From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DB92CA0C56; Wed, 8 Sep 2021 10:39:30 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6D9EE41225; Wed, 8 Sep 2021 10:37:22 +0200 (CEST) Received: from smtpbgeu1.qq.com (smtpbgeu1.qq.com [52.59.177.22]) by mails.dpdk.org (Postfix) with ESMTP id 32C7941168 for ; Wed, 8 Sep 2021 10:37:21 +0200 (CEST) X-QQ-mid: bizesmtp47t1631090236tp0q4dgg Received: from wxdbg.localdomain.com (unknown [183.129.236.74]) by esmtp6.qq.com (ESMTP) with id ; Wed, 08 Sep 2021 16:37:16 +0800 (CST) X-QQ-SSF: 01400000002000E0G000B00A0000000 X-QQ-FEAT: 3Pj5YKO7Ewu9isuqTZ/8/HOR6whuuhgzBD7mH+m8bXq+r3oRh8DLEMMJe/9eO 6QHASUGPJa1krnYx7j2kRhWefd94oEM2gThL9sQOQ+xqFzZy+dSpISWFoNca4LFd1KkmOZX 9ST2hzOqHjWN7kIFAUH24WsmBomKyKWQkcpo8qomcvM48fGNTlyCm/3ZvVkujqJKkj3wBak +fhzmd+mszHlz6agkp9ySWzw23Vs2vw+aeQXzXk1mKPtKrn4TjKjc7bucLozVYYLBoYhz/k qUFd7Hp6FpBAwHtPpksX5pnWdj2Gl0PCwQif6SwHv4bRTxPLPnYjHDxdWnT9qfoqhZvnTlN +mv4KjjZhAjl0XufJ5lqPdIQKmGklKQ/wMRKqcf X-QQ-GoodBg: 2 From: Jiawen Wu To: dev@dpdk.org Cc: Jiawen Wu Date: Wed, 8 Sep 2021 16:37:55 +0800 Message-Id: <20210908083758.312055-30-jiawenwu@trustnetic.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210908083758.312055-1-jiawenwu@trustnetic.com> References: <20210908083758.312055-1-jiawenwu@trustnetic.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:trustnetic.com:qybgforeign:qybgforeign5 X-QQ-Bgrelay: 1 Subject: [dpdk-dev] [PATCH 29/32] net/ngbe: create and destroy security session X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Support to configure a security session, add create and destroy operations for a security session. Signed-off-by: Jiawen Wu --- drivers/net/ngbe/ngbe_ethdev.h | 8 + drivers/net/ngbe/ngbe_ipsec.c | 377 +++++++++++++++++++++++++++++++++ drivers/net/ngbe/ngbe_ipsec.h | 78 +++++++ 3 files changed, 463 insertions(+) create mode 100644 drivers/net/ngbe/ngbe_ipsec.h diff --git a/drivers/net/ngbe/ngbe_ethdev.h b/drivers/net/ngbe/ngbe_ethdev.h index 9eda024d65..e8ce01e1f4 100644 --- a/drivers/net/ngbe/ngbe_ethdev.h +++ b/drivers/net/ngbe/ngbe_ethdev.h @@ -7,6 +7,9 @@ #define _NGBE_ETHDEV_H_ #include "ngbe_ptypes.h" +#ifdef RTE_LIB_SECURITY +#include "ngbe_ipsec.h" +#endif #include #include #include @@ -107,6 +110,9 @@ struct ngbe_adapter { struct ngbe_hwstrip hwstrip; struct ngbe_vf_info *vfdata; struct ngbe_uta_info uta_info; +#ifdef RTE_LIB_SECURITY + struct ngbe_ipsec ipsec; +#endif bool rx_bulk_alloc_allowed; struct rte_timecounter systime_tc; struct rte_timecounter rx_tstamp_tc; @@ -160,6 +166,8 @@ ngbe_dev_intr(struct rte_eth_dev *dev) #define NGBE_DEV_UTA_INFO(dev) \ (&((struct ngbe_adapter *)(dev)->data->dev_private)->uta_info) +#define NGBE_DEV_IPSEC(dev) \ + (&((struct ngbe_adapter *)(dev)->data->dev_private)->ipsec) /* * Rx/Tx function prototypes diff --git a/drivers/net/ngbe/ngbe_ipsec.c b/drivers/net/ngbe/ngbe_ipsec.c index 5f8b0bab29..80151d45dc 100644 --- a/drivers/net/ngbe/ngbe_ipsec.c +++ b/drivers/net/ngbe/ngbe_ipsec.c @@ -9,6 +9,381 @@ #include "base/ngbe.h" #include "ngbe_ethdev.h" +#include "ngbe_ipsec.h" + +#define CMP_IP(a, b) (\ + (a).ipv6[0] == (b).ipv6[0] && \ + (a).ipv6[1] == (b).ipv6[1] && \ + (a).ipv6[2] == (b).ipv6[2] && \ + (a).ipv6[3] == (b).ipv6[3]) + +static int +ngbe_crypto_add_sa(struct ngbe_crypto_session *ic_session) +{ + struct rte_eth_dev *dev = ic_session->dev; + struct ngbe_hw *hw = ngbe_dev_hw(dev); + struct ngbe_ipsec *priv = NGBE_DEV_IPSEC(dev); + uint32_t reg_val; + int sa_index = -1; + + if (ic_session->op == NGBE_OP_AUTHENTICATED_DECRYPTION) { + int i, ip_index = -1; + uint8_t *key; + + /* Find a match in the IP table*/ + for (i = 0; i < IPSEC_MAX_RX_IP_COUNT; i++) { + if (CMP_IP(priv->rx_ip_tbl[i].ip, + ic_session->dst_ip)) { + ip_index = i; + break; + } + } + /* If no match, find a free entry in the IP table*/ + if (ip_index < 0) { + for (i = 0; i < IPSEC_MAX_RX_IP_COUNT; i++) { + if (priv->rx_ip_tbl[i].ref_count == 0) { + ip_index = i; + break; + } + } + } + + /* Fail if no match and no free entries*/ + if (ip_index < 0) { + PMD_DRV_LOG(ERR, + "No free entry left in the Rx IP table\n"); + return -1; + } + + /* Find a free entry in the SA table*/ + for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) { + if (priv->rx_sa_tbl[i].used == 0) { + sa_index = i; + break; + } + } + /* Fail if no free entries*/ + if (sa_index < 0) { + PMD_DRV_LOG(ERR, + "No free entry left in the Rx SA table\n"); + return -1; + } + + priv->rx_ip_tbl[ip_index].ip.ipv6[0] = + ic_session->dst_ip.ipv6[0]; + priv->rx_ip_tbl[ip_index].ip.ipv6[1] = + ic_session->dst_ip.ipv6[1]; + priv->rx_ip_tbl[ip_index].ip.ipv6[2] = + ic_session->dst_ip.ipv6[2]; + priv->rx_ip_tbl[ip_index].ip.ipv6[3] = + ic_session->dst_ip.ipv6[3]; + priv->rx_ip_tbl[ip_index].ref_count++; + + priv->rx_sa_tbl[sa_index].spi = ic_session->spi; + priv->rx_sa_tbl[sa_index].ip_index = ip_index; + priv->rx_sa_tbl[sa_index].mode = IPSRXMOD_VALID; + if (ic_session->op == NGBE_OP_AUTHENTICATED_DECRYPTION) + priv->rx_sa_tbl[sa_index].mode |= + (IPSRXMOD_PROTO | IPSRXMOD_DECRYPT); + if (ic_session->dst_ip.type == IPv6) { + priv->rx_sa_tbl[sa_index].mode |= IPSRXMOD_IPV6; + priv->rx_ip_tbl[ip_index].ip.type = IPv6; + } else if (ic_session->dst_ip.type == IPv4) { + priv->rx_ip_tbl[ip_index].ip.type = IPv4; + } + priv->rx_sa_tbl[sa_index].used = 1; + + /* write IP table entry*/ + reg_val = NGBE_IPSRXIDX_ENA | NGBE_IPSRXIDX_WRITE | + NGBE_IPSRXIDX_TB_IP | (ip_index << 3); + if (priv->rx_ip_tbl[ip_index].ip.type == IPv4) { + uint32_t ipv4 = priv->rx_ip_tbl[ip_index].ip.ipv4; + wr32(hw, NGBE_IPSRXADDR(0), rte_cpu_to_be_32(ipv4)); + wr32(hw, NGBE_IPSRXADDR(1), 0); + wr32(hw, NGBE_IPSRXADDR(2), 0); + wr32(hw, NGBE_IPSRXADDR(3), 0); + } else { + wr32(hw, NGBE_IPSRXADDR(0), + priv->rx_ip_tbl[ip_index].ip.ipv6[0]); + wr32(hw, NGBE_IPSRXADDR(1), + priv->rx_ip_tbl[ip_index].ip.ipv6[1]); + wr32(hw, NGBE_IPSRXADDR(2), + priv->rx_ip_tbl[ip_index].ip.ipv6[2]); + wr32(hw, NGBE_IPSRXADDR(3), + priv->rx_ip_tbl[ip_index].ip.ipv6[3]); + } + wr32w(hw, NGBE_IPSRXIDX, reg_val, NGBE_IPSRXIDX_WRITE, 1000); + + /* write SPI table entry*/ + reg_val = NGBE_IPSRXIDX_ENA | NGBE_IPSRXIDX_WRITE | + NGBE_IPSRXIDX_TB_SPI | (sa_index << 3); + wr32(hw, NGBE_IPSRXSPI, + priv->rx_sa_tbl[sa_index].spi); + wr32(hw, NGBE_IPSRXADDRIDX, + priv->rx_sa_tbl[sa_index].ip_index); + wr32w(hw, NGBE_IPSRXIDX, reg_val, NGBE_IPSRXIDX_WRITE, 1000); + + /* write Key table entry*/ + key = malloc(ic_session->key_len); + if (!key) + return -ENOMEM; + + memcpy(key, ic_session->key, ic_session->key_len); + + reg_val = NGBE_IPSRXIDX_ENA | NGBE_IPSRXIDX_WRITE | + NGBE_IPSRXIDX_TB_KEY | (sa_index << 3); + wr32(hw, NGBE_IPSRXKEY(0), + rte_cpu_to_be_32(*(uint32_t *)&key[12])); + wr32(hw, NGBE_IPSRXKEY(1), + rte_cpu_to_be_32(*(uint32_t *)&key[8])); + wr32(hw, NGBE_IPSRXKEY(2), + rte_cpu_to_be_32(*(uint32_t *)&key[4])); + wr32(hw, NGBE_IPSRXKEY(3), + rte_cpu_to_be_32(*(uint32_t *)&key[0])); + wr32(hw, NGBE_IPSRXSALT, + rte_cpu_to_be_32(ic_session->salt)); + wr32(hw, NGBE_IPSRXMODE, + priv->rx_sa_tbl[sa_index].mode); + wr32w(hw, NGBE_IPSRXIDX, reg_val, NGBE_IPSRXIDX_WRITE, 1000); + + free(key); + } else { /* sess->dir == RTE_CRYPTO_OUTBOUND */ + uint8_t *key; + int i; + + /* Find a free entry in the SA table*/ + for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) { + if (priv->tx_sa_tbl[i].used == 0) { + sa_index = i; + break; + } + } + /* Fail if no free entries*/ + if (sa_index < 0) { + PMD_DRV_LOG(ERR, + "No free entry left in the Tx SA table\n"); + return -1; + } + + priv->tx_sa_tbl[sa_index].spi = + rte_cpu_to_be_32(ic_session->spi); + priv->tx_sa_tbl[i].used = 1; + ic_session->sa_index = sa_index; + + key = malloc(ic_session->key_len); + if (!key) + return -ENOMEM; + + memcpy(key, ic_session->key, ic_session->key_len); + + /* write Key table entry*/ + reg_val = NGBE_IPSRXIDX_ENA | + NGBE_IPSRXIDX_WRITE | (sa_index << 