ipsec.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684
  1. // SPDX-License-Identifier: GPL-2.0
  2. /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
  3. #include "ixgbevf.h"
  4. #include <net/xfrm.h>
  5. #include <crypto/aead.h>
  6. #define IXGBE_IPSEC_KEY_BITS 160
  7. static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
  8. /**
  9. * ixgbevf_ipsec_set_pf_sa - ask the PF to set up an SA
  10. * @adapter: board private structure
  11. * @xs: xfrm info to be sent to the PF
  12. *
  13. * Returns: positive offload handle from the PF, or negative error code
  14. **/
  15. static int ixgbevf_ipsec_set_pf_sa(struct ixgbevf_adapter *adapter,
  16. struct xfrm_state *xs)
  17. {
  18. u32 msgbuf[IXGBE_VFMAILBOX_SIZE] = { 0 };
  19. struct ixgbe_hw *hw = &adapter->hw;
  20. struct sa_mbx_msg *sam;
  21. int ret;
  22. /* send the important bits to the PF */
  23. sam = (struct sa_mbx_msg *)(&msgbuf[1]);
  24. sam->dir = xs->xso.dir;
  25. sam->spi = xs->id.spi;
  26. sam->proto = xs->id.proto;
  27. sam->family = xs->props.family;
  28. if (xs->props.family == AF_INET6)
  29. memcpy(sam->addr, &xs->id.daddr.a6, sizeof(xs->id.daddr.a6));
  30. else
  31. memcpy(sam->addr, &xs->id.daddr.a4, sizeof(xs->id.daddr.a4));
  32. memcpy(sam->key, xs->aead->alg_key, sizeof(sam->key));
  33. msgbuf[0] = IXGBE_VF_IPSEC_ADD;
  34. spin_lock_bh(&adapter->mbx_lock);
  35. ret = ixgbevf_write_mbx(hw, msgbuf, IXGBE_VFMAILBOX_SIZE);
  36. if (ret)
  37. goto out;
  38. ret = ixgbevf_poll_mbx(hw, msgbuf, 2);
  39. if (ret)
  40. goto out;
  41. ret = (int)msgbuf[1];
  42. if (msgbuf[0] & IXGBE_VT_MSGTYPE_FAILURE && ret >= 0)
  43. ret = -1;
  44. out:
  45. spin_unlock_bh(&adapter->mbx_lock);
  46. return ret;
  47. }
  48. /**
  49. * ixgbevf_ipsec_del_pf_sa - ask the PF to delete an SA
  50. * @adapter: board private structure
  51. * @pfsa: sa index returned from PF when created, -1 for all
  52. *
  53. * Returns: 0 on success, or negative error code
  54. **/
  55. static int ixgbevf_ipsec_del_pf_sa(struct ixgbevf_adapter *adapter, int pfsa)
  56. {
  57. struct ixgbe_hw *hw = &adapter->hw;
  58. u32 msgbuf[2];
  59. int err;
  60. memset(msgbuf, 0, sizeof(msgbuf));
  61. msgbuf[0] = IXGBE_VF_IPSEC_DEL;
  62. msgbuf[1] = (u32)pfsa;
  63. spin_lock_bh(&adapter->mbx_lock);
  64. err = ixgbevf_write_mbx(hw, msgbuf, 2);
  65. if (err)
  66. goto out;
  67. err = ixgbevf_poll_mbx(hw, msgbuf, 2);
  68. if (err)
  69. goto out;
  70. out:
  71. spin_unlock_bh(&adapter->mbx_lock);
  72. return err;
  73. }
  74. /**
  75. * ixgbevf_ipsec_restore - restore the IPsec HW settings after a reset
  76. * @adapter: board private structure
  77. *
  78. * Reload the HW tables from the SW tables after they've been bashed
  79. * by a chip reset. While we're here, make sure any stale VF data is
  80. * removed, since we go through reset when num_vfs changes.
