1 /* 2 * Copyright (c) 2017 Mellanox Technologies. All rights reserved. 3 * 4 * This software is available to you under a choice of one of two 5 * licenses. You may choose to be licensed under the terms of the GNU 6 * General Public License (GPL) Version 2, available from the file 7 * COPYING in the main directory of this source tree, or the 8 * OpenIB.org BSD license below: 9 * 10 * Redistribution and use in source and binary forms, with or 11 * without modification, are permitted provided that the following 12 * conditions are met: 13 * 14 * - Redistributions of source code must retain the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer. 17 * 18 * - Redistributions in binary form must reproduce the above 19 * copyright notice, this list of conditions and the following 20 * disclaimer in the documentation and/or other materials 21 * provided with the distribution. 22 * 23 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 24 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 25 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 26 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 27 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 28 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 29 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 30 * SOFTWARE. 31 * 32 */ 33 34 #ifndef __MLX5E_IPSEC_H__ 35 #define __MLX5E_IPSEC_H__ 36 37 #include <linux/mlx5/device.h> 38 #include <net/xfrm.h> 39 #include <linux/idr.h> 40 #include "lib/aso.h" 41 42 #define MLX5E_IPSEC_SADB_RX_BITS 10 43 #define MLX5E_IPSEC_ESN_SCOPE_MID 0x80000000L 44 45 struct aes_gcm_keymat { 46 u64 seq_iv; 47 48 u32 salt; 49 u32 icv_len; 50 51 u32 key_len; 52 u32 aes_key[256 / 32]; 53 }; 54 55 struct upspec { 56 u16 dport; 57 u16 dport_mask; 58 u16 sport; 59 u16 sport_mask; 60 u8 proto; 61 }; 62 63 struct mlx5_ipsec_lft { 64 u64 hard_packet_limit; 65 u64 soft_packet_limit; 66 u64 numb_rounds_hard; 67 u64 numb_rounds_soft; 68 }; 69 70 struct mlx5_replay_esn { 71 u32 replay_window; 72 u32 esn; 73 u32 esn_msb; 74 u8 overlap : 1; 75 u8 trigger : 1; 76 }; 77 78 struct mlx5_accel_esp_xfrm_attrs { 79 u32 spi; 80 u32 mode; 81 struct aes_gcm_keymat aes_gcm; 82 83 union { 84 __be32 a4; 85 __be32 a6[4]; 86 } saddr; 87 88 union { 89 __be32 a4; 90 __be32 a6[4]; 91 } daddr; 92 93 struct upspec upspec; 94 u8 dir : 2; 95 u8 type : 2; 96 u8 drop : 1; 97 u8 family; 98 struct mlx5_replay_esn replay_esn; 99 u32 authsize; 100 u32 reqid; 101 struct mlx5_ipsec_lft lft; 102 u8 smac[ETH_ALEN]; 103 u8 dmac[ETH_ALEN]; 104 }; 105 106 enum mlx5_ipsec_cap { 107 MLX5_IPSEC_CAP_CRYPTO = 1 << 0, 108 MLX5_IPSEC_CAP_ESN = 1 << 1, 109 MLX5_IPSEC_CAP_PACKET_OFFLOAD = 1 << 2, 110 MLX5_IPSEC_CAP_ROCE = 1 << 3, 111 MLX5_IPSEC_CAP_PRIO = 1 << 4, 112 MLX5_IPSEC_CAP_TUNNEL = 1 << 5, 113 }; 114 115 struct mlx5e_priv; 116 117 struct mlx5e_ipsec_hw_stats { 118 u64 ipsec_rx_pkts; 119 u64 ipsec_rx_bytes; 120 u64 ipsec_rx_drop_pkts; 121 u64 ipsec_rx_drop_bytes; 122 u64 ipsec_tx_pkts; 123 u64 ipsec_tx_bytes; 124 u64 ipsec_tx_drop_pkts; 125 u64 ipsec_tx_drop_bytes; 126 }; 127 128 struct mlx5e_ipsec_sw_stats { 129 atomic64_t ipsec_rx_drop_sp_alloc; 130 atomic64_t ipsec_rx_drop_sadb_miss; 131 atomic64_t ipsec_rx_drop_syndrome; 132 atomic64_t ipsec_tx_drop_bundle; 133 atomic64_t ipsec_tx_drop_no_state; 134 atomic64_t ipsec_tx_drop_not_ip; 135 atomic64_t ipsec_tx_drop_trailer; 136 }; 137 138 struct mlx5e_ipsec_rx; 139 struct mlx5e_ipsec_tx; 140 141 struct mlx5e_ipsec_work { 142 struct work_struct work; 143 struct mlx5e_ipsec_sa_entry *sa_entry; 144 void *data; 145 }; 146 147 struct mlx5e_ipsec_netevent_data { 148 u8 addr[ETH_ALEN]; 149 }; 150 151 struct mlx5e_ipsec_dwork { 152 struct delayed_work dwork; 153 struct mlx5e_ipsec_sa_entry *sa_entry; 154 }; 155 156 struct mlx5e_ipsec_aso { 157 u8 __aligned(64) ctx[MLX5_ST_SZ_BYTES(ipsec_aso)]; 158 dma_addr_t dma_addr; 159 struct mlx5_aso *aso; 160 /* Protect ASO WQ access, as it is global to whole IPsec */ 161 spinlock_t lock; 162 }; 163 164 struct mlx5e_ipsec { 165 struct mlx5_core_dev *mdev; 166 struct xarray sadb; 167 struct mlx5e_ipsec_sw_stats sw_stats; 168 