/* SPDX-License-Identifier: BSD-3-Clause */
/* Copyright (c) 2023, Intel Corporation
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Intel Corporation nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _VIRTCHNL_INLINE_IPSEC_H_
#define _VIRTCHNL_INLINE_IPSEC_H_
#define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM 3
#define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM 16
#define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM 128
#define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER 2
#define VIRTCHNL_IPSEC_MAX_KEY_LEN 128
#define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM 8
#define VIRTCHNL_IPSEC_SA_DESTROY 0
#define VIRTCHNL_IPSEC_BROADCAST_VFID 0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_REQ_ID 0xFFFF
#define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP 0xFFFFFFFF
#define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP 0xFFFFFFFF
/* crypto type */
#define VIRTCHNL_AUTH 1
#define VIRTCHNL_CIPHER 2
#define VIRTCHNL_AEAD 3
/* caps enabled */
#define VIRTCHNL_IPSEC_ESN_ENA BIT(0)
#define VIRTCHNL_IPSEC_UDP_ENCAP_ENA BIT(1)
#define VIRTCHNL_IPSEC_SA_INDEX_SW_ENA BIT(2)
#define VIRTCHNL_IPSEC_AUDIT_ENA BIT(3)
#define VIRTCHNL_IPSEC_BYTE_LIMIT_ENA BIT(4)
#define VIRTCHNL_IPSEC_DROP_ON_AUTH_FAIL_ENA BIT(5)
#define VIRTCHNL_IPSEC_ARW_CHECK_ENA BIT(6)
#define VIRTCHNL_IPSEC_24BIT_SPI_ENA BIT(7)
/* algorithm type */
/* Hash Algorithm */
#define VIRTCHNL_HASH_NO_ALG 0 /* NULL algorithm */
#define VIRTCHNL_AES_CBC_MAC 1 /* AES-CBC-MAC algorithm */
#define VIRTCHNL_AES_CMAC 2 /* AES CMAC algorithm */
#define VIRTCHNL_AES_GMAC 3 /* AES GMAC algorithm */
#define VIRTCHNL_AES_XCBC_MAC 4 /* AES XCBC algorithm */
#define VIRTCHNL_MD5_HMAC 5 /* HMAC using MD5 algorithm */
#define VIRTCHNL_SHA1_HMAC 6 /* HMAC using 128 bit SHA algorithm */
#define VIRTCHNL_SHA224_HMAC 7 /* HMAC using 224 bit SHA algorithm */
#define VIRTCHNL_SHA256_HMAC 8 /* HMAC using 256 bit SHA algorithm */
#define VIRTCHNL_SHA384_HMAC 9 /* HMAC using 384 bit SHA algorithm */
#define VIRTCHNL_SHA512_HMAC 10 /* HMAC using 512 bit SHA algorithm */
#define VIRTCHNL_SHA3_224_HMAC 11 /* HMAC using 224 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_256_HMAC 12 /* HMAC using 256 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_384_HMAC 13 /* HMAC using 384 bit SHA3 algorithm */
#define VIRTCHNL_SHA3_512_HMAC 14 /* HMAC using 512 bit SHA3 algorithm */
/* Cipher Algorithm */
#define VIRTCHNL_CIPHER_NO_ALG 15 /* NULL algorithm */
#define VIRTCHNL_3DES_CBC 16 /* Triple DES algorithm in CBC mode */
#define VIRTCHNL_AES_CBC 17 /* AES algorithm in CBC mode */
#define VIRTCHNL_AES_CTR 18 /* AES algorithm in Counter mode */
/* AEAD Algorithm */
#define VIRTCHNL_AES_CCM 19 /* AES algorithm in CCM mode */
#define VIRTCHNL_AES_GCM 20 /* AES algorithm in GCM mode */
#define VIRTCHNL_CHACHA20_POLY1305 21 /* algorithm of ChaCha20-Poly1305 */
/* protocol type */
#define VIRTCHNL_PROTO_ESP 1
#define VIRTCHNL_PROTO_AH 2
#define VIRTCHNL_PROTO_RSVD1 3
/* sa mode */
#define VIRTCHNL_SA_MODE_TRANSPORT 1
#define VIRTCHNL_SA_MODE_TUNNEL 2
#define VIRTCHNL_SA_MODE_TRAN_TUN 3
#define VIRTCHNL_SA_MODE_UNKNOWN 4
/* sa direction */
#define VIRTCHNL_DIR_INGRESS 1
#define VIRTCHNL_DIR_EGRESS 2
#define VIRTCHNL_DIR_INGRESS_EGRESS 3
/* sa termination */
#define VIRTCHNL_TERM_SOFTWARE 1
#define VIRTCHNL_TERM_HARDWARE 2
/* sa ip type */
