ipsec.h source code [linux/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h]

1	/*
2	* Copyright (c) 2017 Mellanox Technologies. All rights reserved.
3	*
4	* This software is available to you under a choice of one of two
5	* licenses. You may choose to be licensed under the terms of the GNU
6	* General Public License (GPL) Version 2, available from the file
7	* COPYING in the main directory of this source tree, or the
8	* OpenIB.org BSD license below:
9	*
10	* Redistribution and use in source and binary forms, with or
11	* without modification, are permitted provided that the following
12	* conditions are met:
13	*
14	* - Redistributions of source code must retain the above
15	* copyright notice, this list of conditions and the following
16	* disclaimer.
17	*
18	* - Redistributions in binary form must reproduce the above
19	* copyright notice, this list of conditions and the following
20	* disclaimer in the documentation and/or other materials
21	* provided with the distribution.
22	*
23	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24	* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26	* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
27	* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
28	* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
29	* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
30	* SOFTWARE.
31	*
32	*/
33
34	#ifndef __MLX5E_IPSEC_H__
35	#define __MLX5E_IPSEC_H__
36
37	#include <linux/mlx5/device.h>
38	#include <net/xfrm.h>
39	#include <linux/idr.h>
40	#include "lib/aso.h"
41	#include "lib/devcom.h"
42
43	#define MLX5E_IPSEC_SADB_RX_BITS 10
44	#define MLX5E_IPSEC_ESN_SCOPE_MID 0x80000000L
45
46	struct aes_gcm_keymat {
47	u64 seq_iv;
48
49	u32 salt;
50	u32 icv_len;
51
52	u32 key_len;
53	u32 aes_key[`256` / `32`];
54	};
55
56	struct upspec {
57	u16 dport;
58	u16 dport_mask;
59	u16 sport;
60	u16 sport_mask;
61	u8 proto;
62	};
63
64	struct mlx5_ipsec_lft {
65	u64 hard_packet_limit;
66	u64 soft_packet_limit;
67	u64 numb_rounds_hard;
68	u64 numb_rounds_soft;
69	};
70
71	struct mlx5_replay_esn {
72	u32 replay_window;
73	u32 esn;
74	u32 esn_msb;
75	u8 overlap : `1`;
76	u8 trigger : `1`;
77	};
78
79	struct mlx5e_ipsec_addr {
80	union {
81	__be32 a4;
82	__be32 a6[`4`];
83	} saddr;
84	union {
85	__be32 m4;
86	__be32 m6[`4`];
87	} smask;
88	union {
89	__be32 a4;
90	__be32 a6[`4`];
91	} daddr;
92	union {
93	__be32 m4;
94	__be32 m6[`4`];
95	} dmask;
96	u8 family;
97	};
98
99	struct mlx5_accel_esp_xfrm_attrs {
100	u32 spi;
101	u32 mode;
102	struct aes_gcm_keymat aes_gcm;
103	struct mlx5e_ipsec_addr addrs;
104	struct upspec upspec;
105	u8 dir : `2`;
106	u8 type : `2`;
107	u8 drop : `1`;
108	u8 encap : `1`;
109	struct mlx5_replay_esn replay_esn;
110	u32 authsize;
111	u32 reqid;
112	struct mlx5_ipsec_lft lft;
113	union {
114	u8 smac[ETH_ALEN];
115	__be16 sport;
116	};
117	union {
118	u8 dmac[ETH_ALEN];
119	__be16 dport;
120	};
121	};
122
123	enum mlx5_ipsec_cap {
124	MLX5_IPSEC_CAP_CRYPTO = `1` << `0`,
125	MLX5_IPSEC_CAP_ESN = `1` << `1`,
126	MLX5_IPSEC_CAP_PACKET_OFFLOAD = `1` << `2`,
127	MLX5_IPSEC_CAP_ROCE = `1` << `3`,
128	MLX5_IPSEC_CAP_PRIO = `1` << `4`,
129	MLX5_IPSEC_CAP_TUNNEL = `1` << `5`,
130	MLX5_IPSEC_CAP_ESPINUDP = `1` << `6`,
131	};
132
133	struct mlx5e_priv;
134
135	struct mlx5e_ipsec_hw_stats {
136	u64 ipsec_rx_pkts;
137	u64 ipsec_rx_bytes;
138	u64 ipsec_rx_drop_pkts;
139	u64 ipsec_rx_drop_bytes;
140	u64 ipsec_rx_drop_mismatch_sa_sel;
141	u64 ipsec_tx_pkts;
142	u64 ipsec_tx_bytes;
143	u64 ipsec_tx_drop_pkts;
144	u64 ipsec_tx_drop_bytes;
145	};
146
147	struct mlx5e_ipsec_sw_stats {
148	atomic64_t ipsec_rx_drop_sp_alloc;
