search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
staging: rtl8188eu: rename HalSetBrateCfg() - style
[linux/fpc-iii.git] / drivers / net / ethernet / intel / ixgbe / ixgbe_ipsec.c
blobda4322e4daed5de4fb44f06d8cdb488bc41f6432
1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2017 Oracle and/or its affiliates. All rights reserved. */
3
4 #include "ixgbe.h"
5 #include <net/xfrm.h>
6 #include <crypto/aead.h>
7
8 /**
9 * ixgbe_ipsec_set_tx_sa - set the Tx SA registers
10 * @hw: hw specific details
11 * @idx: register index to write
12 * @key: key byte array
13 * @salt: salt bytes
14 **/
15 static void ixgbe_ipsec_set_tx_sa(struct ixgbe_hw *hw, u16 idx,
16 u32 key[], u32 salt)
17 {
18 u32 reg;
19 int i;
20
21 for (i = 0; i < 4; i++)
22 IXGBE_WRITE_REG(hw, IXGBE_IPSTXKEY(i),
23 (__force u32)cpu_to_be32(key[3 - i]));
24 IXGBE_WRITE_REG(hw, IXGBE_IPSTXSALT, (__force u32)cpu_to_be32(salt));
25 IXGBE_WRITE_FLUSH(hw);
26
27 reg = IXGBE_READ_REG(hw, IXGBE_IPSTXIDX);
28 reg &= IXGBE_RXTXIDX_IPS_EN;
29 reg |= idx << IXGBE_RXTXIDX_IDX_SHIFT | IXGBE_RXTXIDX_WRITE;
30 IXGBE_WRITE_REG(hw, IXGBE_IPSTXIDX, reg);
31 IXGBE_WRITE_FLUSH(hw);
32 }
33
34 /**
35 * ixgbe_ipsec_set_rx_item - set an Rx table item
36 * @hw: hw specific details
37 * @idx: register index to write
38 * @tbl: table selector
39 *
40 * Trigger the device to store into a particular Rx table the
41 * data that has already been loaded into the input register
42 **/
43 static void ixgbe_ipsec_set_rx_item(struct ixgbe_hw *hw, u16 idx,
44 enum ixgbe_ipsec_tbl_sel tbl)
45 {
46 u32 reg;
47
48 reg = IXGBE_READ_REG(hw, IXGBE_IPSRXIDX);
49 reg &= IXGBE_RXTXIDX_IPS_EN;
50 reg |= tbl << IXGBE_RXIDX_TBL_SHIFT |
51 idx << IXGBE_RXTXIDX_IDX_SHIFT |
52 IXGBE_RXTXIDX_WRITE;
53 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIDX, reg);
54 IXGBE_WRITE_FLUSH(hw);
55 }
56
57 /**
58 * ixgbe_ipsec_set_rx_sa - set up the register bits to save SA info
59 * @hw: hw specific details
60 * @idx: register index to write
61 * @spi: security parameter index
62 * @key: key byte array
63 * @salt: salt bytes
64 * @mode: rx decrypt control bits
65 * @ip_idx: index into IP table for related IP address
66 **/
67 static void ixgbe_ipsec_set_rx_sa(struct ixgbe_hw *hw, u16 idx, __be32 spi,
68 u32 key[], u32 salt, u32 mode, u32 ip_idx)
69 {
70 int i;
71
72 /* store the SPI (in bigendian) and IPidx */
73 IXGBE_WRITE_REG(hw, IXGBE_IPSRXSPI,
74 (__force u32)cpu_to_le32((__force u32)spi));
75 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIPIDX, ip_idx);
76 IXGBE_WRITE_FLUSH(hw);
77
78 ixgbe_ipsec_set_rx_item(hw, idx, ips_rx_spi_tbl);
79
80 /* store the key, salt, and mode */
81 for (i = 0; i < 4; i++)
82 IXGBE_WRITE_REG(hw, IXGBE_IPSRXKEY(i),
83 (__force u32)cpu_to_be32(key[3 - i]));
84 IXGBE_WRITE_REG(hw, IXGBE_IPSRXSALT, (__force u32)cpu_to_be32(salt));
85 IXGBE_WRITE_REG(hw, IXGBE_IPSRXMOD, mode);
86 IXGBE_WRITE_FLUSH(hw);
87
88 ixgbe_ipsec_set_rx_item(hw, idx, ips_rx_key_tbl);
89 }
90
91 /**
92 * ixgbe_ipsec_set_rx_ip - set up the register bits to save SA IP addr info
93 * @hw: hw specific details
94 * @idx: register index to write
95 * @addr: IP address byte array
96 **/
97 static void ixgbe_ipsec_set_rx_ip(struct ixgbe_hw *hw, u16 idx, __be32 addr[])
98 {
99 int i;
100
101 /* store the ip address */
102 for (i = 0; i < 4; i++)
103 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIPADDR(i),
104 (__force u32)cpu_to_le32((__force u32)addr[i]));
105 IXGBE_WRITE_FLUSH(hw);
106
107 ixgbe_ipsec_set_rx_item(hw, idx, ips_rx_ip_tbl);
108 }
109
110 /**
111 * ixgbe_ipsec_clear_hw_tables - because some tables don't get cleared on reset
112 * @adapter: board private structure
113 **/
114 static void ixgbe_ipsec_clear_hw_tables(struct ixgbe_adapter *adapter)
115 {
116 struct ixgbe_ipsec *ipsec = adapter->ipsec;
117 struct ixgbe_hw *hw = &adapter->hw;
118 u32 buf[4] = {0, 0, 0, 0};
119 u16 idx;
120
121 /* disable Rx and Tx SA lookup */
122 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIDX, 0);
123 IXGBE_WRITE_REG(hw, IXGBE_IPSTXIDX, 0);
124
125 /* scrub the tables - split the loops for the max of the IP table */
126 for (idx = 0; idx < IXGBE_IPSEC_MAX_RX_IP_COUNT; idx++) {
127 ixgbe_ipsec_set_tx_sa(hw, idx, buf, 0);
128 ixgbe_ipsec_set_rx_sa(hw, idx, 0, buf, 0, 0, 0);
129 ixgbe_ipsec_set_rx_ip(hw, idx, (__be32 *)buf);
130 }
131 for (; idx < IXGBE_IPSEC_MAX_SA_COUNT; idx++) {
132 ixgbe_ipsec_set_tx_sa(hw, idx, buf, 0);
133 ixgbe_ipsec_set_rx_sa(hw, idx, 0, buf, 0, 0, 0);
