPTO_CIPHER_3DES_CBC: roundup_byte = 8; break; case RTE_CRYPTO_CIPHER_NULL: roundup_byte = 4; break; default: break; } return roundup_byte; } int cnxk_ipsec_outb_rlens_get(struct cnxk_ipsec_outb_rlens *rlens, struct rte_security_ipsec_xform *ipsec_xfrm, struct rte_crypto_sym_xform *crypto_xfrm) { struct rte_security_ipsec_tunnel_param *tunnel = &ipsec_xfrm->tunnel; enum rte_crypto_cipher_algorithm c_algo = RTE_CRYPTO_CIPHER_NULL; enum rte_crypto_auth_algorithm a_algo = RTE_CRYPTO_AUTH_NULL; enum rte_crypto_aead_algorithm aead_algo = 0; uint16_t partial_len = 0; uint8_t roundup_byte = 0; int8_t roundup_len = 0; memset(rlens, 0, sizeof(struct cnxk_ipsec_outb_rlens)); /* Get Cipher and Auth algo */ if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_AEAD) { aead_algo = crypto_xfrm->aead.algo; } else { if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) c_algo = crypto_xfrm->cipher.algo; else a_algo = crypto_xfrm->auth.algo; if (crypto_xfrm->next) { if (crypto_xfrm->next->type == RTE_CRYPTO_SYM_XFORM_CIPHER) c_algo = crypto_xfrm->next->cipher.algo; else a_algo = crypto_xfrm->next->auth.algo; } } if (ipsec_xfrm->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) { partial_len = ROC_CPT_ESP_HDR_LEN; roundup_len = ROC_CPT_ESP_TRL_LEN; } else { partial_len = ROC_CPT_AH_HDR_LEN; } if (ipsec_xfrm->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { if (tunnel->type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) partial_len += ROC_CPT_TUNNEL_IPV4_HDR_LEN; else partial_len += ROC_CPT_TUNNEL_IPV6_HDR_LEN; } partial_len += cnxk_ipsec_ivlen_get(c_algo, a_algo, aead_algo); partial_len += cnxk_ipsec_icvlen_get(c_algo, a_algo, aead_algo); roundup_byte = cnxk_ipsec_outb_roundup_byte(c_algo, aead_algo); if (ipsec_xfrm->options.udp_encap) partial_len += sizeof(struct rte_udp_hdr); rlens->partial_len = partial_len; rlens->roundup_len = roundup_len; rlens->roundup_byte = roundup_byte; rlens->max_extended_len = partial_len + roundup_len + roundup_byte; return 0; } static inline int on_ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_sa_ctl *ctl) { struct rte_crypto_sym_xform *cipher_xform, *auth_xform; int aes_key_len = 0; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { auth_xform = crypto_xform; cipher_xform = crypto_xform->next; } else { cipher_xform = crypto_xform; auth_xform = crypto_xform->next; } if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) ctl->direction = ROC_IE_SA_DIR_OUTBOUND; else ctl->direction = ROC_IE_SA_DIR_INBOUND; if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4; else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_6; else return -EINVAL; } if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT) { ctl->ipsec_mode = ROC_IE_SA_MODE_TRANSPORT; ctl->outer_ip_ver = ROC_IE_SA_IP_VERSION_4; } else if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) ctl->ipsec_mode = ROC_IE_SA_MODE_TUNNEL; else return -EINVAL; if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_AH; else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) ctl->ipsec_proto = ROC_IE_SA_PROTOCOL_ESP; else return -EINVAL; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { switch (crypto_xform->aead.algo) { case RTE_CRYPTO_AEAD_AES_GCM: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_GCM; aes_key_len = crypto_xform->aead.key.length; break; case RTE_CRYPTO_AEAD_AES_CCM: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CCM; aes_key_len = crypto_xform->aead.key.length; break; default: plt_err("Unsupported AEAD algorithm"); return -ENOTSUP; } } else { if (cipher_xform != NULL) { switch (cipher_xform->cipher.algo) { case RTE_CRYPTO_CIPHER_NULL: ctl->enc_type = ROC_IE_ON_SA_ENC_NULL; break; case RTE_CRYPTO_CIPHER_DES_CBC: ctl->enc_type = ROC_IE_ON_SA_ENC_DES_CBC; break; case RTE_CRYPTO_CIPHER_3DES_CBC: ctl->enc_type = ROC_IE_ON_SA_ENC_3DES_CBC; break; case RTE_CRYPTO_CIPHER_AES_CBC: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CBC; aes_key_len = cipher_xform->cipher.key.length; break; case RTE_CRYPTO_CIPHER_AES_CTR: ctl->enc_type = ROC_IE_ON_SA_ENC_AES_CTR; aes_key_len = cipher_xform->cipher.key.length; break; default: plt_err("Unsupported cipher algorithm"); return -ENOTSUP; } } switch (auth_xform->auth.algo) { case RTE_CRYPTO_AUTH_NULL: ctl->auth_type = ROC_IE_ON_SA_AUTH_NULL; break; case