[ceph.git] / ceph / src / seastar / dpdk / examples / ipsec-secgw / ipsec.h

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2016-2017 Intel Corporation
 */

#ifndef __IPSEC_H__
#define __IPSEC_H__

#include <stdint.h>

#include <rte_byteorder.h>
#include <rte_crypto.h>
#include <rte_security.h>
#include <rte_flow.h>
#include <rte_ipsec.h>

#define RTE_LOGTYPE_IPSEC       RTE_LOGTYPE_USER1
#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3

#define MAX_PKT_BURST 32
#define MAX_INFLIGHT 128
#define MAX_QP_PER_LCORE 256

#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */

#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00

#define IV_OFFSET		(sizeof(struct rte_crypto_op) + \
				sizeof(struct rte_crypto_sym_op))

#define uint32_t_to_char(ip, a, b, c, d) do {\
		*a = (uint8_t)(ip >> 24 & 0xff);\
		*b = (uint8_t)(ip >> 16 & 0xff);\
		*c = (uint8_t)(ip >> 8 & 0xff);\
		*d = (uint8_t)(ip & 0xff);\
	} while (0)

#define DEFAULT_MAX_CATEGORIES	1

#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
#define INVALID_SPI (0)

#define DISCARD	INVALID_SPI
#define BYPASS	UINT32_MAX

#define IPSEC_XFORM_MAX 2

#define IP6_VERSION (6)

struct rte_crypto_xform;
struct ipsec_xform;
struct rte_mbuf;

struct ipsec_sa;

typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
		struct rte_crypto_op *cop);

struct ip_addr {
	union {
		uint32_t ip4;
		union {
			uint64_t ip6[2];
			uint8_t ip6_b[16];
		} ip6;
	} ip;
};

#define MAX_KEY_SIZE		32

/*
 * application wide SA parameters
 */
struct app_sa_prm {
	uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
	uint32_t window_size; /* replay window size */
	uint32_t enable_esn;  /* enable/disable ESN support */
	uint64_t flags;       /* rte_ipsec_sa_prm.flags */
};

extern struct app_sa_prm app_sa_prm;

struct ipsec_sa {
	struct rte_ipsec_session ips; /* one session per sa for now */
	uint32_t spi;
	uint32_t cdev_id_qp;
	uint64_t seq;
	uint32_t salt;
	union {
		struct rte_cryptodev_sym_session *crypto_session;
		struct rte_security_session *sec_session;
	};
	enum rte_crypto_cipher_algorithm cipher_algo;
	enum rte_crypto_auth_algorithm auth_algo;
	enum rte_crypto_aead_algorithm aead_algo;
	uint16_t digest_len;
	uint16_t iv_len;
	uint16_t block_size;
	uint16_t flags;
#define IP4_TUNNEL (1 << 0)
#define IP6_TUNNEL (1 << 1)
#define TRANSPORT  (1 << 2)
	struct ip_addr src;
	struct ip_addr dst;
	uint8_t cipher_key[MAX_KEY_SIZE];
	uint16_t cipher_key_len;
	uint8_t auth_key[MAX_KEY_SIZE];
	uint16_t auth_key_len;
	uint16_t aad_len;
	union {
		struct rte_crypto_sym_xform *xforms;
		struct rte_security_ipsec_xform *sec_xform;
	};
	enum rte_security_session_action_type type;
	enum rte_security_ipsec_sa_direction direction;
	uint16_t portid;
	struct rte_security_ctx *security_ctx;
	uint32_t ol_flags;