  81. **/
  82. void ixgbevf_ipsec_restore(struct ixgbevf_adapter *adapter)
  83. {
  84. struct ixgbevf_ipsec *ipsec = adapter->ipsec;
  85. struct net_device *netdev = adapter->netdev;
  86. int i;
  87. if (!(adapter->netdev->features & NETIF_F_HW_ESP))
  88. return;
  89. /* reload the Rx and Tx keys */
  90. for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
  91. struct rx_sa *r = &ipsec->rx_tbl[i];
  92. struct tx_sa *t = &ipsec->tx_tbl[i];
  93. int ret;
  94. if (r->used) {
  95. ret = ixgbevf_ipsec_set_pf_sa(adapter, r->xs);
  96. if (ret < 0)
  97. netdev_err(netdev, "reload rx_tbl[%d] failed = %d\n",
  98. i, ret);
  99. }
  100. if (t->used) {
  101. ret = ixgbevf_ipsec_set_pf_sa(adapter, t->xs);
  102. if (ret < 0)
  103. netdev_err(netdev, "reload tx_tbl[%d] failed = %d\n",
  104. i, ret);
  105. }
  106. }
  107. }
  108. /**
  109. * ixgbevf_ipsec_find_empty_idx - find the first unused security parameter index
  110. * @ipsec: pointer to IPsec struct
  111. * @rxtable: true if we need to look in the Rx table
  112. *
  113. * Returns the first unused index in either the Rx or Tx SA table
  114. **/
  115. static
  116. int ixgbevf_ipsec_find_empty_idx(struct ixgbevf_ipsec *ipsec, bool rxtable)
  117. {
  118. u32 i;
  119. if (rxtable) {
  120. if (ipsec->num_rx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
  121. return -ENOSPC;
  122. /* search rx sa table */
  123. for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
  124. if (!ipsec->rx_tbl[i].used)
  125. return i;
  126. }
  127. } else {
  128. if (ipsec->num_tx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
  129. return -ENOSPC;
  130. /* search tx sa table */
  131. for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
  132. if (!ipsec->tx_tbl[i].used)
  133. return i;
  134. }
  135. }
  136. return -ENOSPC;
  137. }
  138. /**
  139. * ixgbevf_ipsec_find_rx_state - find the state that matches
  140. * @ipsec: pointer to IPsec struct
  141. * @daddr: inbound address to match
  142. * @proto: protocol to match
  143. * @spi: SPI to match
  144. * @ip4: true if using an IPv4 address
  145. *
  146. * Returns a pointer to the matching SA state information
  147. **/
  148. static
  149. struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec,
  150. __be32 *daddr, u8 proto,
  151. __be32 spi, bool ip4)
  152. {
  153. struct xfrm_state *ret = NULL;
  154. struct rx_sa *rsa;
  155. rcu_read_lock();
  156. hash_for_each_possible_rcu(ipsec->rx_sa_list, rsa, hlist,
  157. (__force u32)spi) {
  158. if (spi == rsa->xs->id.spi &&
  159. ((ip4 && *daddr == rsa->xs->id.daddr.a4) ||
  160. (!ip4 && !memcmp(daddr, &rsa->xs->id.daddr.a6,
  161. sizeof(rsa->xs->id.daddr.a6)))) &&
  162. proto == rsa->xs->id.proto) {
  163. ret = rsa->xs;
  164. xfrm_state_hold(ret);
  165. break;
  166. }
  167. }
  168. rcu_read_unlock();
  169. return ret;
  170. }
  171. /**
  172. * ixgbevf_ipsec_parse_proto_keys - find the key and salt based on the protocol
  173. * @dev: pointer to net device to program
  174. * @xs: pointer to xfrm_state struct
  175. * @mykey: pointer to key array to populate
  176. * @mysalt: pointer to salt value to populate
  177. *
  178. * This copies the protocol keys and salt to our own data tables. The
  179. * 82599 family only supports the one algorithm.
  180. **/
  181. static int ixgbevf_ipsec_parse_proto_keys(struct net_device *dev,
  182. struct xfrm_state *xs,
  183. u32 *mykey, u32 *mysalt)
  184. {
  185. unsigned char *key_data;
  186. char *alg_name = NULL;
  187. int key_len;
  188. if (!xs->aead) {
  189. netdev_err(dev, "Unsupported IPsec algorithm\n");
  190. return -EINVAL;
  191. }
  192. if (xs->aead->alg_icv_len != IXGBE_IPSEC_AUTH_BITS) {
  193. netdev_err(dev, "IPsec offload requires %d bit authentication\n",
  194. IXGBE_IPSEC_AUTH_BITS);
  195. return -EINVAL;
  196. }
  197. key_data = &xs->aead->alg_key[0];
  198. key_len = xs->aead->alg_key_len;
  199. alg_name = xs->aead->alg_name;
  200. if (strcmp(alg_name, aes_gcm_name)) {
  201. netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
  202. aes_gcm_name);
  203. return -EINVAL;
  204. }
  205. /* The key bytes come down in a big endian array of bytes, so
  206. * we don't need to do any byte swapping.