134 }
135
136 ipsec->num_rx_sa = 0;
137 ipsec->num_tx_sa = 0;
138 }
139
140 /**
141 * ixgbe_ipsec_stop_data
142 * @adapter: board private structure
143 **/
144 static void ixgbe_ipsec_stop_data(struct ixgbe_adapter *adapter)
145 {
146 struct ixgbe_hw *hw = &adapter->hw;
147 bool link = adapter->link_up;
148 u32 t_rdy, r_rdy;
149 u32 limit;
150 u32 reg;
151
152 /* halt data paths */
153 reg = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
154 reg |= IXGBE_SECTXCTRL_TX_DIS;
155 IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, reg);
156
157 reg = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
158 reg |= IXGBE_SECRXCTRL_RX_DIS;
159 IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, reg);
160
161 /* If both Tx and Rx are ready there are no packets
162 * that we need to flush so the loopback configuration
163 * below is not necessary.
164 */
165 t_rdy = IXGBE_READ_REG(hw, IXGBE_SECTXSTAT) &
166 IXGBE_SECTXSTAT_SECTX_RDY;
167 r_rdy = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) &
168 IXGBE_SECRXSTAT_SECRX_RDY;
169 if (t_rdy && r_rdy)
170 return;
171
172 /* If the tx fifo doesn't have link, but still has data,
173 * we can't clear the tx sec block. Set the MAC loopback
174 * before block clear
175 */
176 if (!link) {
177 reg = IXGBE_READ_REG(hw, IXGBE_MACC);
178 reg |= IXGBE_MACC_FLU;
179 IXGBE_WRITE_REG(hw, IXGBE_MACC, reg);
180
181 reg = IXGBE_READ_REG(hw, IXGBE_HLREG0);
182 reg |= IXGBE_HLREG0_LPBK;
183 IXGBE_WRITE_REG(hw, IXGBE_HLREG0, reg);
184
185 IXGBE_WRITE_FLUSH(hw);
186 mdelay(3);
187 }
188
189 /* wait for the paths to empty */
190 limit = 20;
191 do {
192 mdelay(10);
193 t_rdy = IXGBE_READ_REG(hw, IXGBE_SECTXSTAT) &
194 IXGBE_SECTXSTAT_SECTX_RDY;
195 r_rdy = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) &
196 IXGBE_SECRXSTAT_SECRX_RDY;
197 } while (!(t_rdy && r_rdy) && limit--);
198
199 /* undo loopback if we played with it earlier */
200 if (!link) {
201 reg = IXGBE_READ_REG(hw, IXGBE_MACC);
202 reg &= ~IXGBE_MACC_FLU;
203 IXGBE_WRITE_REG(hw, IXGBE_MACC, reg);
204
205 reg = IXGBE_READ_REG(hw, IXGBE_HLREG0);
206 reg &= ~IXGBE_HLREG0_LPBK;
207 IXGBE_WRITE_REG(hw, IXGBE_HLREG0, reg);
208
209 IXGBE_WRITE_FLUSH(hw);
210 }
211 }
212
213 /**
214 * ixgbe_ipsec_stop_engine
215 * @adapter: board private structure
216 **/
217 static void ixgbe_ipsec_stop_engine(struct ixgbe_adapter *adapter)
218 {
219 struct ixgbe_hw *hw = &adapter->hw;
220 u32 reg;
221
222 ixgbe_ipsec_stop_data(adapter);
223
224 /* disable Rx and Tx SA lookup */
225 IXGBE_WRITE_REG(hw, IXGBE_IPSTXIDX, 0);
226 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIDX, 0);
227
228 /* disable the Rx and Tx engines and full packet store-n-forward */
229 reg = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
230 reg |= IXGBE_SECTXCTRL_SECTX_DIS;
231 reg &= ~IXGBE_SECTXCTRL_STORE_FORWARD;
232 IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, reg);
233
234 reg = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
235 reg |= IXGBE_SECRXCTRL_SECRX_DIS;
236 IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, reg);
237
238 /* restore the "tx security buffer almost full threshold" to 0x250 */
239 IXGBE_WRITE_REG(hw, IXGBE_SECTXBUFFAF, 0x250);
240
241 /* Set minimum IFG between packets back to the default 0x1 */
242 reg = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
243 reg = (reg & 0xfffffff0) | 0x1;
244 IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, reg);
245
246 /* final set for normal (no ipsec offload) processing */
247 IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, IXGBE_SECTXCTRL_SECTX_DIS);
248 IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, IXGBE_SECRXCTRL_SECRX_DIS);
249
250 IXGBE_WRITE_FLUSH(hw);
251 }
252
253 /**
254 * ixgbe_ipsec_start_engine
255 * @adapter: board private structure
256 *
257 * NOTE: this increases power consumption whether being used or not
258 **/
259 static void ixgbe_ipsec_start_engine(struct ixgbe_adapter *adapter)
260 {
261 struct ixgbe_hw *hw = &adapter->hw;
262 u32 reg;
263
264 ixgbe_ipsec_stop_data(adapter);
265
266 /* Set minimum IFG between packets to 3 */
267 reg = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
268 reg = (reg & 0xfffffff0) | 0x3;
269 IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, reg);
270
271 /* Set "tx security buffer almost full threshold" to 0x15 so that the
272 * almost full indication is generated only after buffer contains at
273 * least an entire jumbo packet.
