1 /*
2 * This file is part of the Chelsio T6 Crypto driver for Linux.
3 *
4 * Copyright (c) 2003-2017 Chelsio Communications, Inc. All rights reserved.
5 *
6 * This software is available to you under a choice of one of two
7 * licenses. You may choose to be licensed under the terms of the GNU
8 * General Public License (GPL) Version 2, available from the file
9 * COPYING in the main directory of this source tree, or the
10 * OpenIB.org BSD license below:
11 *
12 * Redistribution and use in source and binary forms, with or
13 * without modification, are permitted provided that the following
14 * conditions are met:
15 *
16 * - Redistributions of source code must retain the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer.
19 *
20 * - Redistributions in binary form must reproduce the above
21 * copyright notice, this list of conditions and the following
22 * disclaimer in the documentation and/or other materials
23 * provided with the distribution.
24 *
25 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
26 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
27 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
28 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
29 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
30 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
31 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
32 * SOFTWARE.
33 *
34 * Written and Maintained by:
35 * Atul Gupta (atul.gupta@chelsio.com)
36 */
37
38 #define pr_fmt(fmt) "ch_ipsec: " fmt
39
40 #include <linux/kernel.h>
41 #include <linux/module.h>
42 #include <linux/skbuff.h>
43 #include <linux/rtnetlink.h>
44 #include <linux/highmem.h>
45 #include <linux/if_vlan.h>
46 #include <linux/ip.h>
47 #include <linux/netdevice.h>
48 #include <net/esp.h>
49 #include <net/xfrm.h>
50 #include <crypto/aes.h>
51 #include <crypto/hash.h>
52 #include <crypto/sha1.h>
53 #include <crypto/sha2.h>
54 #include <crypto/authenc.h>
55 #include <crypto/internal/aead.h>
56 #include <crypto/null.h>
57 #include <crypto/internal/skcipher.h>
58 #include <crypto/aead.h>
59 #include <crypto/scatterwalk.h>
60 #include <crypto/internal/hash.h>
61
62 #include "chcr_ipsec.h"
63
64 /*
65 * Max Tx descriptor space we allow for an Ethernet packet to be inlined
66 * into a WR.
67 */
68 #define MAX_IMM_TX_PKT_LEN 256
69 #define GCM_ESP_IV_SIZE 8
70
71 static LIST_HEAD(uld_ctx_list);
72 static DEFINE_MUTEX(dev_mutex);
73
74 static int ch_ipsec_uld_state_change(void *handle, enum cxgb4_state new_state);
75 static int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev);
76 static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop);
77 static void ch_ipsec_advance_esn_state(struct xfrm_state *x);
78 static void ch_ipsec_xfrm_free_state(struct xfrm_state *x);
79 static void ch_ipsec_xfrm_del_state(struct xfrm_state *x);
80 static int ch_ipsec_xfrm_add_state(struct xfrm_state *x,
81 struct netlink_ext_ack *extack);
82
83 static const struct xfrmdev_ops ch_ipsec_xfrmdev_ops = {
84 .xdo_dev_state_add = ch_ipsec_xfrm_add_state,
85 .xdo_dev_state_delete = ch_ipsec_xfrm_del_state,
86 .xdo_dev_state_free = ch_ipsec_xfrm_free_state,
87 .xdo_dev_state_advance_esn = ch_ipsec_advance_esn_state,
88 };
89
90 static struct cxgb4_uld_info ch_ipsec_uld_info = {
