1
2
3
4
5#ifndef __IPSEC_H__
6#define __IPSEC_H__
7
8#include <stdint.h>
9
10#include <rte_byteorder.h>
11#include <rte_crypto.h>
12#include <rte_security.h>
13#include <rte_flow.h>
14#include <rte_ipsec.h>
15
16#include "ipsec-secgw.h"
17
18#define RTE_LOGTYPE_IPSEC_ESP RTE_LOGTYPE_USER2
19#define RTE_LOGTYPE_IPSEC_IPIP RTE_LOGTYPE_USER3
20
21#define MAX_INFLIGHT 128
22#define MAX_QP_PER_LCORE 256
23
24#define MAX_DIGEST_SIZE 32
25
26#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
27
28#define IV_OFFSET (sizeof(struct rte_crypto_op) + \
29 sizeof(struct rte_crypto_sym_op))
30
31#define DEFAULT_MAX_CATEGORIES 1
32
33#define INVALID_SPI (0)
34
35#define DISCARD INVALID_SPI
36#define BYPASS UINT32_MAX
37
38#define IPSEC_XFORM_MAX 2
39
40#define IP6_VERSION (6)
41
42struct rte_crypto_xform;
43struct ipsec_xform;
44struct rte_mbuf;
45
46struct ipsec_sa;
47
48
49
50struct ipsec_sa_cnt {
51 uint32_t nb_v4;
52 uint32_t nb_v6;
53};
54
55typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
56 struct rte_crypto_op *cop);
57
58struct ip_addr {
59 union {
60 uint32_t ip4;
61 union {
62 uint64_t ip6[2];
63 uint8_t ip6_b[16];
64 } ip6;
65 } ip;
66};
67
68#define MAX_KEY_SIZE 36
69
70
71
72
73struct app_sa_prm {
74 uint32_t enable;
75 uint32_t window_size;
76 uint32_t enable_esn;
77 uint32_t cache_sz;
78 uint64_t flags;
79};
80
81extern struct app_sa_prm app_sa_prm;
82
83struct flow_info {
84 struct rte_flow *rx_def_flow;
85};
86
87extern struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
88
89enum {
90 IPSEC_SESSION_PRIMARY = 0,
91 IPSEC_SESSION_FALLBACK = 1,
92 IPSEC_SESSION_MAX
93};
94
95#define IPSEC_SA_OFFLOAD_FALLBACK_FLAG (1)
96
97static inline struct ipsec_sa *
98ipsec_mask_saptr(void *ptr)
99{
100 uintptr_t i = (uintptr_t)ptr;
101 static const uintptr_t mask = IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
102
103 i &= ~mask;
104
105 return (struct ipsec_sa *)i;
106}
107
108struct ipsec_sa {
109 struct rte_ipsec_session sessions[IPSEC_SESSION_MAX];
110 uint32_t spi;
111 uint32_t cdev_id_qp;
112 uint64_t seq;
113 uint32_t salt;
114 uint32_t fallback_sessions;
115 enum rte_crypto_cipher_algorithm cipher_algo;
116 enum rte_crypto_auth_algorithm auth_algo;
117 enum rte_crypto_aead_algorithm aead_algo;
118 uint16_t digest_len;
119 uint16_t iv_len;
120 uint16_t block_size;
121 uint16_t flags;
122#define IP4_TUNNEL (1 << 0)
123#define IP6_TUNNEL (1 << 1)
124#define TRANSPORT (1 << 2)
125#define IP4_TRANSPORT (1 << 3)
126#define IP6_TRANSPORT (1 << 4)
127 struct ip_addr src;
128 struct ip_addr dst;
129 uint8_t cipher_key[MAX_KEY_SIZE];
130 uint16_t cipher_key_len;
131 uint8_t auth_key[MAX_KEY_SIZE];
132 uint16_t auth_key_len;
133 uint16_t aad_len;
134 union {
135 struct rte_crypto_sym_xform *xforms;
136 struct rte_security_ipsec_xform *sec_xform;
137 };
138 enum rte_security_ipsec_sa_direction direction;
139 uint16_t portid;
140 uint8_t fdir_qid;
141 uint8_t fdir_flag;
142
143#define MAX_RTE_FLOW_PATTERN (4)
144#define MAX_RTE_FLOW_ACTIONS (3)
145 struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
146 struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
147 struct rte_flow_attr attr;
148 union {
149 struct rte_flow_item_ipv4 ipv4_spec;
150 struct rte_flow_item_ipv6 ipv6_spec;
151 };
152 struct rte_flow_item_esp esp_spec;
153 struct rte_flow *flow;
154 struct rte_security_session_conf sess_conf;
155} __rte_cache_aligned;
156
157struct ipsec_xf {
158 struct rte_crypto_sym_xform a;
159 struct rte_crypto_sym_xform b;
160};
161
162struct ipsec_sad {
163 struct rte_ipsec_sad *sad_v4;
164 struct rte_ipsec_sad *sad_v6;
165};
166
167struct sa_ctx {
168 void *satbl;
169 struct ipsec_sad sad;
170 struct ipsec_xf *xf;
171 uint32_t nb_sa;
172 struct ipsec_sa sa[];
173};
174
175struct ipsec_mbuf_metadata {
176 struct ipsec_sa *sa;
177 struct rte_crypto_op cop;
178 struct rte_crypto_sym_op sym_cop;
179 uint8_t buf[32];
180} __rte_cache_aligned;
181
182#define IS_TRANSPORT(flags) ((flags) & TRANSPORT)
183
184#define IS_TUNNEL(flags) ((flags) & (IP4_TUNNEL | IP6_TUNNEL))
185
186#define IS_IP4(flags) ((flags) & (IP4_TUNNEL | IP4_TRANSPORT))
187
188#define IS_IP6(flags) ((flags) & (IP6_TUNNEL | IP6_TRANSPORT))
189
190#define IS_IP4_TUNNEL(flags) ((flags) & IP4_TUNNEL)
191
192#define IS_IP6_TUNNEL(flags) ((flags) & IP6_TUNNEL)
193
194
195
196
197
198#define WITHOUT_TRANSPORT_VERSION(flags) \
199 ((flags) & (IP4_TUNNEL | \
200 IP6_TUNNEL | \
201 TRANSPORT))
202
203struct cdev_qp {
204 uint16_t id;
205 uint16_t qp;
206 uint16_t in_flight;
207 uint16_t len;
208 struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
209};
210
