1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright (C) 2020 Marvell International Ltd.
3 */
4
5 #include <rte_cryptodev.h>
6 #include <rte_esp.h>
7 #include <rte_ethdev.h>
8 #include <rte_eventdev.h>
9 #include <rte_ip.h>
10 #include <rte_malloc.h>
11 #include <rte_memzone.h>
12 #include <rte_security.h>
13 #include <rte_security_driver.h>
14 #include <rte_udp.h>
15
16 #include "otx2_common.h"
17 #include "otx2_cryptodev_qp.h"
18 #include "otx2_ethdev.h"
19 #include "otx2_ethdev_sec.h"
20 #include "otx2_ipsec_fp.h"
21 #include "otx2_sec_idev.h"
22 #include "otx2_security.h"
23
24 struct eth_sec_tag_const {
25 RTE_STD_C11
26 union {
27 struct {
28 uint32_t rsvd_11_0 : 12;
29 uint32_t port : 8;
30 uint32_t event_type : 4;
31 uint32_t rsvd_31_24 : 8;
32 };
33 uint32_t u32;
34 };
35 };
36
37 static struct rte_cryptodev_capabilities otx2_eth_sec_crypto_caps[] = {
38 { /* AES GCM */
39 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
40 {.sym = {
41 .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD,
42 {.aead = {
43 .algo = RTE_CRYPTO_AEAD_AES_GCM,
44 .block_size = 16,
45 .key_size = {
46 .min = 16,
47 .max = 32,
48 .increment = 8
49 },
50 .digest_size = {
51 .min = 16,
52 .max = 16,
53 .increment = 0
54 },
55 .aad_size = {
56 .min = 8,
57 .max = 12,
58 .increment = 4
59 },
60 .iv_size = {
61 .min = 12,
62 .max = 12,
63 .increment = 0
64 }
65 }, }
66 }, }
67 },
68 { /* AES CBC */
69 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
70 {.sym = {
71 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER,
72 {.cipher = {
73 .algo = RTE_CRYPTO_CIPHER_AES_CBC,
74 .block_size = 16,
75 .key_size = {
76 .min = 16,
77 .max = 32,
78 .increment = 8
79 },
80 .iv_size = {
81 .min = 16,
82 .max = 16,
83 .increment = 0
84 }
85 }, }
86 }, }
87 },
88 { /* SHA1 HMAC */
89 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
90 {.sym = {
91 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
92 {.auth = {
93 .algo = RTE_CRYPTO_AUTH_SHA1_HMAC,
94 .block_size = 64,
95 .key_size = {
96 .min = 20,
97 .max = 64,
98 .increment = 1
99 },
100 .digest_size = {
101 .min = 12,
102 .max = 12,
103 .increment = 0
104 },
105 }, }
106 }, }
107 },
108 RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()
109 };
110
111 static const struct rte_security_capability otx2_eth_sec_capabilities[] = {
112 { /* IPsec Inline Protocol ESP Tunnel Ingress */
113 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
114 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
115 .ipsec = {
116 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
117 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
118 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
119 .options = { 0 }
120 },
121 .crypto_capabilities = otx2_eth_sec_crypto_caps,
122 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
123 },
124 { /* IPsec Inline Protocol ESP Tunnel Egress */
125 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
126 .protocol = RTE_SECURITY_PROTOCOL_IPSEC,
127 .ipsec = {
128 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP,
129 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
130 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