  207. * 160 accounts for 16 byte key and 4 byte salt
  208. */
  209. if (key_len > IXGBE_IPSEC_KEY_BITS) {
  210. *mysalt = ((u32 *)key_data)[4];
  211. } else if (key_len == IXGBE_IPSEC_KEY_BITS) {
  212. *mysalt = 0;
  213. } else {
  214. netdev_err(dev, "IPsec hw offload only supports keys up to 128 bits with a 32 bit salt\n");
  215. return -EINVAL;
  216. }
  217. memcpy(mykey, key_data, 16);
  218. return 0;
  219. }
  220. /**
  221. * ixgbevf_ipsec_add_sa - program device with a security association
  222. * @dev: pointer to net device to program
  223. * @xs: pointer to transformer state struct
  224. * @extack: extack point to fill failure reason
  225. **/
  226. static int ixgbevf_ipsec_add_sa(struct net_device *dev,
  227. struct xfrm_state *xs,
  228. struct netlink_ext_ack *extack)
  229. {
  230. struct ixgbevf_adapter *adapter;
  231. struct ixgbevf_ipsec *ipsec;
  232. u16 sa_idx;
  233. int ret;
  234. adapter = netdev_priv(dev);
  235. ipsec = adapter->ipsec;
  236. if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC))
  237. return -EOPNOTSUPP;
  238. if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
  239. NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for IPsec offload");
  240. return -EINVAL;
  241. }
  242. if (xs->props.mode != XFRM_MODE_TRANSPORT) {
  243. NL_SET_ERR_MSG_MOD(extack, "Unsupported mode for ipsec offload");
  244. return -EINVAL;
  245. }
  246. if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
  247. NL_SET_ERR_MSG_MOD(extack, "Unsupported ipsec offload type");
  248. return -EINVAL;
  249. }
  250. if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
  251. struct rx_sa rsa;
  252. if (xs->calg) {
  253. NL_SET_ERR_MSG_MOD(extack, "Compression offload not supported");
  254. return -EINVAL;
  255. }
  256. /* find the first unused index */
  257. ret = ixgbevf_ipsec_find_empty_idx(ipsec, true);
  258. if (ret < 0) {
  259. NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx table!");
  260. return ret;
  261. }
  262. sa_idx = (u16)ret;
  263. memset(&rsa, 0, sizeof(rsa));
  264. rsa.used = true;
  265. rsa.xs = xs;
  266. if (rsa.xs->id.proto & IPPROTO_ESP)
  267. rsa.decrypt = xs->ealg || xs->aead;
  268. /* get the key and salt */
  269. ret = ixgbevf_ipsec_parse_proto_keys(dev, xs, rsa.key,
  270. &rsa.salt);
  271. if (ret) {
  272. NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Rx SA table");
  273. return ret;
  274. }
  275. /* get ip for rx sa table */
  276. if (xs->props.family == AF_INET6)
  277. memcpy(rsa.ipaddr, &xs->id.daddr.a6, 16);
  278. else
  279. memcpy(&rsa.ipaddr[3], &xs->id.daddr.a4, 4);
  280. rsa.mode = IXGBE_RXMOD_VALID;
  281. if (rsa.xs->id.proto & IPPROTO_ESP)
  282. rsa.mode |= IXGBE_RXMOD_PROTO_ESP;
  283. if (rsa.decrypt)
  284. rsa.mode |= IXGBE_RXMOD_DECRYPT;
  285. if (rsa.xs->props.family == AF_INET6)
  286. rsa.mode |= IXGBE_RXMOD_IPV6;
  287. ret = ixgbevf_ipsec_set_pf_sa(adapter, xs);
  288. if (ret < 0)
  289. return ret;
  290. rsa.pfsa = ret;
  291. /* the preparations worked, so save the info */
  292. memcpy(&ipsec->rx_tbl[sa_idx], &rsa, sizeof(rsa));
  293. xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_RX_INDEX;
  294. ipsec->num_rx_sa++;
  295. /* hash the new entry for faster search in Rx path */
  296. hash_add_rcu(ipsec->rx_sa_list, &ipsec->rx_tbl[sa_idx].hlist,
  297. (__force u32)rsa.xs->id.spi);
