1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */ 3 4 #include <crypto/aead.h> 5 #include <linux/debugfs.h> 6 #include <net/xfrm.h> 7 8 #include "netdevsim.h" 9 10 #define NSIM_IPSEC_AUTH_BITS 128 11 12 static ssize_t nsim_dbg_netdev_ops_read(struct file *filp, 13 char __user *buffer, 14 size_t count, loff_t *ppos) 15 { 16 struct netdevsim *ns = filp->private_data; 17 struct nsim_ipsec *ipsec = &ns->ipsec; 18 size_t bufsize; 19 char *buf, *p; 20 int len; 21 int i; 22 23 /* the buffer needed is 24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line 25 */ 26 bufsize = (ipsec->count * 4 * 60) + 60; 27 buf = kzalloc(bufsize, GFP_KERNEL); 28 if (!buf) 29 return -ENOMEM; 30 31 p = buf; 32 p += scnprintf(p, bufsize - (p - buf), 33 "SA count=%u tx=%u\n", 34 ipsec->count, ipsec->tx); 35 36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 37 struct nsim_sa *sap = &ipsec->sa[i]; 38 39 if (!sap->used) 40 continue; 41 42 p += scnprintf(p, bufsize - (p - buf), 43 "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n", 44 i, (sap->rx ? 'r' : 't'), sap->ipaddr[0], 45 sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]); 46 p += scnprintf(p, bufsize - (p - buf), 47 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n", 48 i, be32_to_cpu(sap->xs->id.spi), 49 sap->xs->id.proto, sap->salt, sap->crypt); 50 p += scnprintf(p, bufsize - (p - buf), 51 "sa[%i] key=0x%08x %08x %08x %08x\n", 52 i, sap->key[0], sap->key[1], 53 sap->key[2], sap->key[3]); 54 } 55 56 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf); 57 58 kfree(buf); 59 return len; 60 } 61 62 static const struct file_operations ipsec_dbg_fops = { 63 .owner = THIS_MODULE, 64 .open = simple_open, 65 .read = nsim_dbg_netdev_ops_read, 66 }; 67 68 static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec) 69 { 70 u32 i; 71 72 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT) 73 return -ENOSPC; 74 75 /* search sa table */ 76 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 77 if (!ipsec->sa[i].used) 78 return i; 79 } 80 81 return -ENOSPC; 82 } 83 84 static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs, 85 u32 *mykey, u32 *mysalt) 86 { 87 const char aes_gcm_name[] = "rfc4106(gcm(aes))"; 88 struct net_device *dev = xs->xso.real_dev; 89 unsigned char *key_data; 90 char *alg_name = NULL; 91 int key_len; 92 93 if (!xs->aead) { 94 netdev_err(dev, "Unsupported IPsec algorithm\n"); 95 return -EINVAL; 96 } 97 98 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) { 99 netdev_err(dev, "IPsec offload requires %d bit authentication\n", 100 NSIM_IPSEC_AUTH_BITS); 101 return -EINVAL; 102 } 103 104 key_data = &xs->aead->alg_key[0]; 105 key_len = xs->aead->alg_key_len; 106 alg_name = xs->aead->alg_name; 107 108 if (strcmp(alg_name, aes_gcm_name)) { 109 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n", 110 aes_gcm_name); 111 return -EINVAL; 112 } 113 114 /* 160 accounts for 16 byte key and 4 byte salt */ 115 if (key_len > NSIM_IPSEC_AUTH_BITS) { 116 *mysalt = ((u32 *)key_data)[4]; 117 } else if (key_len == NSIM_IPSEC_AUTH_BITS) { 118 *mysalt = 0; 119 } else { 120 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n"); 121 return -EINVAL; 122 } 123 memcpy(mykey, key_data, 16); 124 125 return 0; 126 } 127 128 static int nsim_ipsec_add_sa(struct xfrm_state *xs, 129 struct netlink_ext_ack *extack) 130 { 131 struct nsim_ipsec *ipsec; 132 struct net_device *dev; 133 struct netdevsim *ns; 134 struct nsim_sa sa; 135 u16 sa_idx; 136 int ret; 137 138 dev = xs->xso.real_dev; 139 ns = netdev_priv(dev); 140 ipsec = &ns->ipsec; 141 142 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 143 netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n", 144 xs->id.proto); 145 return -EINVAL; 146 } 147 148 if (xs->calg) { 149 netdev_err(dev, "Compression offload not supported\n"); 150 return -EINVAL; 151 } 152 153 if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) { 154 netdev_err(dev, "Unsupported ipsec offload type\n"); 155 return -EINVAL; 156 } 157 158 /* find the first unused index */ 159 ret = nsim_ipsec_find_empty_idx(ipsec); 160 if (ret < 0) { 161 netdev_err(dev, "No space for SA in Rx table!