131 .options = { 0 }
132 },
133 .crypto_capabilities = otx2_eth_sec_crypto_caps,
134 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA
135 },
136 {
137 .action = RTE_SECURITY_ACTION_TYPE_NONE
138 }
139 };
140
141 static void
lookup_mem_sa_tbl_clear(struct rte_eth_dev * eth_dev)142 lookup_mem_sa_tbl_clear(struct rte_eth_dev *eth_dev)
143 {
144 static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
145 uint16_t port = eth_dev->data->port_id;
146 const struct rte_memzone *mz;
147 uint64_t **sa_tbl;
148 uint8_t *mem;
149
150 mz = rte_memzone_lookup(name);
151 if (mz == NULL)
152 return;
153
154 mem = mz->addr;
155
156 sa_tbl = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
157 if (sa_tbl[port] == NULL)
158 return;
159
160 rte_free(sa_tbl[port]);
161 sa_tbl[port] = NULL;
162 }
163
164 static int
lookup_mem_sa_index_update(struct rte_eth_dev * eth_dev,int spi,void * sa)165 lookup_mem_sa_index_update(struct rte_eth_dev *eth_dev, int spi, void *sa)
166 {
167 static const char name[] = OTX2_NIX_FASTPATH_LOOKUP_MEM;
168 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
169 uint16_t port = eth_dev->data->port_id;
170 const struct rte_memzone *mz;
171 uint64_t **sa_tbl;
172 uint8_t *mem;
173
174 mz = rte_memzone_lookup(name);
175 if (mz == NULL) {
176 otx2_err("Could not find fastpath lookup table");
177 return -EINVAL;
178 }
179
180 mem = mz->addr;
181
182 sa_tbl = (uint64_t **)RTE_PTR_ADD(mem, OTX2_NIX_SA_TBL_START);
183
184 if (sa_tbl[port] == NULL) {
185 sa_tbl[port] = rte_malloc(NULL, dev->ipsec_in_max_spi *
186 sizeof(uint64_t), 0);
187 }
188
189 sa_tbl[port][spi] = (uint64_t)sa;
190
191 return 0;
192 }
193
194 static inline void
in_sa_mz_name_get(char * name,int size,uint16_t port)195 in_sa_mz_name_get(char *name, int size, uint16_t port)
196 {
197 snprintf(name, size, "otx2_ipsec_in_sadb_%u", port);
198 }
199
200 static struct otx2_ipsec_fp_in_sa *
in_sa_get(uint16_t port,int sa_index)201 in_sa_get(uint16_t port, int sa_index)
202 {
203 char name[RTE_MEMZONE_NAMESIZE];
204 struct otx2_ipsec_fp_in_sa *sa;
205 const struct rte_memzone *mz;
206
207 in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
208 mz = rte_memzone_lookup(name);
209 if (mz == NULL) {
210 otx2_err("Could not get the memzone reserved for IN SA DB");
211 return NULL;
212 }
213
214 sa = mz->addr;
215
216 return sa + sa_index;
217 }
218
219 static int
ipsec_sa_const_set(struct rte_security_ipsec_xform * ipsec,struct rte_crypto_sym_xform * xform,struct otx2_sec_session_ipsec_ip * sess)220 ipsec_sa_const_set(struct rte_security_ipsec_xform *ipsec,
221 struct rte_crypto_sym_xform *xform,
222 struct otx2_sec_session_ipsec_ip *sess)
223 {
224 struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
225
226 sess->partial_len = sizeof(struct rte_ipv4_hdr);
227
228 if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_ESP) {
229 sess->partial_len += sizeof(struct rte_esp_hdr);
230 sess->roundup_len = sizeof(struct rte_esp_tail);
231 } else if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH) {
232 sess->partial_len += OTX2_SEC_AH_HDR_LEN;
233 } else {
234 return -EINVAL;
235 }
236
237 if (ipsec->options.udp_encap)