274 */
275 reg = IXGBE_READ_REG(hw, IXGBE_SECTXBUFFAF);
276 reg = (reg & 0xfffffc00) | 0x15;
277 IXGBE_WRITE_REG(hw, IXGBE_SECTXBUFFAF, reg);
278
279 /* restart the data paths by clearing the DISABLE bits */
280 IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, 0);
281 IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, IXGBE_SECTXCTRL_STORE_FORWARD);
282
283 /* enable Rx and Tx SA lookup */
284 IXGBE_WRITE_REG(hw, IXGBE_IPSTXIDX, IXGBE_RXTXIDX_IPS_EN);
285 IXGBE_WRITE_REG(hw, IXGBE_IPSRXIDX, IXGBE_RXTXIDX_IPS_EN);
286
287 IXGBE_WRITE_FLUSH(hw);
288 }
289
290 /**
291 * ixgbe_ipsec_restore - restore the ipsec HW settings after a reset
292 * @adapter: board private structure
293 **/
294 void ixgbe_ipsec_restore(struct ixgbe_adapter *adapter)
295 {
296 struct ixgbe_ipsec *ipsec = adapter->ipsec;
297 struct ixgbe_hw *hw = &adapter->hw;
298 int i;
299
300 if (!(adapter->flags2 & IXGBE_FLAG2_IPSEC_ENABLED))
301 return;
302
303 /* clean up and restart the engine */
304 ixgbe_ipsec_stop_engine(adapter);
305 ixgbe_ipsec_clear_hw_tables(adapter);
306 ixgbe_ipsec_start_engine(adapter);
307
308 /* reload the IP addrs */
309 for (i = 0; i < IXGBE_IPSEC_MAX_RX_IP_COUNT; i++) {
310 struct rx_ip_sa *ipsa = &ipsec->ip_tbl[i];
311
312 if (ipsa->used)
313 ixgbe_ipsec_set_rx_ip(hw, i, ipsa->ipaddr);
314 }
315
316 /* reload the Rx and Tx keys */
317 for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
318 struct rx_sa *rsa = &ipsec->rx_tbl[i];
319 struct tx_sa *tsa = &ipsec->tx_tbl[i];
320
321 if (rsa->used)
322 ixgbe_ipsec_set_rx_sa(hw, i, rsa->xs->id.spi,
323 rsa->key, rsa->salt,
324 rsa->mode, rsa->iptbl_ind);
325
326 if (tsa->used)
327 ixgbe_ipsec_set_tx_sa(hw, i, tsa->key, tsa->salt);
328 }
329 }
330
331 /**
332 * ixgbe_ipsec_find_empty_idx - find the first unused security parameter index
333 * @ipsec: pointer to ipsec struct
334 * @rxtable: true if we need to look in the Rx table
335 *
336 * Returns the first unused index in either the Rx or Tx SA table
337 **/
338 static int ixgbe_ipsec_find_empty_idx(struct ixgbe_ipsec *ipsec, bool rxtable)
339 {
340 u32 i;
341
342 if (rxtable) {
343 if (ipsec->num_rx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
344 return -ENOSPC;
345
346 /* search rx sa table */
347 for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
348 if (!ipsec->rx_tbl[i].used)
349 return i;
350 }
351 } else {
352 if (ipsec->num_tx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
353 return -ENOSPC;
354
355 /* search tx sa table */
356 for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
357 if (!ipsec->tx_tbl[i].used)
358 return i;
359 }
360 }
361
362 return -ENOSPC;
363 }
364
365 /**
366 * ixgbe_ipsec_find_rx_state - find the state that matches
367 * @ipsec: pointer to ipsec struct
368 * @daddr: inbound address to match
369 * @proto: protocol to match
370 * @spi: SPI to match
371 * @ip4: true if using an ipv4 address
372 *
373 * Returns a pointer to the matching SA state information
374 **/
375 static struct xfrm_state *ixgbe_ipsec_find_rx_state(struct ixgbe_ipsec *ipsec,
376 __be32 *daddr, u8 proto,
377 __be32 spi, bool ip4)
378 {
379 struct rx_sa *rsa;
380 struct xfrm_state *ret = NULL;
381
382 rcu_read_lock();
383 hash_for_each_possible_rcu(ipsec->rx_sa_list, rsa, hlist,
384 (__force u32)spi) {
385 if (spi == rsa->xs->id.spi &&
386 ((ip4 && *daddr == rsa->xs->id.daddr.a4) ||
387 (!ip4 && !memcmp(daddr, &rsa->xs->id.daddr.a6,
388 sizeof(rsa->xs->id.daddr.a6)))) &&
389 proto == rsa->xs->id.proto) {
390 ret = rsa->xs;
391 xfrm_state_hold(ret);
392 break;
393 }
394 }
395 rcu_read_unlock();
396 return ret;
397 }
398
399 /**
400 * ixgbe_ipsec_parse_proto_keys - find the key and salt based on the protocol
401 * @xs: pointer to xfrm_state struct
402 * @mykey: pointer to key array to populate
403 * @mysalt: pointer to salt value to populate
404 *
405 * This copies the protocol keys and salt to our own data tables. The
406 * 82599 family only supports the one algorithm.
