1 /* SPDX-License-Identifier: BSD-3-Clause */
2 /* Copyright (c) 2021, Intel Corporation
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
8 * 1. Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Intel Corporation nor the names of its
16 * contributors may be used to endorse or promote products derived from
17 * this software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
33 #ifndef _VIRTCHNL_INLINE_IPSEC_H_
34 #define _VIRTCHNL_INLINE_IPSEC_H_
/* Limits and sentinel values for the inline IPsec virtchnl messages.
 * The *_NUM and *_LEN limits size fixed arrays in the structures of this
 * header, so a count or length taken from a received message has to be
 * checked against them before it is used as an index or a copy length.
 */
36 #define VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM 3 /* entries in virtchnl_ipsec_cap.cap[] */
37 #define VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM 16 /* entries in virtchnl_sym_crypto_cap.algo_cap_list[] */
38 #define VIRTCHNL_IPSEC_MAX_TX_DESC_NUM 128
39 #define VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER 2 /* entries in virtchnl_ipsec_sym_crypto_cfg.items[] */
40 #define VIRTCHNL_IPSEC_MAX_KEY_LEN 128 /* size of the u8 key_data[] buffer */
41 #define VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM 8 /* entries in virtchnl_ipsec_sa_destroy.sa_index[] */
42 #define VIRTCHNL_IPSEC_SA_DESTROY 0
/* Sentinels. NOTE(review): no user of these is visible in this header; the
 * names suggest "every VF" and "no valid request id / response value".
 */
43 #define VIRTCHNL_IPSEC_BROADCAST_VFID 0xFFFFFFFF
44 #define VIRTCHNL_IPSEC_INVALID_REQ_ID 0xFFFF
45 #define VIRTCHNL_IPSEC_INVALID_SA_CFG_RESP 0xFFFFFFFF
46 #define VIRTCHNL_IPSEC_INVALID_SP_CFG_RESP 0xFFFFFFFF
/* Crypto transform class */
49 #define VIRTCHNL_AUTH 1
50 #define VIRTCHNL_CIPHER 2
51 #define VIRTCHNL_AEAD 3
/* Algorithm identifiers. Authentication (0-14), cipher (15-18) and AEAD
 * (19-21) share one numbering space.
 * The two NULL algorithms and the legacy entries (MD5-HMAC, SHA1-HMAC,
 * 3DES-CBC) are selectable like any other value; nothing in this header
 * restricts the choice, so excluding them is a matter of SA policy.
 */
/* Hash Algorithm */
55 #define VIRTCHNL_HASH_NO_ALG 0 /* NULL algorithm: no integrity protection */
56 #define VIRTCHNL_AES_CBC_MAC 1 /* AES-CBC-MAC algorithm */
57 #define VIRTCHNL_AES_CMAC 2 /* AES CMAC algorithm */
58 #define VIRTCHNL_AES_GMAC 3 /* AES GMAC algorithm */
59 #define VIRTCHNL_AES_XCBC_MAC 4 /* AES XCBC algorithm */
60 #define VIRTCHNL_MD5_HMAC 5 /* HMAC using MD5 algorithm */
61 #define VIRTCHNL_SHA1_HMAC 6 /* HMAC using SHA-1 (160-bit digest) */
62 #define VIRTCHNL_SHA224_HMAC 7 /* HMAC using 224 bit SHA algorithm */
63 #define VIRTCHNL_SHA256_HMAC 8 /* HMAC using 256 bit SHA algorithm */
64 #define VIRTCHNL_SHA384_HMAC 9 /* HMAC using 384 bit SHA algorithm */
65 #define VIRTCHNL_SHA512_HMAC 10 /* HMAC using 512 bit SHA algorithm */
66 #define VIRTCHNL_SHA3_224_HMAC 11 /* HMAC using 224 bit SHA3 algorithm */
67 #define VIRTCHNL_SHA3_256_HMAC 12 /* HMAC using 256 bit SHA3 algorithm */
68 #define VIRTCHNL_SHA3_384_HMAC 13 /* HMAC using 384 bit SHA3 algorithm */
69 #define VIRTCHNL_SHA3_512_HMAC 14 /* HMAC using 512 bit SHA3 algorithm */
70 /* Cipher Algorithm */
71 #define VIRTCHNL_CIPHER_NO_ALG 15 /* NULL algorithm: no confidentiality */
