1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
92 		struct nfp_ipsec_aesgcm { /* AES-GCM-ESP fields */
135 	unsigned int offset = nn->tlv_caps.mbox_off + NFP_NET_CFG_MBOX_SIMPLE_VAL;  in nfp_net_ipsec_cfg()
136 	struct nfp_ipsec_cfg_mssg *msg = (struct nfp_ipsec_cfg_mssg *)entry->msg;  in nfp_net_ipsec_cfg()
143 	msg_size = ARRAY_SIZE(msg->raw);  in nfp_net_ipsec_cfg()
145 		nn_writel(nn, offset + 4 * i, msg->raw[i]);  in nfp_net_ipsec_cfg()
147 	ret = nfp_net_mbox_reconfig(nn, entry->cmd);  in nfp_net_ipsec_cfg()
155 		msg->raw[i] = nn_readl(nn, offset + 4 * i);  in nfp_net_ipsec_cfg()
159 	switch (msg->rsp) {  in nfp_net_ipsec_cfg()
163 		return -EINVAL;  in nfp_net_ipsec_cfg()
165 		return -EEXIST;  in nfp_net_ipsec_cfg()
169 		return -EIO;  in nfp_net_ipsec_cfg()
171 		return -EINVAL;  in nfp_net_ipsec_cfg()
175 static int set_aes_keylen(struct nfp_ipsec_cfg_add_sa *cfg, int alg, int keylen)  in set_aes_keylen()  argument
181 		cfg->ctrl_word.cipher = aes_gmac ? NFP_IPSEC_CIPHER_AES128_NULL :  in set_aes_keylen()
185 		cfg->ctrl_word.cipher = aes_gmac ? NFP_IPSEC_CIPHER_AES192_NULL :  in set_aes_keylen()
189 		cfg->ctrl_word.cipher = aes_gmac ? NFP_IPSEC_CIPHER_AES256_NULL :  in set_aes_keylen()
193 		return -EINVAL;  in set_aes_keylen()
199 static void set_md5hmac(struct nfp_ipsec_cfg_add_sa *cfg, int *trunc_len)  in set_md5hmac()  argument
203 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_MD5_96;  in set_md5hmac()
206 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_MD5_128;  in set_md5hmac()
213 static void set_sha1hmac(struct nfp_ipsec_cfg_add_sa *cfg, int *trunc_len)  in set_sha1hmac()  argument
217 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA1_96;  in set_sha1hmac()
220 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA1_80;  in set_sha1hmac()
227 static void set_sha2_256hmac(struct nfp_ipsec_cfg_add_sa *cfg, int *trunc_len)  in set_sha2_256hmac()  argument
231 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA256_96;  in set_sha2_256hmac()
234 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA256_128;  in set_sha2_256hmac()
241 static void set_sha2_384hmac(struct nfp_ipsec_cfg_add_sa *cfg, int *trunc_len)  in set_sha2_384hmac()  argument
245 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA384_96;  in set_sha2_384hmac()
248 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA384_192;  in set_sha2_384hmac()
255 static void set_sha2_512hmac(struct nfp_ipsec_cfg_add_sa *cfg, int *trunc_len)  in set_sha2_512hmac()  argument
259 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA512_96;  in set_sha2_512hmac()
262 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_SHA512_256;  in set_sha2_512hmac()
272 	struct net_device *netdev = x->xso.real_dev;  in nfp_net_xfrm_add_state()
275 	struct nfp_ipsec_cfg_add_sa *cfg;  in nfp_net_xfrm_add_state()  local
280 	cfg = &msg.cfg_add_sa;  in nfp_net_xfrm_add_state()
283 	switch (x->props.mode) {  in nfp_net_xfrm_add_state()
285 		cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TUNNEL;  in nfp_net_xfrm_add_state()