238 sess->partial_len += sizeof(struct rte_udp_hdr);
239
240 if (xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
241 if (xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM) {
242 sess->partial_len += OTX2_SEC_AES_GCM_IV_LEN;
243 sess->partial_len += OTX2_SEC_AES_GCM_MAC_LEN;
244 sess->roundup_byte = OTX2_SEC_AES_GCM_ROUNDUP_BYTE_LEN;
245 }
246 return 0;
247 }
248
249 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_EGRESS) {
250 cipher_xform = xform;
251 auth_xform = xform->next;
252 } else if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) {
253 auth_xform = xform;
254 cipher_xform = xform->next;
255 } else {
256 return -EINVAL;
257 }
258 if (cipher_xform->cipher.algo == RTE_CRYPTO_CIPHER_AES_CBC) {
259 sess->partial_len += OTX2_SEC_AES_CBC_IV_LEN;
260 sess->roundup_byte = OTX2_SEC_AES_CBC_ROUNDUP_BYTE_LEN;
261 } else {
262 return -EINVAL;
263 }
264
265 if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_SHA1_HMAC)
266 sess->partial_len += OTX2_SEC_SHA1_HMAC_LEN;
267 else
268 return -EINVAL;
269
270 return 0;
271 }
272
273 static int
hmac_init(struct otx2_ipsec_fp_sa_ctl * ctl,struct otx2_cpt_qp * qp,const uint8_t * auth_key,int len,uint8_t * hmac_key)274 hmac_init(struct otx2_ipsec_fp_sa_ctl *ctl, struct otx2_cpt_qp *qp,
275 const uint8_t *auth_key, int len, uint8_t *hmac_key)
276 {
277 struct inst_data {
278 struct otx2_cpt_res cpt_res;
279 uint8_t buffer[64];
280 } *md;
281
282 volatile struct otx2_cpt_res *res;
283 uint64_t timeout, lmt_status;
284 struct otx2_cpt_inst_s inst;
285 rte_iova_t md_iova;
286 int ret;
287
288 memset(&inst, 0, sizeof(struct otx2_cpt_inst_s));
289
290 md = rte_zmalloc(NULL, sizeof(struct inst_data), OTX2_CPT_RES_ALIGN);
291 if (md == NULL)
292 return -ENOMEM;
293
294 memcpy(md->buffer, auth_key, len);
295
296 md_iova = rte_malloc_virt2iova(md);
297 if (md_iova == RTE_BAD_IOVA) {
298 ret = -EINVAL;
299 goto free_md;
300 }
301
302 inst.res_addr = md_iova + offsetof(struct inst_data, cpt_res);
303 inst.opcode = OTX2_CPT_OP_WRITE_HMAC_IPAD_OPAD;
304 inst.param2 = ctl->auth_type;
305 inst.dlen = len;
306 inst.dptr = md_iova + offsetof(struct inst_data, buffer);
307 inst.rptr = inst.dptr;
308 inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
309
310 md->cpt_res.compcode = 0;
311 md->cpt_res.uc_compcode = 0xff;
312
313 timeout = rte_get_timer_cycles() + 5 * rte_get_timer_hz();
314
315 rte_io_wmb();
316
317 do {
318 otx2_lmt_mov(qp->lmtline, &inst, 2);
319 lmt_status = otx2_lmt_submit(qp->lf_nq_reg);
320 } while (lmt_status == 0);
321
322 res = (volatile struct otx2_cpt_res *)&md->cpt_res;
323
324 /* Wait until instruction completes or times out */
325 while (res->uc_compcode == 0xff) {
326 if (rte_get_timer_cycles() > timeout)
327 break;
328 }
329
330 if (res->u16[0] != OTX2_SEC_COMP_GOOD) {
331 ret = -EIO;
332 goto free_md;
333 }
334
335 /* Retrieve the ipad and opad from rptr */
336 memcpy(hmac_key, md->buffer, 48);
337
338 ret = 0;
339
340 free_md:
341 rte_free(md);
342 return ret;
343 }
344
345 static int