72 #define VIRTCHNL_3DES_CBC 16 /* Triple DES algorithm in CBC mode */
73 #define VIRTCHNL_AES_CBC 17 /* AES algorithm in CBC mode */
74 #define VIRTCHNL_AES_CTR 18 /* AES algorithm in Counter mode */
/* AEAD Algorithm */
76 #define VIRTCHNL_AES_CCM 19 /* AES algorithm in CCM mode */
77 #define VIRTCHNL_AES_GCM 20 /* AES algorithm in GCM mode */
78 #define VIRTCHNL_CHACHA20_POLY1305 21 /* algorithm of ChaCha20-Poly1305 */
/* IPsec SA protocol - values for virtchnl_protocol_type */
81 #define VIRTCHNL_PROTO_ESP 1
82 #define VIRTCHNL_PROTO_AH 2
83 #define VIRTCHNL_PROTO_RSVD1 3
/* IPsec SA mode */
86 #define VIRTCHNL_SA_MODE_TRANSPORT 1
87 #define VIRTCHNL_SA_MODE_TUNNEL 2
88 #define VIRTCHNL_SA_MODE_TRAN_TUN 3
89 #define VIRTCHNL_SA_MODE_UNKNOWN 4
/* IPsec SA direction - values for virtchnl_direction */
92 #define VIRTCHNL_DIR_INGRESS 1
93 #define VIRTCHNL_DIR_EGRESS 2
94 #define VIRTCHNL_DIR_INGRESS_EGRESS 3
/* Termination mode - values for virtchnl_termination */
97 #define VIRTCHNL_TERM_SOFTWARE 1
98 #define VIRTCHNL_TERM_HARDWARE 2
/* Outer IP type */
101 #define VIRTCHNL_IPV4 1
102 #define VIRTCHNL_IPV6 2
104 /* for virtchnl_ipsec_resp */
/* Result codes for virtchnl_ipsec_resp: zero is success and every failure
 * is a distinct negative value, so a caller must test for "!= 0" (or "< 0")
 * rather than for one specific error.
 * NOTE(review): the closing brace of this enum is not part of this listing.
 */
105 enum inline_ipsec_resp {
106 INLINE_IPSEC_SUCCESS = 0,
107 INLINE_IPSEC_FAIL = -1,
108 INLINE_IPSEC_ERR_FIFO_FULL = -2,
109 INLINE_IPSEC_ERR_NOT_READY = -3,
110 INLINE_IPSEC_ERR_VF_DOWN = -4,
111 INLINE_IPSEC_ERR_INVALID_PARAMS = -5,
112 INLINE_IPSEC_ERR_NO_MEM = -6,
115 /* Detailed opcodes for DPDK and IPsec use */
/* Opcodes of the inline IPsec sub-protocol. The opcode selects which payload
 * structure follows the inline_ipsec_msg header; the expected total length
 * per opcode is computed by virtchnl_inline_ipsec_val_msg_len().
 * NOTE(review): SA_READ and EVENT have no case visible in that helper in this
 * listing, and the closing brace of this enum is not shown either.
 */
116 enum inline_ipsec_ops {
117 INLINE_IPSEC_OP_GET_CAP = 0,
118 INLINE_IPSEC_OP_GET_STATUS = 1,
119 INLINE_IPSEC_OP_SA_CREATE = 2,
120 INLINE_IPSEC_OP_SA_UPDATE = 3,
121 INLINE_IPSEC_OP_SA_DESTROY = 4,
122 INLINE_IPSEC_OP_SP_CREATE = 5,
123 INLINE_IPSEC_OP_SP_DESTROY = 6,
124 INLINE_IPSEC_OP_SA_READ = 7,
125 INLINE_IPSEC_OP_EVENT = 8,
126 INLINE_IPSEC_OP_RESP = 9,
130 /* Not every field is valid for every algorithm; a field that is invalid has all of its bits set to 1 */
131 struct virtchnl_algo_cap {
154 /* vf record the capability of crypto from the virtchnl */
155 struct virtchnl_sym_crypto_cap {
158 struct virtchnl_algo_cap algo_cap_list[VIRTCHNL_IPSEC_MAX_ALGO_CAP_NUM];
161 /* VIRTCHNL_OP_GET_IPSEC_CAP
162 * VF pass virtchnl_ipsec_cap to PF
163 * and PF return capability of ipsec from virtchnl.
/* IPsec capability report exchanged for the GET_CAP operation.
 * NOTE(review): several field declarations and the closing brace are absent
 * from this listing; a comment with no declaration under it describes one of
 * the missing fields.
 * cap[] holds at most VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM entries, so the
 * "number of supported crypto capability" count has to be bounded by that
 * limit before it is used to walk the array.
