LXR dpdk/examples/ipsec-secgw/ipsec.h

   1/* SPDX-License-Identifier: BSD-3-Clause
   2 * Copyright(c) 2016-2017 Intel Corporation
   3 */
   4
   5#ifndef __IPSEC_H__
   6#define __IPSEC_H__
   7
   8#include <stdint.h>
   9
  10#include <rte_byteorder.h>
  11#include <rte_crypto.h>
  12#include <rte_security.h>
  13#include <rte_flow.h>
  14#include <rte_ipsec.h>
  15
  16#include "ipsec-secgw.h"
  17
  18#define RTE_LOGTYPE_IPSEC_ESP   RTE_LOGTYPE_USER2
  19#define RTE_LOGTYPE_IPSEC_IPIP  RTE_LOGTYPE_USER3
  20
  21#define MAX_INFLIGHT 128
  22#define MAX_QP_PER_LCORE 256
  23
  24#define MAX_DIGEST_SIZE 32 /* Bytes -- 256 bits */
  25
  26#define IPSEC_OFFLOAD_ESN_SOFTLIMIT 0xffffff00
  27
  28#define IV_OFFSET               (sizeof(struct rte_crypto_op) + \
  29                                sizeof(struct rte_crypto_sym_op))
  30
  31#define DEFAULT_MAX_CATEGORIES  1
  32
  33#define INVALID_SPI (0)
  34
  35#define DISCARD INVALID_SPI
  36#define BYPASS  UINT32_MAX
  37
  38#define IPSEC_XFORM_MAX 2
  39
  40#define IP6_VERSION (6)
  41
  42struct rte_crypto_xform;
  43struct ipsec_xform;
  44struct rte_mbuf;
  45
  46struct ipsec_sa;
  47/*
  48 * Keeps number of configured SA's for each address family:
  49 */
  50struct ipsec_sa_cnt {
  51        uint32_t        nb_v4;
  52        uint32_t        nb_v6;
  53};
  54
  55typedef int32_t (*ipsec_xform_fn)(struct rte_mbuf *m, struct ipsec_sa *sa,
  56                struct rte_crypto_op *cop);
  57
  58struct ip_addr {
  59        union {
  60                uint32_t ip4;
  61                union {
  62                        uint64_t ip6[2];
  63                        uint8_t ip6_b[16];
  64                } ip6;
  65        } ip;
  66};
  67
  68#define MAX_KEY_SIZE            36
  69
  70/*
  71 * application wide SA parameters
  72 */
  73struct app_sa_prm {
  74        uint32_t enable; /* use librte_ipsec API for ipsec pkt processing */
  75        uint32_t window_size; /* replay window size */
  76        uint32_t enable_esn;  /* enable/disable ESN support */
  77        uint32_t cache_sz;      /* per lcore SA cache size */
  78        uint64_t flags;       /* rte_ipsec_sa_prm.flags */
  79};
  80
  81extern struct app_sa_prm app_sa_prm;
  82
  83struct flow_info {
  84        struct rte_flow *rx_def_flow;
  85};
  86
  87extern struct flow_info flow_info_tbl[RTE_MAX_ETHPORTS];
  88
  89enum {
  90        IPSEC_SESSION_PRIMARY = 0,
  91        IPSEC_SESSION_FALLBACK = 1,
  92        IPSEC_SESSION_MAX
  93};
  94
  95#define IPSEC_SA_OFFLOAD_FALLBACK_FLAG (1)
  96
  97static inline struct ipsec_sa *
  98ipsec_mask_saptr(void *ptr)
  99{
 100        uintptr_t i = (uintptr_t)ptr;
 101        static const uintptr_t mask = IPSEC_SA_OFFLOAD_FALLBACK_FLAG;
 102
 103        i &= ~mask;
 104
 105        return (struct ipsec_sa *)i;
 106}
 107
 108struct ipsec_sa {
 109        struct rte_ipsec_session sessions[IPSEC_SESSION_MAX];
 110        uint32_t spi;
 111        uint32_t cdev_id_qp;
 112        uint64_t seq;
 113        uint32_t salt;
 114        uint32_t fallback_sessions;
 115        enum rte_crypto_cipher_algorithm cipher_algo;
 116        enum rte_crypto_auth_algorithm auth_algo;
 117        enum rte_crypto_aead_algorithm aead_algo;
 118        uint16_t digest_len;
 119        uint16_t iv_len;
 120        uint16_t block_size;
 121        uint16_t flags;
 122#define IP4_TUNNEL (1 << 0)
 123#define IP6_TUNNEL (1 << 1)
 124#define TRANSPORT  (1 << 2)
 125#define IP4_TRANSPORT (1 << 3)
 126#define IP6_TRANSPORT (1 << 4)
 127        struct ip_addr src;
 128        struct ip_addr dst;
 129        uint8_t cipher_key[MAX_KEY_SIZE];
 130        uint16_t cipher_key_len;
 131        uint8_t auth_key[MAX_KEY_SIZE];
 132        uint16_t auth_key_len;
 133        uint16_t aad_len;
 134        union {
 135                struct rte_crypto_sym_xform *xforms;
 136                struct rte_security_ipsec_xform *sec_xform;
 137        };
 138        enum rte_security_ipsec_sa_direction direction;
 139        uint16_t portid;