407 **/
408 static int ixgbe_ipsec_parse_proto_keys(struct xfrm_state *xs,
409 u32 *mykey, u32 *mysalt)
410 {
411 struct net_device *dev = xs->xso.dev;
412 unsigned char *key_data;
413 char *alg_name = NULL;
414 const char aes_gcm_name[] = "rfc4106(gcm(aes))";
415 int key_len;
416
417 if (!xs->aead) {
418 netdev_err(dev, "Unsupported IPsec algorithm\n");
419 return -EINVAL;
420 }
421
422 if (xs->aead->alg_icv_len != IXGBE_IPSEC_AUTH_BITS) {
423 netdev_err(dev, "IPsec offload requires %d bit authentication\n",
424 IXGBE_IPSEC_AUTH_BITS);
425 return -EINVAL;
426 }
427
428 key_data = &xs->aead->alg_key[0];
429 key_len = xs->aead->alg_key_len;
430 alg_name = xs->aead->alg_name;
431
432 if (strcmp(alg_name, aes_gcm_name)) {
433 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
434 aes_gcm_name);
435 return -EINVAL;
436 }
437
438 /* The key bytes come down in a bigendian array of bytes, so
439 * we don't need to do any byteswapping.
440 * 160 accounts for 16 byte key and 4 byte salt
441 */
442 if (key_len == 160) {
443 *mysalt = ((u32 *)key_data)[4];
444 } else if (key_len != 128) {
445 netdev_err(dev, "IPsec hw offload only supports keys up to 128 bits with a 32 bit salt\n");
446 return -EINVAL;
447 } else {
448 netdev_info(dev, "IPsec hw offload parameters missing 32 bit salt value\n");
449 *mysalt = 0;
450 }
451 memcpy(mykey, key_data, 16);
452
453 return 0;
454 }
455
456 /**
457 * ixgbe_ipsec_check_mgmt_ip - make sure there is no clash with mgmt IP filters
458 * @xs: pointer to transformer state struct
459 **/
460 static int ixgbe_ipsec_check_mgmt_ip(struct xfrm_state *xs)
461 {
462 struct net_device *dev = xs->xso.dev;
463 struct ixgbe_adapter *adapter = netdev_priv(dev);
464 struct ixgbe_hw *hw = &adapter->hw;
465 u32 mfval, manc, reg;
466 int num_filters = 4;
467 bool manc_ipv4;
468 u32 bmcipval;
469 int i, j;
470
471 #define MANC_EN_IPV4_FILTER BIT(24)
472 #define MFVAL_IPV4_FILTER_SHIFT 16
473 #define MFVAL_IPV6_FILTER_SHIFT 24
474 #define MIPAF_ARR(_m, _n) (IXGBE_MIPAF + ((_m) * 0x10) + ((_n) * 4))
475
476 #define IXGBE_BMCIP(_n) (0x5050 + ((_n) * 4))
477 #define IXGBE_BMCIPVAL 0x5060
478 #define BMCIP_V4 0x2
479 #define BMCIP_V6 0x3
480 #define BMCIP_MASK 0x3
481
482 manc = IXGBE_READ_REG(hw, IXGBE_MANC);
483 manc_ipv4 = !!(manc & MANC_EN_IPV4_FILTER);
484 mfval = IXGBE_READ_REG(hw, IXGBE_MFVAL);
485 bmcipval = IXGBE_READ_REG(hw, IXGBE_BMCIPVAL);
486
487 if (xs->props.family == AF_INET) {
488 /* are there any IPv4 filters to check? */
489 if (manc_ipv4) {
490 /* the 4 ipv4 filters are all in MIPAF(3, i) */
491 for (i = 0; i < num_filters; i++) {
492 if (!(mfval & BIT(MFVAL_IPV4_FILTER_SHIFT + i)))
493 continue;
494
495 reg = IXGBE_READ_REG(hw, MIPAF_ARR(3, i));
496 if (reg == xs->id.daddr.a4)
497 return 1;
498 }
499 }
500
501 if ((bmcipval & BMCIP_MASK) == BMCIP_V4) {
502 reg = IXGBE_READ_REG(hw, IXGBE_BMCIP(3));
503 if (reg == xs->id.daddr.a4)
504 return 1;
505 }
506
507 } else {
508 /* if there are ipv4 filters, they are in the last ipv6 slot */
509 if (manc_ipv4)
510 num_filters = 3;
511
512 for (i = 0; i < num_filters; i++) {
513 if (!(mfval & BIT(MFVAL_IPV6_FILTER_SHIFT + i)))
514 continue;
515
516 for (j = 0; j < 4; j++) {
517 reg = IXGBE_READ_REG(hw, MIPAF_ARR(i, j));
518 if (reg != xs->id.daddr.a6[j])
519 break;
520 }
521 if (j == 4) /* did we match all 4 words? */
522 return 1;
523 }
524
525 if ((bmcipval & BMCIP_MASK) == BMCIP_V6) {
526 for (j = 0; j < 4; j++) {
527 reg = IXGBE_READ_REG(hw, IXGBE_BMCIP(j));
528 if (reg != xs->id.daddr.a6[j])
529 break;
530 }
531 if (j == 4) /* did we match all 4 words? */
532 return 1;
533 }
534 }
535
536 return 0;
537 }
538
539 /**
540 * ixgbe_ipsec_add_sa - program device with a security association
541 * @xs: pointer to transformer state struct
542 **/