288 		cfg->ctrl_word.mode = NFP_IPSEC_PROTMODE_TRANSPORT;  in nfp_net_xfrm_add_state()
292 		return -EINVAL;  in nfp_net_xfrm_add_state()
295 	switch (x->id.proto) {  in nfp_net_xfrm_add_state()
297 		cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_ESP;  in nfp_net_xfrm_add_state()
300 		cfg->ctrl_word.proto = NFP_IPSEC_PROTOCOL_AH;  in nfp_net_xfrm_add_state()
304 		return -EINVAL;  in nfp_net_xfrm_add_state()
307 	if (x->props.flags & XFRM_STATE_ESN) {  in nfp_net_xfrm_add_state()
309 		return -EINVAL;  in nfp_net_xfrm_add_state()
312 	if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {  in nfp_net_xfrm_add_state()
314 		return -EINVAL;  in nfp_net_xfrm_add_state()
317 	cfg->spi = ntohl(x->id.spi);  in nfp_net_xfrm_add_state()
320 	if (x->aalg)  in nfp_net_xfrm_add_state()
321 		trunc_len = x->aalg->alg_trunc_len;  in nfp_net_xfrm_add_state()
325 	switch (x->props.aalgo) {  in nfp_net_xfrm_add_state()
327 		if (x->aead) {  in nfp_net_xfrm_add_state()
328 			trunc_len = -1;  in nfp_net_xfrm_add_state()
331 			return -EINVAL;  in nfp_net_xfrm_add_state()
335 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_NONE;  in nfp_net_xfrm_add_state()
336 		trunc_len = -1;  in nfp_net_xfrm_add_state()
339 		if (nn->pdev->device == PCI_DEVICE_ID_NFP3800) {  in nfp_net_xfrm_add_state()
341 			return -EINVAL;  in nfp_net_xfrm_add_state()
343 		set_md5hmac(cfg, &trunc_len);  in nfp_net_xfrm_add_state()
346 		set_sha1hmac(cfg, &trunc_len);  in nfp_net_xfrm_add_state()
349 		set_sha2_256hmac(cfg, &trunc_len);  in nfp_net_xfrm_add_state()
352 		set_sha2_384hmac(cfg, &trunc_len);  in nfp_net_xfrm_add_state()
355 		set_sha2_512hmac(cfg, &trunc_len);  in nfp_net_xfrm_add_state()
359 		return -EINVAL;  in nfp_net_xfrm_add_state()
364 		return -EINVAL;  in nfp_net_xfrm_add_state()
367 	if (x->aalg) {  in nfp_net_xfrm_add_state()
368 		key_len = DIV_ROUND_UP(x->aalg->alg_key_len, BITS_PER_BYTE);  in nfp_net_xfrm_add_state()
369 		if (key_len > sizeof(cfg->auth_key)) {  in nfp_net_xfrm_add_state()
370 			NL_SET_ERR_MSG_MOD(extack, "Insufficient space for offloaded auth key");  in nfp_net_xfrm_add_state()
371 			return -EINVAL;  in nfp_net_xfrm_add_state()
373 		for (i = 0; i < key_len / sizeof(cfg->auth_key[0]) ; i++)  in nfp_net_xfrm_add_state()
374 			cfg->auth_key[i] = get_unaligned_be32(x->aalg->alg_key +  in nfp_net_xfrm_add_state()
375 							      sizeof(cfg->auth_key[0]) * i);  in nfp_net_xfrm_add_state()
379 	switch (x->props.ealgo) {  in nfp_net_xfrm_add_state()
385 		if (x->aead && !strcmp(x->aead->alg_name, "rfc7539esp(chacha20,poly1305)")) {  in nfp_net_xfrm_add_state()
386 			if (nn->pdev->device != PCI_DEVICE_ID_NFP3800) {  in nfp_net_xfrm_add_state()
389 				return -EINVAL;  in nfp_net_xfrm_add_state()
391 			if (x->aead->alg_icv_len != 128) {  in nfp_net_xfrm_add_state()
394 				return -EINVAL;  in nfp_net_xfrm_add_state()
397 			/* Aead->alg_key_len includes 32-bit salt */  in nfp_net_xfrm_add_state()
398 			if (x->aead->alg_key_len - 32 != 256) {  in nfp_net_xfrm_add_state()
400 				return -EINVAL;  in nfp_net_xfrm_add_state()
404 			cfg->ctrl_word.hash = NFP_IPSEC_HASH_POLY1305_128;  in nfp_net_xfrm_add_state()
