1 /* SPDX-License-Identifier: BSD-3-Clause */
2 /*  Copyright (c) 2021, Intel Corporation
3  *  All rights reserved.
4  *
5  *  Redistribution and use in source and binary forms, with or without
6  *  modification, are permitted provided that the following conditions are met:
7  *
8  *   1. Redistributions of source code must retain the above copyright notice,
9  *      this list of conditions and the following disclaimer.
10  *
11  *   2. Redistributions in binary form must reproduce the above copyright
12  *      notice, this list of conditions and the following disclaimer in the
13  *      documentation and/or other materials provided with the distribution.
14  *
15  *   3. Neither the name of the Intel Corporation nor the names of its
16  *      contributors may be used to endorse or promote products derived from
17  *      this software without specific prior written permission.
18  *
19  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  *  POSSIBILITY OF SUCH DAMAGE.
30  */
31 /*$FreeBSD$*/
32 
33 #ifndef _VIRTCHNL_INLINE_IPSEC_H_
34 #define _VIRTCHNL_INLINE_IPSEC_H_
35 
/* Fixed array sizes used by the message structs below. Every array in this
 * protocol is fixed-size, so the matching count/length field must be
 * checked against the corresponding bound by the receiver before it is
 * used as an index or as a copy length.
 */
#define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM	3	/* virtchnl_ipsec_cap.cap[] */
#define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM		16	/* virtchnl_sym_crypto_cap.algo_cap_list[] */
#define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM		128	/* not referenced in this header */
#define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER	2	/* virtchnl_ipsec_sym_crypto_cfg.items[] */
#define VIRTCHNL_IPSEC_MAX_KEY_LEN		128	/* virtchnl_ipsec_crypto_cfg_item.key_data[] */
#define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM	8	/* virtchnl_ipsec_sa_destroy.sa_index[] */
#define VIRTCHNL_IPSEC_SA_DESTROY		0	/* not referenced in this header */
/* All-ones sentinels: a VF id meaning "every VF", and the values that
 * presumably mark a request id / SA handle / SP rule id as not valid
 * (names only; the consumers are outside this header).
 */
#define VIRTCHNL_IPSEC_BROADCAST_VFID		0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_REQ_ID		0xFFFF
#define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP	0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP	0xFFFFFFFF

/* crypto type: class of an algorithm entry; carried in
 * virtchnl_sym_crypto_cap.crypto_type and
 * virtchnl_ipsec_crypto_cfg_item.crypto_type.
 */
#define VIRTCHNL_AUTH		1
#define VIRTCHNL_CIPHER		2
#define VIRTCHNL_AEAD		3