211struct ipsec_ctx {
212 struct rte_hash *cdev_map;
213 struct sp_ctx *sp4_ctx;
214 struct sp_ctx *sp6_ctx;
215 struct sa_ctx *sa_ctx;
216 uint16_t nb_qps;
217 uint16_t last_qp;
218 struct cdev_qp tbl[MAX_QP_PER_LCORE];
219 struct rte_mempool *session_pool;
220 struct rte_mempool *session_priv_pool;
221 struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
222 uint16_t ol_pkts_cnt;
223 uint64_t ipv4_offloads;
224 uint64_t ipv6_offloads;
225};
226
227struct cdev_key {
228 uint16_t lcore_id;
229 uint8_t cipher_algo;
230 uint8_t auth_algo;
231 uint8_t aead_algo;
232};
233
234struct socket_ctx {
235 struct sa_ctx *sa_in;
236 struct sa_ctx *sa_out;
237 struct sp_ctx *sp_ip4_in;
238 struct sp_ctx *sp_ip4_out;
239 struct sp_ctx *sp_ip6_in;
240 struct sp_ctx *sp_ip6_out;
241 struct rt_ctx *rt_ip4;
242 struct rt_ctx *rt_ip6;
243 struct rte_mempool *mbuf_pool;
244 struct rte_mempool *mbuf_pool_indir;
245 struct rte_mempool *session_pool;
246 struct rte_mempool *session_priv_pool;
247};
248
249struct cnt_blk {
250 uint32_t salt;
251 uint64_t iv;
252 uint32_t cnt;
253} __rte_packed;
254
255
256extern struct socket_ctx socket_ctx[NB_SOCKETS];
257
258void
259ipsec_poll_mode_worker(void);
260
261int
262ipsec_launch_one_lcore(void *args);
263
264extern struct ipsec_sa *sa_out;
265extern uint32_t nb_sa_out;
266
267extern struct ipsec_sa *sa_in;
268extern uint32_t nb_sa_in;
269
270uint16_t
271ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
272 uint16_t nb_pkts, uint16_t len);
273
274uint16_t
275ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
276 uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
277
278uint16_t
279ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
280 uint16_t len);
281
282uint16_t
283ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
284 uint16_t len);
285
286void
287ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
288
289void
290ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
291
292static inline uint16_t
293ipsec_metadata_size(void)
294{
295 return sizeof(struct ipsec_mbuf_metadata);
296}
297
298static inline struct ipsec_mbuf_metadata *
299get_priv(struct rte_mbuf *m)
300{
301 return rte_mbuf_to_priv(m);
302}
303
304static inline void *
305get_cnt_blk(struct rte_mbuf *m)
306{
307 struct ipsec_mbuf_metadata *priv = get_priv(m);
308
309 return &priv->buf[0];
310}
311
312static inline void *
313get_aad(struct rte_mbuf *m)
314{
315 struct ipsec_mbuf_metadata *priv = get_priv(m);
316
317 return &priv->buf[16];
318}
319
320static inline void *
321get_sym_cop(struct rte_crypto_op *cop)
322{
323 return (cop + 1);
324}
325
326static inline struct rte_ipsec_session *
327ipsec_get_primary_session(struct ipsec_sa *sa)
328{
329 return &sa->sessions[IPSEC_SESSION_PRIMARY];
330}
331
332static inline struct rte_ipsec_session *
333ipsec_get_fallback_session(struct ipsec_sa *sa)
334{
335 return &sa->sessions[IPSEC_SESSION_FALLBACK];
336}
337
338static inline enum rte_security_session_action_type
339ipsec_get_action_type(struct ipsec_sa *sa)
340{
341 struct rte_ipsec_session *ips;
342 ips = ipsec_get_primary_session(sa);
343 return ips->type;
344}
345
346int
347inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
348
349void
350inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
351 void *sa[], uint16_t nb_pkts);
352
353void
354outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
355 void *sa[], uint16_t nb_pkts);
356
357void
358sp4_init(struct socket_ctx *ctx, int32_t socket_id);
359
360void
361sp6_init(struct socket_ctx *ctx, int32_t socket_id);
362
363
364
365
366
367
368int
369sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
370 uint32_t mask[2]);
371int
372sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
373 uint32_t mask[2]);
374
375
376
377
378
379
380int
381sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound);
382
383void
384sa_init(struct socket_ctx *ctx, int32_t socket_id);
385
386void
387rt_init(struct socket_ctx *ctx, int32_t socket_id);
388
389int
390sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
391 uint64_t *tx_offloads);
392
393int
394add_dst_ethaddr(uint16_t port, const struct rte_ether_addr *addr);
395
396void
397enqueue_cop_burst(struct cdev_qp *cqp);
398
399int
400create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
401 struct rte_ipsec_session *ips);
402
403int
404create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
405 struct rte_ipsec_session *ips);
406int
407check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
408
409int
410create_ipsec_esp_flow(struct ipsec_sa *sa);
411
412uint32_t
413get_nb_crypto_sessions(void);
414
415#endif
416