405 			cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_CHACHA20;  in nfp_net_xfrm_add_state()
410 		cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;  in nfp_net_xfrm_add_state()
411 		cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_NULL;  in nfp_net_xfrm_add_state()
414 		if (nn->pdev->device == PCI_DEVICE_ID_NFP3800) {  in nfp_net_xfrm_add_state()
416 			return -EINVAL;  in nfp_net_xfrm_add_state()
418 		cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;  in nfp_net_xfrm_add_state()
419 		cfg->ctrl_word.cipher = NFP_IPSEC_CIPHER_3DES;  in nfp_net_xfrm_add_state()
423 		if (!x->aead) {  in nfp_net_xfrm_add_state()
425 			return -EINVAL;  in nfp_net_xfrm_add_state()
428 		if (x->aead->alg_icv_len != 128) {  in nfp_net_xfrm_add_state()
430 			return -EINVAL;  in nfp_net_xfrm_add_state()
432 		cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CTR;  in nfp_net_xfrm_add_state()
433 		cfg->ctrl_word.hash = NFP_IPSEC_HASH_GF128_128;  in nfp_net_xfrm_add_state()
435 		/* Aead->alg_key_len includes 32-bit salt */  in nfp_net_xfrm_add_state()
436 		if (set_aes_keylen(cfg, x->props.ealgo, x->aead->alg_key_len - 32)) {  in nfp_net_xfrm_add_state()
438 			return -EINVAL;  in nfp_net_xfrm_add_state()
442 		cfg->ctrl_word.cimode = NFP_IPSEC_CIMODE_CBC;  in nfp_net_xfrm_add_state()
443 		if (!x->ealg) {  in nfp_net_xfrm_add_state()
445 			return -EINVAL;  in nfp_net_xfrm_add_state()
447 		if (set_aes_keylen(cfg, x->props.ealgo, x->ealg->alg_key_len) < 0) {  in nfp_net_xfrm_add_state()
449 			return -EINVAL;  in nfp_net_xfrm_add_state()
454 		return -EINVAL;  in nfp_net_xfrm_add_state()
457 	if (x->aead) {  in nfp_net_xfrm_add_state()
461 		key_len = DIV_ROUND_UP(x->aead->alg_key_len, BITS_PER_BYTE);  in nfp_net_xfrm_add_state()
462 		key_len -= salt_len;  in nfp_net_xfrm_add_state()
464 		if (key_len > sizeof(cfg->ciph_key)) {  in nfp_net_xfrm_add_state()
465 			NL_SET_ERR_MSG_MOD(extack, "aead: Insufficient space for offloaded key");  in nfp_net_xfrm_add_state()
466 			return -EINVAL;  in nfp_net_xfrm_add_state()
473 		if (!strcmp(x->aead->alg_name, "rfc7539esp(chacha20,poly1305)"))  in nfp_net_xfrm_add_state()
474 			key_offset = key_len / sizeof(cfg->ciph_key[0]) >> 1;  in nfp_net_xfrm_add_state()
476 		for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]); i++) {  in nfp_net_xfrm_add_state()
477 			int index = (i + key_offset) % (key_len / sizeof(cfg->ciph_key[0]));  in nfp_net_xfrm_add_state()
479 			cfg->ciph_key[index] = get_unaligned_be32(x->aead->alg_key +  in nfp_net_xfrm_add_state()
480 								  sizeof(cfg->ciph_key[0]) * i);  in nfp_net_xfrm_add_state()
484 		cfg->aesgcm_fields.salt = get_unaligned_be32(x->aead->alg_key + key_len);  in nfp_net_xfrm_add_state()
487 	if (x->ealg) {  in nfp_net_xfrm_add_state()
488 		key_len = DIV_ROUND_UP(x->ealg->alg_key_len, BITS_PER_BYTE);  in nfp_net_xfrm_add_state()
490 		if (key_len > sizeof(cfg->ciph_key)) {  in nfp_net_xfrm_add_state()
491 			NL_SET_ERR_MSG_MOD(extack, "ealg: Insufficient space for offloaded key");  in nfp_net_xfrm_add_state()