/* caps enabled: bits of virtchnl_ipsec_cap.caps_enabled. BIT() is expected
 * to come from an earlier include. The names appear to mirror the *_en
 * fields of virtchnl_ipsec_sa_cfg (esn_enabled, udp_encap_enabled,
 * sa_index_en, audit_en, byte_limit_en, drop_on_auth_fail_en,
 * arw_check_en); NOTE(review): the PF should reject an SA request that
 * enables a feature it did not advertise here -- confirm in the PF driver.
 */
#define VIRTCHNL_IPSEC_ESN_ENA			BIT(0)
#define VIRTCHNL_IPSEC_UDP_ENCAP_ENA		BIT(1)
#define VIRTCHNL_IPSEC_SA_INDEX_SW_ENA		BIT(2)
#define VIRTCHNL_IPSEC_AUDIT_ENA		BIT(3)
#define VIRTCHNL_IPSEC_BYTE_LIMIT_ENA		BIT(4)
#define VIRTCHNL_IPSEC_DROP_ON_AUTH_FAIL_ENA	BIT(5)
#define VIRTCHNL_IPSEC_ARW_CHECK_ENA		BIT(6)
#define VIRTCHNL_IPSEC_24BIT_SPI_ENA		BIT(7)
62 
/* algorithm type
 * One flat id space (0..21) shared by hash, cipher and AEAD algorithms,
 * carried in virtchnl_algo_cap.algo_type and
 * virtchnl_ipsec_crypto_cfg_item.algo_type.
 * NOTE(review): a receiver should check that algo_type belongs to the class
 * named by the accompanying crypto_type (AUTH/CIPHER/AEAD) rather than
 * trusting either field on its own. Several entries exist for
 * interoperability only; see the per-line notes before enabling them.
 */
/* Hash Algorithm */
#define VIRTCHNL_HASH_NO_ALG	0 /* NULL algorithm: no integrity protection */
#define VIRTCHNL_AES_CBC_MAC	1 /* AES-CBC-MAC algorithm */
#define VIRTCHNL_AES_CMAC	2 /* AES CMAC algorithm */
#define VIRTCHNL_AES_GMAC	3 /* AES GMAC algorithm */
#define VIRTCHNL_AES_XCBC_MAC	4 /* AES XCBC algorithm */
#define VIRTCHNL_MD5_HMAC	5 /* HMAC using MD5; legacy, MUST NOT per RFC 8221 */
#define VIRTCHNL_SHA1_HMAC	6 /* HMAC using SHA-1 (160 bit digest); legacy */
#define VIRTCHNL_SHA224_HMAC	7 /* HMAC using 224 bit SHA-2 algorithm */
#define VIRTCHNL_SHA256_HMAC	8 /* HMAC using 256 bit SHA-2 algorithm */
#define VIRTCHNL_SHA384_HMAC	9 /* HMAC using 384 bit SHA-2 algorithm */
#define VIRTCHNL_SHA512_HMAC	10 /* HMAC using 512 bit SHA-2 algorithm */
#define VIRTCHNL_SHA3_224_HMAC	11 /* HMAC using 224 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_256_HMAC	12 /* HMAC using 256 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_384_HMAC	13 /* HMAC using 384 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_512_HMAC	14 /* HMAC using 512 bit SHA3 algorithm */
/* Cipher Algorithm (no integrity on their own; pair with an AUTH item) */
#define VIRTCHNL_CIPHER_NO_ALG	15 /* NULL cipher: no confidentiality */
#define VIRTCHNL_3DES_CBC	16 /* Triple DES in CBC mode; legacy, SHOULD NOT per RFC 8221 */
#define VIRTCHNL_AES_CBC	17 /* AES algorithm in CBC mode */
#define VIRTCHNL_AES_CTR	18 /* AES algorithm in Counter mode */
/* AEAD Algorithm (confidentiality and integrity in one item) */
#define VIRTCHNL_AES_CCM	19 /* AES algorithm in CCM mode */
#define VIRTCHNL_AES_GCM	20 /* AES algorithm in GCM mode */
#define VIRTCHNL_CHACHA20_POLY1305 21 /* algorithm of ChaCha20-Poly1305 */

/* protocol type (virtchnl_ipsec_cap / sa_cfg / sa_read .virtchnl_protocol_type) */
#define VIRTCHNL_PROTO_ESP	1
#define VIRTCHNL_PROTO_AH	2
#define VIRTCHNL_PROTO_RSVD1	3 /* reserved; receivers should reject it */

/* sa mode (virtchnl_ipsec_cap.virtchnl_sa_mode) */
#define VIRTCHNL_SA_MODE_TRANSPORT	1
#define VIRTCHNL_SA_MODE_TUNNEL		2
#define VIRTCHNL_SA_MODE_TRAN_TUN	3 /* both transport and tunnel supported */
#define VIRTCHNL_SA_MODE_UNKNOWN	4

/* sa direction (.virtchnl_direction fields) */
#define VIRTCHNL_DIR_INGRESS		1
#define VIRTCHNL_DIR_EGRESS		2
#define VIRTCHNL_DIR_INGRESS_EGRESS	3

/* sa termination (.termination_mode / .virtchnl_termination fields) */
#define VIRTCHNL_TERM_SOFTWARE	1
#define VIRTCHNL_TERM_HARDWARE	2