543 static int ixgbe_ipsec_add_sa(struct xfrm_state *xs)
544 {
545 struct net_device *dev = xs->xso.dev;
546 struct ixgbe_adapter *adapter = netdev_priv(dev);
547 struct ixgbe_ipsec *ipsec = adapter->ipsec;
548 struct ixgbe_hw *hw = &adapter->hw;
549 int checked, match, first;
550 u16 sa_idx;
551 int ret;
552 int i;
553
554 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
555 netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n",
556 xs->id.proto);
557 return -EINVAL;
558 }
559
560 if (ixgbe_ipsec_check_mgmt_ip(xs)) {
561 netdev_err(dev, "IPsec IP addr clash with mgmt filters\n");
562 return -EINVAL;
563 }
564
565 if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
566 struct rx_sa rsa;
567
568 if (xs->calg) {
569 netdev_err(dev, "Compression offload not supported\n");
570 return -EINVAL;
571 }
572
573 /* find the first unused index */
574 ret = ixgbe_ipsec_find_empty_idx(ipsec, true);
575 if (ret < 0) {
576 netdev_err(dev, "No space for SA in Rx table!\n");
577 return ret;
578 }
579 sa_idx = (u16)ret;
580
581 memset(&rsa, 0, sizeof(rsa));
582 rsa.used = true;
583 rsa.xs = xs;
584
585 if (rsa.xs->id.proto & IPPROTO_ESP)
586 rsa.decrypt = xs->ealg || xs->aead;
587
588 /* get the key and salt */
589 ret = ixgbe_ipsec_parse_proto_keys(xs, rsa.key, &rsa.salt);
590 if (ret) {
591 netdev_err(dev, "Failed to get key data for Rx SA table\n");
592 return ret;
593 }
594
595 /* get ip for rx sa table */
596 if (xs->props.family == AF_INET6)
597 memcpy(rsa.ipaddr, &xs->id.daddr.a6, 16);
598 else
599 memcpy(&rsa.ipaddr[3], &xs->id.daddr.a4, 4);
600
601 /* The HW does not have a 1:1 mapping from keys to IP addrs, so
602 * check for a matching IP addr entry in the table. If the addr
603 * already exists, use it; else find an unused slot and add the
604 * addr. If one does not exist and there are no unused table
605 * entries, fail the request.
606 */
607
608 /* Find an existing match or first not used, and stop looking
609 * after we've checked all we know we have.
610 */
611 checked = 0;
612 match = -1;
613 first = -1;
614 for (i = 0;
615 i < IXGBE_IPSEC_MAX_RX_IP_COUNT &&
616 (checked < ipsec->num_rx_sa || first < 0);
617 i++) {
618 if (ipsec->ip_tbl[i].used) {
619 if (!memcmp(ipsec->ip_tbl[i].ipaddr,
620 rsa.ipaddr, sizeof(rsa.ipaddr))) {
621 match = i;
622 break;
623 }
624 checked++;
625 } else if (first < 0) {
626 first = i; /* track the first empty seen */
627 }
628 }
629
630 if (ipsec->num_rx_sa == 0)
631 first = 0;
632
633 if (match >= 0) {
634 /* addrs are the same, we should use this one */
635 rsa.iptbl_ind = match;
636 ipsec->ip_tbl[match].ref_cnt++;
637
638 } else if (first >= 0) {
639 /* no matches, but here's an empty slot */
640 rsa.iptbl_ind = first;
641
642 memcpy(ipsec->ip_tbl[first].ipaddr,
643 rsa.ipaddr, sizeof(rsa.ipaddr));
644 ipsec->ip_tbl[first].ref_cnt = 1;
645 ipsec->ip_tbl[first].used = true;
646
647 ixgbe_ipsec_set_rx_ip(hw, rsa.iptbl_ind, rsa.ipaddr);
648
649 } else {
650 /* no match and no empty slot */
651 netdev_err(dev, "No space for SA in Rx IP SA table\n");
652 memset(&rsa, 0, sizeof(rsa));
653 return -ENOSPC;
654 }
655
656 rsa.mode = IXGBE_RXMOD_VALID;
657 if (rsa.xs->id.proto & IPPROTO_ESP)
658 rsa.mode |= IXGBE_RXMOD_PROTO_ESP;
659 if (rsa.decrypt)
660 rsa.mode |= IXGBE_RXMOD_DECRYPT;
661 if (rsa.xs->props.family == AF_INET6)
662 rsa.mode |= IXGBE_RXMOD_IPV6;
663
664 /* the preparations worked, so save the info */
665 memcpy(&ipsec->rx_tbl[sa_idx], &rsa, sizeof(rsa));
666
667 ixgbe_ipsec_set_rx_sa(hw, sa_idx, rsa.xs->id.spi, rsa.key,
668 rsa.salt, rsa.mode, rsa.iptbl_ind);
669 xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_RX_INDEX;
670
671 ipsec->num_rx_sa++;
672
673 /* hash the new entry for faster search in Rx path */
674 hash_add_rcu(ipsec->rx_sa_list, &ipsec->rx_tbl[sa_idx].hlist,
