dpdk/drivers/common/iavf/virtchnl_inline_ipsec.h
   1/* SPDX-License-Identifier: BSD-3-Clause
   2 * Copyright(c) 2001-2021 Intel Corporation
   3 */
   4
   5#ifndef _VIRTCHNL_INLINE_IPSEC_H_
   6#define _VIRTCHNL_INLINE_IPSEC_H_
   7
/* Fixed array bounds and sentinel values of the VF <-> PF inline IPsec
 * mailbox format. Each *_MAX_* value is the size of an array in one of the
 * structs below; any count or length that arrives from the peer and indexes
 * such an array (algo_cap_num, crypto_cap_num, key_len) must be checked
 * against the matching bound before it is used as an index or copy length.
 */
#define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM       3
#define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM         16
#define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM          128
#define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER   2
/* Size of virtchnl_ipsec_crypto_cfg_item.key_data; key_len may not exceed it. */
#define VIRTCHNL_IPSEC_MAX_KEY_LEN              128
/* Size of virtchnl_ipsec_sa_destroy.sa_index; one entry per bit of its u8 flag. */
#define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM       8
#define VIRTCHNL_IPSEC_SA_DESTROY               0
/* All-ones sentinels. BROADCAST_VFID addresses every VF; INVALID_REQ_ID marks
 * an unset req_id; the INVALID_*_CFG_RESP values are presumably what a failed
 * SA/SP create returns in sa_handle / rule_id (confirm against the PF driver).
 */
#define VIRTCHNL_IPSEC_BROADCAST_VFID           0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_REQ_ID           0xFFFF
#define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP      0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP      0xFFFFFFFF
  19
/* crypto type: value of the crypto_type field in virtchnl_sym_crypto_cap and
 * virtchnl_ipsec_crypto_cfg_item; selects which family algo_type belongs to.
 */
#define VIRTCHNL_AUTH           1
#define VIRTCHNL_CIPHER         2
#define VIRTCHNL_AEAD           3

/* caps enabled: bit flags reported by the PF in virtchnl_ipsec_cap.caps_enabled.
 * BIT() is not defined in this header and must come from an earlier include.
 * The bits pair by name with the *_en / *_enabled request fields of
 * virtchnl_ipsec_sa_cfg; a VF should only set one of those when the PF has
 * advertised the corresponding bit here.
 */
#define VIRTCHNL_IPSEC_ESN_ENA                  BIT(0)
#define VIRTCHNL_IPSEC_UDP_ENCAP_ENA            BIT(1)
#define VIRTCHNL_IPSEC_SA_INDEX_SW_ENA          BIT(2)
#define VIRTCHNL_IPSEC_AUDIT_ENA                BIT(3)
#define VIRTCHNL_IPSEC_BYTE_LIMIT_ENA           BIT(4)
#define VIRTCHNL_IPSEC_DROP_ON_AUTH_FAIL_ENA    BIT(5)
#define VIRTCHNL_IPSEC_ARW_CHECK_ENA            BIT(6)
#define VIRTCHNL_IPSEC_24BIT_SPI_ENA            BIT(7)
  34
/* algorithm type: value of algo_type in virtchnl_algo_cap and
 * virtchnl_ipsec_crypto_cfg_item. The numbering is one shared space across the
 * hash, cipher and AEAD groups, so a value also implies its crypto_type.
 *
 * This is the wire vocabulary, not a recommendation: the NULL entries give no
 * integrity (hash) or no confidentiality (cipher), and MD5-HMAC and 3DES-CBC
 * are legacy algorithms deprecated in current IPsec guidance. A deployment
 * policy should normally refuse to create SAs with them even when the PF
 * advertises them as supported.
 */
/* Hash Algorithm */
#define VIRTCHNL_HASH_NO_ALG    0 /* NULL algorithm */
#define VIRTCHNL_AES_CBC_MAC    1 /* AES-CBC-MAC algorithm */
#define VIRTCHNL_AES_CMAC       2 /* AES CMAC algorithm */
#define VIRTCHNL_AES_GMAC       3 /* AES GMAC algorithm */
#define VIRTCHNL_AES_XCBC_MAC   4 /* AES XCBC algorithm */
#define VIRTCHNL_MD5_HMAC       5 /* HMAC using MD5 algorithm (legacy) */
#define VIRTCHNL_SHA1_HMAC      6 /* HMAC using 160 bit SHA-1 algorithm */
#define VIRTCHNL_SHA224_HMAC    7 /* HMAC using 224 bit SHA algorithm */
#define VIRTCHNL_SHA256_HMAC    8 /* HMAC using 256 bit SHA algorithm */
#define VIRTCHNL_SHA384_HMAC    9 /* HMAC using 384 bit SHA algorithm */
#define VIRTCHNL_SHA512_HMAC    10 /* HMAC using 512 bit SHA algorithm */
#define VIRTCHNL_SHA3_224_HMAC  11 /* HMAC using 224 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_256_HMAC  12 /* HMAC using 256 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_384_HMAC  13 /* HMAC using 384 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_512_HMAC  14 /* HMAC using 512 bit SHA3 algorithm */
/* Cipher Algorithm */
#define VIRTCHNL_CIPHER_NO_ALG  15 /* NULL algorithm */
#define VIRTCHNL_3DES_CBC       16 /* Triple DES algorithm in CBC mode (legacy) */
#define VIRTCHNL_AES_CBC        17 /* AES algorithm in CBC mode */
#define VIRTCHNL_AES_CTR        18 /* AES algorithm in Counter mode */
/* AEAD Algorithm */
#define VIRTCHNL_AES_CCM        19 /* AES algorithm in CCM mode */
#define VIRTCHNL_AES_GCM        20 /* AES algorithm in GCM mode */
#define VIRTCHNL_CHACHA20_POLY1305 21 /* algorithm of ChaCha20-Poly1305 */
  61
/* protocol type: virtchnl_protocol_type in virtchnl_ipsec_cap,
 * virtchnl_ipsec_sa_cfg and virtchnl_ipsec_sa_read.
 */
#define VIRTCHNL_PROTO_ESP      1
#define VIRTCHNL_PROTO_AH       2
#define VIRTCHNL_PROTO_RSVD1    3 /* reserved; not a usable protocol */