/* sa ip type (virtchnl_ipsec_sa_cfg.virtchnl_ip_type) */
#define VIRTCHNL_IPV4	1
#define VIRTCHNL_IPV6	2
113 
/* Status codes carried in virtchnl_ipsec_resp.resp.
 * The failure values are negative but the resp field is a u32, so a VF
 * decoding a reply must convert back to a signed value (or compare against
 * e.g. (u32)INLINE_IPSEC_FAIL) instead of testing for small positive ints.
 */
enum inline_ipsec_resp {
	INLINE_IPSEC_SUCCESS = 0,
	INLINE_IPSEC_FAIL = -1,			/* generic failure */
	INLINE_IPSEC_ERR_FIFO_FULL = -2,
	INLINE_IPSEC_ERR_NOT_READY = -3,
	INLINE_IPSEC_ERR_VF_DOWN = -4,
	INLINE_IPSEC_ERR_INVALID_PARAMS = -5,	/* request rejected by validation */
	INLINE_IPSEC_ERR_NO_MEM = -6,
};
124 
/* Detailed opcodes for DPDK and IPsec use; carried in
 * inline_ipsec_msg.ipsec_opcode. Only GET_CAP, GET_STATUS, SA_CREATE,
 * SA_UPDATE, SA_DESTROY, SP_CREATE, SP_DESTROY and RESP have a length
 * entry in virtchnl_inline_ipsec_val_msg_len(); SA_READ and EVENT make it
 * return 0. The payload/reply pairing below is taken from the union
 * comments in inline_ipsec_msg and is presumed, not enforced here.
 */
enum inline_ipsec_ops {
	INLINE_IPSEC_OP_GET_CAP = 0,	/* reply: virtchnl_ipsec_cap */
	INLINE_IPSEC_OP_GET_STATUS = 1,	/* reply: virtchnl_ipsec_status */
	INLINE_IPSEC_OP_SA_CREATE = 2,	/* virtchnl_ipsec_sa_cfg -> virtchnl_ipsec_sa_cfg_resp */
	INLINE_IPSEC_OP_SA_UPDATE = 3,	/* virtchnl_ipsec_sa_update -> virtchnl_ipsec_resp */
	INLINE_IPSEC_OP_SA_DESTROY = 4,	/* virtchnl_ipsec_sa_destroy -> virtchnl_ipsec_resp */
	INLINE_IPSEC_OP_SP_CREATE = 5,	/* virtchnl_ipsec_sp_cfg -> virtchnl_ipsec_sp_cfg_resp */
	INLINE_IPSEC_OP_SP_DESTROY = 6,	/* virtchnl_ipsec_sp_destroy -> virtchnl_ipsec_resp */
	INLINE_IPSEC_OP_SA_READ = 7,	/* virtchnl_ipsec_sa_read; marked reserved in the union */
	INLINE_IPSEC_OP_EVENT = 8,	/* virtchnl_ipsec_event, no req_id */
	INLINE_IPSEC_OP_RESP = 9,	/* virtchnl_ipsec_resp (failure response) */
};
138 
#pragma pack(1)
/* Capability entry for one algorithm, as reported by the PF.
 * Not every field applies to every algorithm (e.g. the AAD sizes only
 * matter for AEAD); a field that does not apply is reported with all bits
 * set (0xFFFF), so a consumer must not treat such a value as a real limit.
 * Packed to 1-byte alignment: this is a wire layout, do not reorder.
 * Units of the size fields are not stated here; presumably bytes, matching
 * key_len/key_data in virtchnl_ipsec_crypto_cfg_item -- TODO confirm.
 */
struct virtchnl_algo_cap  {
	u32 algo_type;		/* VIRTCHNL_* algorithm id, see "algorithm type" */

	u16 block_size;

	/* supported key size range, stepped by inc_key_size */
	u16 min_key_size;
	u16 max_key_size;
	u16 inc_key_size;

	/* supported IV size range */
	u16 min_iv_size;
	u16 max_iv_size;
	u16 inc_iv_size;

	/* supported digest (ICV) size range */
	u16 min_digest_size;
	u16 max_digest_size;
	u16 inc_digest_size;