#define VIRTCHNL_IPV4 1
#define VIRTCHNL_IPV6 2
/* for virtchnl_ipsec_resp */
enum inline_ipsec_resp {
INLINE_IPSEC_SUCCESS = 0,
INLINE_IPSEC_FAIL = -1,
INLINE_IPSEC_ERR_FIFO_FULL = -2,
INLINE_IPSEC_ERR_NOT_READY = -3,
INLINE_IPSEC_ERR_VF_DOWN = -4,
INLINE_IPSEC_ERR_INVALID_PARAMS = -5,
INLINE_IPSEC_ERR_NO_MEM = -6,
};
/* Detailed opcodes for DPDK and IPsec use */
enum inline_ipsec_ops {
INLINE_IPSEC_OP_GET_CAP = 0,
INLINE_IPSEC_OP_GET_STATUS = 1,
INLINE_IPSEC_OP_SA_CREATE = 2,
INLINE_IPSEC_OP_SA_UPDATE = 3,
INLINE_IPSEC_OP_SA_DESTROY = 4,
INLINE_IPSEC_OP_SP_CREATE = 5,
INLINE_IPSEC_OP_SP_DESTROY = 6,
INLINE_IPSEC_OP_SA_READ = 7,
INLINE_IPSEC_OP_EVENT = 8,
INLINE_IPSEC_OP_RESP = 9,
};
#pragma pack(1)
/* Not all valid, if certain field is invalid, set 1 for all bits */
struct virtchnl_algo_cap {
u32 algo_type;
u16 block_size;
u16 min_key_size;
u16 max_key_size;
u16 inc_key_size;
u16 min_iv_size;
u16 max_iv_size;
u16 inc_iv_size;
u16 min_digest_size;
u16 max_digest_size;
u16 inc_digest_size;
u16 min_aad_size;
u16 max_aad_size;
u16 inc_aad_size;
};
#pragma pack()
/* vf record the capability of crypto from the virtchnl */
struct virtchnl_sym_crypto_cap {
u8 crypto_type;
u8 algo_cap_num;
struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
};
/* VIRTCHNL_OP_GET_IPSEC_CAP
* VF pass virtchnl_ipsec_cap to PF
* and PF return capability of ipsec from virtchnl.
*/
#pragma pack(1)
struct virtchnl_ipsec_cap {
/* max number of SA per VF */
u16 max_sa_num;
/* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
u8 virtchnl_protocol_type;
/* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
u8 virtchnl_sa_mode;
/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
u8 virtchnl_direction;
/* termination mode - value ref VIRTCHNL_TERM_XXX */
u8 termination_mode;
/* number of supported crypto capability */
u8 crypto_cap_num;
/* descriptor ID */
u16 desc_id;
/* capabilities enabled - value ref VIRTCHNL_IPSEC_XXX_ENA */
u32 caps_enabled;
/* crypto capabilities */
struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
};
/* configuration of crypto function */
struct virtchnl_ipsec_crypto_cfg_item {
u8 crypto_type;
u32 algo_type;
/* Length of valid IV data. */
u16 iv_len;
/* Length of digest */
u16 digest_len;
/* SA salt */
u32 salt;
/* The length of the symmetric key */
u16 key_len;
/* key data buffer */
u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
};
#pragma pack()
struct virtchnl_ipsec_sym_crypto_cfg {
struct virtchnl_ipsec_crypto_cfg_item
items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
};
#pragma pack(1)
/* VIRTCHNL_OP_IPSEC_SA_CREATE
* VF send this SA configuration to PF using virtchnl;
* PF create SA as configuration and PF driver will return
* an unique index (sa_idx) for the created SA.
*/
struct virtchnl_ipsec_sa_cfg {
/* IPsec SA Protocol - AH/ESP */
u8 virtchnl_protocol_type;
/* termination mode - value ref VIRTCHNL_TERM_XXX */
u8 virtchnl_termination;
/* type of outer IP - IPv4/IPv6 */
u8 virtchnl_ip_type;
/* type of esn - !0:enable/0:disable */
u8 esn_enabled;
/* udp encap - !0:enable/0:disable */
u8 udp_encap_enabled;
/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
u8 virtchnl_direction;
/* reserved */
u8 reserved1;
/* SA security parameter index */
u32 spi;
/* outer src ip address */
u8 src_addr[16];
/* outer dst ip address */
u8 dst_addr[16];
/* SPD reference. Used to link an SA with its policy.