eth_sec_ipsec_out_sess_create(struct rte_eth_dev * eth_dev,struct rte_security_ipsec_xform * ipsec,struct rte_crypto_sym_xform * crypto_xform,struct rte_security_session * sec_sess)346 eth_sec_ipsec_out_sess_create(struct rte_eth_dev *eth_dev,
347 struct rte_security_ipsec_xform *ipsec,
348 struct rte_crypto_sym_xform *crypto_xform,
349 struct rte_security_session *sec_sess)
350 {
351 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
352 struct otx2_sec_session_ipsec_ip *sess;
353 uint16_t port = eth_dev->data->port_id;
354 int cipher_key_len, auth_key_len, ret;
355 const uint8_t *cipher_key, *auth_key;
356 struct otx2_ipsec_fp_sa_ctl *ctl;
357 struct otx2_ipsec_fp_out_sa *sa;
358 struct otx2_sec_session *priv;
359 struct otx2_cpt_inst_s inst;
360 struct otx2_cpt_qp *qp;
361
362 priv = get_sec_session_private_data(sec_sess);
363 priv->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_EGRESS;
364 sess = &priv->ipsec.ip;
365
366 sa = &sess->out_sa;
367 ctl = &sa->ctl;
368 if (ctl->valid) {
369 otx2_err("SA already registered");
370 return -EINVAL;
371 }
372
373 memset(sess, 0, sizeof(struct otx2_sec_session_ipsec_ip));
374
375 sess->seq = 1;
376
377 ret = ipsec_sa_const_set(ipsec, crypto_xform, sess);
378 if (ret < 0)
379 return ret;
380
381 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD)
382 memcpy(sa->nonce, &ipsec->salt, 4);
383
384 if (ipsec->options.udp_encap == 1) {
385 sa->udp_src = 4500;
386 sa->udp_dst = 4500;
387 }
388
389 if (ipsec->mode == RTE_SECURITY_IPSEC_SA_MODE_TUNNEL) {
390 /* Start ip id from 1 */
391 sess->ip_id = 1;
392
393 if (ipsec->tunnel.type == RTE_SECURITY_IPSEC_TUNNEL_IPV4) {
394 memcpy(&sa->ip_src, &ipsec->tunnel.ipv4.src_ip,
395 sizeof(struct in_addr));
396 memcpy(&sa->ip_dst, &ipsec->tunnel.ipv4.dst_ip,
397 sizeof(struct in_addr));
398 } else {
399 return -EINVAL;
400 }
401 } else {
402 return -EINVAL;
403 }
404
405 cipher_xform = crypto_xform;
406 auth_xform = crypto_xform->next;
407
408 cipher_key_len = 0;
409 auth_key_len = 0;
410 auth_key = NULL;
411
412 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
413 cipher_key = crypto_xform->aead.key.data;
414 cipher_key_len = crypto_xform->aead.key.length;
415 } else {
416 cipher_key = cipher_xform->cipher.key.data;
417 cipher_key_len = cipher_xform->cipher.key.length;
418 auth_key = auth_xform->auth.key.data;
419 auth_key_len = auth_xform->auth.key.length;
420 }
421
422 if (cipher_key_len != 0)
423 memcpy(sa->cipher_key, cipher_key, cipher_key_len);
424 else
425 return -EINVAL;
426
427 /* Determine word 7 of CPT instruction */
428 inst.u64[7] = 0;
429 inst.egrp = OTX2_CPT_EGRP_INLINE_IPSEC;
430 inst.cptr = rte_mempool_virt2iova(sa);
431 sess->inst_w7 = inst.u64[7];
432
433 /* Get CPT QP to be used for this SA */
434 ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
435 if (ret)
436 return ret;
437
438 sess->qp = qp;
439
440 sess->cpt_lmtline = qp->lmtline;
441 sess->cpt_nq_reg = qp->lf_nq_reg;
442
443 /* Populate control word */
444 ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
445 if (ret)
446 goto cpt_put;
447
448 if (auth_key_len && auth_key) {
449 ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
450 if (ret)
451 goto cpt_put;
452 }
453
454 return 0;
455 cpt_put:
456 otx2_sec_idev_tx_cpt_qp_put(sess->qp);