	/* supported additional-authenticated-data size range (AEAD) */
	u16 min_aad_size;
	u16 max_aad_size;
	u16 inc_aad_size;
};
#pragma pack()
163 
/* One crypto class (AUTH, CIPHER or AEAD) and the algorithms the PF
 * supports for it; the VF keeps this as its record of the PF's crypto
 * capabilities. Not packed, but two u8 followed by an array of a packed
 * struct introduce no padding.
 * NOTE(review): algo_cap_num must be bounded by
 * VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM before algo_cap_list is walked.
 */
struct virtchnl_sym_crypto_cap {
	u8 crypto_type;		/* VIRTCHNL_AUTH / VIRTCHNL_CIPHER / VIRTCHNL_AEAD */
	u8 algo_cap_num;	/* number of valid entries in algo_cap_list */
	struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
};
170 
/* VIRTCHNL_OP_GET_IPSEC_CAP
 * VF passes a virtchnl_ipsec_cap to the PF and the PF returns the IPsec
 * capabilities of the VF's inline IPsec engine in this layout.
 * Packed wire layout: do not reorder or retype members.
 * NOTE(review): when consuming a reply, crypto_cap_num must be bounded by
 * VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM before cap[] is walked, and the
 * enumerated fields should be range-checked against their VIRTCHNL_* sets.
 */
#pragma pack(1)
struct virtchnl_ipsec_cap {
	/* max number of SA per VF */
	u16 max_sa_num;

	/* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
	u8 virtchnl_protocol_type;

	/* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
	u8 virtchnl_sa_mode;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 termination_mode;

	/* number of supported crypto capability (valid entries in cap[]) */
	u8 crypto_cap_num;

	/* descriptor ID */
	u16 desc_id;

	/* capabilities enabled - value ref VIRTCHNL_IPSEC_XXX_ENA (bitmask) */
	u32 caps_enabled;

	/* crypto capabilities, one entry per crypto class */
	struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
};
204 
/* Configuration of one crypto function of an SA (a cipher, an
 * authenticator, or a single AEAD). Packed; sent VF -> PF inside
 * virtchnl_ipsec_sa_cfg.
 * This struct carries raw key material across the VF/PF mailbox.
 * NOTE(review): the PF must validate key_len <= VIRTCHNL_IPSEC_MAX_KEY_LEN
 * (and iv_len/digest_len against the advertised virtchnl_algo_cap ranges)
 * before copying out of key_data, and both sides should clear the message
 * buffer once the key has been consumed rather than leave it in memory.
 */
struct virtchnl_ipsec_crypto_cfg_item {
	u8 crypto_type;		/* VIRTCHNL_AUTH / VIRTCHNL_CIPHER / VIRTCHNL_AEAD */

	u32 algo_type;		/* VIRTCHNL_* algorithm id, see "algorithm type" */

	/* Length of valid IV data. */
	u16 iv_len;

	/* Length of digest (ICV) */
	u16 digest_len;

	/* SA salt */
	u32 salt;

	/* The length of the symmetric key (presumably bytes of key_data) */
	u16 key_len;

	/* key data buffer; only the first key_len bytes are meaningful */
	u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
};
#pragma pack()
227 
/* Crypto configuration of one SA: up to VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER
 * (2) items, presumably a cipher plus an authenticator or a single AEAD.
 * Not packed itself, but the element type is packed so no padding is
 * introduced. How an unused second item is marked is not defined here.
 */
struct virtchnl_ipsec_sym_crypto_cfg {
	struct virtchnl_ipsec_crypto_cfg_item
		items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
};
232 
#pragma pack(1)
/* VIRTCHNL_OP_IPSEC_SA_CREATE
 * VF sends this SA configuration to the PF using virtchnl; the PF creates
 * the SA as configured and returns a unique index (sa_idx) for it,
 * presumably as virtchnl_ipsec_sa_cfg_resp.sa_handle.
 * Packed wire layout: do not reorder or retype members.
 *
 * NOTE(review): every field here is VF-controlled input to the PF. Before
 * programming hardware the PF should at least check that protocol, ip
 * type and direction are within their VIRTCHNL_* sets; that sa_index (when
 * sa_index_en) is in range and not owned by another VF; arw_size <= 127;
 * byte_limit_soft <= byte_limit_hard when byte_limit_en; each crypto_cfg
 * item's key_len <= VIRTCHNL_IPSEC_MAX_KEY_LEN; and that no *_en flag asks
 * for a feature absent from the advertised caps_enabled.
 */
struct virtchnl_ipsec_sa_cfg {
	/* IPsec SA Protocol - AH/ESP (VIRTCHNL_PROTO_XXX) */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* type of outer IP - IPv4/IPv6 (VIRTCHNL_IPV4 / VIRTCHNL_IPV6) */
	u8 virtchnl_ip_type;

