1 /* 2 * Copyright (c) 2017 Mellanox Technologies. All rights reserved. 3 * 4 * This software is available to you under a choice of one of two 5 * licenses. You may choose to be licensed under the terms of the GNU 6 * General Public License (GPL) Version 2, available from the file 7 * COPYING in the main directory of this source tree, or the 8 * OpenIB.org BSD license below: 9 * 10 * Redistribution and use in source and binary forms, with or 11 * without modification, are permitted provided that the following 12 * conditions are met: 13 * 14 * - Redistributions of source code must retain the above 15 * copyright notice, this list of conditions and the following 16 * disclaimer. 17 * 18 * - Redistributions in binary form must reproduce the above 19 * copyright notice, this list of conditions and the following 20 * disclaimer in the documentation and/or other materials 21 * provided with the distribution. 22 * 23 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 24 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 25 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 26 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 27 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 28 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 29 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 30 * SOFTWARE. 31 * 32 */ 33 34 #ifndef __MLX5E_IPSEC_H__ 35 #define __MLX5E_IPSEC_H__ 36 37 #ifdef CONFIG_MLX5_EN_IPSEC 38 39 #include <linux/mlx5/device.h> 40 #include <net/xfrm.h> 41 #include <linux/idr.h> 42 43 #define MLX5E_IPSEC_SADB_RX_BITS 10 44 #define MLX5E_IPSEC_ESN_SCOPE_MID 0x80000000L 45 46 enum mlx5_accel_esp_flags { 47 MLX5_ACCEL_ESP_FLAGS_TUNNEL = 0, /* Default */ 48 MLX5_ACCEL_ESP_FLAGS_TRANSPORT = 1UL << 0, 49 MLX5_ACCEL_ESP_FLAGS_ESN_TRIGGERED = 1UL << 1, 50 MLX5_ACCEL_ESP_FLAGS_ESN_STATE_OVERLAP = 1UL << 2, 51 }; 52 53 enum mlx5_accel_esp_action { 54 MLX5_ACCEL_ESP_ACTION_DECRYPT, 55 MLX5_ACCEL_ESP_ACTION_ENCRYPT, 56 }; 57 58 struct aes_gcm_keymat { 59 u64 seq_iv; 60 61 u32 salt; 62 u32 icv_len; 63 64 u32 key_len; 65 u32 aes_key[256 / 32]; 66 }; 67 68 struct mlx5_accel_esp_xfrm_attrs { 69 enum mlx5_accel_esp_action action; 70 u32 esn; 71 u32 spi; 72 u32 flags; 73 struct aes_gcm_keymat aes_gcm; 74 75 union { 76 __be32 a4; 77 __be32 a6[4]; 78 } saddr; 79 80 union { 81 __be32 a4; 82 __be32 a6[4]; 83 } daddr; 84 85 u8 is_ipv6; 86 }; 87 88 enum mlx5_ipsec_cap { 89 MLX5_IPSEC_CAP_CRYPTO = 1 << 0, 90 MLX5_IPSEC_CAP_ESN = 1 << 1, 91 }; 92 93 struct mlx5e_priv; 94 95 struct mlx5e_ipsec_sw_stats { 96 atomic64_t ipsec_rx_drop_sp_alloc; 97 atomic64_t ipsec_rx_drop_sadb_miss; 98 atomic64_t ipsec_rx_drop_syndrome; 99 atomic64_t ipsec_tx_drop_bundle; 100 atomic64_t ipsec_tx_drop_no_state; 101 atomic64_t ipsec_tx_drop_not_ip; 102 atomic64_t ipsec_tx_drop_trailer; 103 }; 104 105 struct mlx5e_accel_fs_esp; 106 struct mlx5e_ipsec_tx; 107 108 struct mlx5e_ipsec { 109 struct mlx5_core_dev *mdev; 110 DECLARE_HASHTABLE(sadb_rx, MLX5E_IPSEC_SADB_RX_BITS); 111 spinlock_t sadb_rx_lock; /* Protects sadb_rx */ 112 struct mlx5e_ipsec_sw_stats sw_stats; 113 struct workqueue_struct *wq; 114 struct mlx5e_accel_fs_esp *rx_fs; 115 struct mlx5e_ipsec_tx *tx_fs; 116 }; 117 118 struct mlx5e_ipsec_esn_state { 119 u32 esn; 120 u8 trigger: 1; 121 u8 overlap: 1; 122 }; 123 124 struct mlx5e_ipsec_rule { 125 struct mlx5_flow_handle *rule; 126 struct mlx5_modify_hdr *set_modify_hdr; 127 }; 128 129 struct mlx5e_ipsec_modify_state_work { 130 struct work_struct work; 131 struct mlx5_accel_esp_xfrm_attrs attrs; 132 }; 133 134 struct mlx5e_ipsec_sa_entry { 135 struct hlist_node hlist; /* Item in SADB_RX hashtable */ 136 struct mlx5e_ipsec_esn_state esn_state; 137 unsigned int handle; /* Handle in SADB_RX */ 138 struct xfrm_state *x; 139 struct mlx5e_ipsec *ipsec; 140 struct mlx5_accel_esp_xfrm_attrs attrs; 141 void (*set_iv_op)(struct sk_buff *skb, struct xfrm_state *x, 142 struct xfrm_offload *xo); 143 u32 ipsec_obj_id; 144 u32 enc_key_id; 145 struct mlx5e_ipsec_rule ipsec_rule; 146 struct mlx5e_ipsec_modify_state_work modify_work; 147 }; 148 149 int mlx5e_ipsec_init(struct mlx5e_priv *priv); 150 void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv); 151 void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv); 152 153 struct xfrm_state *mlx5e_ipsec_sadb_rx_lookup(struct mlx5e_ipsec *dev, 154 unsigned int handle); 155 156 void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec); 157 int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec *ipsec); 158 int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_priv *priv, 159 struct mlx5e_ipsec_sa_entry *sa_entry); 160 void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_priv *priv, 161 struct mlx5e_ipsec_sa_entry *sa_entry); 162 163 int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); 164 void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry); 165 166 u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev); 167 168 void mlx5_accel_esp_modify_xfrm(struct mlx5e_ipsec_sa_entry *sa_entry, 169 const struct mlx5_accel_esp_xfrm_attrs *attrs); 170 171 static inline struct mlx5_core_dev * 172 mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry) 173 { 174 return sa_entry->ipsec->mdev; 175 } 176 #else 177 static inline int mlx5e_ipsec_init(struct mlx5e_priv *priv) 178 { 179 return 0; 180 } 181 182 static inline void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv) 183 { 184 } 185 186 static inline void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv) 187 { 188 } 189 190 static inline u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev) 191 { 192 return 0; 193 } 194 #endif 195 196 #endif /* __MLX5E_IPSEC_H__ */ 197