 */
165 struct virtchnl_ipsec_cap {
166 /* max number of SA per VF */
169 /* IPsec SA Protocol - value ref VIRTCHNL_PROTO_XXX */
170 u8 virtchnl_protocol_type;
172 /* IPsec SA Mode - value ref VIRTCHNL_SA_MODE_XXX */
175 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
176 u8 virtchnl_direction;
178 /* type of esn - !0:enable/0:disable */
181 /* type of udp_encap - !0:enable/0:disable */
182 u8 udp_encap_enabled;
184 /* termination mode - value ref VIRTCHNL_TERM_XXX */
187 /* SA index mode - !0:enable/0:disable */
188 u8 sa_index_sw_enabled;
190 /* auditing mode - !0:enable/0:disable */
193 /* lifetime byte limit - !0:enable/0:disable */
194 u8 byte_limit_enabled;
196 /* drop on authentication failure - !0:enable/0:disable */
197 u8 drop_on_auth_fail_enabled;
199 /* anti-replay window check - !0:enable/0:disable */
200 u8 arw_check_enabled;
202 /* number of supported crypto capability */
208 /* crypto capabilities */
209 struct virtchnl_sym_crypto_cap cap[VIRTCHNL_IPSEC_MAX_CRYPTO_CAP_NUM];
213 /* configuration of crypto function */
/* One crypto transform of an SA, including its raw symmetric key.
 * NOTE(review): the declarations of the algorithm, IV-length, digest-length
 * and key-length fields are absent from this listing.
 * key_data[] is a fixed VIRTCHNL_IPSEC_MAX_KEY_LEN buffer, so the key length
 * supplied in the message has to be checked against that limit before any
 * key bytes are read. Because the buffer holds key material, copies of this
 * structure should be wiped once the SA has been programmed.
 */
214 struct virtchnl_ipsec_crypto_cfg_item {
219 /* Length of valid IV data. */
222 /* Length of digest */
228 /* The length of the symmetric key */
231 /* key data buffer */
232 u8 key_data[VIRTCHNL_IPSEC_MAX_KEY_LEN];
236 struct virtchnl_ipsec_sym_crypto_cfg {
237 struct virtchnl_ipsec_crypto_cfg_item
238 items[VIRTCHNL_IPSEC_MAX_CRYPTO_ITEM_NUMBER];
242 /* VIRTCHNL_OP_IPSEC_SA_CREATE
243 * VF sends this SA configuration to PF using virtchnl;
244 * PF creates the SA as configured and the PF driver returns
245 * a unique index (sa_idx) for the created SA.
/* SA creation request. It embeds crypto_cfg, whose items carry raw key
 * material in key_data[], so the whole message is key-bearing.
 * NOTE(review): many field declarations and the ends of the multi-line
 * comments are absent from this listing.
 * NOTE(review): every field is supplied by the VF; the range checks implied
 * by the comments below (sa_index valid when enabled, arw_size valid when the
 * window check is enabled, byte limits valid when enabled) are not in this
 * header and are presumably done by the receiving PF handler - confirm.
 */
247 struct virtchnl_ipsec_sa_cfg {
248 /* IPsec SA Protocol - AH/ESP */
249 u8 virtchnl_protocol_type;
251 /* termination mode - value ref VIRTCHNL_TERM_XXX */
252 u8 virtchnl_termination;
254 /* type of outer IP - IPv4/IPv6 */
257 /* type of esn - !0:enable/0:disable */
260 /* udp encap - !0:enable/0:disable */
261 u8 udp_encap_enabled;
263 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
264 u8 virtchnl_direction;
269 /* SA security parameter index */
272 /* outer src ip address */
275 /* outer dst ip address */
278 /* SPD reference. Used to link an SA with its policy.
279 * PF drivers may ignore this field.
283 /* high 32 bits of esn */
286 /* low 32 bits of esn */
289 /* When enabled, sa_index must be valid */
292 /* SA index when sa_index_en is true */
295 /* auditing mode - enable/disable */
298 /* lifetime byte limit - enable/disable
299 * When enabled, byte_limit_hard and byte_limit_soft
304 /* hard byte limit count */
307 /* soft byte limit count */
310 /* drop on authentication failure - enable/disable */
311 u8 drop_on_auth_fail_en;
313 /* anti-replay window check - enable/disable
314 * When enabled, arw_size must be valid.
318 /* size of arw window, offset by 1. Setting to 0
319 * represents ARW window size of 1. Setting to 127
320 * represents ARW window size of 128
324 /* no ip offload mode - enable/disable
325 * When enabled, ip type and address must not be valid.