  298. } else {
  299. struct tx_sa tsa;
  300. /* find the first unused index */
  301. ret = ixgbevf_ipsec_find_empty_idx(ipsec, false);
  302. if (ret < 0) {
  303. NL_SET_ERR_MSG_MOD(extack, "No space for SA in Tx table");
  304. return ret;
  305. }
  306. sa_idx = (u16)ret;
  307. memset(&tsa, 0, sizeof(tsa));
  308. tsa.used = true;
  309. tsa.xs = xs;
  310. if (xs->id.proto & IPPROTO_ESP)
  311. tsa.encrypt = xs->ealg || xs->aead;
  312. ret = ixgbevf_ipsec_parse_proto_keys(dev, xs, tsa.key,
  313. &tsa.salt);
  314. if (ret) {
  315. NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Tx SA table");
  316. memset(&tsa, 0, sizeof(tsa));
  317. return ret;
  318. }
  319. ret = ixgbevf_ipsec_set_pf_sa(adapter, xs);
  320. if (ret < 0)
  321. return ret;
  322. tsa.pfsa = ret;
  323. /* the preparations worked, so save the info */
  324. memcpy(&ipsec->tx_tbl[sa_idx], &tsa, sizeof(tsa));
  325. xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_TX_INDEX;
  326. ipsec->num_tx_sa++;
  327. }
  328. return 0;
  329. }
  330. /**
  331. * ixgbevf_ipsec_del_sa - clear out this specific SA
  332. * @dev: pointer to net device to program
  333. * @xs: pointer to transformer state struct
  334. **/
  335. static void ixgbevf_ipsec_del_sa(struct net_device *dev,
  336. struct xfrm_state *xs)
  337. {
  338. struct ixgbevf_adapter *adapter;
  339. struct ixgbevf_ipsec *ipsec;
  340. u16 sa_idx;
  341. adapter = netdev_priv(dev);
  342. ipsec = adapter->ipsec;
  343. if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC))
  344. return;
  345. if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
  346. sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
  347. if (!ipsec->rx_tbl[sa_idx].used) {
  348. netdev_err(dev, "Invalid Rx SA selected sa_idx=%d offload_handle=%lu\n",
  349. sa_idx, xs->xso.offload_handle);
  350. return;
  351. }
  352. ixgbevf_ipsec_del_pf_sa(adapter, ipsec->rx_tbl[sa_idx].pfsa);
  353. hash_del_rcu(&ipsec->rx_tbl[sa_idx].hlist);
  354. memset(&ipsec->rx_tbl[sa_idx], 0, sizeof(struct rx_sa));
  355. ipsec->num_rx_sa--;
  356. } else {
  357. sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
  358. if (!ipsec->tx_tbl[sa_idx].used) {
  359. netdev_err(dev, "Invalid Tx SA selected sa_idx=%d offload_handle=%lu\n",
  360. sa_idx, xs->xso.offload_handle);
  361. return;
  362. }
  363. ixgbevf_ipsec_del_pf_sa(adapter, ipsec->tx_tbl[sa_idx].pfsa);
  364. memset(&ipsec->tx_tbl[sa_idx], 0, sizeof(struct tx_sa));
  365. ipsec->num_tx_sa--;
  366. }
  367. }
  368. static const struct xfrmdev_ops ixgbevf_xfrmdev_ops = {
  369. .xdo_dev_state_add = ixgbevf_ipsec_add_sa,
  370. .xdo_dev_state_delete = ixgbevf_ipsec_del_sa,
  371. };
  372. /**
  373. * ixgbevf_ipsec_tx - setup Tx flags for IPsec offload
  374. * @tx_ring: outgoing context
  375. * @first: current data packet
  376. * @itd: ipsec Tx data for later use in building context descriptor
  377. **/
  378. int ixgbevf_ipsec_tx(struct ixgbevf_ring *tx_ring,
  379. struct ixgbevf_tx_buffer *first,
  380. struct ixgbevf_ipsec_tx_data *itd)
  381. {
  382. struct ixgbevf_adapter *adapter = netdev_priv(tx_ring->netdev);
  383. struct ixgbevf_ipsec *ipsec = adapter->ipsec;
  384. struct xfrm_state *xs;
  385. struct sec_path *sp;
  386. struct tx_sa *tsa;
  387. u16 sa_idx;
  388. sp = skb_sec_path(first->skb);
  389. if (unlikely(!sp->len)) {