* PF drivers may ignore this field.
*/
u16 spd_ref;
/* high 32 bits of esn */
u32 esn_hi;
/* low 32 bits of esn */
u32 esn_low;
/* When enabled, sa_index must be valid */
u8 sa_index_en;
/* SA index when sa_index_en is true */
u32 sa_index;
/* auditing mode - enable/disable */
u8 audit_en;
/* lifetime byte limit - enable/disable
* When enabled, byte_limit_hard and byte_limit_soft
* must be valid.
*/
u8 byte_limit_en;
/* hard byte limit count */
u64 byte_limit_hard;
/* soft byte limit count */
u64 byte_limit_soft;
/* drop on authentication failure - enable/disable */
u8 drop_on_auth_fail_en;
/* anti-reply window check - enable/disable
* When enabled, arw_size must be valid.
*/
u8 arw_check_en;
/* size of arw window, offset by 1. Setting to 0
* represents ARW window size of 1. Setting to 127
* represents ARW window size of 128
*/
u8 arw_size;
/* no ip offload mode - enable/disable
* When enabled, ip type and address must not be valid.
*/
u8 no_ip_offload_en;
/* SA Domain. Used to logical separate an SADB into groups.
* PF drivers supporting a single group ignore this field.
*/
u16 sa_domain;
/* crypto configuration */
struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
};
#pragma pack()
/* VIRTCHNL_OP_IPSEC_SA_UPDATE
* VF send configuration of index of SA to PF
* PF will update SA according to configuration
*/
struct virtchnl_ipsec_sa_update {
u32 sa_index; /* SA to update */
u32 esn_hi; /* high 32 bits of esn */
u32 esn_low; /* low 32 bits of esn */
};
#pragma pack(1)
/* VIRTCHNL_OP_IPSEC_SA_DESTROY
* VF send configuration of index of SA to PF
* PF will destroy SA according to configuration
* flag bitmap indicate all SA or just selected SA will
* be destroyed
*/
struct virtchnl_ipsec_sa_destroy {
/* All zero bitmap indicates all SA will be destroyed.
* Non-zero bitmap indicates the selected SA in
* array sa_index will be destroyed.
*/
u8 flag;
/* selected SA index */
u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
};
/* VIRTCHNL_OP_IPSEC_SA_READ
* VF send this SA configuration to PF using virtchnl;
* PF read SA and will return configuration for the created SA.
*/
struct virtchnl_ipsec_sa_read {
/* SA valid - invalid/valid */
u8 valid;
/* SA active - inactive/active */
u8 active;
/* SA SN rollover - not_rollover/rollover */
u8 sn_rollover;
/* IPsec SA Protocol - AH/ESP */
u8 virtchnl_protocol_type;
/* termination mode - value ref VIRTCHNL_TERM_XXX */
u8 virtchnl_termination;
/* auditing mode - enable/disable */
u8 audit_en;
/* lifetime byte limit - enable/disable
* When set to limit, byte_limit_hard and byte_limit_soft
* must be valid.
*/
u8 byte_limit_en;
/* hard byte limit count */
u64 byte_limit_hard;
/* soft byte limit count */
u64 byte_limit_soft;
/* drop on authentication failure - enable/disable */
u8 drop_on_auth_fail_en;
/* anti-replay window check - enable/disable
* When set to check, arw_size, arw_top, and arw must be valid
*/
u8 arw_check_en;
/* size of arw window, offset by 1. Setting to 0
* represents ARW window size of 1. Setting to 127
* represents ARW window size of 128
*/
u8 arw_size;
/* reserved */
u8 reserved1;
/* top of anti-replay-window */
u64 arw_top;
/* anti-replay-window */
u8 arw[16];
/* packets processed */
u64 packets_processed;
/* bytes processed */
u64 bytes_processed;
/* packets dropped */
u32 packets_dropped;
/* authentication failures */
u32 auth_fails;
/* ARW check failures */
u32 arw_fails;
/* type of esn - enable/disable */
u8 esn;
/* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
u8 virtchnl_direction;
/* SA security parameter index */
u32 spi;
/* SA salt */
u32 salt;
/* high 32 bits of esn */
u32 esn_hi;
/* low 32 bits of esn */
u32 esn_low;
/* SA Domain. Used to logical separate an SADB into groups.