91 .name = CHIPSEC_DRV_MODULE_NAME,
92 .add = ch_ipsec_uld_add,
93 .state_change = ch_ipsec_uld_state_change,
94 .tx_handler = ch_ipsec_xmit,
95 .xfrmdev_ops = &ch_ipsec_xfrmdev_ops,
96 };
97
ch_ipsec_uld_add(const struct cxgb4_lld_info * infop)98 static void *ch_ipsec_uld_add(const struct cxgb4_lld_info *infop)
99 {
100 struct ipsec_uld_ctx *u_ctx;
101
102 pr_info_once("%s - version %s\n", CHIPSEC_DRV_DESC,
103 CHIPSEC_DRV_VERSION);
104 u_ctx = kzalloc(sizeof(*u_ctx), GFP_KERNEL);
105 if (!u_ctx) {
106 u_ctx = ERR_PTR(-ENOMEM);
107 goto out;
108 }
109 u_ctx->lldi = *infop;
110 out:
111 return u_ctx;
112 }
113
ch_ipsec_uld_state_change(void * handle,enum cxgb4_state new_state)114 static int ch_ipsec_uld_state_change(void *handle, enum cxgb4_state new_state)
115 {
116 struct ipsec_uld_ctx *u_ctx = handle;
117
118 pr_debug("new_state %u\n", new_state);
119 switch (new_state) {
120 case CXGB4_STATE_UP:
121 pr_info("%s: Up\n", pci_name(u_ctx->lldi.pdev));
122 mutex_lock(&dev_mutex);
123 list_add_tail(&u_ctx->entry, &uld_ctx_list);
124 mutex_unlock(&dev_mutex);
125 break;
126 case CXGB4_STATE_START_RECOVERY:
127 case CXGB4_STATE_DOWN:
128 case CXGB4_STATE_DETACH:
129 pr_info("%s: Down\n", pci_name(u_ctx->lldi.pdev));
130 list_del(&u_ctx->entry);
131 break;
132 default:
133 break;
134 }
135
136 return 0;
137 }
138
ch_ipsec_setauthsize(struct xfrm_state * x,struct ipsec_sa_entry * sa_entry)139 static int ch_ipsec_setauthsize(struct xfrm_state *x,
140 struct ipsec_sa_entry *sa_entry)
141 {
142 int hmac_ctrl;
143 int authsize = x->aead->alg_icv_len / 8;
144
145 sa_entry->authsize = authsize;
146
147 switch (authsize) {
148 case ICV_8:
149 hmac_ctrl = CHCR_SCMD_HMAC_CTRL_DIV2;
150 break;
151 case ICV_12:
152 hmac_ctrl = CHCR_SCMD_HMAC_CTRL_IPSEC_96BIT;
153 break;
154 case ICV_16:
155 hmac_ctrl = CHCR_SCMD_HMAC_CTRL_NO_TRUNC;
156 break;
157 default:
158 return -EINVAL;
159 }
160 return hmac_ctrl;
161 }
162
ch_ipsec_setkey(struct xfrm_state * x,struct ipsec_sa_entry * sa_entry)163 static int ch_ipsec_setkey(struct xfrm_state *x,
164 struct ipsec_sa_entry *sa_entry)
165 {
166 int keylen = (x->aead->alg_key_len + 7) / 8;
167 unsigned char *key = x->aead->alg_key;
168 int ck_size, key_ctx_size = 0;
169 unsigned char ghash_h[AEAD_H_SIZE];
170 struct crypto_aes_ctx aes;
171 int ret = 0;
172
173 if (keylen > 3) {
174 keylen -= 4; /* nonce/salt is present in the last 4 bytes */
175 memcpy(sa_entry->salt, key + keylen, 4);
176 }
177
178 if (keylen == AES_KEYSIZE_128) {
179 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_128;
180 } else if (keylen == AES_KEYSIZE_192) {
181 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_192;
182 } else if (keylen == AES_KEYSIZE_256) {
183 ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
184 } else {
185 pr_err("GCM: Invalid key length %d\n", keylen);
186 ret = -EINVAL;
187 goto out;
188 }
189
190 memcpy(sa_entry->key, key, keylen);
191 sa_entry->enckey_len = keylen;
192 key_ctx_size = sizeof(struct _key_ctx) +
193 ((DIV_ROUND_UP(keylen, 16)) << 4) +
194 AEAD_H_SIZE;
195
196 sa_entry->key_ctx_hdr = FILL_KEY_CTX_HDR(ck_size,
197 CHCR_KEYCTX_MAC_KEY_SIZE_128,
198 0, 0,
199 key_ctx_size >> 4);
200
201 /* Calculate the H = CIPH(K, 0 repeated 16 times).
