xref: /openbmc/linux/drivers/net/netdevsim/ipsec.c (revision 40d3b219)
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
3 
4 #include <crypto/aead.h>
5 #include <linux/debugfs.h>
6 #include <net/xfrm.h>
7 
8 #include "netdevsim.h"
9 
10 #define NSIM_IPSEC_AUTH_BITS	128
11 
12 static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
13 					char __user *buffer,
14 					size_t count, loff_t *ppos)
15 {
16 	struct netdevsim *ns = filp->private_data;
17 	struct nsim_ipsec *ipsec = &ns->ipsec;
18 	size_t bufsize;
19 	char *buf, *p;
20 	int len;
21 	int i;
22 
23 	/* the buffer needed is
24 	 * (num SAs * 3 lines each * ~60 bytes per line) + one more line
25 	 */
26 	bufsize = (ipsec->count * 4 * 60) + 60;
27 	buf = kzalloc(bufsize, GFP_KERNEL);
28 	if (!buf)
29 		return -ENOMEM;
30 
31 	p = buf;
32 	p += scnprintf(p, bufsize - (p - buf),
33 		       "SA count=%u tx=%u\n",
34 		       ipsec->count, ipsec->tx);
35 
36 	for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
37 		struct nsim_sa *sap = &ipsec->sa[i];
38 
39 		if (!sap->used)
40 			continue;
41 
42 		p += scnprintf(p, bufsize - (p - buf),
43 			       "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
44 			       i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
45 			       sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
46 		p += scnprintf(p, bufsize - (p - buf),
47 			       "sa[%i]    spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
48 			       i, be32_to_cpu(sap->xs->id.spi),
49 			       sap->xs->id.proto, sap->salt, sap->crypt);
50 		p += scnprintf(p, bufsize - (p - buf),
51 			       "sa[%i]    key=0x%08x %08x %08x %08x\n",
52 			       i, sap->key[0], sap->key[1],
53 			       sap->key[2], sap->key[3]);
54 	}
55 
56 	len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
57 
58 	kfree(buf);
59 	return len;
60 }
61 
62 static const struct file_operations ipsec_dbg_fops = {
63 	.owner = THIS_MODULE,
64 	.open = simple_open,
65 	.read = nsim_dbg_netdev_ops_read,
66 };
67 
68 static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
69 {
70 	u32 i;
71 
72 	if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
73 		return -ENOSPC;
74 
75 	/* search sa table */
76 	for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
77 		if (!ipsec->sa[i].used)
78 			return i;
79 	}
80 
81 	return -ENOSPC;
82 }
83 
84 static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
85 				       u32 *mykey, u32 *mysalt)
86 {
87 	const char aes_gcm_name[] = "rfc4106(gcm(aes))";
88 	struct net_device *dev = xs->xso.real_dev;
89 	unsigned char *key_data;
90 	char *alg_name = NULL;
91 	int key_len;
92 
93 	if (!xs->aead) {
94 		netdev_err(dev, "Unsupported IPsec algorithm\n");
95 		return -EINVAL;
96 	}
97 
98 	if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
99 		netdev_err(dev, "IPsec offload requires %d bit authentication\n",
100 			   NSIM_IPSEC_AUTH_BITS);
101 		return -EINVAL;
102 	}
103 
104 	key_data = &xs->aead->alg_key[0];
105 	key_len = xs->aead->alg_key_len;
106 	alg_name = xs->aead->alg_name;
107 
108 	if (strcmp(alg_name, aes_gcm_name)) {
109 		netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
110 			   aes_gcm_name);
111 		return -EINVAL;
112 	}
113 
114 	/* 160 accounts for 16 byte key and 4 byte salt */
115 	if (key_len > NSIM_IPSEC_AUTH_BITS) {
116 		*mysalt = ((u32 *)key_data)[4];
117 	} else if (key_len == NSIM_IPSEC_AUTH_BITS) {
118 		*mysalt = 0;
119 	} else {
120 		netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
121 		return -EINVAL;
122 	}
123 	memcpy(mykey, key_data, 16);
124 
125 	return 0;
126 }
127 
128 static int nsim_ipsec_add_sa(struct xfrm_state *xs,
129 			     struct netlink_ext_ack *extack)
130 {
131 	struct nsim_ipsec *ipsec;
132 	struct net_device *dev;
133 	struct netdevsim *ns;
134 	struct nsim_sa sa;
135 	u16 sa_idx;
136 	int ret;
137 
138 	dev = xs->xso.real_dev;
139 	ns = netdev_priv(dev);
140 	ipsec = &ns->ipsec;
141 
142 	if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
143 		NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for ipsec offload");
144 		return -EINVAL;
145 	}
146 
147 	if (xs->calg) {
148 		NL_SET_ERR_MSG_MOD(extack, "Compression offload not supported");
149 		return -EINVAL;
150 	}
151 
152 	if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
