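/*
 * Copyright (c) 2017 Mellanox Technologies. All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses. You may choose to be licensed under the terms of the GNU
 * General Public License (GPL) Version 2, available from the file
 * COPYING in the main directory of this source tree, or the
 * OpenIB.org BSD license below:
 *
 *     Redistribution and use in source and binary forms, with or
 *     without modification, are permitted provided that the following
 *     conditions are met:
 *
 *      - Redistributions of source code must retain the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer.
 *
 *      - Redistributions in binary form must reproduce the above
 *        copyright notice, this list of conditions and the following
 *        disclaimer in the documentation and/or other materials
 *        provided with the distribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 *
 */

#ifndef __MLX5E_IPSEC_H__
#define __MLX5E_IPSEC_H__

#include <linux/mlx5/device.h>
#include <net/xfrm.h>
#include <linux/idr.h>
#include "lib/aso.h"
#include "lib/devcom.h"

/* NOTE(review): presumably log2 of the RX SADB size; its user is not in this header. */
#define MLX5E_IPSEC_SADB_RX_BITS 10
/* 2^31, i.e. the midpoint of a 32-bit sequence-number space. */
#define MLX5E_IPSEC_ESN_SCOPE_MID 0x80000000L

/*
 * AES-GCM keying material, embedded in struct mlx5_accel_esp_xfrm_attrs.
 *
 * The struct carries the raw key and salt, so every copy of it (and of any
 * struct that embeds it) is secret data.
 * NOTE(review): nothing in this header wipes it; confirm each holder clears
 * it (e.g. memzero_explicit()) once the SA is released.
 */
struct aes_gcm_keymat {
	u64 seq_iv;

	u32 salt;
	u32 icv_len;

	/*
	 * NOTE(review): the unit of key_len (bits or bytes) is not visible
	 * here. Any copy into aes_key must be bounded by sizeof(aes_key).
	 */
	u32 key_len;
	u32 aes_key[256 / 32];	/* 8 x u32: room for a key of up to 256 bits */
};

/* Upper-layer selector: destination/source port, each with a mask, and a protocol. */
struct upspec {
	u16 dport;
	u16 dport_mask;
	u16 sport;
	u16 sport_mask;
	u8 proto;
};

/* Packet-count lifetime: hard and soft limits plus a round counter for each. */
struct mlx5_ipsec_lft {
	u64 hard_packet_limit;
	u64 soft_packet_limit;
	u64 numb_rounds_hard;
	u64 numb_rounds_soft;
};

/* Anti-replay state: window size plus the low (esn) and high (esn_msb) sequence words. */
struct mlx5_replay_esn {
	u32 replay_window;
	u32 esn;
	u32 esn_msb;
	u8 overlap : 1;
	u8 trigger : 1;
};

/*
 * Attributes of one ESP SA: SPI, mode, AES-GCM keys, addresses, selector,
 * replay/ESN state and lifetime. Contains key material via aes_gcm, so a
 * stack or heap copy of this struct is as sensitive as the key itself.
 */
struct mlx5_accel_esp_xfrm_attrs {
	u32 spi;
	u32 mode;
	struct aes_gcm_keymat aes_gcm;

	/* a4 and a6 overlay each other; presumably selected by family - confirm. */
	union {
		__be32 a4;
		__be32 a6[4];
	} saddr;

	union {
		__be32 a4;
		__be32 a6[4];
	} daddr;

	struct upspec upspec;
	u8 dir : 2;
	u8 type : 2;
	u8 drop : 1;
	u8 encap : 1;
	u8 family;
	struct mlx5_replay_esn replay_esn;
	u32 authsize;
	u32 reqid;
	struct mlx5_ipsec_lft lft;
	/*
	 * smac/sport and dmac/dport share storage: only one member of each
	 * union is meaningful at a time. The discriminator is not visible in
	 * this header (NOTE(review): presumably type/encap - confirm).
	 */
	union {
		u8 smac[ETH_ALEN];
		__be16 sport;
	};
	union {
		u8 dmac[ETH_ALEN];
		__be16 dport;
	};
};

/*
 * Capability bits; each value is a distinct power of two so they can be
 * OR-ed into one mask.
 * NOTE(review): presumably the mask returned by mlx5_ipsec_device_caps().
 */
enum mlx5_ipsec_cap {
	MLX5_IPSEC_CAP_CRYPTO = 1 << 0,
	MLX5_IPSEC_CAP_ESN = 1 << 1,
	MLX5_IPSEC_CAP_PACKET_OFFLOAD = 1 << 2,
	MLX5_IPSEC_CAP_ROCE = 1 << 3,
	MLX5_IPSEC_CAP_PRIO = 1 << 4,
	MLX5_IPSEC_CAP_TUNNEL = 1 << 5,
	MLX5_IPSEC_CAP_ESPINUDP = 1 << 6,
};

struct mlx5e_priv;

/* RX/TX packet, byte and drop counters (plain u64, no locking visible here). */
struct mlx5e_ipsec_hw_stats {
	u64 ipsec_rx_pkts;
	u64 ipsec_rx_bytes;
	u64 ipsec_rx_drop_pkts;
	u64 ipsec_rx_drop_bytes;
	u64 ipsec_tx_pkts;
	u64 ipsec_tx_bytes;
	u64 ipsec_tx_drop_pkts;
	u64 ipsec_tx_drop_bytes;
};

/* Per-reason drop counters, kept as atomic64_t. */
struct mlx5e_ipsec_sw_stats {
	atomic64_t ipsec_rx_drop_sp_alloc;
	atomic64_t ipsec_rx_drop_sadb_miss;
	atomic64_t ipsec_tx_drop_bundle;
	atomic64_t ipsec_tx_drop_no_state;
	atomic64_t ipsec_tx_drop_not_ip;
	atomic64_t ipsec_tx_drop_trailer;
};

struct mlx5e_ipsec_fc;
struct mlx5e_ipsec_tx;

/*
 * Work item bound to one SA entry, with an untyped payload pointer.
 * NOTE(review): ownership and lifetime of data are not visible here.
 */
struct mlx5e_ipsec_work {
	struct work_struct work;
	struct mlx5e_ipsec_sa_entry *sa_entry;
	void *data;
};

/* One Ethernet (ETH_ALEN-byte) address. */
struct mlx5e_ipsec_netevent_data {
	u8 addr[ETH_ALEN];
};

/* Delayed work item bound to one SA entry. */
struct mlx5e_ipsec_dwork {
	struct delayed_work dwork;
	struct mlx5e_ipsec_sa_entry *sa_entry;
};

/* ASO context: a 64-byte-aligned ctx buffer, its DMA address and the ASO handle. */
struct mlx5e_ipsec_aso {
	u8 __aligned(64) ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
	dma_addr_t dma_addr;
	struct mlx5_aso *aso;
	/* Protect ASO WQ access, as it is global to whole IPsec */
	spinlock_t lock;
};

/* Parameters for creating the RX tables: namespace, TTC table, family, priority and levels. */
struct mlx5e_ipsec_rx_create_attr {
	struct mlx5_flow_namespace *ns;
	struct mlx5_ttc_table *ttc;
	u32 family;
	int prio;
	int pol_level;
	int sa_level;
	int status_level;
	enum mlx5_flow_namespace_type chains_ns;
};

/* Policy, SA and status flow tables with a reference count. */
struct mlx5e_ipsec_ft {
	struct mutex mutex; /* Protect changes to this struct */
	struct mlx5_flow_table *pol;
	struct mlx5_flow_table *sa;
	struct mlx5_flow_table *status;
	u32 refcnt;
};

/* A flow rule paired with a flow counter. */
struct mlx5e_ipsec_drop {
	struct mlx5_flow_handle *rule;
	struct mlx5_fc *fc;
};

/*
 * Steering objects held for one SA or policy: the rule, its header-modify and
 * packet-reformat objects, a counter, and three rule/counter pairs named
 * replay, auth and trailer.
 */
struct mlx5e_ipsec_rule {
	struct mlx5_flow_handle *rule;
	struct mlx5_modify_hdr *modify_hdr;
	struct mlx5_pkt_reformat *pkt_reformat;
	struct mlx5_fc *fc;
	struct mlx5e_ipsec_drop replay;
	struct mlx5e_ipsec_drop auth;
	struct mlx5e_ipsec_drop trailer;
};

/* A flow group and the rule installed in it. */
struct mlx5e_ipsec_miss {
	struct mlx5_flow_group *group;
	struct mlx5_flow_handle *rule;
};

/* Parameters for creating the TX tables: priority, levels and chains namespace. */
struct mlx5e_ipsec_tx_create_attr {
	int prio;
	int pol_level;
	int sa_level;
	int cnt_level;
	enum mlx5_flow_namespace_type chains_ns;
};

/* Work item carrying an event code and the two mlx5e_priv pointers it concerns. */
struct mlx5e_ipsec_mpv_work {
	int event;
	struct work_struct work;
	struct mlx5e_priv *slave_priv;
	struct mlx5e_priv *master_priv;
};

/*
 * IPsec offload context: the core device, the SADB xarray, counters, the
 * workqueue, RX/TX table sets, the ASO context, notifier blocks and the
 * object-id map.
 */
struct mlx5e_ipsec {
	struct mlx5_core_dev *mdev;
	struct xarray sadb;
	struct mlx5e_ipsec_sw_stats sw_stats;
	struct mlx5e_ipsec_hw_stats hw_stats;
	struct workqueue_struct *wq;
	struct completion comp;
	struct mlx5e_flow_steering *fs;
	struct mlx5e_ipsec_rx *rx_ipv4;
	struct mlx5e_ipsec_rx *rx_ipv6;
	struct mlx5e_ipsec_rx *rx_esw;
	struct mlx5e_ipsec_tx *tx;
	struct mlx5e_ipsec_tx *tx_esw;
	struct mlx5e_ipsec_aso *aso;
	struct notifier_block nb;
	struct notifier_block netevent_nb;
	struct mlx5_ipsec_fs *roce;
	u8 is_uplink_rep: 1;
	struct mlx5e_ipsec_mpv_work mpv_work;
	struct xarray ipsec_obj_id_map;
};

/* Low and high sequence words plus the overlap flag. */
struct mlx5e_ipsec_esn_state {
	u32 esn;
	u32 esn_msb;
	u8 overlap: 1;
};

/* Lifetime bookkeeping: a round counter and two one-bit flags. */
struct mlx5e_ipsec_limits {
	u64 round;
	u8 soft_limit_hit : 1;
	u8 fix_limit : 1;
};

/*
 * Driver state for one offloaded SA. attrs embeds the AES-GCM key material,
 * so this object must be treated as secret-bearing for as long as it lives.
 */
struct mlx5e_ipsec_sa_entry {
	struct mlx5e_ipsec_esn_state esn_state;
	struct xfrm_state *x;
	struct mlx5e_ipsec *ipsec;
	struct mlx5_accel_esp_xfrm_attrs attrs;
	void (*set_iv_op)(struct sk_buff *skb, struct xfrm_state *x,
			  struct xfrm_offload *xo);
	u32 ipsec_obj_id;
	u32 enc_key_id;
	struct mlx5e_ipsec_rule ipsec_rule;
	struct mlx5e_ipsec_work *work;
	struct mlx5e_ipsec_dwork *dwork;
	struct mlx5e_ipsec_limits limits;
	u32 rx_mapped_id;
};

/* Attributes of one policy: addresses, selector, family, action, type, direction, reqid, priority. */
struct mlx5_accel_pol_xfrm_attrs {
	union {
		__be32 a4;
		__be32 a6[4];
	} saddr;

	union {
		__be32 a4;
		__be32 a6[4];
	} daddr;

	struct upspec upspec;
	u8 family;
	u8 action;
	u8 type : 2;
	u8 dir : 2;
	u32 reqid;
	u32 prio;
};

/* Driver state for one offloaded policy. */
struct mlx5e_ipsec_pol_entry {
	struct xfrm_policy *x;
	struct mlx5e_ipsec *ipsec;
	struct mlx5e_ipsec_rule ipsec_rule;
	struct mlx5_accel_pol_xfrm_attrs attrs;
};

#ifdef CONFIG_MLX5_EN_IPSEC

/* The functions declared below are defined outside this header. */
void mlx5e_ipsec_init(struct mlx5e_priv *priv);
void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv);
void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv);

void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec);
int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec, struct mlx5_devcom_comp_dev **devcom);
int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry);

int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);

u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev);

void mlx5_accel_esp_modify_xfrm(struct mlx5e_ipsec_sa_entry *sa_entry,
				const struct mlx5_accel_esp_xfrm_attrs *attrs);

int mlx5e_ipsec_aso_init(struct mlx5e_ipsec *ipsec);
void mlx5e_ipsec_aso_cleanup(struct mlx5e_ipsec *ipsec);

int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
			  struct mlx5_wqe_aso_ctrl_seg *data);
void mlx5e_accel_ipsec_fs_read_stats(struct mlx5e_priv *priv,
				     void *ipsec_stats);

/*
 * Fills a caller-provided attrs struct for sa_entry.
 * NOTE(review): attrs embeds key material, so a caller that passes a
 * temporary should wipe it afterwards - confirm at the call sites.
 */
void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
					struct mlx5_accel_esp_xfrm_attrs *attrs);
void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
				  struct mlx5e_priv *master_priv);
void mlx5e_ipsec_send_event(struct mlx5e_priv *priv, int event);

/*
 * Return the core device behind an SA entry.
 * Dereferences sa_entry and sa_entry->ipsec without a NULL check; the
 * caller must pass an entry whose ipsec pointer is already set.
 */
static inline struct mlx5_core_dev *
mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry)
{
	return sa_entry->ipsec->mdev;
}

/*
 * Return the core device behind a policy entry.
 * Dereferences pol_entry and pol_entry->ipsec without a NULL check; the
 * caller must pass an entry whose ipsec pointer is already set.
 */
static inline struct mlx5_core_dev *
mlx5e_ipsec_pol2dev(struct mlx5e_ipsec_pol_entry *pol_entry)
{
	return pol_entry->ipsec->mdev;
}

/*
 * Return true when the four 32-bit words at addr6 are all zero.
 * addr6 must point to at least 4 * sizeof(__be32) readable bytes; the
 * pointer is only read, hence const.
 */
static inline bool addr6_all_zero(const __be32 *addr6)
{
	static const __be32 zaddr6[4] = {};

	return !memcmp(addr6, zaddr6, sizeof(zaddr6));
}
#else
/*
 * CONFIG_MLX5_EN_IPSEC is off: empty stubs so callers need no #ifdef.
 * mlx5_ipsec_device_caps() returns 0, i.e. no capability bit is set.
 */
static inline void mlx5e_ipsec_init(struct mlx5e_priv *priv)
{
}

static inline void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
{
}

static inline void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
{
}

static inline u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
{
	return 0;
}

static inline void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
						struct mlx5e_priv *master_priv)
{
}

static inline void mlx5e_ipsec_send_event(struct mlx5e_priv *priv, int event)
{
}
#endif

#endif /* __MLX5E_IPSEC_H__ */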