#define MAX_RTE_FLOW_PATTERN (4)
#define MAX_RTE_FLOW_ACTIONS (3)
	struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
	struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
	struct rte_flow_attr attr;
	union {
		struct rte_flow_item_ipv4 ipv4_spec;
		struct rte_flow_item_ipv6 ipv6_spec;
	};
	struct rte_flow_item_esp esp_spec;
	struct rte_flow *flow;
	struct rte_security_session_conf sess_conf;
} __rte_cache_aligned;

struct ipsec_mbuf_metadata {
	struct ipsec_sa *sa;
	struct rte_crypto_op cop;
	struct rte_crypto_sym_op sym_cop;
	uint8_t buf[32];
} __rte_cache_aligned;

struct cdev_qp {
	uint16_t id;
	uint16_t qp;
	uint16_t in_flight;
	uint16_t len;
	struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
};

struct ipsec_ctx {
	struct rte_hash *cdev_map;
	struct sp_ctx *sp4_ctx;
	struct sp_ctx *sp6_ctx;
	struct sa_ctx *sa_ctx;
	uint16_t nb_qps;
	uint16_t last_qp;
	struct cdev_qp tbl[MAX_QP_PER_LCORE];
	struct rte_mempool *session_pool;
	struct rte_mempool *session_priv_pool;
	struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
	uint16_t ol_pkts_cnt;
	uint64_t ipv4_offloads;
	uint64_t ipv6_offloads;
};

struct cdev_key {
	uint16_t lcore_id;
	uint8_t cipher_algo;
	uint8_t auth_algo;
	uint8_t aead_algo;
};

struct socket_ctx {
	struct sa_ctx *sa_in;
	struct sa_ctx *sa_out;
	struct sp_ctx *sp_ip4_in;
	struct sp_ctx *sp_ip4_out;
	struct sp_ctx *sp_ip6_in;
	struct sp_ctx *sp_ip6_out;
	struct rt_ctx *rt_ip4;
	struct rt_ctx *rt_ip6;
	struct rte_mempool *mbuf_pool;
	struct rte_mempool *session_pool;
	struct rte_mempool *session_priv_pool;
};

struct cnt_blk {
	uint32_t salt;
	uint64_t iv;
	uint32_t cnt;
} __attribute__((packed));

struct traffic_type {
	const uint8_t *data[MAX_PKT_BURST * 2];
	struct rte_mbuf *pkts[MAX_PKT_BURST * 2];
	struct ipsec_sa *saptr[MAX_PKT_BURST * 2];
	uint32_t res[MAX_PKT_BURST * 2];
	uint32_t num;
};

struct ipsec_traffic {
	struct traffic_type ipsec;
	struct traffic_type ip4;
	struct traffic_type ip6;
};

uint16_t
ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t nb_pkts, uint16_t len);

uint16_t
ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);

uint16_t
ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t len);

uint16_t
ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
		uint16_t len);

void
ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);

void
ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);

static inline uint16_t
ipsec_metadata_size(void)
{
	return sizeof(struct ipsec_mbuf_metadata);
}

static inline struct ipsec_mbuf_metadata *
get_priv(struct rte_mbuf *m)
{
	return rte_mbuf_to_priv(m);
}

static inline void *
get_cnt_blk(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[0];
}

static inline void *
get_aad(struct rte_mbuf *m)
{
	struct ipsec_mbuf_metadata *priv = get_priv(m);

	return &priv->buf[16];
}

static inline void *
get_sym_cop(struct rte_crypto_op *cop)
{
	return (cop + 1);
}

int
inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);

void
inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
		struct ipsec_sa *sa[], uint16_t nb_pkts);

void
sp4_init(struct socket_ctx *ctx, int32_t socket_id);

void
sp6_init(struct socket_ctx *ctx, int32_t socket_id);

/*
 * Search through SP rules for given SPI.
 * Returns first rule index if found(greater or equal then zero),
 * or -ENOENT otherwise.
 */
int
sp4_spi_present(uint32_t spi, int inbound);
int
sp6_spi_present(uint32_t spi, int inbound);

/*
 * Search through SA entries for given SPI.
 * Returns first entry index if found(greater or equal then zero),
 * or -ENOENT otherwise.
 */
int
sa_spi_present(uint32_t spi, int inbound);

void
sa_init(struct socket_ctx *ctx, int32_t socket_id);

void
rt_init(struct socket_ctx *ctx, int32_t socket_id);

int
sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
		uint64_t *tx_offloads);

int
add_dst_ethaddr(uint16_t port, const struct ether_addr *addr);

void
enqueue_cop_burst(struct cdev_qp *cqp);

int
create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa);

