1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
4 #include <crypto/aead.h>
5 #include <linux/debugfs.h>
10 #define NSIM_IPSEC_AUTH_BITS 128
12 static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
14 size_t count, loff_t *ppos)
16 struct netdevsim *ns = filp->private_data;
17 struct nsim_ipsec *ipsec = &ns->ipsec;
23 /* the buffer needed is
24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line
26 bufsize = (ipsec->count * 4 * 60) + 60;
27 buf = kzalloc(bufsize, GFP_KERNEL);
32 p += scnprintf(p, bufsize - (p - buf),
33 "SA count=%u tx=%u\n",
34 ipsec->count, ipsec->tx);
36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
37 struct nsim_sa *sap = &ipsec->sa[i];
42 p += scnprintf(p, bufsize - (p - buf),
43 "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
44 i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
45 sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
46 p += scnprintf(p, bufsize - (p - buf),
47 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
48 i, be32_to_cpu(sap->xs->id.spi),
49 sap->xs->id.proto, sap->salt, sap->crypt);
50 p += scnprintf(p, bufsize - (p - buf),
51 "sa[%i] key=0x%08x %08x %08x %08x\n",
52 i, sap->key[0], sap->key[1],
53 sap->key[2], sap->key[3]);
56 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
62 static const struct file_operations ipsec_dbg_fops = {
65 .read = nsim_dbg_netdev_ops_read,
68 static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
72 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
76 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
77 if (!ipsec->sa[i].used)
84 static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
85 u32 *mykey, u32 *mysalt)
87 const char aes_gcm_name[] = "rfc4106(gcm(aes))";
88 struct net_device *dev = xs->xso.real_dev;
89 unsigned char *key_data;
90 char *alg_name = NULL;
94 netdev_err(dev, "Unsupported IPsec algorithm\n");
98 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
99 netdev_err(dev, "IPsec offload requires %d bit authentication\n",
100 NSIM_IPSEC_AUTH_BITS);
104 key_data = &xs->aead->alg_key[0];
105 key_len = xs->aead->alg_key_len;
106 alg_name = xs->aead->alg_name;
108 if (strcmp(alg_name, aes_gcm_name)) {
109 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
114 /* 160 accounts for 16 byte key and 4 byte salt */
115 if (key_len > NSIM_IPSEC_AUTH_BITS) {
116 *mysalt = ((u32 *)key_data)[4];
117 } else if (key_len == NSIM_IPSEC_AUTH_BITS) {
120 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
123 memcpy(mykey, key_data, 16);
128 static int nsim_ipsec_add_sa(struct xfrm_state *xs)
130 struct nsim_ipsec *ipsec;
131 struct net_device *dev;
132 struct netdevsim *ns;
137 dev = xs->xso.real_dev;
138 ns = netdev_priv(dev);
141 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
142 netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n",
148 netdev_err(dev, "Compression offload not supported\n");
152 if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
153 netdev_err(dev, "Unsupported ipsec offload type\n");
157 /* find the first unused index */
158 ret = nsim_ipsec_find_empty_idx(ipsec);
160 netdev_err(dev, "No space for SA in Rx table!\n");
165 memset(&sa, 0, sizeof(sa));
169 if (sa.xs->id.proto & IPPROTO_ESP)
170 sa.crypt = xs->ealg || xs->aead;
172 /* get the key and salt */
173 ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt);
175 netdev_err(dev, "Failed to get key data for SA table\n");
179 if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
182 if (xs->props.family == AF_INET6)
183 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
185 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
188 /* the preparations worked, so save the info */
189 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
191 /* the XFRM stack doesn't like offload_handle == 0,
192 * so add a bitflag in case our array index is 0
194 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
200 static void nsim_ipsec_del_sa(struct xfrm_state *xs)
202 struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
203 struct nsim_ipsec *ipsec = &ns->ipsec;
206 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
207 if (!ipsec->sa[sa_idx].used) {
208 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
213 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
217 static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
219 struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
220 struct nsim_ipsec *ipsec = &ns->ipsec;
227 static const struct xfrmdev_ops nsim_xfrmdev_ops = {
228 .xdo_dev_state_add = nsim_ipsec_add_sa,
229 .xdo_dev_state_delete = nsim_ipsec_del_sa,
230 .xdo_dev_offload_ok = nsim_ipsec_offload_ok,
233 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
235 struct sec_path *sp = skb_sec_path(skb);
236 struct nsim_ipsec *ipsec = &ns->ipsec;
237 struct xfrm_state *xs;
241 /* do we even need to check this packet? */
245 if (unlikely(!sp->len)) {
246 netdev_err(ns->netdev, "no xfrm state len = %d\n",
251 xs = xfrm_input_state(skb);
253 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
257 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
258 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
259 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
260 sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
264 tsa = &ipsec->sa[sa_idx];
265 if (unlikely(!tsa->used)) {
266 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
270 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
271 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
280 void nsim_ipsec_init(struct netdevsim *ns)
282 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
284 #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \
285 NETIF_F_HW_ESP_TX_CSUM | \
288 ns->netdev->features |= NSIM_ESP_FEATURES;
289 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
291 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
292 ns->nsim_dev_port->ddir, ns,
296 void nsim_ipsec_teardown(struct netdevsim *ns)
298 struct nsim_ipsec *ipsec = &ns->ipsec;
301 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
303 debugfs_remove_recursive(ipsec->pfile);
projects / linux.git / blob