 140        uint8_t fdir_qid;
 141        uint8_t fdir_flag;
 142
 143#define MAX_RTE_FLOW_PATTERN (4)
 144#define MAX_RTE_FLOW_ACTIONS (3)
 145        struct rte_flow_item pattern[MAX_RTE_FLOW_PATTERN];
 146        struct rte_flow_action action[MAX_RTE_FLOW_ACTIONS];
 147        struct rte_flow_attr attr;
 148        union {
 149                struct rte_flow_item_ipv4 ipv4_spec;
 150                struct rte_flow_item_ipv6 ipv6_spec;
 151        };
 152        struct rte_flow_item_esp esp_spec;
 153        struct rte_flow *flow;
 154        struct rte_security_session_conf sess_conf;
 155} __rte_cache_aligned;
 156
 157struct ipsec_xf {
 158        struct rte_crypto_sym_xform a;
 159        struct rte_crypto_sym_xform b;
 160};
 161
 162struct ipsec_sad {
 163        struct rte_ipsec_sad *sad_v4;
 164        struct rte_ipsec_sad *sad_v6;
 165};
 166
 167struct sa_ctx {
 168        void *satbl; /* pointer to array of rte_ipsec_sa objects*/
 169        struct ipsec_sad sad;
 170        struct ipsec_xf *xf;
 171        uint32_t nb_sa;
 172        struct ipsec_sa sa[];
 173};
 174
 175struct ipsec_mbuf_metadata {
 176        struct ipsec_sa *sa;
 177        struct rte_crypto_op cop;
 178        struct rte_crypto_sym_op sym_cop;
 179        uint8_t buf[32];
 180} __rte_cache_aligned;
 181
 182#define IS_TRANSPORT(flags) ((flags) & TRANSPORT)
 183
 184#define IS_TUNNEL(flags) ((flags) & (IP4_TUNNEL | IP6_TUNNEL))
 185
 186#define IS_IP4(flags) ((flags) & (IP4_TUNNEL | IP4_TRANSPORT))
 187
 188#define IS_IP6(flags) ((flags) & (IP6_TUNNEL | IP6_TRANSPORT))
 189
 190#define IS_IP4_TUNNEL(flags) ((flags) & IP4_TUNNEL)
 191
 192#define IS_IP6_TUNNEL(flags) ((flags) & IP6_TUNNEL)
 193
 194/*
 195 * Macro for getting ipsec_sa flags statuses without version of protocol
 196 * used for transport (IP4_TRANSPORT and IP6_TRANSPORT flags).
 197 */
 198#define WITHOUT_TRANSPORT_VERSION(flags) \
 199                ((flags) & (IP4_TUNNEL | \
 200                        IP6_TUNNEL | \
 201                        TRANSPORT))
 202
 203struct cdev_qp {
 204        uint16_t id;
 205        uint16_t qp;
 206        uint16_t in_flight;
 207        uint16_t len;
 208        struct rte_crypto_op *buf[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
 209};
 210
 211struct ipsec_ctx {
 212        struct rte_hash *cdev_map;
 213        struct sp_ctx *sp4_ctx;
 214        struct sp_ctx *sp6_ctx;
 215        struct sa_ctx *sa_ctx;
 216        uint16_t nb_qps;
 217        uint16_t last_qp;
 218        struct cdev_qp tbl[MAX_QP_PER_LCORE];
 219        struct rte_mempool *session_pool;
 220        struct rte_mempool *session_priv_pool;
 221        struct rte_mbuf *ol_pkts[MAX_PKT_BURST] __rte_aligned(sizeof(void *));
 222        uint16_t ol_pkts_cnt;
 223        uint64_t ipv4_offloads;
 224        uint64_t ipv6_offloads;
 225};
 226
 227struct cdev_key {
 228        uint16_t lcore_id;
 229        uint8_t cipher_algo;
 230        uint8_t auth_algo;
 231        uint8_t aead_algo;
 232};
 233
 234struct socket_ctx {
 235        struct sa_ctx *sa_in;
 236        struct sa_ctx *sa_out;
 237        struct sp_ctx *sp_ip4_in;
 238        struct sp_ctx *sp_ip4_out;
 239        struct sp_ctx *sp_ip6_in;
 240        struct sp_ctx *sp_ip6_out;
 241        struct rt_ctx *rt_ip4;
 242        struct rt_ctx *rt_ip6;
 243        struct rte_mempool *mbuf_pool;
 244        struct rte_mempool *mbuf_pool_indir;
 245        struct rte_mempool *session_pool;
 246        struct rte_mempool *session_priv_pool;
 247};
 248
 249struct cnt_blk {
 250        uint32_t salt;
 251        uint64_t iv;
 252        uint32_t cnt;
 253} __rte_packed;
 254
 255/* Socket ctx */
 256extern struct socket_ctx socket_ctx[NB_SOCKETS];
 257
 258void
 259ipsec_poll_mode_worker(void);
 260
 261int
 262ipsec_launch_one_lcore(void *args);
 263
 264extern struct ipsec_sa *sa_out;
 265extern uint32_t nb_sa_out;
 266
 267extern struct ipsec_sa *sa_in;
 268extern uint32_t nb_sa_in;
 269
 270uint16_t