202 * It will go in key context
203 */
204 ret = aes_expandkey(&aes, key, keylen);
205 if (ret) {
206 sa_entry->enckey_len = 0;
207 goto out;
208 }
209 memset(ghash_h, 0, AEAD_H_SIZE);
210 aes_encrypt(&aes, ghash_h, ghash_h);
211 memzero_explicit(&aes, sizeof(aes));
212
213 memcpy(sa_entry->key + (DIV_ROUND_UP(sa_entry->enckey_len, 16) *
214 16), ghash_h, AEAD_H_SIZE);
215 sa_entry->kctx_len = ((DIV_ROUND_UP(sa_entry->enckey_len, 16)) << 4) +
216 AEAD_H_SIZE;
217 out:
218 return ret;
219 }
220
221 /*
222 * ch_ipsec_xfrm_add_state
223 * returns 0 on success, negative error if failed to send message to FPGA
224 * positive error if FPGA returned a bad response
225 */
ch_ipsec_xfrm_add_state(struct xfrm_state * x,struct netlink_ext_ack * extack)226 static int ch_ipsec_xfrm_add_state(struct xfrm_state *x,
227 struct netlink_ext_ack *extack)
228 {
229 struct ipsec_sa_entry *sa_entry;
230 int res = 0;
231
232 if (x->props.aalgo != SADB_AALG_NONE) {
233 NL_SET_ERR_MSG_MOD(extack, "Cannot offload authenticated xfrm states");
234 return -EINVAL;
235 }
236 if (x->props.calgo != SADB_X_CALG_NONE) {
237 NL_SET_ERR_MSG_MOD(extack, "Cannot offload compressed xfrm states");
238 return -EINVAL;
239 }
240 if (x->props.family != AF_INET &&
241 x->props.family != AF_INET6) {
242 NL_SET_ERR_MSG_MOD(extack, "Only IPv4/6 xfrm state offloaded");
243 return -EINVAL;
244 }
245 if (x->props.mode != XFRM_MODE_TRANSPORT &&
246 x->props.mode != XFRM_MODE_TUNNEL) {
247 NL_SET_ERR_MSG_MOD(extack, "Only transport and tunnel xfrm offload");
248 return -EINVAL;
249 }
250 if (x->id.proto != IPPROTO_ESP) {
251 NL_SET_ERR_MSG_MOD(extack, "Only ESP xfrm state offloaded");
252 return -EINVAL;
253 }
254 if (x->encap) {
255 NL_SET_ERR_MSG_MOD(extack, "Encapsulated xfrm state not offloaded");
256 return -EINVAL;
257 }
258 if (!x->aead) {
259 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states without aead");
260 return -EINVAL;
261 }
262 if (x->aead->alg_icv_len != 128 &&
263 x->aead->alg_icv_len != 96) {
264 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with AEAD ICV length other than 96b & 128b");
265 return -EINVAL;
266 }
267 if ((x->aead->alg_key_len != 128 + 32) &&
268 (x->aead->alg_key_len != 256 + 32)) {
269 NL_SET_ERR_MSG_MOD(extack, "cannot offload xfrm states with AEAD key length other than 128/256 bit");
270 return -EINVAL;
271 }
272 if (x->tfcpad) {
273 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with tfc padding");
274 return -EINVAL;
275 }
276 if (!x->geniv) {
277 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states without geniv");
278 return -EINVAL;
279 }
280 if (strcmp(x->geniv, "seqiv")) {
281 NL_SET_ERR_MSG_MOD(extack, "Cannot offload xfrm states with geniv other than seqiv");
282 return -EINVAL;
283 }
284 if (x->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
285 NL_SET_ERR_MSG_MOD(extack, "Unsupported xfrm offload");
286 return -EINVAL;
287 }
288
289 sa_entry = kzalloc(sizeof(*sa_entry), GFP_KERNEL);
290 if (!sa_entry) {