149	atomic64_t ipsec_rx_drop_sadb_miss;
150	atomic64_t ipsec_tx_drop_bundle;
151	atomic64_t ipsec_tx_drop_no_state;
152	atomic64_t ipsec_tx_drop_not_ip;
153	atomic64_t ipsec_tx_drop_trailer;
154	};
155
156	struct mlx5e_ipsec_fc;
157	struct mlx5e_ipsec_tx;
158
159	struct mlx5e_ipsec_work {
160	struct work_struct work;
161	struct mlx5e_ipsec_sa_entry *sa_entry;
162	void *data;
163	};
164
165	struct mlx5e_ipsec_netevent_data {
166	u8 addr[ETH_ALEN];
167	};
168
169	struct mlx5e_ipsec_dwork {
170	struct delayed_work dwork;
171	struct mlx5e_ipsec_sa_entry *sa_entry;
172	};
173
174	struct mlx5e_ipsec_aso {
175	u8 __aligned(`64`) ctx[MLX5_ST_SZ_BYTES(ipsec_aso)];
176	dma_addr_t dma_addr;
177	struct mlx5_aso *aso;
178	/ Protect ASO WQ access, as it is global to whole IPsec /
179	spinlock_t lock;
180	};
181
182	struct mlx5e_ipsec_rx_create_attr {
183	struct mlx5_flow_namespace *ns;
184	struct mlx5_ttc_table *ttc;
185	u32 family;
186	int prio;
187	int pol_level;
188	int pol_miss_level;
189	int sa_level;
190	int status_level;
191	enum mlx5_flow_namespace_type chains_ns;
192	};
193
194	struct mlx5e_ipsec_ft {
195	struct mutex mutex; / Protect changes to this struct /
196	struct mlx5_flow_table *pol;
197	struct mlx5_flow_table *sa;
198	struct mlx5_flow_table *sa_sel;
199	struct mlx5_flow_table *status;
200	u32 refcnt;
201	};
202
203	struct mlx5e_ipsec_drop {
204	struct mlx5_flow_handle *rule;
205	struct mlx5_fc *fc;
206	};
207
208	struct mlx5e_ipsec_rule {
209	struct mlx5_flow_handle *rule;
210	struct mlx5_flow_handle *status_pass;
211	struct mlx5_flow_handle *sa_sel;
212	struct mlx5_modify_hdr *modify_hdr;
213	struct mlx5_pkt_reformat *pkt_reformat;
214	struct mlx5_fc *fc;
215	struct mlx5e_ipsec_drop replay;
216	struct mlx5e_ipsec_drop auth;
217	struct mlx5e_ipsec_drop trailer;
218	};
219
220	struct mlx5e_ipsec_miss {
221	struct mlx5_flow_group *group;
222	struct mlx5_flow_handle *rule;
223	struct mlx5_fc *fc;
224	};
225
226	struct mlx5e_ipsec_tx_create_attr {
227	int prio;
228	int pol_level;
229	int sa_level;
230	int cnt_level;
231	enum mlx5_flow_namespace_type chains_ns;
232	};
233
234	struct mlx5e_ipsec_mpv_work {
235	int event;
236	struct work_struct work;
237	struct mlx5e_priv *slave_priv;
238	struct mlx5e_priv *master_priv;
239	};
240
241	struct mlx5e_ipsec {
242	struct mlx5_core_dev *mdev;
243	struct xarray sadb;
244	struct mlx5e_ipsec_sw_stats sw_stats;
245	struct mlx5e_ipsec_hw_stats hw_stats;
246	struct workqueue_struct *wq;
247	struct completion comp;
248	struct mlx5e_flow_steering *fs;
249	struct mlx5e_ipsec_rx *rx_ipv4;
250	struct mlx5e_ipsec_rx *rx_ipv6;
251	struct mlx5e_ipsec_rx *rx_esw;
252	struct mlx5e_ipsec_tx *tx;
253	struct mlx5e_ipsec_tx *tx_esw;
254	struct mlx5e_ipsec_aso *aso;
255	struct notifier_block nb;
256	struct notifier_block netevent_nb;
257	struct mlx5_ipsec_fs *roce;
258	u8 is_uplink_rep: `1`;
259	struct mlx5e_ipsec_mpv_work mpv_work;
260	struct xarray ipsec_obj_id_map;
261	};
262
263	struct mlx5e_ipsec_esn_state {
264	u32 esn;
265	u32 esn_msb;
266	u8 overlap: `1`;
267	};
268
269	struct mlx5e_ipsec_limits {
270	u64 round;
271	u8 soft_limit_hit : `1`;
272	u8 fix_limit : `1`;
273	};
274
275	struct mlx5e_ipsec_sa_entry {
276	struct mlx5e_ipsec_esn_state esn_state;
277	struct xfrm_state *x;
278	struct net_device *dev;
279	struct mlx5e_ipsec *ipsec;
280	struct mlx5_accel_esp_xfrm_attrs attrs;
281	void (set_iv_op)(struct* sk_buff skb, struct* xfrm_state *x,
282	struct xfrm_offload *xo);
283	u32 ipsec_obj_id;
284	u32 enc_key_id;
285	struct mlx5e_ipsec_rule ipsec_rule;
286	struct mlx5e_ipsec_work *work;
287	struct mlx5e_ipsec_dwork *dwork;
288	struct mlx5e_ipsec_limits limits;