/* sa mode: virtchnl_sa_mode in virtchnl_ipsec_cap. TRAN_TUN means both
 * transport and tunnel are available; UNKNOWN means the PF did not report one.
 */
#define VIRTCHNL_SA_MODE_TRANSPORT      1
#define VIRTCHNL_SA_MODE_TUNNEL         2
#define VIRTCHNL_SA_MODE_TRAN_TUN       3
#define VIRTCHNL_SA_MODE_UNKNOWN        4

/* sa direction: virtchnl_direction in the cap, SA create and SA read structs.
 * INGRESS_EGRESS is a capability value (both supported); whether a single SA
 * may be created with it is not stated here.
 */
#define VIRTCHNL_DIR_INGRESS            1
#define VIRTCHNL_DIR_EGRESS             2
#define VIRTCHNL_DIR_INGRESS_EGRESS     3

/* sa termination: termination_mode / virtchnl_termination fields */
#define VIRTCHNL_TERM_SOFTWARE  1
#define VIRTCHNL_TERM_HARDWARE  2

/* sa ip type: virtchnl_ip_type in virtchnl_ipsec_sa_cfg (outer IP header) */
#define VIRTCHNL_IPV4   1
#define VIRTCHNL_IPV6   2
  85
  86/* for virtchnl_ipsec_resp */
/* Status codes carried in virtchnl_ipsec_resp.resp. Only SUCCESS is zero;
 * every error is negative. resp itself is a u32, so a receiver must convert
 * it back to a signed type (or to this enum) before comparing with the
 * error values -- comparing the raw u32 against -1 etc. relies on
 * implementation conversions and reads badly.
 */
enum inline_ipsec_resp {
	INLINE_IPSEC_SUCCESS = 0,
	INLINE_IPSEC_FAIL = -1,
	INLINE_IPSEC_ERR_FIFO_FULL = -2,
	INLINE_IPSEC_ERR_NOT_READY = -3,
	INLINE_IPSEC_ERR_VF_DOWN = -4,
	INLINE_IPSEC_ERR_INVALID_PARAMS = -5,
	INLINE_IPSEC_ERR_NO_MEM = -6,
};
  96
  97/* Detailed opcodes for DPDK and IPsec use */
/* Detailed opcodes for DPDK and IPsec use; carried in
 * inline_ipsec_msg.ipsec_opcode. The payload each opcode puts in
 * ipsec_data is sized by virtchnl_inline_ipsec_val_msg_len(); note that
 * function has no entry for SA_READ or EVENT and returns 0 for them.
 */
enum inline_ipsec_ops {
	INLINE_IPSEC_OP_GET_CAP = 0,    /* no payload; reply is virtchnl_ipsec_cap */
	INLINE_IPSEC_OP_GET_STATUS = 1, /* no payload; reply is virtchnl_ipsec_status */
	INLINE_IPSEC_OP_SA_CREATE = 2,  /* virtchnl_ipsec_sa_cfg -> sa_cfg_resp */
	INLINE_IPSEC_OP_SA_UPDATE = 3,  /* virtchnl_ipsec_sa_update -> ipsec_resp */
	INLINE_IPSEC_OP_SA_DESTROY = 4, /* virtchnl_ipsec_sa_destroy -> ipsec_resp */
	INLINE_IPSEC_OP_SP_CREATE = 5,  /* virtchnl_ipsec_sp_cfg -> sp_cfg_resp */
	INLINE_IPSEC_OP_SP_DESTROY = 6, /* virtchnl_ipsec_sp_destroy -> ipsec_resp */
	INLINE_IPSEC_OP_SA_READ = 7,    /* virtchnl_ipsec_sa_read; marked reserved below */
	INLINE_IPSEC_OP_EVENT = 8,      /* virtchnl_ipsec_event; req_id not required */
