1 // SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
35 	off = nn->tlv_caps.crypto_enable_off + round_down(opcode / 8, 4);  in nfp_net_crypto_set_op()
54 		nn->ktls_tx_conn_cnt += add;  in __nfp_net_tls_conn_cnt_changed()
55 		cnt = nn->ktls_tx_conn_cnt;  in __nfp_net_tls_conn_cnt_changed()
56 		nn->dp.ktls_tx = !!nn->ktls_tx_conn_cnt;  in __nfp_net_tls_conn_cnt_changed()
59 		nn->ktls_rx_conn_cnt += add;  in __nfp_net_tls_conn_cnt_changed()
60 		cnt = nn->ktls_rx_conn_cnt;  in __nfp_net_tls_conn_cnt_changed()
63 	/* Care only about 0 -> 1 and 1 -> 0 transitions */  in __nfp_net_tls_conn_cnt_changed()
77 	/* Use the BAR lock to protect the connection counts */  in nfp_net_tls_conn_cnt_changed()
83 			__nfp_net_tls_conn_cnt_changed(nn, -add, direction);  in nfp_net_tls_conn_cnt_changed()
99 	return nfp_net_tls_conn_cnt_changed(nn, -1, direction);  in nfp_net_tls_conn_remove()
121 		nn_dp_warn(&nn->dp, "failed to %s TLS: %d\n", name, err);  in nfp_net_tls_communicate_simple()
125 	reply = (void *)skb->data;  in nfp_net_tls_communicate_simple()
126 	err = -be32_to_cpu(reply->error);  in nfp_net_tls_communicate_simple()
128 		nn_dp_warn(&nn->dp, "failed to %s TLS, fw replied: %d\n",  in nfp_net_tls_communicate_simple()
144 	req = (void *)skb->data;  in nfp_net_tls_del_fw()
145 	req->ep_id = 0;  in nfp_net_tls_del_fw()
146 	memcpy(req->handle, fw_handle, sizeof(req->handle));  in nfp_net_tls_del_fw()
155 	front->ipver_vlan = cpu_to_be16(FIELD_PREP(NFP_NET_TLS_IPVER, ipver) |  in nfp_net_tls_set_ipver_vlan()
167 	id = atomic64_inc_return(&nn->ktls_conn_id_gen);  in nfp_net_tls_assign_conn_id()
168 	len = front->key_len - NFP_NET_TLS_NON_ADDR_KEY_LEN;  in nfp_net_tls_assign_conn_id()
170 	memcpy(front->l3_addrs, &id, sizeof(id));  in nfp_net_tls_assign_conn_id()
171 	memset(front->l3_addrs + sizeof(id), 0, len - sizeof(id));  in nfp_net_tls_assign_conn_id()
180 	req->front.key_len += sizeof(__be32) * 2;  in nfp_net_tls_set_ipv4()
183 		nfp_net_tls_assign_conn_id(nn, &req->front);  in nfp_net_tls_set_ipv4()
185 		req->src_ip = inet->inet_daddr;  in nfp_net_tls_set_ipv4()
186 		req->dst_ip = inet->inet_saddr;  in nfp_net_tls_set_ipv4()
189 	return &req->back;  in nfp_net_tls_set_ipv4()
199 	req->front.key_len += sizeof(struct in6_addr) * 2;  in nfp_net_tls_set_ipv6()
202 		nfp_net_tls_assign_conn_id(nn, &req->front);  in nfp_net_tls_set_ipv6()
204 		memcpy(req->src_ip, &sk->sk_v6_daddr, sizeof(req->src_ip));  in nfp_net_tls_set_ipv6()
205 		memcpy(req->dst_ip, &np->saddr, sizeof(req->dst_ip));  in nfp_net_tls_set_ipv6()
209 	return &req->back;  in nfp_net_tls_set_ipv6()
214 		   struct nfp_crypto_req_add_back *back, struct sock *sk,  in nfp_net_tls_set_l4()  argument
219 	front->l4_proto = IPPROTO_TCP;  in nfp_net_tls_set_l4()
222 		back->src_port = 0;  in nfp_net_tls_set_l4()
223 		back->dst_port = 0;  in nfp_net_tls_set_l4()
225 		back->src_port = inet->inet_dport;  in nfp_net_tls_set_l4()
226 		back->dst_port = inet->inet_sport;  in nfp_net_tls_set_l4()
260 	return nn->tlv_caps.crypto_ops & BIT(bit);  in nfp_net_cipher_supported()
273 	struct nfp_crypto_req_add_back *back;  in nfp_net_tls_add()  local
286 	if (!nfp_net_cipher_supported(nn, crypto_info->cipher_type, direction))  in nfp_net_tls_add()