289	u32 rx_mapped_id;
290	};
291
292	struct mlx5_accel_pol_xfrm_attrs {
293	struct mlx5e_ipsec_addr addrs;
294	struct upspec upspec;
295	u8 action;
296	u8 type : `2`;
297	u8 dir : `2`;
298	u32 reqid;
299	u32 prio;
300	};
301
302	struct mlx5e_ipsec_pol_entry {
303	struct xfrm_policy *x;
304	struct mlx5e_ipsec *ipsec;
305	struct mlx5e_ipsec_rule ipsec_rule;
306	struct mlx5_accel_pol_xfrm_attrs attrs;
307	};
308
309	#ifdef CONFIG_MLX5_EN_IPSEC
310
311	void mlx5e_ipsec_init(struct mlx5e_priv *priv);
312	void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv);
313	void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv);
314
315	void mlx5e_accel_ipsec_fs_cleanup(struct mlx5e_ipsec *ipsec);
316	int mlx5e_accel_ipsec_fs_init(struct mlx5e_ipsec ipsec, struct* mlx5_devcom_comp_dev **devcom);
317	int mlx5e_accel_ipsec_fs_add_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
318	void mlx5e_accel_ipsec_fs_del_rule(struct mlx5e_ipsec_sa_entry *sa_entry);
319	int mlx5e_accel_ipsec_fs_add_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
320	void mlx5e_accel_ipsec_fs_del_pol(struct mlx5e_ipsec_pol_entry *pol_entry);
321	void mlx5e_accel_ipsec_fs_modify(struct mlx5e_ipsec_sa_entry *sa_entry);
322	bool mlx5e_ipsec_fs_tunnel_allowed(struct mlx5e_ipsec_sa_entry *sa_entry);
323
324	int mlx5_ipsec_create_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
325	void mlx5_ipsec_free_sa_ctx(struct mlx5e_ipsec_sa_entry *sa_entry);
326
327	u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev);
328
329	void mlx5_accel_esp_modify_xfrm(struct mlx5e_ipsec_sa_entry *sa_entry,
330	const struct mlx5_accel_esp_xfrm_attrs *attrs);
331
332	int mlx5e_ipsec_aso_init(struct mlx5e_ipsec *ipsec);
333	void mlx5e_ipsec_aso_cleanup(struct mlx5e_ipsec *ipsec);
334
335	int mlx5e_ipsec_aso_query(struct mlx5e_ipsec_sa_entry *sa_entry,
336	struct mlx5_wqe_aso_ctrl_seg *data);
337	void mlx5e_accel_ipsec_fs_read_stats(struct mlx5e_priv *priv,
338	void *ipsec_stats);
339
340	void mlx5e_ipsec_build_accel_xfrm_attrs(struct mlx5e_ipsec_sa_entry *sa_entry,
341	struct mlx5_accel_esp_xfrm_attrs *attrs);
342	void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
343	struct mlx5e_priv *master_priv);
344	void mlx5e_ipsec_send_event(struct mlx5e_priv priv, int* event);
345	void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv);
346
347	static inline struct mlx5_core_dev *
348	mlx5e_ipsec_sa2dev(struct mlx5e_ipsec_sa_entry *sa_entry)
349	{
350	return sa_entry->ipsec->mdev;
351	}
352
353	static inline struct mlx5_core_dev *
354	mlx5e_ipsec_pol2dev(struct mlx5e_ipsec_pol_entry *pol_entry)
355	{
356	return pol_entry->ipsec->mdev;
357	}
358
359	static inline bool addr6_all_zero(__be32 *addr6)
360	{
361	static const __be32 zaddr6[`4`] = {};
362
363	return !memcmp(p: addr6, q: zaddr6, size: sizeof(zaddr6));
364	}
365	#else
366	static inline void mlx5e_ipsec_init(struct mlx5e_priv *priv)
367	{
368	}
369
370	static inline void mlx5e_ipsec_cleanup(struct mlx5e_priv *priv)
371	{
372	}
373
374	static inline void mlx5e_ipsec_build_netdev(struct mlx5e_priv *priv)
375	{
376	}
377
378	static inline u32 mlx5_ipsec_device_caps(struct mlx5_core_dev *mdev)
379	{
380	return `0`;
381	}
382
383	static inline void mlx5e_ipsec_handle_mpv_event(int event, struct mlx5e_priv *slave_priv,
384	struct mlx5e_priv *master_priv)
385	{
386	}
387
388	static inline void mlx5e_ipsec_send_event(struct mlx5e_priv priv, int* event)
389	{
390	}
391
392	static inline void mlx5e_ipsec_disable_events(struct mlx5e_priv *priv)
393	{
394	}
395	#endif
396
397	#endif /* __MLX5E_IPSEC_H__ */
398

source code of linux/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.h