#endif /* __IPSEC_H__ */
Commit	Line	Data
9f95a23c TL	1	/* SPDX-License-Identifier: BSD-3-Clause
9f95a23c TL	2	* Copyright(c) 2016-2017 Intel Corporation
7c673cae FG	3	*/
	4
	5	#ifndef __IPSEC_H__
	6	#define __IPSEC_H__
	7
	8	#include <stdint.h>
	9
	10	#include <rte_byteorder.h>
	11	#include <rte_crypto.h>
9f95a23c TL	12	#include <rte_security.h>
	13	#include <rte_flow.h>
	14	#include <rte_ipsec.h>
7c673cae FG	15
	16	#define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1
	17	#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
	18	#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
	19
	20	#define MAX_PKT_BURST 32
9f95a23c	21	#define MAX_INFLIGHT 128
7c673cae FG	22	#define MAX_QP_PER_LCORE 256
	23
	24	#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
	25
9f95a23c TL	26	#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
	27
	28	#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
	29	sizeof(struct rte_crypto_sym_op))
	30
7c673cae FG	31	#define uint32_t_to_char(ip, a, b, c, d) do {\
	32	*a = (uint8_t)(ip >> 24 & 0xff);\
	33	*b = (uint8_t)(ip >> 16 & 0xff);\
	34	*c = (uint8_t)(ip >> 8 & 0xff);\
	35	*d = (uint8_t)(ip & 0xff);\
	36	} while (0)
	37
	38	#define DEFAULT_MAX_CATEGORIES 1
	39
	40	#define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */
	41	#define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1))
	42	#define INVALID_SPI (0)
	43
9f95a23c TL	44	#define DISCARD INVALID_SPI
9f95a23c TL	45	#define BYPASS UINT32_MAX
7c673cae FG	46
	47	#define IPSEC_XFORM_MAX 2
	48
	49	#define IP6_VERSION (6)
	50
	51	struct rte_crypto_xform;
	52	struct ipsec_xform;
7c673cae FG	53	struct rte_mbuf;
	54
	55	struct ipsec_sa;
	56
	57	typedef int32_t (ipsec_xform_fn)(struct rte_mbuf m, struct ipsec_sa *sa,
	58	struct rte_crypto_op *cop);
	59
	60	struct ip_addr {
	61	union {
	62	uint32_t ip4;
	63	union {
	64	uint64_t ip6[2];
	65	uint8_t ip6_b[16];
	66	} ip6;
	67	} ip;
	68	};
	69
11fdf7f2	70	#define MAX_KEY_SIZE 32
7c673cae	71
9f95a23c TL	72	/*
	73	* application wide SA parameters
	74	*/
	75	struct app_sa_prm {
	76	uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
	77	uint32_t window_size; /* replay window size */
	78	uint32_t enable_esn; /* enable/disable ESN support */
	79	uint64_t flags; /* rte_ipsec_sa_prm.flags */
	80	};
	81
	82	extern struct app_sa_prm app_sa_prm;
	83
7c673cae	84	struct ipsec_sa {
9f95a23c	85	struct rte_ipsec_session ips; /* one session per sa for now */
7c673cae FG	86	uint32_t spi;
	87	uint32_t cdev_id_qp;
	88	uint64_t seq;
	89	uint32_t salt;
9f95a23c TL	90	union {
	91	struct rte_cryptodev_sym_session *crypto_session;
	92	struct rte_security_session *sec_session;
	93	};
7c673cae FG	94	enum rte_crypto_cipher_algorithm cipher_algo;
7c673cae FG	95	enum rte_crypto_auth_algorithm auth_algo;
9f95a23c	96	enum rte_crypto_aead_algorithm aead_algo;
7c673cae FG	97	uint16_t digest_len;
	98	uint16_t iv_len;
	99	uint16_t block_size;
	100	uint16_t flags;
	101	#define IP4_TUNNEL (1 << 0)
	102	#define IP6_TUNNEL (1 << 1)
	103	#define TRANSPORT (1 << 2)