	INLINE_IPSEC_OP_RESP = 9,       /* generic virtchnl_ipsec_resp */
};
 110
 111/* Not all valid, if certain field is invalid, set 1 for all bits */
/* Per-algorithm limits advertised by the PF. Not every field applies to
 * every algorithm (a cipher has no digest, a hash has no IV): a field that
 * does not apply has all bits set (0xFFFF), and a consumer must treat that
 * as "not applicable" rather than as a real bound. A consumer that steps
 * from min to max by inc should also guard against inc == 0 to avoid an
 * endless loop on a malformed capability.
 */
struct virtchnl_algo_cap  {
	u32 algo_type; /* VIRTCHNL_* algorithm id */

	u16 block_size;

	/* key size range, in bytes, and allowed step between sizes */
	u16 min_key_size;
	u16 max_key_size;
	u16 inc_key_size;

	u16 min_iv_size;
	u16 max_iv_size;
	u16 inc_iv_size;

	u16 min_digest_size;
	u16 max_digest_size;
	u16 inc_digest_size;

	u16 min_aad_size;
	u16 max_aad_size;
	u16 inc_aad_size;
} __rte_packed;
 133
 134/* vf record the capability of crypto from the virtchnl */
/* Capability list for one crypto family (VIRTCHNL_AUTH/CIPHER/AEAD), as
 * received by the VF from the PF. algo_cap_num is peer-supplied: clamp it to
 * VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM before iterating algo_cap_list, since the
 * array is fixed-size and a larger count would read past it.
 */
struct virtchnl_sym_crypto_cap {
	u8 crypto_type;
	u8 algo_cap_num; /* number of valid entries in algo_cap_list */
	struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
} __rte_packed;
 140
 141/* VIRTCHNL_OP_GET_IPSEC_CAP
 142 * VF pass virtchnl_ipsec_cap to PF
 143 * and PF return capability of ipsec from virtchnl.
 144 */
/* Reply to INLINE_IPSEC_OP_GET_CAP. Everything here is PF-supplied; the
 * VF should bound crypto_cap_num to VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM
 * before indexing cap[], and treat the *_type/mode/direction values as
 * untrusted enum inputs (validate against the VIRTCHNL_* definitions).
 */
struct virtchnl_ipsec_cap {
	/* max number of SA per VF */
	u16 max_sa_num;

	/* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
	u8 virtchnl_protocol_type;

	/* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
	u8 virtchnl_sa_mode;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 termination_mode;

	/* number of valid entries in cap[]; must be <= VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM */
	u8 crypto_cap_num;

	/* descriptor ID */
	u16 desc_id;

	/* capabilities enabled - bitmask of VIRTCHNL_IPSEC_XXX_ENA */
	u32 caps_enabled;