291 res = -ENOMEM;
292 goto out;
293 }
294
295 sa_entry->hmac_ctrl = ch_ipsec_setauthsize(x, sa_entry);
296 if (x->props.flags & XFRM_STATE_ESN)
297 sa_entry->esn = 1;
298 ch_ipsec_setkey(x, sa_entry);
299 x->xso.offload_handle = (unsigned long)sa_entry;
300 try_module_get(THIS_MODULE);
301 out:
302 return res;
303 }
304
ch_ipsec_xfrm_del_state(struct xfrm_state * x)305 static void ch_ipsec_xfrm_del_state(struct xfrm_state *x)
306 {
307 /* do nothing */
308 if (!x->xso.offload_handle)
309 return;
310 }
311
ch_ipsec_xfrm_free_state(struct xfrm_state * x)312 static void ch_ipsec_xfrm_free_state(struct xfrm_state *x)
313 {
314 struct ipsec_sa_entry *sa_entry;
315
316 if (!x->xso.offload_handle)
317 return;
318
319 sa_entry = (struct ipsec_sa_entry *)x->xso.offload_handle;
320 kfree(sa_entry);
321 module_put(THIS_MODULE);
322 }
323
ch_ipsec_advance_esn_state(struct xfrm_state * x)324 static void ch_ipsec_advance_esn_state(struct xfrm_state *x)
325 {
326 /* do nothing */
327 if (!x->xso.offload_handle)
328 return;
329 }
330
is_eth_imm(const struct sk_buff * skb,struct ipsec_sa_entry * sa_entry)331 static int is_eth_imm(const struct sk_buff *skb,
332 struct ipsec_sa_entry *sa_entry)
333 {
334 unsigned int kctx_len;
335 int hdrlen;
336
337 kctx_len = sa_entry->kctx_len;
338 hdrlen = sizeof(struct fw_ulptx_wr) +
339 sizeof(struct chcr_ipsec_req) + kctx_len;
340
341 hdrlen += sizeof(struct cpl_tx_pkt);
342 if (sa_entry->esn)
343 hdrlen += (DIV_ROUND_UP(sizeof(struct chcr_ipsec_aadiv), 16)
344 << 4);
345 if (skb->len <= MAX_IMM_TX_PKT_LEN - hdrlen)
346 return hdrlen;
347 return 0;
348 }
349
calc_tx_sec_flits(const struct sk_buff * skb,struct ipsec_sa_entry * sa_entry,bool * immediate)350 static unsigned int calc_tx_sec_flits(const struct sk_buff *skb,
351 struct ipsec_sa_entry *sa_entry,
352 bool *immediate)
353 {
354 unsigned int kctx_len;
355 unsigned int flits;
356 int aadivlen;
357 int hdrlen;
358
359 kctx_len = sa_entry->kctx_len;
360 hdrlen = is_eth_imm(skb, sa_entry);
361 aadivlen = sa_entry->esn ? DIV_ROUND_UP(sizeof(struct chcr_ipsec_aadiv),
362 16) : 0;
363 aadivlen <<= 4;
364
365 /* If the skb is small enough, we can pump it out as a work request
366 * with only immediate data. In that case we just have to have the
367 * TX Packet header plus the skb data in the Work Request.
368 */
369
370 if (hdrlen) {
371 *immediate = true;
372 return DIV_ROUND_UP(skb->len + hdrlen, sizeof(__be64));
373 }
374
375 flits = sgl_len(skb_shinfo(skb)->nr_frags + 1);
376
377 /* Otherwise, we're going to have to construct a Scatter gather list
378 * of the skb body and fragments. We also include the flits necessary
379 * for the TX Packet Work Request and CPL. We always have a firmware
380 * Write Header (incorporated as part of the cpl_tx_pkt_lso and
381 * cpl_tx_pkt structures), followed by either a TX Packet Write CPL
382 * message or, if we're doing a Large Send Offload, an LSO CPL message
383 * with an embedded TX Packet Write CPL message.
