]>
Commit | Line | Data |
---|---|---|
9f95a23c TL |
1 | /* SPDX-License-Identifier: BSD-3-Clause |
2 | * Copyright(c) 2016-2017 Intel Corporation | |
7c673cae FG |
3 | */ |
4 | ||
5 | #ifndef __IPSEC_H__ | |
6 | #define __IPSEC_H__ | |
7 | ||
8 | #include <stdint.h> | |
9 | ||
10 | #include <rte_byteorder.h> | |
11 | #include <rte_crypto.h> | |
9f95a23c TL |
12 | #include <rte_security.h> |
13 | #include <rte_flow.h> | |
14 | #include <rte_ipsec.h> | |
7c673cae FG |
15 | |
16 | #define RTE_LOGTYPE_IPSEC RTE_LOGTYPE_USER1 | |
17 | #define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2 | |
18 | #define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3 | |
19 | ||
20 | #define MAX_PKT_BURST 32 | |
9f95a23c | 21 | #define MAX_INFLIGHT 128 |
7c673cae FG |
22 | #define MAX_QP_PER_LCORE 256 |
23 | ||
24 | #define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */ | |
25 | ||
9f95a23c TL |
26 | #define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00 |
27 | ||
28 | #define IV_OFFSET (sizeof(struct rte_crypto_op) + \ | |
29 | sizeof(struct rte_crypto_sym_op)) | |
30 | ||
7c673cae FG |
31 | #define uint32_t_to_char(ip, a, b, c, d) do {\ |
32 | *a = (uint8_t)(ip >> 24 & 0xff);\ | |
33 | *b = (uint8_t)(ip >> 16 & 0xff);\ | |
34 | *c = (uint8_t)(ip >> 8 & 0xff);\ | |
35 | *d = (uint8_t)(ip & 0xff);\ | |
36 | } while (0) | |
37 | ||
38 | #define DEFAULT_MAX_CATEGORIES 1 | |
39 | ||
40 | #define IPSEC_SA_MAX_ENTRIES (128) /* must be power of 2, max 2 power 30 */ | |
41 | #define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) | |
42 | #define INVALID_SPI (0) | |
43 | ||
9f95a23c TL |
44 | #define DISCARD INVALID_SPI |
45 | #define BYPASS UINT32_MAX | |
7c673cae FG |
46 | |
47 | #define IPSEC_XFORM_MAX 2 | |
48 | ||
49 | #define IP6_VERSION (6) | |
50 | ||
51 | struct rte_crypto_xform; | |
52 | struct ipsec_xform; | |
7c673cae FG |
53 | struct rte_mbuf; |
54 | ||
55 | struct ipsec_sa; | |
56 | ||
57 | typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa, | |
58 | struct rte_crypto_op *cop); | |
59 | ||
60 | struct ip_addr { | |
61 | union { | |
62 | uint32_t ip4; | |
63 | union { | |
64 | uint64_t ip6[2]; | |
65 | uint8_t ip6_b[16]; | |
66 | } ip6; | |
67 | } ip; | |
68 | }; | |
69 | ||
11fdf7f2 | 70 | #define MAX_KEY_SIZE 32 |
7c673cae | 71 | |
9f95a23c TL |
72 | /* |
73 | * application wide SA parameters | |
74 | */ | |
75 | struct app_sa_prm { | |
76 | uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */ | |
77 | uint32_t window_size; /* replay window size */ | |
78 | uint32_t enable_esn; /* enable/disable ESN support */ | |
79 | uint64_t flags; /* rte_ipsec_sa_prm.flags */ | |
80 | }; | |
81 | ||
82 | extern struct app_sa_prm app_sa_prm; | |
83 | ||
7c673cae | 84 | struct ipsec_sa { |
9f95a23c | 85 | struct rte_ipsec_session ips; /* one session per sa for now */ |
7c673cae FG |
86 | uint32_t spi; |
87 | uint32_t cdev_id_qp; | |
88 | uint64_t seq; | |
89 | uint32_t salt; | |
9f95a23c TL |
90 | union { |
91 | struct rte_cryptodev_sym_session *crypto_session; | |
92 | struct rte_security_session *sec_session; | |
93 | }; | |
7c673cae FG |
94 | enum rte_crypto_cipher_algorithm cipher_algo; |
95 | enum rte_crypto_auth_algorithm auth_algo; | |
9f95a23c | 96 | enum rte_crypto_aead_algorithm aead_algo; |
7c673cae FG |
97 | uint16_t digest_len; |
98 | uint16_t iv_len; | |
99 | uint16_t block_size; | |
100 | uint16_t flags; | |
101 | #define IP4_TUNNEL (1 << 0) | |
102 | #define IP6_TUNNEL (1 << 1) | |