	/* crypto capabilities, one entry per crypto family */
	struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
} __rte_packed;
 173
 174/* configuration of crypto function */
/* Configuration of one crypto function of an SA (a cipher, an auth
 * algorithm or a single AEAD). This struct carries raw key material in the
 * clear across the PF/VF mailbox, which is the trust boundary between the
 * guest/VF and the PF driver: the PF must check key_len against
 * VIRTCHNL_IPSEC_MAX_KEY_LEN (and against the advertised min/max/inc key
 * sizes) before copying key_data, and the VF should scrub the message
 * buffer after the request has been sent, using a clearing routine the
 * compiler cannot optimise away.
 */
struct virtchnl_ipsec_crypto_cfg_item {
	u8 crypto_type; /* VIRTCHNL_AUTH / VIRTCHNL_CIPHER / VIRTCHNL_AEAD */

	u32 algo_type; /* VIRTCHNL_* algorithm id, must match crypto_type's family */

	/* Length of valid IV data; expected within the advertised min/max_iv_size. */
	u16 iv_len;

	/* Length of digest; expected within the advertised min/max_digest_size. */
	u16 digest_len;

	/* SA salt. Presumably the implicit-nonce salt used by counter-mode and
	 * AEAD algorithms; its meaning for other algorithm types is not
	 * specified here.
	 */
	u32 salt;

	/* The length of the symmetric key actually present in key_data;
	 * must be <= VIRTCHNL_IPSEC_MAX_KEY_LEN.
	 */
	u16 key_len;

	/* key data buffer (secret; only the first key_len bytes are meaningful) */
	u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
} __rte_packed;
 195
/* Crypto configuration of an SA: up to two items, presumably one per
 * crypto_type (cipher + auth) or a single AEAD entry -- how an unused
 * second item is marked is not specified here; confirm with the PF driver.
 *
 * NOTE(review): this struct is not marked __rte_packed although its only
 * member is an array of packed structs and it is itself embedded in packed
 * structs. Assuming __rte_packed is the GCC packed attribute the layout is
 * still contiguous (alignment 1, no padding), but adding the attribute would
 * make the wire-format intent explicit and consistent with its neighbours.
 */
struct virtchnl_ipsec_sym_crypto_cfg {
	struct virtchnl_ipsec_crypto_cfg_item
		items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
};
 200
 201/* VIRTCHNL_OP_IPSEC_SA_CREATE
 202 * VF send this SA configuration to PF using virtchnl;
 203 * PF create SA as configuration and PF driver will return
 204 * an unique index (sa_idx) for the created SA.
 205 */
/* Payload of INLINE_IPSEC_OP_SA_CREATE: the full description of an SA.
 * Sent by the VF, consumed by the PF, which creates the SA and returns its
 * index in virtchnl_ipsec_sa_cfg_resp.sa_handle. Every field below is
 * untrusted input from the PF's point of view: the enum-valued fields must
 * be range-checked, arw_size must be <= 127, and the embedded crypto_cfg
 * carries raw keys whose key_len must be validated before use.
 */
struct virtchnl_ipsec_sa_cfg {
	/* IPsec SA Protocol - AH/ESP (VIRTCHNL_PROTO_XXX) */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* type of outer IP - IPv4/IPv6 (VIRTCHNL_IPV4 / VIRTCHNL_IPV6) */
	u8 virtchnl_ip_type;

	/* type of esn - !0:enable/0:disable (PF must advertise VIRTCHNL_IPSEC_ESN_ENA) */
	u8 esn_enabled;

	/* udp encap - !0:enable/0:disable (pairs with VIRTCHNL_IPSEC_UDP_ENCAP_ENA) */
	u8 udp_encap_enabled;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* reserved; not interpreted by anything in this header */
	u8 reserved1;

	/* SA security parameter index */
	u32 spi;

	/* outer src ip address. 16 bytes so an IPv6 address fits; how an IPv4
	 * address is placed within the 16 bytes is not specified here.
	 */
	u8 src_addr[16];

	/* outer dst ip address (same layout note as src_addr) */
	u8 dst_addr[16];

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* high 32 bits of the initial esn (meaningful when esn_enabled) */
	u32 esn_hi;

	/* low 32 bits of the initial esn / sequence number */
	u32 esn_low;

	/* When enabled, sa_index must be valid: the VF chooses the index
	 * itself (pairs with VIRTCHNL_IPSEC_SA_INDEX_SW_ENA).
	 */
	u8 sa_index_en;

	/* SA index when sa_index_en is true */
	u32 sa_index;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When enabled, byte_limit_hard and byte_limit_soft
	 * must be valid. The expected relation (soft <= hard) is not
	 * enforced by anything in this header.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When enabled, arw_size must be valid.
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128. Values above 127 are outside
	 * the documented range and should be rejected, not masked.
	 */
	u8 arw_size;