329 /* SA Domain. Used to logically separate an SADB into groups.
330 * PF drivers supporting a single group ignore this field.
334 /* crypto configuration */
335 struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
339 /* VIRTCHNL_OP_IPSEC_SA_UPDATE
340 * VF send configuration of index of SA to PF
341 * PF will update SA according to configuration
/* SA update request: carries the SA index and a new 64-bit ESN split into
 * two 32-bit halves.
 * NOTE(review): sa_index comes from the VF; whether the handler checks that
 * the index refers to an SA owned by that VF cannot be seen from this header.
 */
343 struct virtchnl_ipsec_sa_update {
344 u32 sa_index; /* SA to update */
345 u32 esn_hi; /* high 32 bits of esn */
346 u32 esn_low; /* low 32 bits of esn */
350 /* VIRTCHNL_OP_IPSEC_SA_DESTROY
351 * VF send configuration of index of SA to PF
352 * PF will destroy SA according to configuration
353 * flag bitmap indicate all SA or just selected SA will
/* SA destroy request: a selection bitmap plus up to
 * VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM SA indexes.
 * An all-zero bitmap means "destroy every SA", so a zero-initialised request
 * is the most destructive one; senders should set the bitmap deliberately.
 * NOTE(review): the bitmap declaration and the closing brace are absent from
 * this listing, and how bitmap bits map to sa_index[] slots is not stated.
 */
356 struct virtchnl_ipsec_sa_destroy {
357 /* All zero bitmap indicates all SA will be destroyed.
358 * Non-zero bitmap indicates the selected SA in
359 * array sa_index will be destroyed.
363 /* selected SA index */
364 u32 sa_index[VIRTCHNL_IPSEC_MAX_SA_DESTROY_NUM];
367 /* VIRTCHNL_OP_IPSEC_SA_READ
368 * VF send this SA configuration to PF using virtchnl;
369 * PF read SA and will return configuration for the created SA.
/* SA read-back record: state flags, configuration, anti-replay window state
 * and traffic / failure counters for one SA.
 * Per the comment on crypto_cfg, salt and keys are returned as zero, i.e. a
 * read is not meant to disclose key material; the authentication-failure and
 * ARW-failure counters are the fields of interest for monitoring.
 * NOTE(review): many field declarations and the ends of the multi-line
 * comments are absent from this listing.
 */
371 struct virtchnl_ipsec_sa_read {
372 /* SA valid - invalid/valid */
375 /* SA active - inactive/active */
378 /* SA SN rollover - not_rollover/rollover */
381 /* IPsec SA Protocol - AH/ESP */
382 u8 virtchnl_protocol_type;
384 /* termination mode - value ref VIRTCHNL_TERM_XXX */
385 u8 virtchnl_termination;
387 /* auditing mode - enable/disable */
390 /* lifetime byte limit - enable/disable
391 * When set to limit, byte_limit_hard and byte_limit_soft
396 /* hard byte limit count */
399 /* soft byte limit count */
402 /* drop on authentication failure - enable/disable */
403 u8 drop_on_auth_fail_en;
405 /* anti-replay window check - enable/disable
406 * When set to check, arw_size, arw_top, and arw must be valid
410 /* size of arw window, offset by 1. Setting to 0
411 * represents ARW window size of 1. Setting to 127
412 * represents ARW window size of 128
419 /* top of anti-replay-window */
422 /* anti-replay-window */
425 /* packets processed */
426 u64 packets_processed;
428 /* bytes processed */
431 /* packets dropped */
434 /* authentication failures */
437 /* ARW check failures */
440 /* type of esn - enable/disable */
443 /* IPSec SA Direction - value ref VIRTCHNL_DIR_XXX */
444 u8 virtchnl_direction;
446 /* SA security parameter index */
452 /* high 32 bits of esn */
455 /* low 32 bits of esn */
458 /* SA Domain. Used to logically separate an SADB into groups.
459 * PF drivers supporting a single group ignore this field.
463 /* SPD reference. Used to link an SA with its policy.
464 * PF drivers may ignore this field.