	104	struct ip_addr src;
	105	struct ip_addr dst;
	106	uint8_t cipher_key[MAX_KEY_SIZE];
	107	uint16_t cipher_key_len;
	108	uint8_t auth_key[MAX_KEY_SIZE];
	109	uint16_t auth_key_len;
	110	uint16_t aad_len;
9f95a23c TL	111	union {
	112	struct rte_crypto_sym_xform *xforms;
	113	struct rte_security_ipsec_xform *sec_xform;
	114	};
	115	enum rte_security_session_action_type type;
	116	enum rte_security_ipsec_sa_direction direction;
	117	uint16_t portid;
	118	struct rte_security_ctx *security_ctx;
	119	uint32_t ol_flags;
	120
	121	#define MAX_RTE_FLOW_PATTERN (4)
	122	#define MAX_RTE_FLOW_ACTIONS (3)
	123	struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
	124	struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
	125	struct rte_flow_attr attr;
	126	union {
	127	struct rte_flow_item_ipv4 ipv4_spec;
	128	struct rte_flow_item_ipv6 ipv6_spec;
	129	};
	130	struct rte_flow_item_esp esp_spec;
	131	struct rte_flow *flow;
	132	struct rte_security_session_conf sess_conf;
7c673cae FG	133	} __rte_cache_aligned;
	134
	135	struct ipsec_mbuf_metadata {
7c673cae FG	136	struct ipsec_sa *sa;
	137	struct rte_crypto_op cop;
	138	struct rte_crypto_sym_op sym_cop;
9f95a23c	139	uint8_t buf[32];
7c673cae FG	140	} __rte_cache_aligned;
	141
	142	struct cdev_qp {
	143	uint16_t id;
	144	uint16_t qp;
	145	uint16_t in_flight;
	146	uint16_t len;
	147	struct rte_crypto_op buf[MAX_PKT_BURST] __rte_aligned(sizeof(void ));
	148	};
	149
	150	struct ipsec_ctx {
	151	struct rte_hash *cdev_map;
	152	struct sp_ctx *sp4_ctx;
	153	struct sp_ctx *sp6_ctx;
	154	struct sa_ctx *sa_ctx;
	155	uint16_t nb_qps;
	156	uint16_t last_qp;
	157	struct cdev_qp tbl[MAX_QP_PER_LCORE];
9f95a23c TL	158	struct rte_mempool *session_pool;
	159	struct rte_mempool *session_priv_pool;
	160	struct rte_mbuf ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void ));
	161	uint16_t ol_pkts_cnt;
	162	uint64_t ipv4_offloads;
	163	uint64_t ipv6_offloads;
7c673cae FG	164	};
	165
	166	struct cdev_key {
	167	uint16_t lcore_id;
	168	uint8_t cipher_algo;
	169	uint8_t auth_algo;
9f95a23c	170	uint8_t aead_algo;
7c673cae FG	171	};
	172
	173	struct socket_ctx {
	174	struct sa_ctx *sa_in;
	175	struct sa_ctx *sa_out;
	176	struct sp_ctx *sp_ip4_in;
	177	struct sp_ctx *sp_ip4_out;
	178	struct sp_ctx *sp_ip6_in;
	179	struct sp_ctx *sp_ip6_out;
	180	struct rt_ctx *rt_ip4;
	181	struct rt_ctx *rt_ip6;
	182	struct rte_mempool *mbuf_pool;
9f95a23c TL	183	struct rte_mempool *session_pool;
9f95a23c TL	184	struct rte_mempool *session_priv_pool;
7c673cae FG	185	};
	186
	187	struct cnt_blk {
	188	uint32_t salt;
	189	uint64_t iv;
	190	uint32_t cnt;
	191	} __attribute__((packed));
	192
9f95a23c TL	193	struct traffic_type {
	194	const uint8_t data[MAX_PKT_BURST 2];
	195	struct rte_mbuf pkts[MAX_PKT_BURST 2];
	196	struct ipsec_sa saptr[MAX_PKT_BURST 2];
	197	uint32_t res[MAX_PKT_BURST * 2];
	198	uint32_t num;
	199	};
	200
	201	struct ipsec_traffic {
	202	struct traffic_type ipsec;
	203	struct traffic_type ip4;
	204	struct traffic_type ip6;