	/* no ip offload mode - enable/disable
	 * When enabled, ip type and address must not be valid.
	 */
	u8 no_ip_offload_en;

	/* SA Domain. Used to logical separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* crypto configuration (contains the raw keys; see
	 * virtchnl_ipsec_crypto_cfg_item for handling requirements)
	 */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
} __rte_packed;
 296
 297/* VIRTCHNL_OP_IPSEC_SA_UPDATE
 298 * VF send configuration of index of SA to PF
 299 * PF will update SA according to configuration
 300 */
/* Payload of INLINE_IPSEC_OP_SA_UPDATE. Only the ESN / sequence number of
 * an existing SA can be updated through this message; there is no way to
 * replace keys in place, so rekeying means creating a new SA and
 * destroying the old one. The PF answers with virtchnl_ipsec_resp.
 */
struct virtchnl_ipsec_sa_update {
	u32 sa_index; /* SA to update (sa_handle returned at create time) */
	u32 esn_hi; /* high 32 bits of esn */
	u32 esn_low; /* low 32 bits of esn */
} __rte_packed;
 306
 307/* VIRTCHNL_OP_IPSEC_SA_DESTROY
 308 * VF send configuration of index of SA to PF
 309 * PF will destroy SA according to configuration
 310 * flag bitmap indicate all SA or just selected SA will
 311 * be destroyed
 312 */
/* Payload of INLINE_IPSEC_OP_SA_DESTROY. flag is a bitmap over sa_index[]:
 * bit i selects sa_index[i], and the u8 width matches
 * VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM (8). Beware the documented special
 * case: a flag of zero destroys EVERY SA of the VF, so a zero-initialised
 * or half-filled message is a "destroy all" request. Senders must set flag
 * deliberately, and the PF should log/audit the all-zero form distinctly.
 */
struct virtchnl_ipsec_sa_destroy {
	/* All zero bitmap indicates all SA will be destroyed.
	 * Non-zero bitmap indicates the selected SA in
	 * array sa_index will be destroyed.
	 */
	u8 flag;

	/* selected SA index; entry i is used only when bit i of flag is set */
	u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
} __rte_packed;
 323
 324/* VIRTCHNL_OP_IPSEC_SA_READ
 325 * VF send this SA configuration to PF using virtchnl;
 326 * PF read SA and will return configuration for the created SA.
 327 */
/* Payload of INLINE_IPSEC_OP_SA_READ (marked reserved in inline_ipsec_msg):
 * the PF's view of an existing SA, its counters and anti-replay state.
 * The embedded crypto_cfg must come back with salt and key_data zeroed --
 * the PF must scrub them before replying, and a VF must never expect to
 * read key material back through this message.
 */
struct virtchnl_ipsec_sa_read {
	/* SA valid - invalid/valid */
	u8 valid;

	/* SA active - inactive/active */
	u8 active;

	/* SA SN rollover - not_rollover/rollover */
	u8 sn_rollover;

	/* IPsec SA Protocol - AH/ESP */
	u8 virtchnl_protocol_type;

	/* termination mode - value ref VIRTCHNL_TERM_XXX */
	u8 virtchnl_termination;

	/* auditing mode - enable/disable */
	u8 audit_en;

	/* lifetime byte limit - enable/disable
	 * When set to limit, byte_limit_hard and byte_limit_soft
	 * must be valid.
	 */
	u8 byte_limit_en;

	/* hard byte limit count */
	u64 byte_limit_hard;

	/* soft byte limit count */
	u64 byte_limit_soft;

	/* drop on authentication failure - enable/disable */
	u8 drop_on_auth_fail_en;

	/* anti-replay window check - enable/disable
	 * When set to check, arw_size, arw_top, and arw must be valid
	 */
	u8 arw_check_en;

	/* size of arw window, offset by 1. Setting to 0
	 * represents ARW window size of 1. Setting to 127
	 * represents ARW window size of 128
	 */
	u8 arw_size;

	/* reserved */
	u8 reserved1;

	/* top of anti-replay-window (highest sequence number seen) */
	u64 arw_top;

	/* anti-replay-window bitmap; 16 bytes = 128 bits, the maximum arw_size */
	u8 arw[16];

	/* packets processed  */
	u64 packets_processed;

	/* bytes processed  */
	u64 bytes_processed;

	/* packets dropped  */
	u32 packets_dropped;

