1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright(C) 2021 Marvell. 3 */ 4 5 #include <rte_cryptodev.h> 6 #include <rte_security.h> 7 #include <rte_security_driver.h> 8 9 #include <cn9k_ethdev.h> 10 #include <cnxk_security.h> 11 12 static struct rte_cryptodev_capabilities cn9k_eth_sec_crypto_caps[] = { 13 { /* AES GCM */ 14 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, 15 {.sym = { 16 .xform_type = RTE_CRYPTO_SYM_XFORM_AEAD, 17 {.aead = { 18 .algo = RTE_CRYPTO_AEAD_AES_GCM, 19 .block_size = 16, 20 .key_size = { 21 .min = 16, 22 .max = 32, 23 .increment = 8 24 }, 25 .digest_size = { 26 .min = 16, 27 .max = 16, 28 .increment = 0 29 }, 30 .aad_size = { 31 .min = 8, 32 .max = 12, 33 .increment = 4 34 }, 35 .iv_size = { 36 .min = 12, 37 .max = 12, 38 .increment = 0 39 } 40 }, } 41 }, } 42 }, 43 { /* AES CBC */ 44 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, 45 {.sym = { 46 .xform_type = RTE_CRYPTO_SYM_XFORM_CIPHER, 47 {.cipher = { 48 .algo = RTE_CRYPTO_CIPHER_AES_CBC, 49 .block_size = 16, 50 .key_size = { 51 .min = 16, 52 .max = 32, 53 .increment = 8 54 }, 55 .iv_size = { 56 .min = 16, 57 .max = 16, 58 .increment = 0 59 } 60 }, } 61 }, } 62 }, 63 { /* SHA1 HMAC */ 64 .op = RTE_CRYPTO_OP_TYPE_SYMMETRIC, 65 {.sym = { 66 .xform_type = RTE_CRYPTO_SYM_XFORM_AUTH, 67 {.auth = { 68 .algo = RTE_CRYPTO_AUTH_SHA1_HMAC, 69 .block_size = 64, 70 .key_size = { 71 .min = 20, 72 .max = 64, 73 .increment = 1 74 }, 75 .digest_size = { 76 .min = 12, 77 .max = 12, 78 .increment = 0 79 }, 80 }, } 81 }, } 82 }, 83 RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST() 84 }; 85 86 static const struct rte_security_capability cn9k_eth_sec_capabilities[] = { 87 { /* IPsec Inline Protocol ESP Tunnel Ingress */ 88 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 89 .protocol = RTE_SECURITY_PROTOCOL_IPSEC, 90 .ipsec = { 91 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, 92 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 93 .direction = RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 94 .options = { 0 } 95 }, 96 .crypto_capabilities = cn9k_eth_sec_crypto_caps, 97 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA 98 }, 99 { /* IPsec Inline Protocol ESP Tunnel Egress */ 100 .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 101 .protocol = RTE_SECURITY_PROTOCOL_IPSEC, 102 .ipsec = { 103 .proto = RTE_SECURITY_IPSEC_SA_PROTO_ESP, 104 .mode = RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 105 .direction = RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 106 .options = { 0 } 107 }, 108 .crypto_capabilities = cn9k_eth_sec_crypto_caps, 109 .ol_flags = RTE_SECURITY_TX_OLOAD_NEED_MDATA 110 }, 111 { 112 .action = RTE_SECURITY_ACTION_TYPE_NONE 113 } 114 }; 115 116 static inline int 117 ar_window_init(struct cn9k_inb_priv_data *inb_priv) 118 { 119 if (inb_priv->replay_win_sz > CNXK_ON_AR_WIN_SIZE_MAX) { 120 plt_err("Replay window size:%u is not supported", 121 inb_priv->replay_win_sz); 122 return -ENOTSUP; 123 } 124 125 rte_spinlock_init(&inb_priv->ar.lock); 126 /* 127 * Set window bottom to 1, base and top to size of 128 * window 129 */ 130 inb_priv->ar.winb = 1; 131 inb_priv->ar.wint = inb_priv->replay_win_sz; 132 inb_priv->ar.base = inb_priv->replay_win_sz; 133 134 return 0; 135 } 136 137 static int 138 cn9k_eth_sec_session_create(void *device, 139 struct rte_security_session_conf *conf, 140 struct rte_security_session *sess, 141 struct rte_mempool *mempool) 142 { 143 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device; 144 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev); 145 struct rte_security_ipsec_xform *ipsec; 146 struct cn9k_sec_sess_priv sess_priv; 147 struct rte_crypto_sym_xform *crypto; 148 struct cnxk_eth_sec_sess *eth_sec; 149 struct roc_nix *nix = &dev->nix; 150 rte_spinlock_t *lock; 151 char tbuf[128] = {0}; 152 bool inbound; 153 int rc = 0; 154 155 if (conf->action_type != RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL) 156 return -ENOTSUP; 157 158 if (conf->protocol != RTE_SECURITY_PROTOCOL_IPSEC) 159 return -ENOTSUP; 160 161 if (rte_security_dynfield_register() < 0) 162 return -ENOTSUP; 163 164 ipsec = &conf->ipsec; 165 crypto = conf->crypto_xform; 166 inbound = !!(ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS); 167 168 /* Search if a session already exists */ 169 if (cnxk_eth_sec_sess_get_by_spi(dev, ipsec->spi, inbound)) { 170 plt_err("%s SA with SPI %u already in use", 171 inbound ? "Inbound" : "Outbound", ipsec->spi); 172 return -EEXIST; 173 } 174 175 if (rte_mempool_get(mempool, (void **)ð_sec)) { 176 plt_err("Could not allocate security session private data"); 177 return -ENOMEM; 178 } 179 180 lock = inbound ? &dev->inb.lock : &dev->outb.lock; 181 rte_spinlock_lock(lock); 182 183 memset(eth_sec, 0, sizeof(struct cnxk_eth_sec_sess)); 184 sess_priv.u64 = 0; 185 186 if (inbound) { 187 struct cn9k_inb_priv_data *inb_priv; 188 struct roc_onf_ipsec_inb_sa *inb_sa; 189 uint32_t spi_mask; 190 191 PLT_STATIC_ASSERT(sizeof(struct cn9k_inb_priv_data) < 192 ROC_NIX_INL_ONF_IPSEC_INB_SW_RSVD); 193 194 spi_mask = roc_nix_inl_inb_spi_range(nix, false, NULL, NULL); 195 196 /* Get Inbound SA from NIX_RX_IPSEC_SA_BASE. Assume no inline 197 * device always for CN9K. 198 */ 199 inb_sa = (struct roc_onf_ipsec_inb_sa *) 200 roc_nix_inl_inb_sa_get(nix, false, ipsec->spi); 201 if (!inb_sa) { 202 snprintf(tbuf, sizeof(tbuf), 203 "Failed to create ingress sa"); 204 rc = -EFAULT; 205 goto mempool_put; 206 } 207 208 /* Check if SA is already in use */ 209 if (inb_sa->ctl.valid) { 210 snprintf(tbuf, sizeof(tbuf), 211 "Inbound SA with SPI %u already in use", 212 ipsec->spi); 213 rc = -EBUSY; 214 goto mempool_put; 215 } 216 217 memset(inb_sa, 0, sizeof(struct roc_onf_ipsec_inb_sa)); 218 219 /* Fill inbound sa params */ 220 rc = cnxk_onf_ipsec_inb_sa_fill(inb_sa, ipsec, crypto); 221 if (rc) { 222 snprintf(tbuf, sizeof(tbuf), 223 "Failed to init inbound sa, rc=%d", rc); 224 goto mempool_put; 225 } 226 227 inb_priv = roc_nix_inl_onf_ipsec_inb_sa_sw_rsvd(inb_sa); 228 /* Back pointer to get eth_sec */ 229 inb_priv->eth_sec = eth_sec; 230 231 /* Save userdata in inb private area */ 232 inb_priv->userdata = conf->userdata; 233 234 inb_priv->replay_win_sz = ipsec->replay_win_sz; 235 if (inb_priv->replay_win_sz) { 236 rc = ar_window_init(inb_priv); 237 if (rc) 238 goto mempool_put; 239 } 240 241 /* Prepare session priv */ 242 sess_priv.inb_sa = 1; 243 sess_priv.sa_idx = ipsec->spi & spi_mask; 244 245 /* Pointer from eth_sec -> inb_sa */ 246 eth_sec->sa = inb_sa; 247 eth_sec->sess = sess; 248 eth_sec->sa_idx = ipsec->spi & spi_mask; 249 eth_sec->spi = ipsec->spi; 250 eth_sec->inb = true; 251 252 TAILQ_INSERT_TAIL(&dev->inb.list, eth_sec, entry); 253 dev->inb.nb_sess++; 254 } else { 255 struct cn9k_outb_priv_data *outb_priv; 256 struct roc_onf_ipsec_outb_sa *outb_sa; 257 uintptr_t sa_base = dev->outb.sa_base; 258 struct cnxk_ipsec_outb_rlens *rlens; 259 uint32_t sa_idx; 260 261 PLT_STATIC_ASSERT(sizeof(struct cn9k_outb_priv_data) < 262 ROC_NIX_INL_ONF_IPSEC_OUTB_SW_RSVD); 263 264 /* Alloc an sa index */ 265 rc = cnxk_eth_outb_sa_idx_get(dev, &sa_idx); 266 if (rc) 267 goto mempool_put; 268 269 outb_sa = roc_nix_inl_onf_ipsec_outb_sa(sa_base, sa_idx); 270 outb_priv = roc_nix_inl_onf_ipsec_outb_sa_sw_rsvd(outb_sa); 271 rlens = &outb_priv->rlens; 272 273 memset(outb_sa, 0, sizeof(struct roc_onf_ipsec_outb_sa)); 274 275 /* Fill