 271ipsec_inbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 272                uint16_t nb_pkts, uint16_t len);
 273
 274uint16_t
 275ipsec_outbound(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 276                uint32_t sa_idx[], uint16_t nb_pkts, uint16_t len);
 277
 278uint16_t
 279ipsec_inbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 280                uint16_t len);
 281
 282uint16_t
 283ipsec_outbound_cqp_dequeue(struct ipsec_ctx *ctx, struct rte_mbuf *pkts[],
 284                uint16_t len);
 285
 286void
 287ipsec_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
 288
 289void
 290ipsec_cqp_process(struct ipsec_ctx *ctx, struct ipsec_traffic *trf);
 291
 292static inline uint16_t
 293ipsec_metadata_size(void)
 294{
 295        return sizeof(struct ipsec_mbuf_metadata);
 296}
 297
 298static inline struct ipsec_mbuf_metadata *
 299get_priv(struct rte_mbuf *m)
 300{
 301        return rte_mbuf_to_priv(m);
 302}
 303
 304static inline void *
 305get_cnt_blk(struct rte_mbuf *m)
 306{
 307        struct ipsec_mbuf_metadata *priv = get_priv(m);
 308
 309        return &priv->buf[0];
 310}
 311
 312static inline void *
 313get_aad(struct rte_mbuf *m)
 314{
 315        struct ipsec_mbuf_metadata *priv = get_priv(m);
 316
 317        return &priv->buf[16];
 318}
 319
 320static inline void *
 321get_sym_cop(struct rte_crypto_op *cop)
 322{
 323        return (cop + 1);
 324}
 325
 326static inline struct rte_ipsec_session *
 327ipsec_get_primary_session(struct ipsec_sa *sa)
 328{
 329        return &sa->sessions[IPSEC_SESSION_PRIMARY];
 330}
 331
 332static inline struct rte_ipsec_session *
 333ipsec_get_fallback_session(struct ipsec_sa *sa)
 334{
 335        return &sa->sessions[IPSEC_SESSION_FALLBACK];
 336}
 337
 338static inline enum rte_security_session_action_type
 339ipsec_get_action_type(struct ipsec_sa *sa)
 340{
 341        struct rte_ipsec_session *ips;
 342        ips = ipsec_get_primary_session(sa);
 343        return ips->type;
 344}
 345
 346int
 347inbound_sa_check(struct sa_ctx *sa_ctx, struct rte_mbuf *m, uint32_t sa_idx);
 348
 349void
 350inbound_sa_lookup(struct sa_ctx *sa_ctx, struct rte_mbuf *pkts[],
 351                void *sa[], uint16_t nb_pkts);
 352
 353void
 354outbound_sa_lookup(struct sa_ctx *sa_ctx, uint32_t sa_idx[],
 355                void *sa[], uint16_t nb_pkts);
 356
 357void
 358sp4_init(struct socket_ctx *ctx, int32_t socket_id);
 359
 360void
 361sp6_init(struct socket_ctx *ctx, int32_t socket_id);
 362
 363/*
 364 * Search through SP rules for given SPI.
 365 * Returns first rule index if found(greater or equal then zero),
 366 * or -ENOENT otherwise.
 367 */
 368int
 369sp4_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
 370                        uint32_t mask[2]);
 371int
 372sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
 373                        uint32_t mask[2]);
 374
 375/*
 376 * Search through SA entries for given SPI.
 377 * Returns first entry index if found(greater or equal then zero),
 378 * or -ENOENT otherwise.
 379 */
 380int
 381sa_spi_present(struct sa_ctx *sa_ctx, uint32_t spi, int inbound);
 382
 383void
 384sa_init(struct socket_ctx *ctx, int32_t socket_id);
 385
 386void
 387rt_init(struct socket_ctx *ctx, int32_t socket_id);
 388
 389int
 390sa_check_offloads(uint16_t port_id, uint64_t *rx_offloads,
 391                uint64_t *tx_offloads);
 392
 393int
 394add_dst_ethaddr(uint16_t port, const struct rte_ether_addr *addr);
 395
 396void
 397enqueue_cop_burst(struct cdev_qp *cqp);
 398
 399int
 400create_lookaside_session(struct ipsec_ctx *ipsec_ctx, struct ipsec_sa *sa,
 401                struct rte_ipsec_session *ips);
 402
 403int
 404create_inline_session(struct socket_ctx *skt_ctx, struct ipsec_sa *sa,
 405                struct rte_ipsec_session *ips);
 406int
 407check_flow_params(uint16_t fdir_portid, uint8_t fdir_qid);
 408
 409int
 410create_ipsec_esp_flow(struct ipsec_sa *sa);
 411
 412uint32_t
 413get_nb_crypto_sessions(void);
 414
 415#endif /* __IPSEC_H__ */
 416