384 */
385 flits += (sizeof(struct fw_ulptx_wr) +
386 sizeof(struct chcr_ipsec_req) +
387 kctx_len +
388 sizeof(struct cpl_tx_pkt_core) +
389 aadivlen) / sizeof(__be64);
390 return flits;
391 }
392
copy_esn_pktxt(struct sk_buff * skb,struct net_device * dev,void * pos,struct ipsec_sa_entry * sa_entry)393 static void *copy_esn_pktxt(struct sk_buff *skb,
394 struct net_device *dev,
395 void *pos,
396 struct ipsec_sa_entry *sa_entry)
397 {
398 struct chcr_ipsec_aadiv *aadiv;
399 struct ulptx_idata *sc_imm;
400 struct ip_esp_hdr *esphdr;
401 struct xfrm_offload *xo;
402 struct sge_eth_txq *q;
403 struct adapter *adap;
404 struct port_info *pi;
405 __be64 seqno;
406 u32 qidx;
407 u32 seqlo;
408 u8 *iv;
409 int eoq;
410 int len;
411
412 pi = netdev_priv(dev);
413 adap = pi->adapter;
414 qidx = skb->queue_mapping;
415 q = &adap->sge.ethtxq[qidx + pi->first_qset];
416
417 /* end of queue, reset pos to start of queue */
418 eoq = (void *)q->q.stat - pos;
419 if (!eoq)
420 pos = q->q.desc;
421
422 len = DIV_ROUND_UP(sizeof(struct chcr_ipsec_aadiv), 16) << 4;
423 memset(pos, 0, len);
424 aadiv = (struct chcr_ipsec_aadiv *)pos;
425 esphdr = (struct ip_esp_hdr *)skb_transport_header(skb);
426 iv = skb_transport_header(skb) + sizeof(struct ip_esp_hdr);
427 xo = xfrm_offload(skb);
428
429 aadiv->spi = (esphdr->spi);
430 seqlo = ntohl(esphdr->seq_no);
431 seqno = cpu_to_be64(seqlo + ((u64)xo->seq.hi << 32));
432 memcpy(aadiv->seq_no, &seqno, 8);
433 iv = skb_transport_header(skb) + sizeof(struct ip_esp_hdr);
434 memcpy(aadiv->iv, iv, 8);
435
436 if (is_eth_imm(skb, sa_entry) && !skb_is_nonlinear(skb)) {
437 sc_imm = (struct ulptx_idata *)(pos +
438 (DIV_ROUND_UP(sizeof(struct chcr_ipsec_aadiv),
439 sizeof(__be64)) << 3));
440 sc_imm->cmd_more = FILL_CMD_MORE(0);
441 sc_imm->len = cpu_to_be32(skb->len);
442 }
443 pos += len;
444 return pos;
445 }
446
copy_cpltx_pktxt(struct sk_buff * skb,struct net_device * dev,void * pos,struct ipsec_sa_entry * sa_entry)447 static void *copy_cpltx_pktxt(struct sk_buff *skb,
448 struct net_device *dev,
449 void *pos,
450 struct ipsec_sa_entry *sa_entry)
451 {
452 struct cpl_tx_pkt_core *cpl;
453 struct sge_eth_txq *q;
454 struct adapter *adap;
455 struct port_info *pi;
456 u32 ctrl0, qidx;
457 u64 cntrl = 0;
458 int left;
459
460 pi = netdev_priv(dev);
461 adap = pi->adapter;
462 qidx = skb->queue_mapping;
463 q = &adap->sge.ethtxq[qidx + pi->first_qset];
464
465 left = (void *)q->q.stat - pos;
466 if (!left)
467 pos = q->q.desc;
468
469 cpl = (struct cpl_tx_pkt_core *)pos;
470
471 cntrl = TXPKT_L4CSUM_DIS_F | TXPKT_IPCSUM_DIS_F;
472 ctrl0 = TXPKT_OPCODE_V(CPL_TX_PKT_XT) | TXPKT_INTF_V(pi->tx_chan) |
473 TXPKT_PF_V(adap->pf);
474 if (skb_vlan_tag_present(skb)) {
475 q->vlan_ins++;
476 cntrl |= TXPKT_VLAN_VLD_F | TXPKT_VLAN_V(skb_vlan_tag_get(skb));