675 (__force u32)rsa.xs->id.spi);
676 } else {
677 struct tx_sa tsa;
678
679 /* find the first unused index */
680 ret = ixgbe_ipsec_find_empty_idx(ipsec, false);
681 if (ret < 0) {
682 netdev_err(dev, "No space for SA in Tx table\n");
683 return ret;
684 }
685 sa_idx = (u16)ret;
686
687 memset(&tsa, 0, sizeof(tsa));
688 tsa.used = true;
689 tsa.xs = xs;
690
691 if (xs->id.proto & IPPROTO_ESP)
692 tsa.encrypt = xs->ealg || xs->aead;
693
694 ret = ixgbe_ipsec_parse_proto_keys(xs, tsa.key, &tsa.salt);
695 if (ret) {
696 netdev_err(dev, "Failed to get key data for Tx SA table\n");
697 memset(&tsa, 0, sizeof(tsa));
698 return ret;
699 }
700
701 /* the preparations worked, so save the info */
702 memcpy(&ipsec->tx_tbl[sa_idx], &tsa, sizeof(tsa));
703
704 ixgbe_ipsec_set_tx_sa(hw, sa_idx, tsa.key, tsa.salt);
705
706 xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_TX_INDEX;
707
708 ipsec->num_tx_sa++;
709 }
710
711 /* enable the engine if not already warmed up */
712 if (!(adapter->flags2 & IXGBE_FLAG2_IPSEC_ENABLED)) {
713 ixgbe_ipsec_start_engine(adapter);
714 adapter->flags2 |= IXGBE_FLAG2_IPSEC_ENABLED;
715 }
716
717 return 0;
718 }
719
720 /**
721 * ixgbe_ipsec_del_sa - clear out this specific SA
722 * @xs: pointer to transformer state struct
723 **/
724 static void ixgbe_ipsec_del_sa(struct xfrm_state *xs)
725 {
726 struct net_device *dev = xs->xso.dev;
727 struct ixgbe_adapter *adapter = netdev_priv(dev);
728 struct ixgbe_ipsec *ipsec = adapter->ipsec;
729 struct ixgbe_hw *hw = &adapter->hw;
730 u32 zerobuf[4] = {0, 0, 0, 0};
731 u16 sa_idx;
732
733 if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
734 struct rx_sa *rsa;
735 u8 ipi;
736
737 sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
738 rsa = &ipsec->rx_tbl[sa_idx];
739
740 if (!rsa->used) {
741 netdev_err(dev, "Invalid Rx SA selected sa_idx=%d offload_handle=%lu\n",
742 sa_idx, xs->xso.offload_handle);
743 return;
744 }
745
746 ixgbe_ipsec_set_rx_sa(hw, sa_idx, 0, zerobuf, 0, 0, 0);
747 hash_del_rcu(&rsa->hlist);
748
749 /* if the IP table entry is referenced by only this SA,
750 * i.e. ref_cnt is only 1, clear the IP table entry as well
751 */
752 ipi = rsa->iptbl_ind;
753 if (ipsec->ip_tbl[ipi].ref_cnt > 0) {
754 ipsec->ip_tbl[ipi].ref_cnt--;
755
756 if (!ipsec->ip_tbl[ipi].ref_cnt) {
757 memset(&ipsec->ip_tbl[ipi], 0,
758 sizeof(struct rx_ip_sa));
759 ixgbe_ipsec_set_rx_ip(hw, ipi,
760 (__force __be32 *)zerobuf);
761 }
762 }
763
764 memset(rsa, 0, sizeof(struct rx_sa));
765 ipsec->num_rx_sa--;
766 } else {
767 sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
768
769 if (!ipsec->tx_tbl[sa_idx].used) {
770 netdev_err(dev, "Invalid Tx SA selected sa_idx=%d offload_handle=%lu\n",
771 sa_idx, xs->xso.offload_handle);
772 return;
773 }
774
775 ixgbe_ipsec_set_tx_sa(hw, sa_idx, zerobuf, 0);
776 memset(&ipsec->tx_tbl[sa_idx], 0, sizeof(struct tx_sa));
777 ipsec->num_tx_sa--;
778 }
779
780 /* if there are no SAs left, stop the engine to save energy */
781 if (ipsec->num_rx_sa == 0 && ipsec->num_tx_sa == 0) {
782 adapter->flags2 &= ~IXGBE_FLAG2_IPSEC_ENABLED;
783 ixgbe_ipsec_stop_engine(adapter);
784 }
785 }
786
787 /**
788 * ixgbe_ipsec_offload_ok - can this packet use the xfrm hw offload
789 * @skb: current data packet
790 * @xs: pointer to transformer state struct
791 **/
792 static bool ixgbe_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
793 {
794 if (xs->props.family == AF_INET) {
795 /* Offload with IPv4 options is not supported yet */
796 if (ip_hdr(skb)->ihl != 5)
797 return false;
798 } else {
799 /* Offload with IPv6 extension headers is not support yet */
800 if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
801 return false;
802 }
803
804 return true;
805 }
806
807 static const struct xfrmdev_ops ixgbe_xfrmdev_ops = {