103 | #define TRANSPORT (1 << 2) | |
104 | struct ip_addr src; | |
105 | struct ip_addr dst; | |
106 | uint8_t cipher_key[MAX_KEY_SIZE]; | |
107 | uint16_t cipher_key_len; | |
108 | uint8_t auth_key[MAX_KEY_SIZE]; | |
109 | uint16_t auth_key_len; | |
110 | uint16_t aad_len; | |
9f95a23c TL |
111 | union { |
112 | struct rte_crypto_sym_xform *xforms; | |
113 | struct rte_security_ipsec_xform *sec_xform; | |
114 | }; | |
115 | enum rte_security_session_action_type type; | |
116 | enum rte_security_ipsec_sa_direction direction; | |
117 | uint16_t portid; | |
118 | struct rte_security_ctx *security_ctx; | |
119 | uint32_t ol_flags; | |
120 | ||
121 | #define MAX_RTE_FLOW_PATTERN (4) | |
122 | #define MAX_RTE_FLOW_ACTIONS (3) | |
123 | struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN]; | |
124 | struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS]; | |
125 | struct rte_flow_attr attr; | |
126 | union { | |
127 | struct rte_flow_item_ipv4 ipv4_spec; | |
128 | struct rte_flow_item_ipv6 ipv6_spec; | |
129 | }; | |
130 | struct rte_flow_item_esp esp_spec; | |
131 | struct rte_flow *flow; | |
132 | struct rte_security_session_conf sess_conf; | |
7c673cae FG |
133 | } __rte_cache_aligned; |
134 | ||
135 | struct ipsec_mbuf_metadata { | |
7c673cae FG |
136 | struct ipsec_sa *sa; |
137 | struct rte_crypto_op cop; | |
138 | struct rte_crypto_sym_op sym_cop; | |
9f95a23c | 139 | uint8_t buf[32]; |
7c673cae FG |
140 | } __rte_cache_aligned; |
141 | ||
142 | struct cdev_qp { | |
143 | uint16_t id; | |
144 | uint16_t qp; | |
145 | uint16_t in_flight; | |
146 | uint16_t len; | |
147 | struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); | |
148 | }; | |
149 | ||
150 | struct ipsec_ctx { | |
151 | struct rte_hash *cdev_map; | |
152 | struct sp_ctx *sp4_ctx; | |
153 | struct sp_ctx *sp6_ctx; | |
154 | struct sa_ctx *sa_ctx; | |
155 | uint16_t nb_qps; | |
156 | uint16_t last_qp; | |
157 | struct cdev_qp tbl[MAX_QP_PER_LCORE]; | |
9f95a23c TL |
158 | struct rte_mempool *session_pool; |
159 | struct rte_mempool *session_priv_pool; | |
160 | struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *)); | |
161 | uint16_t ol_pkts_cnt; | |
162 | uint64_t ipv4_offloads; | |
163 | uint64_t ipv6_offloads; | |
7c673cae FG |
164 | }; |
165 | ||
166 | struct cdev_key { | |
167 | uint16_t lcore_id; | |
168 | uint8_t cipher_algo; | |
169 | uint8_t auth_algo; | |
9f95a23c | 170 | uint8_t aead_algo; |
7c673cae FG |
171 | }; |
172 | ||
173 | struct socket_ctx { | |
174 | struct sa_ctx *sa_in; | |
175 | struct sa_ctx *sa_out; | |
176 | struct sp_ctx *sp_ip4_in; | |
177 | struct sp_ctx *sp_ip4_out; | |
178 | struct sp_ctx *sp_ip6_in; | |
179 | struct sp_ctx *sp_ip6_out; | |
180 | struct rt_ctx *rt_ip4; | |
181 | struct rt_ctx *rt_ip6; | |
182 | struct rte_mempool *mbuf_pool; | |
9f95a23c TL |
183 | struct rte_mempool *session_pool; |
184 | struct rte_mempool *session_priv_pool; | |
7c673cae FG |
185 | }; |
186 | ||
187 | struct cnt_blk { | |
188 | uint32_t salt; | |
189 | uint64_t iv; | |
190 | uint32_t cnt; | |
191 | } __attribute__((packed)); | |
192 | ||
9f95a23c TL |
193 | struct traffic_type { |
194 | const uint8_t *data[MAX_PKT_BURST * 2]; | |
195 | struct rte_mbuf *pkts[MAX_PKT_BURST * 2]; | |
196 | struct ipsec_sa *saptr[MAX_PKT_BURST * 2]; | |
197 | uint32_t res[MAX_PKT_BURST * 2]; | |
198 | uint32_t num; | |
199 | }; | |
200 | ||
201 | struct ipsec_traffic { | |
202 | struct traffic_type ipsec; | |
203 | struct traffic_type ip4; | |