  390. netdev_err(tx_ring->netdev, "%s: no xfrm state len = %d\n",
  391. __func__, sp->len);
  392. return 0;
  393. }
  394. xs = xfrm_input_state(first->skb);
  395. if (unlikely(!xs)) {
  396. netdev_err(tx_ring->netdev, "%s: no xfrm_input_state() xs = %p\n",
  397. __func__, xs);
  398. return 0;
  399. }
  400. sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
  401. if (unlikely(sa_idx >= IXGBE_IPSEC_MAX_SA_COUNT)) {
  402. netdev_err(tx_ring->netdev, "%s: bad sa_idx=%d handle=%lu\n",
  403. __func__, sa_idx, xs->xso.offload_handle);
  404. return 0;
  405. }
  406. tsa = &ipsec->tx_tbl[sa_idx];
  407. if (unlikely(!tsa->used)) {
  408. netdev_err(tx_ring->netdev, "%s: unused sa_idx=%d\n",
  409. __func__, sa_idx);
  410. return 0;
  411. }
  412. itd->pfsa = tsa->pfsa - IXGBE_IPSEC_BASE_TX_INDEX;
  413. first->tx_flags |= IXGBE_TX_FLAGS_IPSEC | IXGBE_TX_FLAGS_CSUM;
  414. if (xs->id.proto == IPPROTO_ESP) {
  415. itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_TYPE_ESP |
  416. IXGBE_ADVTXD_TUCMD_L4T_TCP;
  417. if (first->protocol == htons(ETH_P_IP))
  418. itd->flags |= IXGBE_ADVTXD_TUCMD_IPV4;
  419. /* The actual trailer length is authlen (16 bytes) plus
  420. * 2 bytes for the proto and the padlen values, plus
  421. * padlen bytes of padding. This ends up not the same
  422. * as the static value found in xs->props.trailer_len (21).
  423. *
  424. * ... but if we're doing GSO, don't bother as the stack
  425. * doesn't add a trailer for those.
  426. */
  427. if (!skb_is_gso(first->skb)) {
  428. /* The "correct" way to get the auth length would be
  429. * to use
  430. * authlen = crypto_aead_authsize(xs->data);
  431. * but since we know we only have one size to worry
  432. * about * we can let the compiler use the constant
  433. * and save us a few CPU cycles.
  434. */
  435. const int authlen = IXGBE_IPSEC_AUTH_BITS / 8;
  436. struct sk_buff *skb = first->skb;
  437. u8 padlen;
  438. int ret;
  439. ret = skb_copy_bits(skb, skb->len - (authlen + 2),
  440. &padlen, 1);
  441. if (unlikely(ret))
  442. return 0;
  443. itd->trailer_len = authlen + 2 + padlen;
  444. }
  445. }
  446. if (tsa->encrypt)
  447. itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_ENCRYPT_EN;
  448. return 1;
  449. }
  450. /**
  451. * ixgbevf_ipsec_rx - decode IPsec bits from Rx descriptor
  452. * @rx_ring: receiving ring
  453. * @rx_desc: receive data descriptor
  454. * @skb: current data packet
  455. *
  456. * Determine if there was an IPsec encapsulation noticed, and if so set up
  457. * the resulting status for later in the receive stack.
  458. **/
  459. void ixgbevf_ipsec_rx(struct ixgbevf_ring *rx_ring,
  460. union ixgbe_adv_rx_desc *rx_desc,
  461. struct sk_buff *skb)
  462. {
  463. struct ixgbevf_adapter *adapter = netdev_priv(rx_ring->netdev);
  464. __le16 pkt_info = rx_desc->wb.lower.lo_dword.hs_rss.pkt_info;
  465. __le16 ipsec_pkt_types = cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH |
  466. IXGBE_RXDADV_PKTTYPE_IPSEC_ESP);
  467. struct ixgbevf_ipsec *ipsec = adapter->ipsec;
  468. struct xfrm_offload *xo = NULL;
  469. struct xfrm_state *xs = NULL;
  470. struct ipv6hdr *ip6 = NULL;
  471. struct iphdr *ip4 = NULL;
  472. struct sec_path *sp;
  473. void *daddr;
  474. __be32 spi;
  475. u8 *c_hdr;
  476. u8 proto;
  477. /* Find the IP and crypto headers in the data.