287 		return -EOPNOTSUPP;  in nfp_net_tls_add()
289 	switch (sk->sk_family) {  in nfp_net_tls_add()
293 		    ipv6_addr_type(&sk->sk_v6_daddr) != IPV6_ADDR_MAPPED) {  in nfp_net_tls_add()
305 		return -EOPNOTSUPP;  in nfp_net_tls_add()
314 		err = -ENOMEM;  in nfp_net_tls_add()
318 	front = (void *)skb->data;  in nfp_net_tls_add()
319 	front->ep_id = 0;  in nfp_net_tls_add()
320 	front->key_len = NFP_NET_TLS_NON_ADDR_KEY_LEN;  in nfp_net_tls_add()
321 	front->opcode = nfp_tls_1_2_dir_to_opcode(direction);  in nfp_net_tls_add()
322 	memset(front->resv, 0, sizeof(front->resv));  in nfp_net_tls_add()
326 	req = (void *)skb->data;  in nfp_net_tls_add()
328 		back = nfp_net_tls_set_ipv6(nn, req, sk, direction);  in nfp_net_tls_add()
330 		back = nfp_net_tls_set_ipv4(nn, req, sk, direction);  in nfp_net_tls_add()
332 	nfp_net_tls_set_l4(front, back, sk, direction);  in nfp_net_tls_add()
334 	back->counter = 0;  in nfp_net_tls_add()
335 	back->tcp_seq = cpu_to_be32(start_offload_tcp_sn);  in nfp_net_tls_add()
338 	memcpy(back->key, tls_ci->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);  in nfp_net_tls_add()
339 	memset(&back->key[TLS_CIPHER_AES_GCM_128_KEY_SIZE / 4], 0,  in nfp_net_tls_add()
340 	       sizeof(back->key) - TLS_CIPHER_AES_GCM_128_KEY_SIZE);  in nfp_net_tls_add()
341 	memcpy(back->iv, tls_ci->iv, TLS_CIPHER_AES_GCM_128_IV_SIZE);  in nfp_net_tls_add()
342 	memcpy(&back->salt, tls_ci->salt, TLS_CIPHER_AES_GCM_128_SALT_SIZE);  in nfp_net_tls_add()
343 	memcpy(back->rec_no, tls_ci->rec_seq, sizeof(tls_ci->rec_seq));  in nfp_net_tls_add()
350 	reply = (void *)skb->data;  in nfp_net_tls_add()
355 	if (!WARN_ON_ONCE((u8 *)back < skb->head ||  in nfp_net_tls_add()
356 			  (u8 *)back > skb_end_pointer(skb)) &&  in nfp_net_tls_add()
357 	    !WARN_ON_ONCE((u8 *)&reply[1] > (u8 *)back))  in nfp_net_tls_add()
358 		memzero_explicit(back, sizeof(*back));  in nfp_net_tls_add()
362 		nn_dp_warn(&nn->dp, "failed to add TLS: %d (%d)\n",  in nfp_net_tls_add()
368 	err = -be32_to_cpu(reply->error);  in nfp_net_tls_add()
370 		if (err == -ENOSPC) {  in nfp_net_tls_add()
371 			if (!atomic_fetch_inc(&nn->ktls_no_space))  in nfp_net_tls_add()
374 			nn_dp_warn(&nn->dp,  in nfp_net_tls_add()
375 				   "failed to add TLS, FW replied: %d\n", err);  in nfp_net_tls_add()
380 	if (!reply->handle[0] && !reply->handle[1]) {  in nfp_net_tls_add()
381 		nn_dp_warn(&nn->dp, "FW returned NULL handle\n");  in nfp_net_tls_add()
382 		err = -EINVAL;  in nfp_net_tls_add()
387 	memcpy(ntls->fw_handle, reply->handle, sizeof(ntls->fw_handle));  in nfp_net_tls_add()
389 		ntls->next_seq = start_offload_tcp_sn;  in nfp_net_tls_add()
395 	if (!nn->tlv_caps.tls_resync_ss)  in nfp_net_tls_add()
401 	nfp_net_tls_del_fw(nn, reply->handle);  in nfp_net_tls_add()
419 	nfp_net_tls_del_fw(nn, ntls->fw_handle);  in nfp_net_tls_del()
437 		return -ENOMEM;  in nfp_net_tls_resync()
440 	req = (void *)skb->data;  in nfp_net_tls_resync()
441 	req->ep_id = 0;  in nfp_net_tls_resync()
442 	req->opcode = nfp_tls_1_2_dir_to_opcode(direction);  in nfp_net_tls_resync()
443 	memset(req->resv, 0, sizeof(req->resv));  in nfp_net_tls_resync()