204 | struct traffic_type ip6; | |
205 | }; | |
206 | ||
7c673cae FG |
207 | uint16_t |
208 | ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], | |
209 | uint16_t nb_pkts, uint16_t len); | |
210 | ||
211 | uint16_t | |
212 | ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], | |
213 | uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len); | |
214 | ||
9f95a23c TL |
215 | uint16_t |
216 | ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], | |
217 | uint16_t len); | |
218 | ||
219 | uint16_t | |
220 | ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[], | |
221 | uint16_t len); | |
222 | ||
223 | void | |
224 | ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf); | |
225 | ||
226 | void | |
227 | ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf); | |
228 | ||
7c673cae FG |
229 | static inline uint16_t |
230 | ipsec_metadata_size(void) | |
231 | { | |
232 | return sizeof(struct ipsec_mbuf_metadata); | |
233 | } | |
234 | ||
235 | static inline struct ipsec_mbuf_metadata * | |
236 | get_priv(struct rte_mbuf *m) | |
237 | { | |
9f95a23c | 238 | return rte_mbuf_to_priv(m); |
7c673cae FG |
239 | } |
240 | ||
241 | static inline void * | |
242 | get_cnt_blk(struct rte_mbuf *m) | |
243 | { | |
244 | struct ipsec_mbuf_metadata *priv = get_priv(m); | |
245 | ||
246 | return &priv->buf[0]; | |
247 | } | |
248 | ||
249 | static inline void * | |
250 | get_aad(struct rte_mbuf *m) | |
251 | { | |
252 | struct ipsec_mbuf_metadata *priv = get_priv(m); | |
253 | ||
254 | return &priv->buf[16]; | |
255 | } | |
256 | ||
257 | static inline void * | |
258 | get_sym_cop(struct rte_crypto_op *cop) | |
259 | { | |
260 | return (cop + 1); | |
261 | } | |
262 | ||
263 | int | |
264 | inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx); | |
265 | ||
266 | void | |
267 | inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[], | |
268 | struct ipsec_sa *sa[], uint16_t nb_pkts); | |
269 | ||
270 | void | |
271 | outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[], | |
272 | struct ipsec_sa *sa[], uint16_t nb_pkts); | |
273 | ||
274 | void | |
275 | sp4_init(struct socket_ctx *ctx, int32_t socket_id); | |
276 | ||
277 | void | |
278 | sp6_init(struct socket_ctx *ctx, int32_t socket_id); | |
279 | ||
9f95a23c TL |
280 | /* |
281 | * Search through SP rules for given SPI. | |
282 | * Returns first rule index if found(greater or equal then zero), | |
283 | * or -ENOENT otherwise. | |
284 | */ | |
285 | int | |
286 | sp4_spi_present(uint32_t spi, int inbound); | |
287 | int | |
288 | sp6_spi_present(uint32_t spi, int inbound); | |
289 | ||
290 | /* | |
291 | * Search through SA entries for given SPI. | |
292 | * Returns first entry index if found(greater or equal then zero), | |
293 | * or -ENOENT otherwise. | |
294 | */ | |
295 | int | |
296 | sa_spi_present(uint32_t spi, int inbound); | |
297 | ||
7c673cae FG |
298 | void |
299 | sa_init(struct socket_ctx *ctx, int32_t socket_id); | |
300 | ||
301 | void | |
302 | rt_init(struct socket_ctx *ctx, int32_t socket_id); | |
303 | ||
9f95a23c TL |
304 | int |
305 | sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads, | |
306 | uint64_t *tx_offloads); | |
307 | ||
308 | int | |
309 | add_dst_ethaddr(uint16_t port, const struct ether_addr *addr); | |
310 | ||
311 | void | |
312 | enqueue_cop_burst(struct cdev_qp *cqp); | |
313 | ||
314 | int | |
315 | create_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa); | |
316 | ||
7c673cae | 317 | #endif /* __IPSEC_H__ */ |