	/* authentication failures */
	u32 auth_fails;

	/* ARW check failures */
	u32 arw_fails;

	/* type of esn - enable/disable */
	u8 esn;

	/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
	u8 virtchnl_direction;

	/* SA security parameter index */
	u32 spi;

	/* SA salt (expected to be 0; see the note on crypto_cfg) */
	u32 salt;

	/* high 32 bits of esn */
	u32 esn_hi;

	/* low 32 bits of esn */
	u32 esn_low;

	/* SA Domain. Used to logical separate an SADB into groups.
	 * PF drivers supporting a single group ignore this field.
	 */
	u16 sa_domain;

	/* SPD reference. Used to link an SA with its policy.
	 * PF drivers may ignore this field.
	 */
	u16 spd_ref;

	/* crypto configuration. Salt and keys are set to 0 by the PF before
	 * the reply leaves the trust boundary.
	 */
	struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
} __rte_packed;
 428
 429
/* table_id values for virtchnl_ipsec_sp_cfg / virtchnl_ipsec_sp_destroy */
#define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV4     (0)
#define VIRTCHNL_IPSEC_INBOUND_SPD_TBL_IPV6     (1)
 432
 433/* Add allowlist entry in IES */
/* Payload of INLINE_IPSEC_OP_SP_CREATE: add an inbound allowlist entry in
 * IES, keyed on SPI and destination IP. The PF answers with
 * virtchnl_ipsec_sp_cfg_resp, whose rule_id is needed later to delete
 * the entry. table_id, is_udp and drop are peer-supplied flags and should be
 * validated against the documented 0/1 values.
 */
struct virtchnl_ipsec_sp_cfg {
	u32 spi;
	u32 dip[4]; /* destination IP, 16 bytes; IPv4 placement not specified here */

	/* Drop frame if true or redirect to QAT if false. */
	u8 drop;

	/* Congestion domain. For future use. */
	u8 cgd;

	/* 0 for IPv4 table, 1 for IPv6 table (VIRTCHNL_IPSEC_INBOUND_SPD_TBL_*). */
	u8 table_id;

	/* Set TC (congestion domain) if true. For future use. */
	u8 set_tc;

	/* 0 for NAT-T unsupported, 1 for NAT-T supported */
	u8 is_udp;

	/* reserved */
	u8 reserved;

	/* NAT-T UDP port number. Only valid in case NAT-T supported (is_udp == 1) */
	u16 udp_port;
} __rte_packed;
 459
 460
 461/* Delete allowlist entry in IES */
/* Payload of INLINE_IPSEC_OP_SP_DESTROY: delete the allowlist entry that
 * SP_CREATE returned as rule_id, from the table it was created in.
 */
struct virtchnl_ipsec_sp_destroy {
	/* 0 for IPv4 table, 1 for IPv6 table. */
	u8 table_id;
	u32 rule_id; /* rule_id from virtchnl_ipsec_sp_cfg_resp */
} __rte_packed;
 467
 468/* Response from IES to allowlist operations */
/* Response from IES to allowlist operations (SP_CREATE). Single u32, so
 * no padding concern despite the missing __rte_packed.
 */
struct virtchnl_ipsec_sp_cfg_resp {
	u32 rule_id; /* handle for a later SP_DESTROY */
};
 472
/* Response to SA_CREATE: the index the PF assigned to the new SA, used as
 * sa_index in later SA_UPDATE / SA_DESTROY requests.
 */
struct virtchnl_ipsec_sa_cfg_resp {
	u32 sa_handle;
};
 476
/* Values for virtchnl_ipsec_event.ipsec_event_data (powers of two, so
 * presumably combinable as flags; confirm with the sender).
 */
#define INLINE_IPSEC_EVENT_RESET        0x1
#define INLINE_IPSEC_EVENT_CRYPTO_ON    0x2
#define INLINE_IPSEC_EVENT_CRYPTO_OFF   0x4
 480
/* Payload of INLINE_IPSEC_OP_EVENT (unsolicited; no req_id required). */
struct virtchnl_ipsec_event {
	u32 ipsec_event_data; /* INLINE_IPSEC_EVENT_* */
};
 484
/* Values reported in virtchnl_ipsec_status.status */
#define INLINE_IPSEC_STATUS_AVAILABLE   0x1
#define INLINE_IPSEC_STATUS_UNAVAILABLE 0x2
 487
/* Reply to INLINE_IPSEC_OP_GET_STATUS. */
struct virtchnl_ipsec_status {
	u32 status; /* INLINE_IPSEC_STATUS_* */
};
 491
/* Generic reply (SA_UPDATE, SA_DESTROY, SP_DESTROY, failures). Holds an
 * enum inline_ipsec_resp value, which is negative on error, in a u32;
 * convert back to a signed type before comparing.
 */
struct virtchnl_ipsec_resp {
	u32 resp;
};
 495
 496/* Internal message descriptor for VF <-> IPsec communication */
/* Internal message descriptor for VF <-> IPsec communication.
 * ipsec_data is a union of zero-length arrays (a GNU extension), so
 * sizeof(struct inline_ipsec_msg) covers only the 4-byte header; the
 * payload selected by ipsec_opcode follows in the same buffer. A receiver
 * must check the received length against
 * virtchnl_inline_ipsec_val_msg_len(ipsec_opcode) before reading any
 * member of ipsec_data; a message shorter than that is malformed.
 */
struct inline_ipsec_msg {
	u16 ipsec_opcode; /* enum inline_ipsec_ops */
	u16 req_id;       /* correlates a response with its request */