	/* type of esn - !0:enable/0:disable */
	u8 esn_enabled;

	/* udp encap - !0:enable/0:disable */
	u8 udp_encap_enabled;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* reserved; sender should zero it, receiver should not interpret it */
	u8 reserved1;

	/* SA security parameter index */
	u32 spi;

	/* outer src ip address (16 bytes; IPv4 layout within is not
	 * defined here -- presumably the first 4 bytes, confirm)
	 */
	u8 src_addr[16];

	/* outer dst ip address (same layout as src_addr) */
	u8 dst_addr[16];

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* high 32 bits of esn (initial value) */
	u32 esn_hi;

	/* low 32 bits of esn (initial value) */
	u32 esn_low;

	/* When enabled, sa_index must be valid: the VF chooses the index
	 * instead of the PF assigning one.
	 */
	u8 sa_index_en;

	/* SA index when sa_index_en is true */
	u32 sa_index;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When enabled, byte_limit_hard and byte_limit_soft
	 * must be valid.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When enabled, arw_size must be valid.
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128. Values above 127
	 * are outside the documented range.
	 */
	u8 arw_size;

	/* no ip offload mode - enable/disable
	 * When enabled, ip type and address must not be valid.
	 */
	u8 no_ip_offload_en;

	/* SA Domain. Used to logically separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* crypto configuration (algorithms and key material) */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
};
#pragma pack()
330 
/* VIRTCHNL_OP_IPSEC_SA_UPDATE
 * VF sends the index of an SA together with a new ESN value and the PF
 * updates that SA accordingly. Not packed; all members are u32, so the
 * layout has no padding on the usual ABIs.
 * NOTE(review): sa_index is VF-supplied and must be range-checked and
 * confirmed to belong to the requesting VF before the update is applied.
 */
struct virtchnl_ipsec_sa_update {
	u32 sa_index; /* SA to update */
	u32 esn_hi; /* high 32 bits of esn */
	u32 esn_low; /* low 32 bits of esn */
};
340 
#pragma pack(1)
/* VIRTCHNL_OP_IPSEC_SA_DESTROY
 * VF asks the PF to destroy either all of its SAs or a selected set.
 * flag is a bitmap: 0 means "all"; otherwise it selects entries of
 * sa_index (bit i appears to select sa_index[i], which would explain the
 * 8-bit flag / 8-entry array -- TODO confirm against the PF driver).
 * NOTE(review): a zero-initialised message is a destroy-all request, so a
 * sender must set flag deliberately. The PF must range-check every selected
 * sa_index and scope a destroy-all to the requesting VF only.
 */
struct virtchnl_ipsec_sa_destroy {
	/* All zero bitmap indicates all SA will be destroyed.
	 * Non-zero bitmap indicates the selected SA in
	 * array sa_index will be destroyed.
	 */
	u8 flag;

	/* selected SA index, one entry per bit of flag */
	u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
};
358 
/* VIRTCHNL_OP_IPSEC_SA_READ
 * VF sends this SA configuration to the PF using virtchnl; the PF reads
 * the SA and returns its configuration plus runtime state and counters.
 * Marked reserved in inline_ipsec_msg, and virtchnl_inline_ipsec_val_msg_len
 * returns 0 for this opcode, so it is not usable as a validated request
 * as this header stands. Packed wire layout: do not reorder.
 * Key material is never returned: crypto_cfg comes back with salt and
 * keys zeroed (see the field comment), which keeps SA reads from acting
 * as a key-export path.
 */
struct virtchnl_ipsec_sa_read {
	/* SA valid - invalid/valid */
	u8 valid;

	/* SA active - inactive/active */
	u8 active;

	/* SA SN rollover - not_rollover/rollover */
	u8 sn_rollover;

