From patchwork Tue Sep 26 02:49:53 2023
X-Patchwork-Submitter: Chaoyong He
X-Patchwork-Id: 131903
X-Patchwork-Delegate: ferruh.yigit@amd.com
From: Chaoyong He
To: dev@dpdk.org
Cc: oss-drivers@corigine.com, Chang Miao, Shihong Wang, Chaoyong He
Subject: [PATCH v2 04/10] net/nfp: initialize IPsec related content
Date: Tue, 26 Sep 2023 10:49:53 +0800
Message-Id: <20230926024959.207098-5-chaoyong.he@corigine.com>
List-Id: DPDK patches and discussions

From: Chang Miao

If the IPsec capability bit is enabled, the driver needs to initialize IPsec. Set security context and security offload capabilities in datapath. Define private session and add SA array for each PF to save all SA data in driver. Add internal mbuf dynamic flag and field to save IPsec related data to dynamic mbuf field.

Signed-off-by: Chang Miao
Signed-off-by: Shihong Wang
Reviewed-by: Chaoyong He
---
 drivers/net/nfp/meson.build | 3 +- drivers/net/nfp/nfp_common.c | 7 ++ drivers/net/nfp/nfp_common.h | 2 + drivers/net/nfp/nfp_ctrl.h | 3 + drivers/net/nfp/nfp_ethdev.c | 15 ++++ drivers/net/nfp/nfp_ipsec.c | 131 +++++++++++++++++++++++++++ drivers/net/nfp/nfp_ipsec.h | 169 +++++++++++++++++++++++++++++++++++ drivers/net/nfp/nfp_rxtx.h | 12 +++ 8 files changed, 341 insertions(+), 1 deletion(-) create mode 100644 drivers/net/nfp/nfp_ipsec.c create mode 100644 drivers/net/nfp/nfp_ipsec.h diff --git a/drivers/net/nfp/meson.build b/drivers/net/nfp/meson.build index e78bcb8b75..3912566134 100644 --- a/drivers/net/nfp/meson.build +++ b/drivers/net/nfp/meson.build @@ -33,8 +33,9 @@ sources = files( 'nfp_ethdev_vf.c', 'nfp_ethdev.c', 'nfp_flow.c', + 'nfp_ipsec.c', 'nfp_logs.c', 'nfp_mtr.c', ) -deps += ['hash'] +deps += ['hash', 'security'] 
diff --git a/drivers/net/nfp/nfp_common.c b/drivers/net/nfp/nfp_common.c index 31dab3ae9b..5683afc40a 100644 --- a/drivers/net/nfp/nfp_common.c +++ b/drivers/net/nfp/nfp_common.c @@ -1200,6 +1200,7 @@ nfp_net_tx_desc_limits(struct nfp_net_hw *hw, int nfp_net_infos_get(struct rte_eth_dev *dev, struct rte_eth_dev_info *dev_info) { + uint32_t cap_extend; uint16_t min_rx_desc; uint16_t max_rx_desc; uint16_t min_tx_desc; @@ -1256,6 +1257,12 @@ nfp_net_infos_get(struct rte_eth_dev *dev, struct rte_eth_dev_info *dev_info) if (hw->cap & NFP_NET_CFG_CTRL_GATHER) dev_info->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_MULTI_SEGS; + cap_extend = nn_cfg_readl(hw, NFP_NET_CFG_CAP_WORD1); + if ((cap_extend & NFP_NET_CFG_CTRL_IPSEC) != 0) { + dev_info->tx_offload_capa |= RTE_ETH_TX_OFFLOAD_SECURITY; + dev_info->rx_offload_capa |= RTE_ETH_RX_OFFLOAD_SECURITY; + } + dev_info->default_rxconf = (struct rte_eth_rxconf) { .rx_thresh = { .pthresh = DEFAULT_RX_PTHRESH, diff --git a/drivers/net/nfp/nfp_common.h b/drivers/net/nfp/nfp_common.h index 64f0af94c1..b434b031cc 100644 --- a/drivers/net/nfp/nfp_common.h +++ b/drivers/net/nfp/nfp_common.h @@ -176,6 +176,8 @@ struct nfp_net_hw { uint8_t nfp_idx; struct nfp_net_tlv_caps tlv_caps; + + struct nfp_net_ipsec_data *ipsec_data; }; struct nfp_net_adapter { diff --git a/drivers/net/nfp/nfp_ctrl.h b/drivers/net/nfp/nfp_ctrl.h index d539846d02..361739a4b9 100644 --- a/drivers/net/nfp/nfp_ctrl.h +++ b/drivers/net/nfp/nfp_ctrl.h @@ -238,6 +238,9 @@ struct nfp_net_fw_ver { */ #define NFP_NET_CFG_CTRL_WORD1 0x0098 #define NFP_NET_CFG_CTRL_PKT_TYPE (0x1 << 0) +#define NFP_NET_CFG_CTRL_IPSEC (0x1 << 1) /**< IPsec offload */ +#define NFP_NET_CFG_CTRL_IPSEC_SM_LOOKUP (0x1 << 3) /**< SA short match lookup */ +#define NFP_NET_CFG_CTRL_IPSEC_LM_LOOKUP (0x1 << 4) /**< SA long match lookup */ #define NFP_NET_CFG_CAP_WORD1 0x00a4 diff --git a/drivers/net/nfp/nfp_ethdev.c b/drivers/net/nfp/nfp_ethdev.c index 7dc93f7c43..ebc5538291 100644 
--- a/drivers/net/nfp/nfp_ethdev.c +++ b/drivers/net/nfp/nfp_ethdev.c @@ -18,6 +18,7 @@ #include "nfpcore/nfp6000_pcie.h" #include "nfp_cpp_bridge.h" +#include "nfp_ipsec.h" #include "nfp_logs.h" static int @@ -140,6 +141,10 @@ nfp_net_start(struct rte_eth_dev *dev) if ((cap_extend & NFP_NET_CFG_CTRL_PKT_TYPE) != 0) ctrl_extend = NFP_NET_CFG_CTRL_PKT_TYPE; + if ((cap_extend & NFP_NET_CFG_CTRL_IPSEC) != 0) + ctrl_extend |= NFP_NET_CFG_CTRL_IPSEC_SM_LOOKUP + | NFP_NET_CFG_CTRL_IPSEC_LM_LOOKUP; + update = NFP_NET_CFG_UPDATE_GEN; if (nfp_net_ext_reconfig(hw, ctrl_extend, update) < 0) return -EIO; @@ -278,6 +283,9 @@ nfp_net_close(struct rte_eth_dev *dev) nfp_net_close_rx_queue(dev); + /* Clear ipsec */ + nfp_ipsec_uninit(dev); + /* Cancel possible impending LSC work here before releasing the port*/ rte_eal_alarm_cancel(nfp_net_dev_interrupt_delayed_handler, (void *)dev); @@ -555,6 +563,12 @@ nfp_net_init(struct rte_eth_dev *eth_dev) return err; } + err = nfp_ipsec_init(eth_dev); + if (err != 0) { + PMD_INIT_LOG(ERR, "Failed to init IPsec module"); + return err; + } + nfp_net_ethdev_ops_mount(hw, eth_dev); hw->eth_xstats_base = rte_malloc("rte_eth_xstat", sizeof(struct rte_eth_xstat) * @@ -867,6 +881,7 @@ nfp_init_app_fw_nic(struct nfp_pf_dev *pf_dev, if (app_fw_nic->ports[i] && app_fw_nic->ports[i]->eth_dev) { struct rte_eth_dev *tmp_dev; tmp_dev = app_fw_nic->ports[i]->eth_dev; + nfp_ipsec_uninit(tmp_dev); rte_eth_dev_release_port(tmp_dev); app_fw_nic->ports[i] = NULL; } diff --git a/drivers/net/nfp/nfp_ipsec.c b/drivers/net/nfp/nfp_ipsec.c new file mode 100644 index 0000000000..f16ce97703 --- /dev/null +++ b/drivers/net/nfp/nfp_ipsec.c 
@@ -0,0 +1,131 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright (c) 2023 Corigine Systems, Inc. + * All rights reserved. + */ + +#include "nfp_ipsec.h" + +#include +#include + +#include +#include + +#include "nfp_common.h" +#include "nfp_ctrl.h" +#include "nfp_logs.h" +#include "nfp_rxtx.h" + +static const struct rte_security_ops nfp_security_ops; + +static int +nfp_ipsec_ctx_create(struct rte_eth_dev *dev, + struct nfp_net_ipsec_data *data) +{ + struct rte_security_ctx *ctx; + static const struct rte_mbuf_dynfield pkt_md_dynfield = { + .name = "nfp_ipsec_crypto_pkt_metadata", + .size = sizeof(struct nfp_tx_ipsec_desc_msg), + .align = __alignof__(struct nfp_tx_ipsec_desc_msg), + }; + + ctx = rte_zmalloc("security_ctx", + sizeof(struct rte_security_ctx), 0); + if (ctx == NULL) { + PMD_INIT_LOG(ERR, "Failed to malloc security_ctx"); + return -ENOMEM; + } + + ctx->device = dev; + ctx->ops = &nfp_security_ops; + ctx->sess_cnt = 0; + dev->security_ctx = ctx; + + data->pkt_dynfield_offset = rte_mbuf_dynfield_register(&pkt_md_dynfield); + if (data->pkt_dynfield_offset < 0) { + PMD_INIT_LOG(ERR, "Failed to register mbuf esn_dynfield"); + return -ENOMEM; + } + + return 0; +} + +int +nfp_ipsec_init(struct rte_eth_dev *dev) +{ + int ret; + uint32_t cap_extend; + struct nfp_net_hw *hw; + struct nfp_net_ipsec_data *data; + + hw = NFP_NET_DEV_PRIVATE_TO_HW(dev->data->dev_private); + + cap_extend = nn_cfg_readl(hw, NFP_NET_CFG_CAP_WORD1); + if ((cap_extend & NFP_NET_CFG_CTRL_IPSEC) == 0) { + PMD_INIT_LOG(INFO, "Unsupported IPsec extend capability"); + return 0; + } + + data = rte_zmalloc("ipsec_data", sizeof(struct nfp_net_ipsec_data), 0); + if (data == NULL) { + PMD_INIT_LOG(ERR, "Failed to malloc ipsec_data"); + return -ENOMEM; + } + + data->pkt_dynfield_offset = -1; + data->sa_free_cnt = NFP_NET_IPSEC_MAX_SA_CNT; + hw->ipsec_data = data; + + ret = nfp_ipsec_ctx_create(dev, data); + if (ret != 0) { + PMD_INIT_LOG(ERR, "Failed to create IPsec ctx"); + goto 
ipsec_cleanup; + } + + return 0; + +ipsec_cleanup: + nfp_ipsec_uninit(dev); + + return ret; +} + +static void +nfp_ipsec_ctx_destroy(struct rte_eth_dev *dev) +{ + if (dev->security_ctx != NULL) + rte_free(dev->security_ctx); +} + +void +nfp_ipsec_uninit(struct rte_eth_dev *dev) +{ + uint16_t i; + uint32_t cap_extend; + struct nfp_net_hw *hw; + struct nfp_ipsec_session *priv_session; + + hw = NFP_NET_DEV_PRIVATE_TO_HW(dev->data->dev_private); + + cap_extend = nn_cfg_readl(hw, NFP_NET_CFG_CAP_WORD1); + if ((cap_extend & NFP_NET_CFG_CTRL_IPSEC) == 0) { + PMD_INIT_LOG(INFO, "Unsupported IPsec extend capability"); + return; + } + + nfp_ipsec_ctx_destroy(dev); + + if (hw->ipsec_data == NULL) { + PMD_INIT_LOG(INFO, "IPsec data is NULL!"); + return; + } + + for (i = 0; i < NFP_NET_IPSEC_MAX_SA_CNT; i++) { + priv_session = hw->ipsec_data->sa_entries[i]; + if (priv_session != NULL) + memset(priv_session, 0, sizeof(struct nfp_ipsec_session)); + } + + rte_free(hw->ipsec_data); +} + diff --git a/drivers/net/nfp/nfp_ipsec.h b/drivers/net/nfp/nfp_ipsec.h new file mode 100644 index 0000000000..531bc60c5a --- /dev/null +++ b/drivers/net/nfp/nfp_ipsec.h 
@@ -0,0 +1,169 @@ +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright (c) 2023 Corigine Systems, Inc. + * All rights reserved. + */ + +#ifndef __NFP_IPSEC_H__ +#define __NFP_IPSEC_H__ + +#include + +#define NFP_NET_IPSEC_MAX_SA_CNT (16 * 1024) + +struct ipsec_aesgcm { /**< AES-GCM-ESP fields */ + uint32_t salt; /**< Initialized with SA */ + uint32_t iv[2]; /**< Firmware use only */ + uint32_t cntrl; + uint32_t zeros[4]; /**< Init to 0 with SA */ + uint32_t len_auth[2]; /**< Firmware use only */ + uint32_t len_cipher[2]; + uint32_t spare[4]; +}; + +struct sa_ctrl_word { + uint32_t hash :4; /**< From nfp_ipsec_hash_type */ + uint32_t cimode :4; /**< From nfp_ipsec_cipher_mode */ + uint32_t cipher :4; /**< From nfp_ipsec_cipher */ + uint32_t mode :2; /**< From nfp_ipsec_mode */ + uint32_t proto :2; /**< From nfp_ipsec_prot */ + uint32_t spare :1; /**< Should be 0 */ + uint32_t ena_arw:1; /**< Anti-Replay Window */ + uint32_t ext_seq:1; /**< 64-bit Sequence Num */ + uint32_t ext_arw:1; /**< 64b Anti-Replay Window */ + uint32_t spare1 :9; /**< Must be set to 0 */ + uint32_t encap_dsbl:1; /**< Encap/decap disable */ + uint32_t gen_seq:1; /**< Firmware Generate Seq #'s */ + uint32_t spare2 :1; /**< Must be set to 0 */ +}; + +struct ipsec_add_sa { + uint32_t cipher_key[8]; /**< Cipher Key */ + union { + uint32_t auth_key[16]; /**< Authentication Key */ + struct ipsec_aesgcm aesgcm_fields; + }; + struct sa_ctrl_word ctrl_word; + uint32_t spi; /**< SPI Value */ + uint16_t pmtu_limit; /**< PMTU Limit */ + uint32_t spare :1; + uint32_t frag_check :1; /**< Stateful fragment checking flag */ + uint32_t bypass_DSCP:1; /**< Bypass DSCP Flag */ + uint32_t df_ctrl :2; /**< DF Control bits */ + uint32_t ipv6 :1; /**< Outbound IPv6 addr format */ + uint32_t udp_enable :1; /**< Add/Remove UDP header for NAT */ + uint32_t tfc_enable :1; /**< Traffic Flw Confidentiality */ + uint8_t spare1; + uint32_t soft_byte_cnt; /**< Soft lifetime byte count */ + uint32_t hard_byte_cnt; /**< Hard 
lifetime byte count */ + uint32_t src_ip[4]; /**< Src IP addr */ + uint32_t dst_ip[4]; /**< Dst IP addr */ + uint16_t natt_dst_port; /**< NAT-T UDP Header dst port */ + uint16_t natt_src_port; /**< NAT-T UDP Header src port */ + uint32_t soft_lifetime_limit; /**< Soft lifetime time limit */ + uint32_t hard_lifetime_limit; /**< Hard lifetime time limit */ + uint32_t sa_time_lo; /**< SA creation time lower 32bits, Ucode fills this in */ + uint32_t sa_time_hi; /**< SA creation time high 32bits, Ucode fills this in */ + uint16_t spare2; + uint16_t tfc_padding; /**< Traffic Flow Confidential Pad */ +}; + +struct ipsec_inv_sa { + uint32_t spare; +}; + +struct ipsec_discard_stats { + uint32_t discards_auth; /**< Auth failures */ + uint32_t discards_unsupported; /**< Unsupported crypto mode */ + uint32_t discards_alignment; /**< Alignment error */ + uint32_t discards_hard_bytelimit; /**< Hard byte Count limit */ + uint32_t discards_seq_num_wrap; /**< Sequ Number wrap */ + uint32_t discards_pmtu_exceeded; /**< PMTU Limit exceeded*/ + uint32_t discards_arw_old_seq; /**< Anti-Replay seq small */ + uint32_t discards_arw_replay; /**< Anti-Replay seq rcvd */ + uint32_t discards_ctrl_word; /**< Bad SA Control word */ + uint32_t discards_ip_hdr_len; /**< Hdr offset from too high */ + uint32_t discards_eop_buf; /**< No EOP buffer */ + uint32_t ipv4_id_counter; /**< IPv4 ID field counter */ + uint32_t discards_isl_fail; /**< Inbound SPD Lookup failure */ + uint32_t discards_ext_unfound; /**< Ext header end */ + uint32_t discards_max_ext_hdrs; /**< Max ext header */ + uint32_t discards_non_ext_hdrs; /**< Non-extension headers */ + uint32_t discards_ext_hdr_too_big; /**< Ext header chain */ + uint32_t discards_hard_timelimit; /**< Time Limit */ +}; + +struct ipsec_get_sa_stats { + uint32_t seq_lo; /**< Sequence Number (low 32bits) */ + uint32_t seq_high; /**< Sequence Number (high 32bits)*/ + uint32_t arw_counter_lo; /**< Anti-replay wndw cntr */ + uint32_t arw_counter_high; /**< 
Anti-replay wndw cntr */ + uint32_t arw_bitmap_lo; /**< Anti-replay wndw bitmap */ + uint32_t arw_bitmap_high; /**< Anti-replay wndw bitmap */ + uint32_t spare:1; + uint32_t soft_byte_exceeded :1; /**< Soft lifetime byte cnt exceeded*/ + uint32_t hard_byte_exceeded :1; /**< Hard lifetime byte cnt exceeded*/ + uint32_t soft_time_exceeded :1; /**< Soft lifetime time limit exceeded*/ + uint32_t hard_time_exceeded :1; /**< Hard lifetime time limit exceeded*/ + uint32_t spare1:27; + uint32_t lifetime_byte_count; + uint32_t pkt_count; + struct ipsec_discard_stats sa_discard_stats; +}; + +struct ipsec_get_seq { + uint32_t seq_nums; /**< Sequence numbers to allocate */ + uint32_t seq_num_low; /**< Return start seq num 31:00 */ + uint32_t seq_num_hi; /**< Return start seq num 63:32 */ +}; + +struct nfp_ipsec_msg { + union { + struct { + /** NFP IPsec SA cmd message codes */ + uint16_t cmd; + /** NFP IPsec SA response message */ + uint16_t rsp; + /** NFP IPsec SA index in driver SA table */ + uint16_t sa_idx; + /** Reserved */ + uint16_t spare; + union { + /** IPsec configure message for add SA */ + struct ipsec_add_sa cfg_add_sa; + /** IPsec configure message for del SA */ + struct ipsec_inv_sa cfg_inv_sa; + /** IPsec configure message for get SA stats */ + struct ipsec_get_sa_stats cfg_get_stats; + /** IPsec configure message for get SA seq numbers */ + struct ipsec_get_seq cfg_get_seq; + }; + }; + uint32_t raw[64]; + }; +}; + +struct nfp_ipsec_session { + /** Opaque user defined data */ + void *user_data; + /** NFP sa_entries database parameter index */ + uint32_t sa_index; + /** Point to physical ports ethernet device */ + struct rte_eth_dev *dev; + /** SA related NPF configuration data */ + struct ipsec_add_sa msg; + /** Security association configuration data */ + struct rte_security_ipsec_xform ipsec; + /** Security session action type */ + enum rte_security_session_action_type action; +} __rte_cache_aligned; + +struct nfp_net_ipsec_data { + int pkt_dynfield_offset; + 
uint32_t sa_free_cnt; + struct nfp_ipsec_session *sa_entries[NFP_NET_IPSEC_MAX_SA_CNT]; +}; + +int nfp_ipsec_init(struct rte_eth_dev *dev); +void nfp_ipsec_uninit(struct rte_eth_dev *dev); + +#endif /* __NFP_IPSEC_H__ */ diff --git a/drivers/net/nfp/nfp_rxtx.h b/drivers/net/nfp/nfp_rxtx.h index ddbf97e46c..4e8558074e 100644 --- a/drivers/net/nfp/nfp_rxtx.h +++ b/drivers/net/nfp/nfp_rxtx.h @@ -43,6 +43,18 @@ struct nfp_net_dp_buf { struct rte_mbuf *mbuf; }; +struct nfp_tx_ipsec_desc_msg { + uint32_t sa_idx; /**< SA index in driver table */ + uint32_t enc; /**< IPsec enable flag */ + union { + uint64_t value; + struct { + uint32_t low; + uint32_t hi; + }; + } esn; /**< Extended Sequence Number */ +}; + struct nfp_net_txq { /** Backpointer to nfp_net structure */ struct nfp_net_hw *hw;
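
Review bot: In nfp_net_infos_get() (nfp_common.c), RTE_ETH_TX_OFFLOAD_SECURITY and RTE_ETH_RX_OFFLOAD_SECURITY are advertised as soon as NFP_NET_CFG_CTRL_IPSEC is set in NFP_NET_CFG_CAP_WORD1, but in this patch nfp_security_ops in nfp_ipsec.c is only a tentative definition (`static const struct rte_security_ops nfp_security_ops;`), so every callback in it is NULL. An application that sees the capability and uses the security context gets a context with no operations behind it. Either move the capability advertisement to the patch in the series that fills in the ops, or populate the ops here, so that each commit is usable on its own.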
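
Review bot: In nfp_net_start() (nfp_ethdev.c), NFP_NET_CFG_CTRL_IPSEC_SM_LOOKUP and NFP_NET_CFG_CTRL_IPSEC_LM_LOOKUP are written to the control word after testing only NFP_NET_CFG_CTRL_IPSEC in cap_extend. Test cap_extend for the bits that are actually being enabled, or add a comment stating that firmware guarantees both lookup modes whenever the IPsec bit is advertised. The bits are also enabled whether or not the application requested the security offloads; gating on the configured RTE_ETH_RX_OFFLOAD_SECURITY / RTE_ETH_TX_OFFLOAD_SECURITY would keep SA lookup off on ports that do not use it. The preceding statement assigns ctrl_extend with `=` while the new one uses `|=`, which is only correct if ctrl_extend starts at zero; using `|=` in both places removes that dependency.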
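
Review bot: In nfp_net_init() (nfp_ethdev.c), nfp_ipsec_init() is called before the rte_malloc() of hw->eth_xstats_base that is visible in the trailing context, and this hunk adds no matching nfp_ipsec_uninit() for failures after that point. Please check that every error exit following the new call releases hw->ipsec_data and dev->security_ctx, otherwise a failed probe leaks both allocations.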
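
Review bot: nfp_ipsec_ctx_destroy() and nfp_ipsec_uninit() (nfp_ipsec.c) free dev->security_ctx and hw->ipsec_data but leave both pointers set. nfp_ipsec_uninit() is reachable from three places in this patch (the ipsec_cleanup label in nfp_ipsec_init(), nfp_net_close(), and the port cleanup loop in nfp_init_app_fw_nic()), so a second call on the same device passes the NULL checks and frees the same memory again. Set dev->security_ctx = NULL and hw->ipsec_data = NULL right after each rte_free(). It would also be more robust for nfp_ipsec_uninit() to decide what to tear down from those two pointers rather than from a fresh read of NFP_NET_CFG_CAP_WORD1. Minor: the log text "Failed to register mbuf esn_dynfield" does not match the registered name nfp_ipsec_crypto_pkt_metadata, and a negative return from rte_mbuf_dynfield_register() is always reported as -ENOMEM.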
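
Review bot: struct sa_ctrl_word, struct ipsec_add_sa and struct ipsec_get_sa_stats (nfp_ipsec.h) lay out what the comments describe as firmware-visible data ("Firmware use only", "Ucode fills this in") using C bit-fields, and struct ipsec_add_sa interleaves them with uint16_t and uint8_t members (pmtu_limit, the flag bits, spare1). Bit-field ordering and the padding around it are implementation-defined, so the layout depends on compiler and host endianness. Please document the expected byte layout and add a build-time check, for example RTE_BUILD_BUG_ON on sizeof(struct nfp_ipsec_msg) against sizeof(raw), so a message body that outgrows raw[64] fails the build instead of silently changing the message size. Typo in struct nfp_ipsec_session: "NPF configuration data".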
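
Review bot: In struct nfp_tx_ipsec_desc_msg (nfp_rxtx.h), the esn union overlays `uint64_t value` with `low` followed by `hi`, which lines up only on a little-endian host. If esn.low and esn.hi are meant to be the low and high halves of esn.value, say so in the comment and derive them with shifts, or state the little-endian assumption explicitly. `enc` is documented as an enable flag but is a full uint32_t; since this struct is what gets registered as the mbuf dynfield nfp_ipsec_crypto_pkt_metadata, a note on its valid values would help whoever fills it in.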