* PF drivers supporting a single group ignore this field.
*/
u16 sa_domain;
/* SPD reference. Used to link an SA with its policy.
* PF drivers may ignore this field.
*/
u16 spd_ref;
/* crypto configuration. Salt and keys are set to 0 */
struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
};
#pragma pack()
/* Add allowlist entry in IES */
struct virtchnl_ipsec_sp_cfg {
u32 spi;
u32 dip[4];
/* Drop frame if true or redirect to QAT if false. */
u8 drop;
/* Congestion domain. For future use. */
u8 cgd;
/* 0 for IPv4 table, 1 for IPv6 table. */
u8 table_id;
/* Set TC (congestion domain) if true. For future use. */
u8 set_tc;
/* 0 for NAT-T unsupported, 1 for NAT-T supported */
u8 is_udp;
/* reserved */
u8 reserved;
/* NAT-T UDP port number. Only valid in case NAT-T supported */
u16 udp_port;
};
#pragma pack(1)
/* Delete allowlist entry in IES */
struct virtchnl_ipsec_sp_destroy {
/* 0 for IPv4 table, 1 for IPv6 table. */
u8 table_id;
u32 rule_id;
};
#pragma pack()
/* Response from IES to allowlist operations */
struct virtchnl_ipsec_sp_cfg_resp {
u32 rule_id;
};
struct virtchnl_ipsec_sa_cfg_resp {
u32 sa_handle;
};
#define INLINE_IPSEC_EVENT_RESET 0x1
#define INLINE_IPSEC_EVENT_CRYPTO_ON 0x2
#define INLINE_IPSEC_EVENT_CRYPTO_OFF 0x4
struct virtchnl_ipsec_event {
u32 ipsec_event_data;
};
#define INLINE_IPSEC_STATUS_AVAILABLE 0x1
#define INLINE_IPSEC_STATUS_UNAVAILABLE 0x2
struct virtchnl_ipsec_status {
u32 status;
};
struct virtchnl_ipsec_resp {
u32 resp;
};
/* Internal message descriptor for VF <-> IPsec communication */
struct inline_ipsec_msg {
u16 ipsec_opcode;
u16 req_id;
union {
/* IPsec request */
struct virtchnl_ipsec_sa_cfg sa_cfg[0];
struct virtchnl_ipsec_sp_cfg sp_cfg[0];
struct virtchnl_ipsec_sa_update sa_update[0];
struct virtchnl_ipsec_sa_destroy sa_destroy[0];
struct virtchnl_ipsec_sp_destroy sp_destroy[0];
/* IPsec response */
struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
struct virtchnl_ipsec_cap ipsec_cap[0];
struct virtchnl_ipsec_status ipsec_status[0];
/* response to del_sa, del_sp, update_sa */
struct virtchnl_ipsec_resp ipsec_resp[0];
/* IPsec event (no req_id is required) */
struct virtchnl_ipsec_event event[0];
/* Reserved */
struct virtchnl_ipsec_sa_read sa_read[0];
} ipsec_data;
};
static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
{
u16 valid_len = sizeof(struct inline_ipsec_msg);
switch (opcode) {
case INLINE_IPSEC_OP_GET_CAP:
case INLINE_IPSEC_OP_GET_STATUS:
break;
case INLINE_IPSEC_OP_SA_CREATE:
valid_len += sizeof(struct virtchnl_ipsec_sa_cfg);
break;
case INLINE_IPSEC_OP_SP_CREATE:
valid_len += sizeof(struct virtchnl_ipsec_sp_cfg);
break;
case INLINE_IPSEC_OP_SA_UPDATE:
valid_len += sizeof(struct virtchnl_ipsec_sa_update);
break;
case INLINE_IPSEC_OP_SA_DESTROY:
valid_len += sizeof(struct virtchnl_ipsec_sa_destroy);
break;
case INLINE_IPSEC_OP_SP_DESTROY:
valid_len += sizeof(struct virtchnl_ipsec_sp_destroy);
break;
/* Only for msg length caculation of response to VF in case of
* inline ipsec failure.
*/
case INLINE_IPSEC_OP_RESP:
valid_len += sizeof(struct virtchnl_ipsec_resp);
break;
default:
valid_len = 0;
break;
}
return valid_len;
}
#endif /* _VIRTCHNL_INLINE_IPSEC_H_ */