	/* IPsec SA Protocol - AH/ESP */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When set to limit, byte_limit_hard and byte_limit_soft
	 * must be valid.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When set to check, arw_size, arw_top, and arw must be valid
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128
	 */
	u8 arw_size;

	/* reserved */
	u8 reserved1;

	/* top of anti-replay-window (highest sequence number seen) */
	u64 arw_top;

	/* anti-replay-window bitmap, 128 bits */
	u8 arw[16];

	/* packets processed */
	u64 packets_processed;

	/* bytes processed */
	u64 bytes_processed;

	/* packets dropped */
	u32 packets_dropped;

	/* authentication failures */
	u32 auth_fails;

	/* ARW check failures */
	u32 arw_fails;

	/* type of esn - enable/disable */
	u8 esn;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* SA security parameter index */
	u32 spi;

	/* SA salt */
	u32 salt;

	/* high 32 bits of esn */
	u32 esn_hi;

	/* low 32 bits of esn */
	u32 esn_low;

	/* SA Domain. Used to logically separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* crypto configuration. Salt and keys are set to 0 */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
};
#pragma pack()
464 
/* Add allowlist entry in IES.
 * VF -> PF request for INLINE_IPSEC_OP_SP_CREATE; the PF answers with
 * virtchnl_ipsec_sp_cfg_resp.rule_id. Not packed: u32 members first and
 * four u8 last, so there is no padding on the usual ABIs (24 bytes).
 */
struct virtchnl_ipsec_sp_cfg {
	u32 spi;	/* SPI the entry matches */
	u32 dip[4];	/* destination IP; IPv4 placement within the 16 bytes
			 * is not defined here -- confirm with the PF driver
			 */

	/* Drop frame if true or redirect to QAT if false. */
	u8 drop;

	/* Congestion domain. For future use. */
	u8 cgd;

	/* 0 for IPv4 table, 1 for IPv6 table.
	 * NOTE(review): any other value should be rejected by the PF.
	 */
	u8 table_id;

	/* Set TC (congestion domain) if true. For future use. */
	u8 set_tc;
};
482 
#pragma pack(1)
/* Delete allowlist entry in IES.
 * VF -> PF request for INLINE_IPSEC_OP_SP_DESTROY. Packed (5 bytes).
 * NOTE(review): rule_id is VF-supplied; the PF must check that it names a
 * rule in the given table that belongs to the requesting VF.
 */
struct virtchnl_ipsec_sp_destroy {
	/* 0 for IPv4 table, 1 for IPv6 table. */
	u8 table_id;
	u32 rule_id;	/* as returned in virtchnl_ipsec_sp_cfg_resp */
};
#pragma pack()
491 
/* Response from IES to allowlist operations: the id of the created rule,
 * later passed back in virtchnl_ipsec_sp_destroy.rule_id. Presumably
 * VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP (all ones) denotes failure.
 */
struct virtchnl_ipsec_sp_cfg_resp {
	u32 rule_id;
};
496 
/* Response to SA creation: the handle of the created SA. Presumably
 * VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP (all ones) denotes failure.
 */
struct virtchnl_ipsec_sa_cfg_resp {
	u32 sa_handle;
};
500 
/* Bits of virtchnl_ipsec_event.ipsec_event_data */
#define INLINE_IPSEC_EVENT_RESET	0x1
#define INLINE_IPSEC_EVENT_CRYPTO_ON	0x2
#define INLINE_IPSEC_EVENT_CRYPTO_OFF	0x4

/* INLINE_IPSEC_OP_EVENT payload (PF -> VF, unsolicited; no req_id).
 * Bits not listed above are undefined and should be ignored by the VF.
 */
struct virtchnl_ipsec_event {
	u32 ipsec_event_data;
};
508 
/* Values of virtchnl_ipsec_status.status */
#define INLINE_IPSEC_STATUS_AVAILABLE	0x1
#define INLINE_IPSEC_STATUS_UNAVAILABLE	0x2