\n"); 162 return ret; 163 } 164 sa_idx = (u16)ret; 165 166 memset(&sa, 0, sizeof(sa)); 167 sa.used = true; 168 sa.xs = xs; 169 170 if (sa.xs->id.proto & IPPROTO_ESP) 171 sa.crypt = xs->ealg || xs->aead; 172 173 /* get the key and salt */ 174 ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt); 175 if (ret) { 176 netdev_err(dev, "Failed to get key data for SA table\n"); 177 return ret; 178 } 179 180 if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) { 181 sa.rx = true; 182 183 if (xs->props.family == AF_INET6) 184 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16); 185 else 186 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4); 187 } 188 189 /* the preparations worked, so save the info */ 190 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa)); 191 192 /* the XFRM stack doesn't like offload_handle == 0, 193 * so add a bitflag in case our array index is 0 194 */ 195 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID; 196 ipsec->count++; 197 198 return 0; 199 } 200 201 static void nsim_ipsec_del_sa(struct xfrm_state *xs) 202 { 203 struct netdevsim *ns = netdev_priv(xs->xso.real_dev); 204 struct nsim_ipsec *ipsec = &ns->ipsec; 205 u16 sa_idx; 206 207 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 208 if (!ipsec->sa[sa_idx].used) { 209 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n", 210 sa_idx); 211 return; 212 } 213 214 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa)); 215 ipsec->count--; 216 } 217 218 static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) 219 { 220 struct netdevsim *ns = netdev_priv(xs->xso.real_dev); 221 struct nsim_ipsec *ipsec = &ns->ipsec; 222 223 ipsec->ok++; 224 225 return true; 226 } 227 228 static const struct xfrmdev_ops nsim_xfrmdev_ops = { 229 .xdo_dev_state_add = nsim_ipsec_add_sa, 230 .xdo_dev_state_delete = nsim_ipsec_del_sa, 231 .xdo_dev_offload_ok = nsim_ipsec_offload_ok, 232 }; 233 234 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) 235 { 236 struct sec_path *sp = skb_sec_path(skb); 237 struct nsim_ipsec *ipsec = &ns->ipsec; 238 struct xfrm_state *xs; 239 struct nsim_sa *tsa; 240 u32 sa_idx; 241 242 /* do we even need to check this packet? */ 243 if (!sp) 244 return true; 245 246 if (unlikely(!sp->len)) { 247 netdev_err(ns->netdev, "no xfrm state len = %d\n", 248 sp->len); 249 return false; 250 } 251 252 xs = xfrm_input_state(skb); 253 if (unlikely(!xs)) { 254 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs); 255 return false; 256 } 257 258 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 259 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) { 260 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n", 261 sa_idx, NSIM_IPSEC_MAX_SA_COUNT); 262 return false; 263 } 264 265 tsa = &ipsec->sa[sa_idx]; 266 if (unlikely(!tsa->used)) { 267 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx); 268 return false; 269 } 270 271 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 272 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto); 273 return false; 274 } 275 276 ipsec->tx++; 277 278 return true; 279 } 280 281 void nsim_ipsec_init(struct netdevsim *ns) 282 { 283 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops; 284 285 #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \ 286 NETIF_F_HW_ESP_TX_CSUM | \ 287 NETIF_F_GSO_ESP) 288 289 ns->netdev->features |= NSIM_ESP_FEATURES; 290 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES; 291 292 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400, 293 ns->nsim_dev_port->ddir, ns, 294 &ipsec_dbg_fops); 295 } 296 297 void nsim_ipsec_teardown(struct netdevsim *ns) 298 { 299 struct nsim_ipsec *ipsec = &ns->ipsec; 300 301 if (ipsec->count) 302 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n", 303 ipsec->count); 304 debugfs_remove_recursive(ipsec->pfile); 305 } 306