457 return ret;
458 }
459
460 static int
eth_sec_ipsec_in_sess_create(struct rte_eth_dev * eth_dev,struct rte_security_ipsec_xform * ipsec,struct rte_crypto_sym_xform * crypto_xform,struct rte_security_session * sec_sess)461 eth_sec_ipsec_in_sess_create(struct rte_eth_dev *eth_dev,
462 struct rte_security_ipsec_xform *ipsec,
463 struct rte_crypto_sym_xform *crypto_xform,
464 struct rte_security_session *sec_sess)
465 {
466 struct rte_crypto_sym_xform *auth_xform, *cipher_xform;
467 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
468 struct otx2_sec_session_ipsec_ip *sess;
469 uint16_t port = eth_dev->data->port_id;
470 int cipher_key_len, auth_key_len, ret;
471 const uint8_t *cipher_key, *auth_key;
472 struct otx2_ipsec_fp_sa_ctl *ctl;
473 struct otx2_ipsec_fp_in_sa *sa;
474 struct otx2_sec_session *priv;
475 struct otx2_cpt_qp *qp;
476
477 if (ipsec->spi >= dev->ipsec_in_max_spi) {
478 otx2_err("SPI exceeds max supported");
479 return -EINVAL;
480 }
481
482 sa = in_sa_get(port, ipsec->spi);
483 ctl = &sa->ctl;
484
485 priv = get_sec_session_private_data(sec_sess);
486 priv->ipsec.dir = RTE_SECURITY_IPSEC_SA_DIR_INGRESS;
487 sess = &priv->ipsec.ip;
488
489 if (ctl->valid) {
490 otx2_err("SA already registered");
491 return -EINVAL;
492 }
493
494 memset(sa, 0, sizeof(struct otx2_ipsec_fp_in_sa));
495
496 auth_xform = crypto_xform;
497 cipher_xform = crypto_xform->next;
498
499 cipher_key_len = 0;
500 auth_key_len = 0;
501 auth_key = NULL;
502
503 if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
504 if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
505 memcpy(sa->nonce, &ipsec->salt, 4);
506 cipher_key = crypto_xform->aead.key.data;
507 cipher_key_len = crypto_xform->aead.key.length;
508 } else {
509 cipher_key = cipher_xform->cipher.key.data;
510 cipher_key_len = cipher_xform->cipher.key.length;
511 auth_key = auth_xform->auth.key.data;
512 auth_key_len = auth_xform->auth.key.length;
513 }
514
515 if (cipher_key_len != 0)
516 memcpy(sa->cipher_key, cipher_key, cipher_key_len);
517 else
518 return -EINVAL;
519
520 sess->in_sa = sa;
521
522 sa->userdata = priv->userdata;
523
524 sa->replay_win_sz = ipsec->replay_win_sz;
525
526 if (lookup_mem_sa_index_update(eth_dev, ipsec->spi, sa))
527 return -EINVAL;
528
529 ret = ipsec_fp_sa_ctl_set(ipsec, crypto_xform, ctl);
530 if (ret)
531 return ret;
532
533 if (auth_key_len && auth_key) {
534 /* Get a queue pair for HMAC init */
535 ret = otx2_sec_idev_tx_cpt_qp_get(port, &qp);
536 if (ret)
537 return ret;
538 ret = hmac_init(ctl, qp, auth_key, auth_key_len, sa->hmac_key);
539 otx2_sec_idev_tx_cpt_qp_put(qp);
540 if (ret)
541 return ret;
542 }
543
544 if (sa->replay_win_sz) {
545 if (sa->replay_win_sz > OTX2_IPSEC_MAX_REPLAY_WIN_SZ) {
546 otx2_err("Replay window size is not supported");
547 return -ENOTSUP;
548 }
549 sa->replay = rte_zmalloc(NULL, sizeof(struct otx2_ipsec_replay),
550 0);
551 if (sa->replay == NULL)
552 return -ENOMEM;
553
554 rte_spinlock_init(&sa->replay->lock);
555 /*
556 * Set window bottom to 1, base and top to size of
557 * window
558 */
559 sa->replay->winb = 1;
560 sa->replay->wint = sa->replay_win_sz;