153 		NL_SET_ERR_MSG_MOD(extack, "Unsupported ipsec offload type");
154 		return -EINVAL;
155 	}
156 
157 	/* find the first unused index */
158 	ret = nsim_ipsec_find_empty_idx(ipsec);
159 	if (ret < 0) {
160 		NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx table!");
161 		return ret;
162 	}
163 	sa_idx = (u16)ret;
164 
165 	memset(&sa, 0, sizeof(sa));
166 	sa.used = true;
167 	sa.xs = xs;
168 
169 	if (sa.xs->id.proto & IPPROTO_ESP)
170 		sa.crypt = xs->ealg || xs->aead;
171 
172 	/* get the key and salt */
173 	ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt);
174 	if (ret) {
175 		NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for SA table");
176 		return ret;
177 	}
178 
179 	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN)
180 		sa.rx = true;
181 
182 	if (xs->props.family == AF_INET6)
183 		memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
184 	else
185 		memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
186 
187 	/* the preparations worked, so save the info */
188 	memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
189 
190 	/* the XFRM stack doesn't like offload_handle == 0,
191 	 * so add a bitflag in case our array index is 0
192 	 */
193 	xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
194 	ipsec->count++;
195 
196 	return 0;
197 }
198 
199 static void nsim_ipsec_del_sa(struct xfrm_state *xs)
200 {
201 	struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
202 	struct nsim_ipsec *ipsec = &ns->ipsec;
203 	u16 sa_idx;
204 
205 	sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
206 	if (!ipsec->sa[sa_idx].used) {
207 		netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
208 			   sa_idx);
209 		return;
210 	}
211 
212 	memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
213 	ipsec->count--;
214 }
215 
216 static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
217 {
218 	struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
219 	struct nsim_ipsec *ipsec = &ns->ipsec;
220 
221 	ipsec->ok++;
222 
223 	return true;
224 }
225 
226 static const struct xfrmdev_ops nsim_xfrmdev_ops = {
227 	.xdo_dev_state_add	= nsim_ipsec_add_sa,
228 	.xdo_dev_state_delete	= nsim_ipsec_del_sa,
229 	.xdo_dev_offload_ok	= nsim_ipsec_offload_ok,
230 };
231 
232 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
233 {
234 	struct sec_path *sp = skb_sec_path(skb);
235 	struct nsim_ipsec *ipsec = &ns->ipsec;
236 	struct xfrm_state *xs;
237 	struct nsim_sa *tsa;
238 	u32 sa_idx;
239 
240 	/* do we even need to check this packet? */
241 	if (!sp)
242 		return true;
243 
244 	if (unlikely(!sp->len)) {
245 		netdev_err(ns->netdev, "no xfrm state len = %d\n",
246 			   sp->len);
247 		return false;
248 	}
249 
250 	xs = xfrm_input_state(skb);
251 	if (unlikely(!xs)) {
252 		netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
253 		return false;
254 	}
255 
256 	sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
257 	if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
258 		netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
259 			   sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
260 		return false;
261 	}
262 
263 	tsa = &ipsec->sa[sa_idx];
264 	if (unlikely(!tsa->used)) {
265 		netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
266 		return false;
267 	}
268 
269 	if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
270 		netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
271 		return false;
272 	}
273 
274 	ipsec->tx++;
275 
276 	return true;
277 }
278 
279 void nsim_ipsec_init(struct netdevsim *ns)
280 {
281 	ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
282 
283 #define NSIM_ESP_FEATURES	(NETIF_F_HW_ESP | \
284 				 NETIF_F_HW_ESP_TX_CSUM | \
285 				 NETIF_F_GSO_ESP)
286 
287 	ns->netdev->features |= NSIM_ESP_FEATURES;
288 	ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
289 
290 	ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
291 					      ns->nsim_dev_port->ddir, ns,
292 					      &ipsec_dbg_fops);
293 }
294 
295 void nsim_ipsec_teardown(struct netdevsim *ns)
296 {
297 	struct nsim_ipsec *ipsec = &ns->ipsec;
298 
299 	if (ipsec->count)
300 		netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
301 			   ipsec->count);
302 	debugfs_remove_recursive(ipsec->pfile);
303 }
304