RTE_CRYPTO_AUTH_MD5_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_MD5; break; case RTE_CRYPTO_AUTH_SHA1_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA1; break; case RTE_CRYPTO_AUTH_SHA224_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_224; break; case RTE_CRYPTO_AUTH_SHA256_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_256; break; case RTE_CRYPTO_AUTH_SHA384_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_384; break; case RTE_CRYPTO_AUTH_SHA512_HMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_SHA2_512; break; case RTE_CRYPTO_AUTH_AES_GMAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC; aes_key_len = auth_xform->auth.key.length; break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128; break; default: plt_err("Unsupported auth algorithm"); return -ENOTSUP; } } /* Set AES key length */ if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CBC || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CTR || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { switch (aes_key_len) { case 16: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_128; break; case 24: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_192; break; case 32: ctl->aes_key_len = ROC_IE_SA_AES_KEY_LEN_256; break; default: plt_err("Invalid AES key length"); return -EINVAL; } } if (ipsec->options.esn) ctl->esn_en = 1; if (ipsec->options.udp_encap == 1) ctl->encap_type = ROC_IE_ON_SA_ENCAP_UDP; ctl->copy_df = ipsec->options.copy_df; ctl->spi = rte_cpu_to_be_32(ipsec->spi); rte_io_wmb(); ctl->valid = 1; return 0; } static inline int on_fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_common_sa *common_sa) { struct rte_crypto_sym_xform *cipher_xform, *auth_xform; const uint8_t *cipher_key; int cipher_key_len = 0; uint8_t ccm_flag = 0; int ret; ret = on_ipsec_sa_ctl_set(ipsec, crypto_xform, &common_sa->ctl); if (ret) return ret; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) { auth_xform = crypto_xform; cipher_xform = crypto_xform->next; } else { cipher_xform = crypto_xform; auth_xform = crypto_xform->next; } if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) { if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4); else if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_CCM) { ccm_flag = 0x07 & ~ROC_CPT_AES_CCM_CTR_LEN; *common_sa->iv.gcm.nonce = ccm_flag; memcpy(PLT_PTR_ADD(common_sa->iv.gcm.nonce, 1), &ipsec->salt, 3); } cipher_key = crypto_xform->aead.key.data; cipher_key_len = crypto_xform->aead.key.length; } else { if (cipher_xform) { cipher_key = cipher_xform->cipher.key.data; cipher_key_len = cipher_xform->cipher.key.length; } if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4); cipher_key = auth_xform->auth.key.data; cipher_key_len = auth_xform->auth.key.length; } } if (cipher_key_len != 0) memcpy(common_sa->cipher_key, cipher_key, cipher_key_len); return 0; } int cnxk_on_ipsec_outb_sa_create(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_outb_sa *out_sa) { struct roc_ie_on_ip_template *template = NULL; struct rte_crypto_sym_xform *auth_xform; struct roc_ie_on_sa_ctl *ctl; struct rte_ipv6_hdr *ip6; struct rte_ipv4_hdr *ip4; uint16_t sport, dport; size_t ctx_len; int ret; ctl = &out_sa->common_sa.ctl; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) auth_xform = crypto_xform; else auth_xform = crypto_xform->next; ret = on_fill_ipsec_common_sa(ipsec, crypto_xform, &out_sa->common_sa); if (ret) return ret; if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM || ctl->enc_type == ROC_IE_ON_SA_ENC_AES_CCM || ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL || ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) { template = &out_sa->aes_gcm.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template); } else { switch (ctl->auth_type) { case ROC_IE_ON_SA_AUTH_MD5: case ROC_IE_ON_SA_AUTH_SHA1: template = &out_sa->sha1.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, sha1.template); break; case ROC_IE_ON_SA_AUTH_SHA2_256: case ROC_IE_ON_SA_AUTH_SHA2_384: case ROC_IE_ON_SA_AUTH_SHA2_512: template = &out_sa->sha2.