  478. * We can assume no VLAN header in the way, b/c the
  479. * hw won't recognize the IPsec packet and anyway the
  480. * currently VLAN device doesn't support xfrm offload.
  481. */
  482. if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV4)) {
  483. ip4 = (struct iphdr *)(skb->data + ETH_HLEN);
  484. daddr = &ip4->daddr;
  485. c_hdr = (u8 *)ip4 + ip4->ihl * 4;
  486. } else if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV6)) {
  487. ip6 = (struct ipv6hdr *)(skb->data + ETH_HLEN);
  488. daddr = &ip6->daddr;
  489. c_hdr = (u8 *)ip6 + sizeof(struct ipv6hdr);
  490. } else {
  491. return;
  492. }
  493. switch (pkt_info & ipsec_pkt_types) {
  494. case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH):
  495. spi = ((struct ip_auth_hdr *)c_hdr)->spi;
  496. proto = IPPROTO_AH;
  497. break;
  498. case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_ESP):
  499. spi = ((struct ip_esp_hdr *)c_hdr)->spi;
  500. proto = IPPROTO_ESP;
  501. break;
  502. default:
  503. return;
  504. }
  505. xs = ixgbevf_ipsec_find_rx_state(ipsec, daddr, proto, spi, !!ip4);
  506. if (unlikely(!xs))
  507. return;
  508. sp = secpath_set(skb);
  509. if (unlikely(!sp))
  510. return;
  511. sp->xvec[sp->len++] = xs;
  512. sp->olen++;
  513. xo = xfrm_offload(skb);
  514. xo->flags = CRYPTO_DONE;
  515. xo->status = CRYPTO_SUCCESS;
  516. adapter->rx_ipsec++;
  517. }
  518. /**
  519. * ixgbevf_init_ipsec_offload - initialize registers for IPsec operation
  520. * @adapter: board private structure
  521. **/
  522. void ixgbevf_init_ipsec_offload(struct ixgbevf_adapter *adapter)
  523. {
  524. struct ixgbevf_ipsec *ipsec;
  525. size_t size;
  526. switch (adapter->hw.api_version) {
  527. case ixgbe_mbox_api_17:
  528. if (!(adapter->pf_features & IXGBEVF_PF_SUP_IPSEC))
  529. return;
  530. break;
  531. case ixgbe_mbox_api_14:
  532. break;
  533. default:
  534. return;
  535. }
  536. ipsec = kzalloc_obj(*ipsec);
  537. if (!ipsec)
  538. goto err1;
  539. hash_init(ipsec->rx_sa_list);
  540. size = sizeof(struct rx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
  541. ipsec->rx_tbl = kzalloc(size, GFP_KERNEL);
  542. if (!ipsec->rx_tbl)
  543. goto err2;
  544. size = sizeof(struct tx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
  545. ipsec->tx_tbl = kzalloc(size, GFP_KERNEL);
  546. if (!ipsec->tx_tbl)
  547. goto err2;
  548. ipsec->num_rx_sa = 0;
  549. ipsec->num_tx_sa = 0;
  550. adapter->ipsec = ipsec;
  551. adapter->netdev->xfrmdev_ops = &ixgbevf_xfrmdev_ops;
  552. #define IXGBEVF_ESP_FEATURES (NETIF_F_HW_ESP | \
  553. NETIF_F_HW_ESP_TX_CSUM | \
  554. NETIF_F_GSO_ESP)
  555. adapter->netdev->features |= IXGBEVF_ESP_FEATURES;
  556. adapter->netdev->hw_enc_features |= IXGBEVF_ESP_FEATURES;
  557. return;
  558. err2:
  559. kfree(ipsec->rx_tbl);
  560. kfree(ipsec->tx_tbl);
  561. kfree(ipsec);
  562. err1:
  563. netdev_err(adapter->netdev, "Unable to allocate memory for SA tables");
  564. }
  565. /**
  566. * ixgbevf_stop_ipsec_offload - tear down the IPsec offload
  567. * @adapter: board private structure
  568. **/
  569. void ixgbevf_stop_ipsec_offload(struct ixgbevf_adapter *adapter)
  570. {
  571. struct ixgbevf_ipsec *ipsec = adapter->ipsec;
  572. adapter->ipsec = NULL;
  573. if (ipsec) {
  574. kfree(ipsec->rx_tbl);
  575. kfree(ipsec->tx_tbl);
  576. kfree(ipsec);
  577. }
  578. }