outbound sa params */ 276 rc = cnxk_onf_ipsec_outb_sa_fill(outb_sa, ipsec, crypto); 277 if (rc) { 278 snprintf(tbuf, sizeof(tbuf), 279 "Failed to init outbound sa, rc=%d", rc); 280 rc |= cnxk_eth_outb_sa_idx_put(dev, sa_idx); 281 goto mempool_put; 282 } 283 284 /* Save userdata */ 285 outb_priv->userdata = conf->userdata; 286 outb_priv->sa_idx = sa_idx; 287 outb_priv->eth_sec = eth_sec; 288 /* Start sequence number with 1 */ 289 outb_priv->seq = 1; 290 291 memcpy(&outb_priv->nonce, outb_sa->nonce, 4); 292 if (outb_sa->ctl.enc_type == ROC_IE_ON_SA_ENC_AES_GCM) 293 outb_priv->copy_salt = 1; 294 295 /* Save rlen info */ 296 cnxk_ipsec_outb_rlens_get(rlens, ipsec, crypto); 297 298 sess_priv.sa_idx = outb_priv->sa_idx; 299 sess_priv.roundup_byte = rlens->roundup_byte; 300 sess_priv.roundup_len = rlens->roundup_len; 301 sess_priv.partial_len = rlens->partial_len; 302 303 /* Pointer from eth_sec -> outb_sa */ 304 eth_sec->sa = outb_sa; 305 eth_sec->sess = sess; 306 eth_sec->sa_idx = sa_idx; 307 eth_sec->spi = ipsec->spi; 308 309 TAILQ_INSERT_TAIL(&dev->outb.list, eth_sec, entry); 310 dev->outb.nb_sess++; 311 } 312 313 /* Sync SA content */ 314 plt_atomic_thread_fence(__ATOMIC_ACQ_REL); 315 316 rte_spinlock_unlock(lock); 317 318 plt_nix_dbg("Created %s session with spi=%u, sa_idx=%u", 319 inbound ? "inbound" : "outbound", eth_sec->spi, 320 eth_sec->sa_idx); 321 /* 322 * Update fast path info in priv area. 323 */ 324 set_sec_session_private_data(sess, (void *)sess_priv.u64); 325 326 return 0; 327 mempool_put: 328 rte_spinlock_unlock(lock); 329 rte_mempool_put(mempool, eth_sec); 330 if (rc) 331 plt_err("%s", tbuf); 332 return rc; 333 } 334 335 static int 336 cn9k_eth_sec_session_destroy(void *device, struct rte_security_session *sess) 337 { 338 struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device; 339 struct cnxk_eth_dev *dev = cnxk_eth_pmd_priv(eth_dev); 340 struct roc_onf_ipsec_outb_sa *outb_sa; 341 struct roc_onf_ipsec_inb_sa *inb_sa; 342 struct cnxk_eth_sec_sess *eth_sec; 343 struct rte_mempool *mp; 344 rte_spinlock_t *lock; 345 346 eth_sec = cnxk_eth_sec_sess_get_by_sess(dev, sess); 347 if (!eth_sec) 348 return -ENOENT; 349 350 lock = eth_sec->inb ? &dev->inb.lock : &dev->outb.lock; 351 rte_spinlock_lock(lock); 352 353 if (eth_sec->inb) { 354 inb_sa = eth_sec->sa; 355 /* Disable SA */ 356 inb_sa->ctl.valid = 0; 357 358 TAILQ_REMOVE(&dev->inb.list, eth_sec, entry); 359 dev->inb.nb_sess--; 360 } else { 361 outb_sa = eth_sec->sa; 362 /* Disable SA */ 363 outb_sa->ctl.valid = 0; 364 365 /* Release Outbound SA index */ 366 cnxk_eth_outb_sa_idx_put(dev, eth_sec->sa_idx); 367 TAILQ_REMOVE(&dev->outb.list, eth_sec, entry); 368 dev->outb.nb_sess--; 369 } 370 371 /* Sync SA content */ 372 plt_atomic_thread_fence(__ATOMIC_ACQ_REL); 373 374 rte_spinlock_unlock(lock); 375 376 plt_nix_dbg("Destroyed %s session with spi=%u, sa_idx=%u", 377 eth_sec->inb ? "inbound" : "outbound", eth_sec->spi, 378 eth_sec->sa_idx); 379 380 /* Put eth_sec object back to pool */ 381 mp = rte_mempool_from_obj(eth_sec); 382 set_sec_session_private_data(sess, NULL); 383 rte_mempool_put(mp, eth_sec); 384 return 0; 385 } 386 387 static const struct rte_security_capability * 388 cn9k_eth_sec_capabilities_get(void *device __rte_unused) 389 { 390 return cn9k_eth_sec_capabilities; 391 } 392 393 void 394 cn9k_eth_sec_ops_override(void) 395 { 396 static int init_once; 397 398 if (init_once) 399 return; 400 init_once = 1; 401 402 /* Update platform specific ops */ 403 cnxk_eth_sec_ops.session_create = cn9k_eth_sec_session_create; 404 cnxk_eth_sec_ops.session_destroy = cn9k_eth_sec_session_destroy; 405 cnxk_eth_sec_ops.capabilities_get = cn9k_eth_sec_capabilities_get; 406 } 407