468 /* crypto configuration. Salt and keys are set to 0 */
469 struct virtchnl_ipsec_sym_crypto_cfg crypto_cfg;
473 /* Add whitelist entry in IES */
474 struct virtchnl_ipsec_sp_cfg {
478 /* Drop frame if true or redirect to QAT if false. */
481 /* Congestion domain. For future use. */
484 /* 0 for IPv4 table, 1 for IPv6 table. */
487 /* Set TC (congestion domain) if true. For future use. */
492 /* Delete whitelist entry in IES */
493 struct virtchnl_ipsec_sp_destroy {
494 /* 0 for IPv4 table, 1 for IPv6 table. */
500 /* Response from IES to whitelist operations */
501 struct virtchnl_ipsec_sp_cfg_resp {
505 struct virtchnl_ipsec_sa_cfg_resp {
509 #define INLINE_IPSEC_EVENT_RESET 0x1
510 #define INLINE_IPSEC_EVENT_CRYPTO_ON 0x2
511 #define INLINE_IPSEC_EVENT_CRYPTO_OFF 0x4
513 struct virtchnl_ipsec_event {
514 u32 ipsec_event_data;
517 #define INLINE_IPSEC_STATUS_AVAILABLE 0x1
518 #define INLINE_IPSEC_STATUS_UNAVAILABLE 0x2
520 struct virtchnl_ipsec_status {
524 struct virtchnl_ipsec_resp {
528 /* Internal message descriptor for VF <-> IPsec communication */
/* Message header shared by every inline IPsec operation.
 * Each payload member is declared as a zero-length array: it names the data
 * that follows the header for one opcode and adds nothing to
 * sizeof(struct inline_ipsec_msg), which is why
 * virtchnl_inline_ipsec_val_msg_len() adds the payload size separately.
 * A receiver must confirm that the received length covers the header plus
 * the payload type selected by the opcode before touching any member below.
 * NOTE(review): the header fields and any enclosing union are absent from
 * this listing, as is the closing brace.
 */
529 struct inline_ipsec_msg {
535 struct virtchnl_ipsec_sa_cfg sa_cfg[0];
536 struct virtchnl_ipsec_sp_cfg sp_cfg[0];
537 struct virtchnl_ipsec_sa_update sa_update[0];
538 struct virtchnl_ipsec_sa_destroy sa_destroy[0];
539 struct virtchnl_ipsec_sp_destroy sp_destroy[0];
542 struct virtchnl_ipsec_sa_cfg_resp sa_cfg_resp[0];
543 struct virtchnl_ipsec_sp_cfg_resp sp_cfg_resp[0];
544 struct virtchnl_ipsec_cap ipsec_cap[0];
545 struct virtchnl_ipsec_status ipsec_status[0];
546 /* response to del_sa, del_sp, update_sa */
547 struct virtchnl_ipsec_resp ipsec_resp[0];
549 /* IPsec event (no req_id is required) */
550 struct virtchnl_ipsec_event event[0];
553 struct virtchnl_ipsec_sa_read sa_read[0];
/* Compute the expected length of an inline IPsec message for an opcode:
 * sizeof(struct inline_ipsec_msg) plus the size of the payload structure
 * that belongs to that opcode. GET_CAP and GET_STATUS add no payload in the
 * visible lines.
 * NOTE(review): the switch statement, the statements between the cases, the
 * default branch and the return are absent from this listing, so the result
 * for an opcode without a case (SA_READ and EVENT have none visible) cannot
 * be determined here - confirm that it is a length the caller rejects.
 * When this value is used to validate a message, compare the received length
 * with it before any payload field is read.
 */
557 static inline u16 virtchnl_inline_ipsec_val_msg_len(u16 opcode)
559 u16 valid_len = sizeof(struct inline_ipsec_msg);
562 case INLINE_IPSEC_OP_GET_CAP:
563 case INLINE_IPSEC_OP_GET_STATUS:
565 case INLINE_IPSEC_OP_SA_CREATE:
566 valid_len += sizeof(struct virtchnl_ipsec_sa_cfg);
568 case INLINE_IPSEC_OP_SP_CREATE:
569 valid_len += sizeof(struct virtchnl_ipsec_sp_cfg);
571 case INLINE_IPSEC_OP_SA_UPDATE:
572 valid_len += sizeof(struct virtchnl_ipsec_sa_update);
574 case INLINE_IPSEC_OP_SA_DESTROY:
575 valid_len += sizeof(struct virtchnl_ipsec_sa_destroy);
577 case INLINE_IPSEC_OP_SP_DESTROY:
578 valid_len += sizeof(struct virtchnl_ipsec_sp_destroy);
580 /* Only for msg length calculation of response to VF in case of
581 * inline ipsec failure.
583 case INLINE_IPSEC_OP_RESP:
584 valid_len += sizeof(struct virtchnl_ipsec_resp);
594 #endif /* _VIRTCHNL_INLINE_IPSEC_H_ */