3); + wr32(hw, NGBE_IPSTXKEY(0), + rte_cpu_to_be_32(*(uint32_t *)&key[12])); + wr32(hw, NGBE_IPSTXKEY(1), + rte_cpu_to_be_32(*(uint32_t *)&key[8])); + wr32(hw, NGBE_IPSTXKEY(2), + rte_cpu_to_be_32(*(uint32_t *)&key[4])); + wr32(hw, NGBE_IPSTXKEY(3), + rte_cpu_to_be_32(*(uint32_t *)&key[0])); + wr32(hw, NGBE_IPSTXSALT, + rte_cpu_to_be_32(ic_session->salt)); + wr32w(hw, NGBE_IPSTXIDX, reg_val, NGBE_IPSTXIDX_WRITE, 1000); + + free(key); + } + + return 0; +} + +static int +ngbe_crypto_remove_sa(struct rte_eth_dev *dev, + struct ngbe_crypto_session *ic_session) +{ + struct ngbe_hw *hw = ngbe_dev_hw(dev); + struct ngbe_ipsec *priv = NGBE_DEV_IPSEC(dev); + uint32_t reg_val; + int sa_index = -1; + + if (ic_session->op == NGBE_OP_AUTHENTICATED_DECRYPTION) { + int i, ip_index = -1; + + /* Find a match in the IP table*/ + for (i = 0; i < IPSEC_MAX_RX_IP_COUNT; i++) { + if (CMP_IP(priv->rx_ip_tbl[i].ip, ic_session->dst_ip)) { + ip_index = i; + break; + } + } + + /* Fail if no match*/ + if (ip_index < 0) { + PMD_DRV_LOG(ERR, + "Entry not found in the Rx IP table\n"); + return -1; + } + + /* Find a free entry in the SA table*/ + for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) { + if (priv->rx_sa_tbl[i].spi == + rte_cpu_to_be_32(ic_session->spi)) { + sa_index = i; + break; + } + } + /* Fail if no match*/ + if (sa_index < 0) { + PMD_DRV_LOG(ERR, + "Entry not found in the Rx SA table\n"); + return -1; + } + + /* Disable and clear Rx SPI and key table entryes*/ + reg_val = NGBE_IPSRXIDX_WRITE | + NGBE_IPSRXIDX_TB_SPI | (sa_index << 3); + wr32(hw, NGBE_IPSRXSPI, 0); + wr32(hw, NGBE_IPSRXADDRIDX, 0); + wr32w(hw, NGBE_IPSRXIDX, reg_val, NGBE_IPSRXIDX_WRITE, 1000); + reg_val = NGBE_IPSRXIDX_WRITE | + NGBE_IPSRXIDX_TB_KEY | (sa_index << 3); + wr32(hw, NGBE_IPSRXKEY(0), 0); + wr32(hw, NGBE_IPSRXKEY(1), 0); + wr32(hw, NGBE_IPSRXKEY(2), 0); + wr32(hw, NGBE_IPSRXKEY(3), 0); + wr32(hw, NGBE_IPSRXSALT, 0); + wr32(hw, NGBE_IPSRXMODE, 0); + wr32w(hw, NGBE_IPSRXIDX, reg_val, NGBE_IPSRXIDX_WRITE, 1000); + priv->rx_sa_tbl[sa_index].used = 0; + + /* If last used then clear the IP table entry*/ + priv->rx_ip_tbl[ip_index].ref_count--; + if (priv->rx_ip_tbl[ip_index].ref_count == 0) { + reg_val = NGBE_IPSRXIDX_WRITE | NGBE_IPSRXIDX_TB_IP | + (ip_index << 3); + wr32(hw, NGBE_IPSRXADDR(0), 0); + wr32(hw, NGBE_IPSRXADDR(1), 0); + wr32(hw, NGBE_IPSRXADDR(2), 0); + wr32(hw, NGBE_IPSRXADDR(3), 0); + } + } else { /* session->dir == RTE_CRYPTO_OUTBOUND */ + int i; + + /* Find a match in the SA table*/ + for (i = 0; i < IPSEC_MAX_SA_COUNT; i++) { + if (priv->tx_sa_tbl[i].spi == + rte_cpu_to_be_32(ic_session->spi)) { + sa_index = i; + break; + } + } + /* Fail