561 sa->replay->base = sa->replay_win_sz;
562 sa->esn_low = 0;
563 sa->esn_hi = 0;
564 }
565
566 return ret;
567 }
568
569 static int
eth_sec_ipsec_sess_create(struct rte_eth_dev * eth_dev,struct rte_security_ipsec_xform * ipsec,struct rte_crypto_sym_xform * crypto_xform,struct rte_security_session * sess)570 eth_sec_ipsec_sess_create(struct rte_eth_dev *eth_dev,
571 struct rte_security_ipsec_xform *ipsec,
572 struct rte_crypto_sym_xform *crypto_xform,
573 struct rte_security_session *sess)
574 {
575 int ret;
576
577 ret = ipsec_fp_xform_verify(ipsec, crypto_xform);
578 if (ret)
579 return ret;
580
581 if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
582 return eth_sec_ipsec_in_sess_create(eth_dev, ipsec,
583 crypto_xform, sess);
584 else
585 return eth_sec_ipsec_out_sess_create(eth_dev, ipsec,
586 crypto_xform, sess);
587 }
588
589 static int
otx2_eth_sec_session_create(void * device,struct rte_security_session_conf * conf,struct rte_security_session * sess,struct rte_mempool * mempool)590 otx2_eth_sec_session_create(void *device,
591 struct rte_security_session_conf *conf,
592 struct rte_security_session *sess,
593 struct rte_mempool *mempool)
594 {
595 struct otx2_sec_session *priv;
596 int ret;
597
598 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL)
599 return -ENOTSUP;
600
601 if (rte_mempool_get(mempool, (void **)&priv)) {
602 otx2_err("Could not allocate security session private data");
603 return -ENOMEM;
604 }
605
606 set_sec_session_private_data(sess, priv);
607
608 /*
609 * Save userdata provided by the application. For ingress packets, this
610 * could be used to identify the SA.
611 */
612 priv->userdata = conf->userdata;
613
614 if (conf->protocol == RTE_SECURITY_PROTOCOL_IPSEC)
615 ret = eth_sec_ipsec_sess_create(device, &conf->ipsec,
616 conf->crypto_xform,
617 sess);
618 else
619 ret = -ENOTSUP;
620
621 if (ret)
622 goto mempool_put;
623
624 return 0;
625
626 mempool_put:
627 rte_mempool_put(mempool, priv);
628 set_sec_session_private_data(sess, NULL);
629 return ret;
630 }
631
632 static void
otx2_eth_sec_free_anti_replay(struct otx2_ipsec_fp_in_sa * sa)633 otx2_eth_sec_free_anti_replay(struct otx2_ipsec_fp_in_sa *sa)
634 {
635 if (sa != NULL) {
636 if (sa->replay_win_sz && sa->replay)
637 rte_free(sa->replay);
638 }
639 }
640
641 static int
otx2_eth_sec_session_destroy(void * device __rte_unused,struct rte_security_session * sess)642 otx2_eth_sec_session_destroy(void *device __rte_unused,
643 struct rte_security_session *sess)
644 {
645 struct otx2_sec_session_ipsec_ip *sess_ip;
646 struct otx2_sec_session *priv;
647 struct rte_mempool *sess_mp;
648 int ret;
649
650 priv = get_sec_session_private_data(sess);
651 if (priv == NULL)
652 return -EINVAL;
653
654 sess_ip = &priv->ipsec.ip;
655
656 /* Release the anti replay window */
657 if (priv->ipsec.dir == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
658 otx2_eth_sec_free_anti_replay(sess_ip->in_sa);
659
660 /* Release CPT LF used for this session */
661 if (sess_ip->qp != NULL) {
662 ret = otx2_sec_idev_tx_cpt_qp_put(sess_ip->qp);
663 if (ret)
664 return ret;
665 }
666
667 sess_mp = rte_mempool_from_obj(priv);
668