808 .xdo_dev_state_add = ixgbe_ipsec_add_sa,
809 .xdo_dev_state_delete = ixgbe_ipsec_del_sa,
810 .xdo_dev_offload_ok = ixgbe_ipsec_offload_ok,
811 };
812
813 /**
814 * ixgbe_ipsec_tx - setup Tx flags for ipsec offload
815 * @tx_ring: outgoing context
816 * @first: current data packet
817 * @itd: ipsec Tx data for later use in building context descriptor
818 **/
819 int ixgbe_ipsec_tx(struct ixgbe_ring *tx_ring,
820 struct ixgbe_tx_buffer *first,
821 struct ixgbe_ipsec_tx_data *itd)
822 {
823 struct ixgbe_adapter *adapter = netdev_priv(tx_ring->netdev);
824 struct ixgbe_ipsec *ipsec = adapter->ipsec;
825 struct xfrm_state *xs;
826 struct tx_sa *tsa;
827
828 if (unlikely(!first->skb->sp->len)) {
829 netdev_err(tx_ring->netdev, "%s: no xfrm state len = %d\n",
830 __func__, first->skb->sp->len);
831 return 0;
832 }
833
834 xs = xfrm_input_state(first->skb);
835 if (unlikely(!xs)) {
836 netdev_err(tx_ring->netdev, "%s: no xfrm_input_state() xs = %p\n",
837 __func__, xs);
838 return 0;
839 }
840
841 itd->sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
842 if (unlikely(itd->sa_idx >= IXGBE_IPSEC_MAX_SA_COUNT)) {
843 netdev_err(tx_ring->netdev, "%s: bad sa_idx=%d handle=%lu\n",
844 __func__, itd->sa_idx, xs->xso.offload_handle);
845 return 0;
846 }
847
848 tsa = &ipsec->tx_tbl[itd->sa_idx];
849 if (unlikely(!tsa->used)) {
850 netdev_err(tx_ring->netdev, "%s: unused sa_idx=%d\n",
851 __func__, itd->sa_idx);
852 return 0;
853 }
854
855 first->tx_flags |= IXGBE_TX_FLAGS_IPSEC | IXGBE_TX_FLAGS_CC;
856
857 if (xs->id.proto == IPPROTO_ESP) {
858
859 itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_TYPE_ESP |
860 IXGBE_ADVTXD_TUCMD_L4T_TCP;
861 if (first->protocol == htons(ETH_P_IP))
862 itd->flags |= IXGBE_ADVTXD_TUCMD_IPV4;
863
864 /* The actual trailer length is authlen (16 bytes) plus
865 * 2 bytes for the proto and the padlen values, plus
866 * padlen bytes of padding. This ends up not the same
867 * as the static value found in xs->props.trailer_len (21).
868 *
869 * ... but if we're doing GSO, don't bother as the stack
870 * doesn't add a trailer for those.
871 */
872 if (!skb_is_gso(first->skb)) {
873 /* The "correct" way to get the auth length would be
874 * to use
875 * authlen = crypto_aead_authsize(xs->data);
876 * but since we know we only have one size to worry
877 * about * we can let the compiler use the constant
878 * and save us a few CPU cycles.
879 */
880 const int authlen = IXGBE_IPSEC_AUTH_BITS / 8;
881 struct sk_buff *skb = first->skb;
882 u8 padlen;
883 int ret;
884
885 ret = skb_copy_bits(skb, skb->len - (authlen + 2),
886 &padlen, 1);
887 if (unlikely(ret))
888 return 0;
889 itd->trailer_len = authlen + 2 + padlen;
890 }
891 }
892 if (tsa->encrypt)
893 itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_ENCRYPT_EN;
894
895 return 1;
896 }
897
898 /**
899 * ixgbe_ipsec_rx - decode ipsec bits from Rx descriptor
900 * @rx_ring: receiving ring
901 * @rx_desc: receive data descriptor
902 * @skb: current data packet
903 *
904 * Determine if there was an ipsec encapsulation noticed, and if so set up
905 * the resulting status for later in the receive stack.
906 **/
907 void ixgbe_ipsec_rx(struct ixgbe_ring *rx_ring,
908 union ixgbe_adv_rx_desc *rx_desc,
909 struct sk_buff *skb)
910 {
911 struct ixgbe_adapter *adapter = netdev_priv(rx_ring->netdev);
912 __le16 pkt_info = rx_desc->wb.lower.lo_dword.hs_rss.pkt_info;
913 __le16 ipsec_pkt_types = cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH |
914 IXGBE_RXDADV_PKTTYPE_IPSEC_ESP);
915 struct ixgbe_ipsec *ipsec = adapter->ipsec;
916 struct xfrm_offload *xo = NULL;
917 struct xfrm_state *xs = NULL;
918 struct ipv6hdr *ip6 = NULL;
919 struct iphdr *ip4 = NULL;
920 void *daddr;
921 __be32 spi;
922 u8 *c_hdr;
923 u8 proto;
924
925 /* Find the ip and crypto headers in the data.