if no match entries*/ + if (sa_index < 0) { + PMD_DRV_LOG(ERR, + "Entry not found in the Tx SA table\n"); + return -1; + } + reg_val = NGBE_IPSRXIDX_WRITE | (sa_index << 3); + wr32(hw, NGBE_IPSTXKEY(0), 0); + wr32(hw, NGBE_IPSTXKEY(1), 0); + wr32(hw, NGBE_IPSTXKEY(2), 0); + wr32(hw, NGBE_IPSTXKEY(3), 0); + wr32(hw, NGBE_IPSTXSALT, 0); + wr32w(hw, NGBE_IPSTXIDX, reg_val, NGBE_IPSTXIDX_WRITE, 1000); + + priv->tx_sa_tbl[sa_index].used = 0; + } + + return 0; +} + +static int +ngbe_crypto_create_session(void *device, + struct rte_security_session_conf *conf, + struct rte_security_session *session, + struct rte_mempool *mempool) +{ + struct rte_eth_dev *eth_dev = (struct rte_eth_dev *)device; + struct ngbe_crypto_session *ic_session = NULL; + struct rte_crypto_aead_xform *aead_xform; + struct rte_eth_conf *dev_conf = ð_dev->data->dev_conf; + + if (rte_mempool_get(mempool, (void **)&ic_session)) { + PMD_DRV_LOG(ERR, "Cannot get object from ic_session mempool"); + return -ENOMEM; + } + + if (conf->crypto_xform->type != RTE_CRYPTO_SYM_XFORM_AEAD || + conf->crypto_xform->aead.algo != + RTE_CRYPTO_AEAD_AES_GCM) { + PMD_DRV_LOG(ERR, "Unsupported crypto transformation mode\n"); + rte_mempool_put(mempool, (void *)ic_session); + return -ENOTSUP; + } + aead_xform = &conf->crypto_xform->aead; + + if (conf->ipsec.direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS) { + if (dev_conf->rxmode.offloads & DEV_RX_OFFLOAD_SECURITY) { + ic_session->op = NGBE_OP_AUTHENTICATED_DECRYPTION; + } else { + PMD_DRV_LOG(ERR, "IPsec decryption not enabled\n"); + rte_mempool_put(mempool, (void *)ic_session); + return -ENOTSUP; + } + } else { + if (dev_conf->txmode.offloads & DEV_TX_OFFLOAD_SECURITY) { + ic_session->op = NGBE_OP_AUTHENTICATED_ENCRYPTION; + } else { + PMD_DRV_LOG(ERR, "IPsec encryption not enabled\n"); + rte_mempool_put(mempool, (void *)ic_session); + return -ENOTSUP; + } + } + + ic_session->key = aead_xform->key.data; + ic_session->key_len = aead_xform->key.length; + memcpy(&ic_session->salt, + &aead_xform->key.data[aead_xform->key.length], 4); + ic_session->spi = conf->ipsec.spi; + ic_session->dev = eth_dev; + + set_sec_session_private_data(session, ic_session); + + if (ic_session->op == NGBE_OP_AUTHENTICATED_ENCRYPTION) { + if (ngbe_crypto_add_sa(ic_session)) { + PMD_DRV_LOG(ERR, "Failed to add SA\n"); + rte_mempool_put(mempool, (void *)ic_session); + return -EPERM; + } + } + + return 0; +} + +static int +ngbe_crypto_remove_session(void *device, + struct rte_security_session *session) +{ + struct rte_eth_dev *eth_dev = device; + struct ngbe_crypto_session *ic_session = + (struct ngbe_crypto_session *) + get_sec_session_private_data(session); + struct rte_mempool *mempool = rte_mempool_from_obj(ic_session); + + if (eth_dev != ic_session->dev) { + PMD_DRV_LOG(ERR, "Session not bound to this device\n"); + return -ENODEV; + } + + if (ngbe_crypto_remove_sa(eth_dev, ic_session)) { + PMD_DRV_LOG(ERR, "Failed to remove session\n"); + return -EFAULT; + } + + rte_mempool_put(mempool, (void *)ic_session); + + return 0; +} static const struct rte_security_capability * ngbe_crypto_capabilities_get(void *device __rte_unused) @@ -137,6 +512,8 @@ ngbe_crypto_capabilities_get(void *device __rte_unused) } static struct rte_security_ops ngbe_security_ops = { + .session_create = ngbe_crypto_create_session, + .session_destroy = ngbe_crypto_remove_session, .capabilities_get = ngbe_crypto_capabilities_get }; diff --git a/drivers/net/ngbe/ngbe_ipsec.h b/drivers/net/ngbe/ngbe_ipsec.h new file mode 100644 index 0000000000..8442bb2157 --- /dev/null +++ b/drivers/net/ngbe/ngbe_ipsec.h @@ -0,0 +1,78 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright(c) 2018-2021 Beijing WangXun Technology Co., Ltd. + * Copyright(c) 2010-2017 Intel Corporation + */ + +#ifndef NGBE_IPSEC_H_ +#define NGBE_IPSEC_H_ + +#include +#include +#include + +#define IPSRXMOD_VALID 0x00000001 +#define IPSRXMOD_PROTO 0x00000004 +#define IPSRXMOD_DECRYPT 0x00000008 +#define IPSRXMOD_IPV6 0x00000010 + +#define IPSEC_MAX_RX_IP_COUNT 16 +#define IPSEC_MAX_SA_COUNT 16 + +enum ngbe_operation { + NGBE_OP_AUTHENTICATED_ENCRYPTION, + NGBE_OP_AUTHENTICATED_DECRYPTION +}; + +/** + * Generic IP address structure + * TODO: Find better location for this rte_net.h possibly. + **/ +struct ipaddr { + enum ipaddr_type { + IPv4, + IPv6 + } type; + /**< IP Address Type - IPv4/IPv6 */ + + union { + uint32_t ipv4; + uint32_t ipv6[4]; + }; +}; + +/** inline crypto private session structure */ +struct ngbe_crypto_session { + enum ngbe_operation op; + const uint8_t *key; + uint32_t key_len; + uint32_t salt; + uint32_t sa_index; + uint32_t spi; + struct ipaddr src_ip; + struct ipaddr dst_ip; + struct rte_eth_dev *dev; +} __rte_cache_aligned; + +struct ngbe_crypto_rx_ip_table { + struct ipaddr ip; + uint16_t ref_count; +}; +struct ngbe_crypto_rx_sa_table { + uint32_t spi; + uint32_t ip_index; + uint8_t mode; + uint8_t used; +}; + +struct ngbe_crypto_tx_sa_table { + uint32_t spi; + uint8_t used; +}; + +struct ngbe_ipsec { + struct ngbe_crypto_rx_ip_table rx_ip_tbl[IPSEC_MAX_RX_IP_COUNT]; + struct ngbe_crypto_rx_sa_table rx_sa_tbl[IPSEC_MAX_SA_COUNT]; + struct ngbe_crypto_tx_sa_table tx_sa_tbl[IPSEC_MAX_SA_COUNT]; +}; + +#endif /*NGBE_IPSEC_H_*/ -- 2.21.0.windows.1