444 	memcpy(req->handle, ntls->fw_handle, sizeof(ntls->fw_handle));  in nfp_net_tls_resync()
445 	req->tcp_seq = cpu_to_be32(seq);  in nfp_net_tls_resync()
446 	memcpy(req->rec_no, rcd_sn, sizeof(req->rec_no));  in nfp_net_tls_resync()
453 		ntls->next_seq = seq;  in nfp_net_tls_resync()
455 		if (nn->tlv_caps.tls_resync_ss)  in nfp_net_tls_resync()
459 		atomic_inc(&nn->ktls_rx_resync_sent);  in nfp_net_tls_resync()
485 	iph = pkt + req->l3_offset;  in nfp_net_tls_rx_resync_req()
486 	ipv6h = pkt + req->l3_offset;  in nfp_net_tls_rx_resync_req()
487 	th = pkt + req->l4_offset;  in nfp_net_tls_rx_resync_req()
491 				 req->l3_offset, req->l4_offset, pkt_len);  in nfp_net_tls_rx_resync_req()
492 		err = -EINVAL;  in nfp_net_tls_rx_resync_req()
496 	switch (ipv6h->version) {  in nfp_net_tls_rx_resync_req()
498 		sk = inet_lookup_established(net, net->ipv4.tcp_death_row.hashinfo,  in nfp_net_tls_rx_resync_req()
499 					     iph->saddr, th->source, iph->daddr,  in nfp_net_tls_rx_resync_req()
500 					     th->dest, netdev->ifindex);  in nfp_net_tls_rx_resync_req()
504 		sk = __inet6_lookup_established(net, net->ipv4.tcp_death_row.hashinfo,  in nfp_net_tls_rx_resync_req()
505 						&ipv6h->saddr, th->source,  in nfp_net_tls_rx_resync_req()
506 						&ipv6h->daddr, ntohs(th->dest),  in nfp_net_tls_rx_resync_req()
507 						netdev->ifindex, 0);  in nfp_net_tls_rx_resync_req()
512 				 req->l3_offset, req->l4_offset, iph->version);  in nfp_net_tls_rx_resync_req()
513 		err = -EINVAL;  in nfp_net_tls_rx_resync_req()
521 	    sk->sk_shutdown & RCV_SHUTDOWN)  in nfp_net_tls_rx_resync_req()
526 	if (memchr_inv(&req->fw_handle, 0, sizeof(req->fw_handle)) &&  in nfp_net_tls_rx_resync_req()
527 	    memcmp(&req->fw_handle, &ntls->fw_handle, sizeof(ntls->fw_handle)))  in nfp_net_tls_rx_resync_req()
530 	/* copy to ensure alignment */  in nfp_net_tls_rx_resync_req()
531 	memcpy(&tcp_seq, &req->tcp_seq, sizeof(tcp_seq));  in nfp_net_tls_rx_resync_req()
533 	atomic_inc(&nn->ktls_rx_resync_req);  in nfp_net_tls_rx_resync_req()
541 	atomic_inc(&nn->ktls_rx_resync_ign);  in nfp_net_tls_rx_resync_req()
552 		return -ENOMEM;  in nfp_net_tls_reset()
554 	req = (void *)skb->data;  in nfp_net_tls_reset()
555 	req->ep_id = 0;  in nfp_net_tls_reset()
563 	struct net_device *netdev = nn->dp.netdev;  in nfp_net_tls_init()
566 	if (!(nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK))  in nfp_net_tls_init()
569 	if ((nn->tlv_caps.mbox_cmsg_types & NFP_NET_TLS_CCM_MBOX_OPS_MASK) !=  in nfp_net_tls_init()
574 		nn_warn(nn, "disabling TLS offload - mbox too small: %d\n",  in nfp_net_tls_init()
575 			nn->tlv_caps.mbox_len);  in nfp_net_tls_init()
584 	nn_writel(nn, nn->tlv_caps.crypto_enable_off, 0);  in nfp_net_tls_init()
590 	if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_RX) {  in nfp_net_tls_init()
591 		netdev->hw_features |= NETIF_F_HW_TLS_RX;  in nfp_net_tls_init()
592 		netdev->features |= NETIF_F_HW_TLS_RX;  in nfp_net_tls_init()
594 	if (nn->tlv_caps.crypto_ops & NFP_NET_TLS_OPCODE_MASK_TX) {  in nfp_net_tls_init()
595 		netdev->hw_features |= NETIF_F_HW_TLS_TX;  in nfp_net_tls_init()
596 		netdev->features |= NETIF_F_HW_TLS_TX;  in nfp_net_tls_init()
599 	netdev->tlsdev_ops = &nfp_net_tls_ops;  in nfp_net_tls_init()