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, sha2.template); break; case ROC_IE_ON_SA_AUTH_AES_XCBC_128: template = &out_sa->aes_xcbc.template; ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_xcbc.template); break; default: plt_err("Unsupported auth algorithm"); return -EINVAL; } } ip4 = (struct rte_ipv4_hdr *)&template->ip4.ipv4_hdr; sport = 4500; dport = 4500; /* If custom port values are provided, Overwrite default port values. */ if (ipsec->options.udp_encap) { if (ipsec->udp.sport) sport = ipsec->udp.sport; if (ipsec->udp.dport) dport = ipsec->udp.dport; ip4->next_proto_id = IPPROTO_UDP; template->ip4.udp_src = rte_be_to_cpu_16(sport); template->ip4.udp_dst = rte_be_to_cpu_16(dport); } else { if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) ip4->next_proto_id = IPPROTO_AH; else ip4->next_proto_id = IPPROTO_ESP; } if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) { if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) { uint16_t frag_off = 0; ctx_len += sizeof(template->ip4); ip4->version_ihl = RTE_IPV4_VHL_DEF; ip4->time_to_live = ipsec->tunnel.ipv4.ttl ? ipsec->tunnel.ipv4.ttl : 0x40; ip4->type_of_service |= (ipsec->tunnel.ipv4.dscp << 2); if (ipsec->tunnel.ipv4.df) frag_off |= RTE_IPV4_HDR_DF_FLAG; ip4->fragment_offset = rte_cpu_to_be_16(frag_off); memcpy(&ip4->src_addr, &ipsec->tunnel.ipv4.src_ip, sizeof(struct in_addr)); memcpy(&ip4->dst_addr, &ipsec->tunnel.ipv4.dst_ip, sizeof(struct in_addr)); } else if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV6) { ctx_len += sizeof(template->ip6); ip6 = (struct rte_ipv6_hdr *)&template->ip6.ipv6_hdr; if (ipsec->options.udp_encap) { ip6->proto = IPPROTO_UDP; template->ip6.udp_src = rte_be_to_cpu_16(sport); template->ip6.udp_dst = rte_be_to_cpu_16(dport); } else { ip6->proto = (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) ? IPPROTO_ESP : IPPROTO_AH; } ip6->vtc_flow = rte_cpu_to_be_32(0x60000000 | ((ipsec->tunnel.ipv6.dscp << RTE_IPV6_HDR_TC_SHIFT) & RTE_IPV6_HDR_TC_MASK) | ((ipsec->tunnel.ipv6.flabel << RTE_IPV6_HDR_FL_SHIFT) & RTE_IPV6_HDR_FL_MASK)); ip6->hop_limits = ipsec->tunnel.ipv6.hlimit ? ipsec->tunnel.ipv6.hlimit : 0x40; memcpy(&ip6->src_addr, &ipsec->tunnel.ipv6.src_addr, sizeof(struct in6_addr)); memcpy(&ip6->dst_addr, &ipsec->tunnel.ipv6.dst_addr, sizeof(struct in6_addr)); } } else ctx_len += sizeof(template->ip4); ctx_len += RTE_ALIGN_CEIL(ctx_len, 8); if (crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD) { uint8_t *hmac_opad_ipad = (uint8_t *)&out_sa->sha2; if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) { const uint8_t *auth_key = auth_xform->auth.key.data; roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad); } else if (auth_xform->auth.algo != RTE_CRYPTO_AUTH_NULL) { ipsec_hmac_opad_ipad_gen(auth_xform, hmac_opad_ipad); } } return ctx_len; } int cnxk_on_ipsec_inb_sa_create(struct rte_security_ipsec_xform *ipsec, struct rte_crypto_sym_xform *crypto_xform, struct roc_ie_on_inb_sa *in_sa) { struct rte_crypto_sym_xform *auth_xform = crypto_xform; const uint8_t *auth_key; int auth_key_len = 0; size_t ctx_len = 0; int ret; ret = on_fill_ipsec_common_sa(ipsec, crypto_xform, &in_sa->common_sa); if (ret) return ret; if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD || auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL || auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) { ctx_len = offsetof(struct roc_ie_on_inb_sa, sha1_or_gcm.hmac_key[0]); } else { uint8_t *hmac_opad_ipad = (uint8_t *)&in_sa->sha2; auth_key = auth_xform->auth.key.data; auth_key_len = auth_xform->auth.key.length; switch (auth_xform->auth.algo) { case RTE_CRYPTO_AUTH_NULL: break; case RTE_CRYPTO_AUTH_MD5_HMAC: case RTE_CRYPTO_AUTH_SHA1_HMAC: memcpy(in_sa->sha1_or_gcm.hmac_key, auth_key, auth_key_len); ctx_len = offsetof(struct roc_ie_on_inb_sa, sha1_or_gcm.selector); break; case RTE_CRYPTO_AUTH_SHA256_HMAC: case RTE_CRYPTO_AUTH_SHA384_HMAC: case RTE_CRYPTO_AUTH_SHA512_HMAC: memcpy(in_sa->sha2.hmac_key, auth_key, auth_key_len); ctx_len = offsetof(struct roc_ie_on_inb_sa, sha2.selector); break; case RTE_CRYPTO_AUTH_AES_XCBC_MAC: memcpy(in_sa->aes_xcbc.key, auth_key, auth_key_len); ctx_len = offsetof(struct roc_ie_on_inb_sa, aes_xcbc.selector); break; default: plt_err("Unsupported auth algorithm %u", auth_xform->auth.algo); return -ENOTSUP; } if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC) { const uint8_t *auth_key = auth_xform->auth.key.data; roc_aes_xcbc_key_derive(auth_key, hmac_opad_ipad); } else if (auth_xform->auth.algo != RTE_CRYPTO_AUTH_NULL) { ipsec_hmac_opad_ipad_gen(auth_xform, hmac_opad_ipad); } } return ctx_len; }