492 			return -EINVAL;  in nfp_net_xfrm_add_state()
494 		for (i = 0; i < key_len / sizeof(cfg->ciph_key[0]) ; i++)  in nfp_net_xfrm_add_state()
495 			cfg->ciph_key[i] = get_unaligned_be32(x->ealg->alg_key +  in nfp_net_xfrm_add_state()
496 							      sizeof(cfg->ciph_key[0]) * i);  in nfp_net_xfrm_add_state()
500 	switch (x->props.family) {  in nfp_net_xfrm_add_state()
502 		cfg->ipv6 = 0;  in nfp_net_xfrm_add_state()
503 		cfg->src_ip[0] = ntohl(x->props.saddr.a4);  in nfp_net_xfrm_add_state()
504 		cfg->dst_ip[0] = ntohl(x->id.daddr.a4);  in nfp_net_xfrm_add_state()
507 		cfg->ipv6 = 1;  in nfp_net_xfrm_add_state()
509 			cfg->src_ip[i] = ntohl(x->props.saddr.a6[i]);  in nfp_net_xfrm_add_state()
510 			cfg->dst_ip[i] = ntohl(x->id.daddr.a6[i]);  in nfp_net_xfrm_add_state()
515 		return -EINVAL;  in nfp_net_xfrm_add_state()
519 	cfg->pmtu_limit = 0xffff;  in nfp_net_xfrm_add_state()
520 	cfg->ctrl_word.encap_dsbl = 1;  in nfp_net_xfrm_add_state()
523 	cfg->ctrl_word.dir = x->xso.dir;  in nfp_net_xfrm_add_state()
526 	err = xa_alloc(&nn->xa_ipsec, &saidx, x,  in nfp_net_xfrm_add_state()
527 		       XA_LIMIT(0, NFP_NET_IPSEC_MAX_SA_CNT - 1), GFP_KERNEL);  in nfp_net_xfrm_add_state()
539 		xa_erase(&nn->xa_ipsec, saidx);  in nfp_net_xfrm_add_state()
545 	x->xso.offload_handle = saidx + 1;  in nfp_net_xfrm_add_state()
553 		.sa_idx = x->xso.offload_handle - 1,  in nfp_net_xfrm_del_state()
555 	struct net_device *netdev = x->xso.real_dev;  in nfp_net_xfrm_del_state()
565 	xa_erase(&nn->xa_ipsec, x->xso.offload_handle - 1);  in nfp_net_xfrm_del_state()
570 	if (x->props.family == AF_INET)  in nfp_net_ipsec_offload_ok()
572 		return ip_hdr(skb)->ihl == 5;  in nfp_net_ipsec_offload_ok()
575 	return !(ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr));  in nfp_net_ipsec_offload_ok()
586 	if (!(nn->cap_w1 & NFP_NET_CFG_CTRL_IPSEC))  in nfp_net_ipsec_init()
589 	xa_init_flags(&nn->xa_ipsec, XA_FLAGS_ALLOC);  in nfp_net_ipsec_init()
590 	nn->dp.netdev->xfrmdev_ops = &nfp_net_ipsec_xfrmdev_ops;  in nfp_net_ipsec_init()
595 	if (!(nn->cap_w1 & NFP_NET_CFG_CTRL_IPSEC))  in nfp_net_ipsec_clean()
598 	WARN_ON(!xa_empty(&nn->xa_ipsec));  in nfp_net_ipsec_clean()
599 	xa_destroy(&nn->xa_ipsec);  in nfp_net_ipsec_clean()
612 	offload_info->seq_hi = xo->seq.hi;  in nfp_net_ipsec_tx_prep()
613 	offload_info->seq_low = xo->seq.low;  in nfp_net_ipsec_tx_prep()
614 	offload_info->handle = x->xso.offload_handle;  in nfp_net_ipsec_tx_prep()
621 	struct net_device *netdev = skb->dev;  in nfp_net_ipsec_rx()
630 	saidx = meta->ipsec_saidx - 1;  in nfp_net_ipsec_rx()
632 		return -EINVAL;  in nfp_net_ipsec_rx()
636 		return -ENOMEM;  in nfp_net_ipsec_rx()
638 	xa_lock(&nn->xa_ipsec);  in nfp_net_ipsec_rx()
639 	x = xa_load(&nn->xa_ipsec, saidx);  in nfp_net_ipsec_rx()
640 	xa_unlock(&nn->xa_ipsec);  in nfp_net_ipsec_rx()
642 		return -EINVAL;  in nfp_net_ipsec_rx()
645 	sp->xvec[sp->len++] = x;  in nfp_net_ipsec_rx()
646 	sp->olen++;  in nfp_net_ipsec_rx()
648 	xo->flags = CRYPTO_DONE;  in nfp_net_ipsec_rx()
649 	xo->status = CRYPTO_SUCCESS;  in nfp_net_ipsec_rx()