669 set_sec_session_private_data(sess, NULL);
670 rte_mempool_put(sess_mp, priv);
671
672 return 0;
673 }
674
675 static unsigned int
otx2_eth_sec_session_get_size(void * device __rte_unused)676 otx2_eth_sec_session_get_size(void *device __rte_unused)
677 {
678 return sizeof(struct otx2_sec_session);
679 }
680
681 static int
otx2_eth_sec_set_pkt_mdata(void * device __rte_unused,struct rte_security_session * session,struct rte_mbuf * m,void * params __rte_unused)682 otx2_eth_sec_set_pkt_mdata(void *device __rte_unused,
683 struct rte_security_session *session,
684 struct rte_mbuf *m, void *params __rte_unused)
685 {
686 /* Set security session as the pkt metadata */
687 *rte_security_dynfield(m) = (rte_security_dynfield_t)session;
688
689 return 0;
690 }
691
692 static int
otx2_eth_sec_get_userdata(void * device __rte_unused,uint64_t md,void ** userdata)693 otx2_eth_sec_get_userdata(void *device __rte_unused, uint64_t md,
694 void **userdata)
695 {
696 /* Retrieve userdata */
697 *userdata = (void *)md;
698
699 return 0;
700 }
701
702 static const struct rte_security_capability *
otx2_eth_sec_capabilities_get(void * device __rte_unused)703 otx2_eth_sec_capabilities_get(void *device __rte_unused)
704 {
705 return otx2_eth_sec_capabilities;
706 }
707
708 static struct rte_security_ops otx2_eth_sec_ops = {
709 .session_create = otx2_eth_sec_session_create,
710 .session_destroy = otx2_eth_sec_session_destroy,
711 .session_get_size = otx2_eth_sec_session_get_size,
712 .set_pkt_metadata = otx2_eth_sec_set_pkt_mdata,
713 .get_userdata = otx2_eth_sec_get_userdata,
714 .capabilities_get = otx2_eth_sec_capabilities_get
715 };
716
717 int
otx2_eth_sec_ctx_create(struct rte_eth_dev * eth_dev)718 otx2_eth_sec_ctx_create(struct rte_eth_dev *eth_dev)
719 {
720 struct rte_security_ctx *ctx;
721 int ret;
722
723 ctx = rte_malloc("otx2_eth_sec_ctx",
724 sizeof(struct rte_security_ctx), 0);
725 if (ctx == NULL)
726 return -ENOMEM;
727
728 ret = otx2_sec_idev_cfg_init(eth_dev->data->port_id);
729 if (ret) {
730 rte_free(ctx);
731 return ret;
732 }
733
734 /* Populate ctx */
735
736 ctx->device = eth_dev;
737 ctx->ops = &otx2_eth_sec_ops;
738 ctx->sess_cnt = 0;
739
740 eth_dev->security_ctx = ctx;
741
742 return 0;
743 }
744
745 void
otx2_eth_sec_ctx_destroy(struct rte_eth_dev * eth_dev)746 otx2_eth_sec_ctx_destroy(struct rte_eth_dev *eth_dev)
747 {
748 rte_free(eth_dev->security_ctx);
749 }
750
751 static int
eth_sec_ipsec_cfg(struct rte_eth_dev * eth_dev,uint8_t tt)752 eth_sec_ipsec_cfg(struct rte_eth_dev *eth_dev, uint8_t tt)
753 {
754 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
755 uint16_t port = eth_dev->data->port_id;
756 struct nix_inline_ipsec_lf_cfg *req;
757 struct otx2_mbox *mbox = dev->mbox;
758 struct eth_sec_tag_const tag_const;
759 char name[RTE_MEMZONE_NAMESIZE];
760 const struct rte_memzone *mz;
761
762 in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
763 mz = rte_memzone_lookup(name);
764 if (mz == NULL)
765 return -EINVAL;
766
767 req = otx2_mbox_alloc_msg_nix_inline_ipsec_lf_cfg(mbox);
768 req->enable = 1;
769 req->sa_base_addr = mz->iova;
770
771 req->ipsec_cfg0.tt = tt;
772
773 tag_const.u32 = 0;