	union {
		/* IPsec request */
		struct virtchnl_ipsec_sa_cfg sa_cfg[0];
		struct virtchnl_ipsec_sp_cfg sp_cfg[0];
		struct virtchnl_ipsec_sa_update sa_update[0];
		struct virtchnl_ipsec_sa_destroy sa_destroy[0];
		struct virtchnl_ipsec_sp_destroy sp_destroy[0];

		/* IPsec response */
		struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
		struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
		struct virtchnl_ipsec_cap ipsec_cap[0];
		struct virtchnl_ipsec_status ipsec_status[0];
		/* response to del_sa, del_sp, update_sa */
		struct virtchnl_ipsec_resp ipsec_resp[0];

		/* IPsec event (no req_id is required) */
		struct virtchnl_ipsec_event event[0];

		/* Reserved (SA_READ is not sized by virtchnl_inline_ipsec_val_msg_len) */
		struct virtchnl_ipsec_sa_read sa_read[0];
	} ipsec_data;
} __rte_packed;
 524
/* Expected total length, in bytes, of an inline IPsec mailbox message.
 *
 * @param opcode  inline_ipsec_ops value from inline_ipsec_msg.ipsec_opcode
 * @return sizeof(struct inline_ipsec_msg) plus the size of the payload the
 *         opcode carries in ipsec_data; 0 for an opcode with no entry here.
 *
 * A receiver should compare the length it actually received against this
 * value before touching ipsec_data, and treat 0 as "reject the message".
 * INLINE_IPSEC_OP_SA_READ and INLINE_IPSEC_OP_EVENT have no entry and so
 * yield 0. INLINE_IPSEC_OP_RESP is listed only to size the response sent
 * back to the VF when an inline IPsec request fails.
 */
static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
{
	u16 payload_len;

	switch (opcode) {
	case INLINE_IPSEC_OP_GET_CAP:
	case INLINE_IPSEC_OP_GET_STATUS:
		/* Requests with nothing beyond the message header. */
		payload_len = 0;
		break;
	case INLINE_IPSEC_OP_SA_CREATE:
		payload_len = sizeof(struct virtchnl_ipsec_sa_cfg);
		break;
	case INLINE_IPSEC_OP_SP_CREATE:
		payload_len = sizeof(struct virtchnl_ipsec_sp_cfg);
		break;
	case INLINE_IPSEC_OP_SA_UPDATE:
		payload_len = sizeof(struct virtchnl_ipsec_sa_update);
		break;
	case INLINE_IPSEC_OP_SA_DESTROY:
		payload_len = sizeof(struct virtchnl_ipsec_sa_destroy);
		break;
	case INLINE_IPSEC_OP_SP_DESTROY:
		payload_len = sizeof(struct virtchnl_ipsec_sp_destroy);
		break;
	case INLINE_IPSEC_OP_RESP:
		/* Failure response to the VF; see the note above. */
		payload_len = sizeof(struct virtchnl_ipsec_resp);
		break;
	default:
		/* Unknown or unsized opcode: no valid length. */
		return 0;
	}

	return (u16)(sizeof(struct inline_ipsec_msg) + payload_len);
}
 561
 562#endif /* _VIRTCHNL_INLINE_IPSEC_H_ */
 563