/* Reply to INLINE_IPSEC_OP_GET_STATUS */
struct virtchnl_ipsec_status {
	u32 status;
};
515 
/* Generic completion for update/destroy requests and for failures.
 * Holds an enum inline_ipsec_resp value; the negative error codes are
 * stored in this u32 and must be sign-converted by the reader.
 */
struct virtchnl_ipsec_resp {
	u32 resp;
};
519 
/* Internal message descriptor for VF <-> IPsec communication.
 * A 4-byte header (opcode, request id) followed by the opcode's payload.
 * The union members are zero-length arrays (a GNU extension, used because
 * C99 flexible array members are not allowed inside a union), so they add
 * no storage: sizeof(struct inline_ipsec_msg) is the header alone, and
 * virtchnl_inline_ipsec_val_msg_len() adds the payload size per opcode.
 * NOTE(review): a receiver must verify the buffer length against that
 * function's result before touching ipsec_data; the union gives no bound.
 */
struct inline_ipsec_msg {
	u16 ipsec_opcode;	/* enum inline_ipsec_ops */
	u16 req_id;		/* correlates a response with its request;
				 * VIRTCHNL_IPSEC_INVALID_REQ_ID is reserved
				 */

	union {
		/* IPsec request */
		struct virtchnl_ipsec_sa_cfg sa_cfg[0];
		struct virtchnl_ipsec_sp_cfg sp_cfg[0];
		struct virtchnl_ipsec_sa_update sa_update[0];
		struct virtchnl_ipsec_sa_destroy sa_destroy[0];
		struct virtchnl_ipsec_sp_destroy sp_destroy[0];

		/* IPsec response */
		struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
		struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
		struct virtchnl_ipsec_cap ipsec_cap[0];
		struct virtchnl_ipsec_status ipsec_status[0];
		/* response to del_sa, del_sp, update_sa */
		struct virtchnl_ipsec_resp ipsec_resp[0];

		/* IPsec event (no req_id is required) */
		struct virtchnl_ipsec_event event[0];

		/* Reserved: no length entry in virtchnl_inline_ipsec_val_msg_len */
		struct virtchnl_ipsec_sa_read sa_read[0];
	} ipsec_data;
};
548 
/* Expected total length, in bytes, of an inline_ipsec_msg carrying the
 * given opcode: the opcode/req_id header plus the fixed-size payload struct
 * for that request.
 *
 * Returns 0 for any opcode without a length entry (SA_READ, EVENT and
 * anything unknown). A receiver must treat 0 as "reject". Because every
 * payload here is fixed-size, the received length should be compared for
 * equality with this value rather than merely checked to be large enough.
 * This is a length check only: the payload contents (key_len, sa_index,
 * arw_size, table_id, ...) still need their own validation by the PF.
 *
 * INLINE_IPSEC_OP_RESP is included only so the PF can size the failure
 * response it sends back to a VF.
 */
static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
{
	u16 payload_len;

	switch (opcode) {
	case INLINE_IPSEC_OP_GET_CAP:
	case INLINE_IPSEC_OP_GET_STATUS:
		/* header only, no request payload */
		payload_len = 0;
		break;
	case INLINE_IPSEC_OP_SA_CREATE:
		payload_len = sizeof(struct virtchnl_ipsec_sa_cfg);
		break;
	case INLINE_IPSEC_OP_SP_CREATE:
		payload_len = sizeof(struct virtchnl_ipsec_sp_cfg);
		break;
	case INLINE_IPSEC_OP_SA_UPDATE:
		payload_len = sizeof(struct virtchnl_ipsec_sa_update);
		break;
	case INLINE_IPSEC_OP_SA_DESTROY:
		payload_len = sizeof(struct virtchnl_ipsec_sa_destroy);
		break;
	case INLINE_IPSEC_OP_SP_DESTROY:
		payload_len = sizeof(struct virtchnl_ipsec_sp_destroy);
		break;
	case INLINE_IPSEC_OP_RESP:
		payload_len = sizeof(struct virtchnl_ipsec_resp);
		break;
	default:
		/* unknown or unsupported opcode: no valid length */
		return 0;
	}

	return sizeof(struct inline_ipsec_msg) + payload_len;
}
585 
586 #endif /* _VIRTCHNL_INLINE_IPSEC_H_ */
587