774 tag_const.event_type = RTE_EVENT_TYPE_ETHDEV;
775 tag_const.port = port;
776 req->ipsec_cfg0.tag_const = tag_const.u32;
777
778 req->ipsec_cfg0.sa_pow2_size =
779 rte_log2_u32(sizeof(struct otx2_ipsec_fp_in_sa));
780 req->ipsec_cfg0.lenm1_max = NIX_MAX_FRS - 1;
781
782 req->ipsec_cfg1.sa_idx_w = rte_log2_u32(dev->ipsec_in_max_spi);
783 req->ipsec_cfg1.sa_idx_max = dev->ipsec_in_max_spi - 1;
784
785 return otx2_mbox_process(mbox);
786 }
787
788 int
otx2_eth_sec_update_tag_type(struct rte_eth_dev * eth_dev)789 otx2_eth_sec_update_tag_type(struct rte_eth_dev *eth_dev)
790 {
791 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
792 struct otx2_mbox *mbox = dev->mbox;
793 struct nix_aq_enq_rsp *rsp;
794 struct nix_aq_enq_req *aq;
795 int ret;
796
797 aq = otx2_mbox_alloc_msg_nix_aq_enq(mbox);
798 aq->qidx = 0; /* Read RQ:0 context */
799 aq->ctype = NIX_AQ_CTYPE_RQ;
800 aq->op = NIX_AQ_INSTOP_READ;
801
802 ret = otx2_mbox_process_msg(mbox, (void *)&rsp);
803 if (ret < 0) {
804 otx2_err("Could not read RQ context");
805 return ret;
806 }
807
808 /* Update tag type */
809 ret = eth_sec_ipsec_cfg(eth_dev, rsp->rq.sso_tt);
810 if (ret < 0)
811 otx2_err("Could not update sec eth tag type");
812
813 return ret;
814 }
815
816 int
otx2_eth_sec_init(struct rte_eth_dev * eth_dev)817 otx2_eth_sec_init(struct rte_eth_dev *eth_dev)
818 {
819 const size_t sa_width = sizeof(struct otx2_ipsec_fp_in_sa);
820 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
821 uint16_t port = eth_dev->data->port_id;
822 char name[RTE_MEMZONE_NAMESIZE];
823 const struct rte_memzone *mz;
824 int mz_sz, ret;
825 uint16_t nb_sa;
826
827 RTE_BUILD_BUG_ON(sa_width < 32 || sa_width > 512 ||
828 !RTE_IS_POWER_OF_2(sa_width));
829
830 if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
831 !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
832 return 0;
833
834 if (rte_security_dynfield_register() < 0)
835 return -rte_errno;
836
837 nb_sa = dev->ipsec_in_max_spi;
838 mz_sz = nb_sa * sa_width;
839 in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
840 mz = rte_memzone_reserve_aligned(name, mz_sz, rte_socket_id(),
841 RTE_MEMZONE_IOVA_CONTIG, OTX2_ALIGN);
842
843 if (mz == NULL) {
844 otx2_err("Could not allocate inbound SA DB");
845 return -ENOMEM;
846 }
847
848 memset(mz->addr, 0, mz_sz);
849
850 ret = eth_sec_ipsec_cfg(eth_dev, SSO_TT_ORDERED);
851 if (ret < 0) {
852 otx2_err("Could not configure inline IPsec");
853 goto sec_fini;
854 }
855
856 return 0;
857
858 sec_fini:
859 otx2_err("Could not configure device for security");
860 otx2_eth_sec_fini(eth_dev);
861 return ret;
862 }
863
864 void
otx2_eth_sec_fini(struct rte_eth_dev * eth_dev)865 otx2_eth_sec_fini(struct rte_eth_dev *eth_dev)
866 {
867 struct otx2_eth_dev *dev = otx2_eth_pmd_priv(eth_dev);
868 uint16_t port = eth_dev->data->port_id;
869 char name[RTE_MEMZONE_NAMESIZE];
870
871 if (!(dev->tx_offloads & DEV_TX_OFFLOAD_SECURITY) &&
872 !(dev->rx_offloads & DEV_RX_OFFLOAD_SECURITY))
873 return;
874
875 lookup_mem_sa_tbl_clear(eth_dev);
876
877 in_sa_mz_name_get(name, RTE_MEMZONE_NAMESIZE, port);
878 rte_memzone_free(rte_memzone_lookup(name));
879 }
880