struct mlx5e_ipsec_hw_stats hw_stats; 169 struct workqueue_struct *wq; 170 struct mlx5e_flow_steering *fs; 171 struct mlx5e_ipsec_rx *rx_ipv4; 172 struct mlx5e_ipsec_rx *rx_ipv6; 173 struct mlx5e_ipsec_tx *tx; 174 struct mlx5e_ipsec_aso *aso; 175 struct notifier_block nb; 176 struct notifier_block netevent_nb; 177 struct mlx5_ipsec_fs *roce; 178 }; 179 180 struct mlx5e_ipsec_esn_state { 181 u32 esn; 182 u32 esn_msb; 183 u8 overlap: 1; 184 }; 185 186 struct mlx5e_ipsec_rule { 187 struct mlx5_flow_handle *rule; 188 struct mlx5_modify_hdr *modify_hdr; 189 struct mlx5_pkt_reformat *pkt_reformat; 190 struct mlx5_fc *fc; 191 }; 192 193 struct mlx5e_ipsec_limits { 194 u64 round; 195 u8 soft_limit_hit : 1; 196 u8 fix_limit : 1; 197 }; 198 199 struct mlx5e_ipsec_sa_entry { 200 struct mlx5e_ipsec_esn_state esn_state; 201 struct xfrm_state *x; 202 struct mlx5e_ipsec *ipsec; 203 struct mlx5_accel_esp_xfrm_attrs attrs; 204 void (*set_iv_op)(struct sk_buff *skb, struct xfrm_state *x, 205 struct xfrm_offload *xo); 206 u32 ipsec_obj_id; 207 u32 enc_key_id; 208 struct mlx5e_ipsec_rule ipsec_rule; 209 struct mlx5e_ipsec_work *work; 210 struct mlx5e_ipsec_dwork *dwork; 211 struct mlx5e_ipsec_limits limits; 212 }; 213 214 struct mlx5_accel_pol_xfrm_attrs { 215 union { 216 __be32 a4; 217 __be32 a6[4]; 218 } saddr; 219 220 union { 221 __be32 a4; 222 __be32 a6[4]; 223 } daddr; 224 225 struct upspec upspec; 226 u8 family; 227 u8 action; 228 u8 type : 2; 229 u8 dir : 2; 230 u32 reqid; 231 u32 prio; 232 }; 233 234 struct mlx5e_ipsec_pol_entry { 235 struct xfrm_policy *x; 236 struct mlx5e_ipsec *ipsec; 237 struct mlx5e_ipsec_rule ipsec_rule; 238 struct mlx5_accel_pol_xfrm_attrs attrs; 239 }; 240 241 #ifdef CONFIG_MLX5_EN_IPSEC 242 243 void mlx5e_ipsec_init(struct mlx5e_priv *priv); 244 void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv); 245 void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv); 246 247 void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec); 248 int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec); 249 int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry); 250 void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry); 251 int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry); 252 void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry); 253 void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry); 254 bool mlx5e_ipsec_fs_tunnel_enabled(struct mlx5e_ipsec_sa_entry *sa_entry); 255 256 int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); 257 void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); 258 259 u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev); 260 261 void mlx5_accel_esp_modify_xfrm(struct mlx5e_ipsec_sa_entry *sa_entry, 262 const struct mlx5_accel_esp_xfrm_attrs *attrs); 263 264 int mlx5e_ipsec_aso_init(struct mlx5e_ipsec *ipsec); 265 void mlx5e_ipsec_aso_cleanup(struct mlx5e_ipsec *ipsec); 266 267 int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry, 268 struct mlx5_wqe_aso_ctrl_seg *data); 269 void mlx5e_accel_ipsec_fs_read_stats(struct mlx5e_priv *priv, 270 void *ipsec_stats); 271 272 void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry, 273 struct mlx5_accel_esp_xfrm_attrs *attrs); 274 static inline struct mlx5_core_dev * 275 mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry) 276 { 277 return sa_entry->ipsec->mdev; 278 } 279 280 static inline struct mlx5_core_dev * 281 mlx5e_ipsec_pol2dev(struct mlx5e_ipsec_pol_entry *pol_entry) 282 { 283 return pol_entry->ipsec->mdev; 284 } 285 286 static inline bool addr6_all_zero(__be32 *addr6) 287 { 288 static const __be32 zaddr6[4] = {}; 289 290 return !memcmp(addr6, zaddr6, sizeof(zaddr6)); 291 } 292 #else 293 static inline void mlx5e_ipsec_init(struct mlx5e_priv *priv) 294 { 295 } 296 297 static inline void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv) 298 { 299 } 300 301 static inline void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) 302 { 303 } 304 305 static inline u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev) 306 { 307 return 0; 308 } 309 #endif 310 311 #endif /* __MLX5E_IPSEC_H__ */ 312