926 * We can assume no vlan header in the way, b/c the
927 * hw won't recognize the IPsec packet and anyway the
928 * currently vlan device doesn't support xfrm offload.
929 */
930 if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV4)) {
931 ip4 = (struct iphdr *)(skb->data + ETH_HLEN);
932 daddr = &ip4->daddr;
933 c_hdr = (u8 *)ip4 + ip4->ihl * 4;
934 } else if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV6)) {
935 ip6 = (struct ipv6hdr *)(skb->data + ETH_HLEN);
936 daddr = &ip6->daddr;
937 c_hdr = (u8 *)ip6 + sizeof(struct ipv6hdr);
938 } else {
939 return;
940 }
941
942 switch (pkt_info & ipsec_pkt_types) {
943 case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH):
944 spi = ((struct ip_auth_hdr *)c_hdr)->spi;
945 proto = IPPROTO_AH;
946 break;
947 case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_ESP):
948 spi = ((struct ip_esp_hdr *)c_hdr)->spi;
949 proto = IPPROTO_ESP;
950 break;
951 default:
952 return;
953 }
954
955 xs = ixgbe_ipsec_find_rx_state(ipsec, daddr, proto, spi, !!ip4);
956 if (unlikely(!xs))
957 return;
958
959 skb->sp = secpath_dup(skb->sp);
960 if (unlikely(!skb->sp))
961 return;
962
963 skb->sp->xvec[skb->sp->len++] = xs;
964 skb->sp->olen++;
965 xo = xfrm_offload(skb);
966 xo->flags = CRYPTO_DONE;
967 xo->status = CRYPTO_SUCCESS;
968
969 adapter->rx_ipsec++;
970 }
971
972 /**
973 * ixgbe_init_ipsec_offload - initialize security registers for IPSec operation
974 * @adapter: board private structure
975 **/
976 void ixgbe_init_ipsec_offload(struct ixgbe_adapter *adapter)
977 {
978 struct ixgbe_hw *hw = &adapter->hw;
979 struct ixgbe_ipsec *ipsec;
980 u32 t_dis, r_dis;
981 size_t size;
982
983 if (hw->mac.type == ixgbe_mac_82598EB)
984 return;
985
986 /* If there is no support for either Tx or Rx offload
987 * we should not be advertising support for IPsec.
988 */
989 t_dis = IXGBE_READ_REG(hw, IXGBE_SECTXSTAT) &
990 IXGBE_SECTXSTAT_SECTX_OFF_DIS;
991 r_dis = IXGBE_READ_REG(hw, IXGBE_SECRXSTAT) &
992 IXGBE_SECRXSTAT_SECRX_OFF_DIS;
993 if (t_dis || r_dis)
994 return;
995
996 ipsec = kzalloc(sizeof(*ipsec), GFP_KERNEL);
997 if (!ipsec)
998 goto err1;
999 hash_init(ipsec->rx_sa_list);
1000
1001 size = sizeof(struct rx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
1002 ipsec->rx_tbl = kzalloc(size, GFP_KERNEL);
1003 if (!ipsec->rx_tbl)
1004 goto err2;
1005
1006 size = sizeof(struct tx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
1007 ipsec->tx_tbl = kzalloc(size, GFP_KERNEL);
1008 if (!ipsec->tx_tbl)
1009 goto err2;
1010
1011 size = sizeof(struct rx_ip_sa) * IXGBE_IPSEC_MAX_RX_IP_COUNT;
1012 ipsec->ip_tbl = kzalloc(size, GFP_KERNEL);
1013 if (!ipsec->ip_tbl)
1014 goto err2;
1015
1016 ipsec->num_rx_sa = 0;
1017 ipsec->num_tx_sa = 0;
1018
1019 adapter->ipsec = ipsec;
1020 ixgbe_ipsec_stop_engine(adapter);
1021 ixgbe_ipsec_clear_hw_tables(adapter);
1022
1023 adapter->netdev->xfrmdev_ops = &ixgbe_xfrmdev_ops;
1024
1025 return;
1026
1027 err2:
1028 kfree(ipsec->ip_tbl);
1029 kfree(ipsec->rx_tbl);
1030 kfree(ipsec->tx_tbl);
1031 kfree(ipsec);
1032 err1:
1033 netdev_err(adapter->netdev, "Unable to allocate memory for SA tables");
1034 }
1035
1036 /**
1037 * ixgbe_stop_ipsec_offload - tear down the ipsec offload
1038 * @adapter: board private structure
1039 **/
1040 void ixgbe_stop_ipsec_offload(struct ixgbe_adapter *adapter)
1041 {
1042 struct ixgbe_ipsec *ipsec = adapter->ipsec;
1043
1044 adapter->ipsec = NULL;
1045 if (ipsec) {
1046 kfree(ipsec->ip_tbl);
1047 kfree(ipsec->rx_tbl);
1048 kfree(ipsec->tx_tbl);
1049 kfree(ipsec);
1050 }
1051 }
Linux with added FPC-III support