	205	};
	206
7c673cae FG	207	uint16_t
	208	ipsec_inbound(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
	209	uint16_t nb_pkts, uint16_t len);
	210
	211	uint16_t
	212	ipsec_outbound(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
	213	uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
	214
9f95a23c TL	215	uint16_t
	216	ipsec_inbound_cqp_dequeue(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
	217	uint16_t len);
	218
	219	uint16_t
	220	ipsec_outbound_cqp_dequeue(struct ipsec_ctx ctx, struct rte_mbuf pkts[],
	221	uint16_t len);
	222
	223	void
	224	ipsec_process(struct ipsec_ctx ctx, struct ipsec_traffic trf);
	225
	226	void
	227	ipsec_cqp_process(struct ipsec_ctx ctx, struct ipsec_traffic trf);
	228
7c673cae FG	229	static inline uint16_t
	230	ipsec_metadata_size(void)
	231	{
	232	return sizeof(struct ipsec_mbuf_metadata);
	233	}
	234
	235	static inline struct ipsec_mbuf_metadata *
	236	get_priv(struct rte_mbuf *m)
	237	{
9f95a23c	238	return rte_mbuf_to_priv(m);
7c673cae FG	239	}
	240
	241	static inline void *
	242	get_cnt_blk(struct rte_mbuf *m)
	243	{
	244	struct ipsec_mbuf_metadata *priv = get_priv(m);
	245
	246	return &priv->buf[0];
	247	}
	248
	249	static inline void *
	250	get_aad(struct rte_mbuf *m)
	251	{
	252	struct ipsec_mbuf_metadata *priv = get_priv(m);
	253
	254	return &priv->buf[16];
	255	}
	256
	257	static inline void *
	258	get_sym_cop(struct rte_crypto_op *cop)
	259	{
	260	return (cop + 1);
	261	}
	262
	263	int
	264	inbound_sa_check(struct sa_ctx sa_ctx, struct rte_mbuf m, uint32_t sa_idx);
	265
	266	void
	267	inbound_sa_lookup(struct sa_ctx sa_ctx, struct rte_mbuf pkts[],
	268	struct ipsec_sa *sa[], uint16_t nb_pkts);
	269
	270	void
	271	outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
	272	struct ipsec_sa *sa[], uint16_t nb_pkts);
	273
	274	void
	275	sp4_init(struct socket_ctx *ctx, int32_t socket_id);
	276
	277	void
	278	sp6_init(struct socket_ctx *ctx, int32_t socket_id);
	279
9f95a23c TL	280	/*
	281	* Search through SP rules for given SPI.
	282	* Returns first rule index if found(greater or equal then zero),
	283	* or -ENOENT otherwise.
	284	*/
	285	int
	286	sp4_spi_present(uint32_t spi, int inbound);
	287	int
	288	sp6_spi_present(uint32_t spi, int inbound);
	289
	290	/*
	291	* Search through SA entries for given SPI.
	292	* Returns first entry index if found(greater or equal then zero),
	293	* or -ENOENT otherwise.
	294	*/
	295	int
	296	sa_spi_present(uint32_t spi, int inbound);
	297
7c673cae FG	298	void
	299	sa_init(struct socket_ctx *ctx, int32_t socket_id);
	300
	301	void
	302	rt_init(struct socket_ctx *ctx, int32_t socket_id);
	303
9f95a23c TL	304	int
	305	sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
	306	uint64_t *tx_offloads);
	307
	308	int
	309	add_dst_ethaddr(uint16_t port, const struct ether_addr *addr);
	310
	311	void
	312	enqueue_cop_burst(struct cdev_qp *cqp);
	313
	314	int
	315	create_session(struct ipsec_ctx ipsec_ctx, struct ipsec_sa sa);
	316
7c673cae	317	#endif /* __IPSEC_H__ */