477 }
478
479 cpl->ctrl0 = htonl(ctrl0);
480 cpl->pack = htons(0);
481 cpl->len = htons(skb->len);
482 cpl->ctrl1 = cpu_to_be64(cntrl);
483
484 pos += sizeof(struct cpl_tx_pkt_core);
485 /* Copy ESN info for HW */
486 if (sa_entry->esn)
487 pos = copy_esn_pktxt(skb, dev, pos, sa_entry);
488 return pos;
489 }
490
copy_key_cpltx_pktxt(struct sk_buff * skb,struct net_device * dev,void * pos,struct ipsec_sa_entry * sa_entry)491 static void *copy_key_cpltx_pktxt(struct sk_buff *skb,
492 struct net_device *dev,
493 void *pos,
494 struct ipsec_sa_entry *sa_entry)
495 {
496 struct _key_ctx *key_ctx;
497 int left, eoq, key_len;
498 struct sge_eth_txq *q;
499 struct adapter *adap;
500 struct port_info *pi;
501 unsigned int qidx;
502
503 pi = netdev_priv(dev);
504 adap = pi->adapter;
505 qidx = skb->queue_mapping;
506 q = &adap->sge.ethtxq[qidx + pi->first_qset];
507 key_len = sa_entry->kctx_len;
508
509 /* end of queue, reset pos to start of queue */
510 eoq = (void *)q->q.stat - pos;
511 left = eoq;
512 if (!eoq) {
513 pos = q->q.desc;
514 left = 64 * q->q.size;
515 }
516
517 /* Copy the Key context header */
518 key_ctx = (struct _key_ctx *)pos;
519 key_ctx->ctx_hdr = sa_entry->key_ctx_hdr;
520 memcpy(key_ctx->salt, sa_entry->salt, MAX_SALT);
521 pos += sizeof(struct _key_ctx);
522 left -= sizeof(struct _key_ctx);
523
524 if (likely(key_len <= left)) {
525 memcpy(key_ctx->key, sa_entry->key, key_len);
526 pos += key_len;
527 } else {
528 memcpy(pos, sa_entry->key, left);
529 memcpy(q->q.desc, sa_entry->key + left,
530 key_len - left);
531 pos = (u8 *)q->q.desc + (key_len - left);
532 }
533 /* Copy CPL TX PKT XT */
534 pos = copy_cpltx_pktxt(skb, dev, pos, sa_entry);
535
536 return pos;
537 }
538
ch_ipsec_crypto_wreq(struct sk_buff * skb,struct net_device * dev,void * pos,int credits,struct ipsec_sa_entry * sa_entry)539 static void *ch_ipsec_crypto_wreq(struct sk_buff *skb,
540 struct net_device *dev,
541 void *pos,
542 int credits,
543 struct ipsec_sa_entry *sa_entry)
544 {
545 struct port_info *pi = netdev_priv(dev);
546 struct adapter *adap = pi->adapter;
547 unsigned int ivsize = GCM_ESP_IV_SIZE;
548 struct chcr_ipsec_wr *wr;
549 bool immediate = false;
550 u16 immdatalen = 0;
551 unsigned int flits;
552 u32 ivinoffset;
553 u32 aadstart;
554 u32 aadstop;
555 u32 ciphstart;
556 u16 sc_more = 0;
557 u32 ivdrop = 0;
558 u32 esnlen = 0;
559 u32 wr_mid;
560 u16 ndesc;
561 int qidx = skb_get_queue_mapping(skb);
562 struct sge_eth_txq *q = &adap->sge.ethtxq[qidx + pi->first_qset];
563 unsigned int kctx_len = sa_entry->kctx_len;
564 int qid = q->q.cntxt_id;
565
566 atomic_inc(&adap->ch_ipsec_stats.ipsec_cnt);
567
568 flits = calc_tx_sec_flits(skb, sa_entry, &immediate);
569 ndesc = DIV_ROUND_UP(flits, 2);
570 if (sa_entry->esn)
571 ivdrop = 1;
572
573 if (immediate)
574 immdatalen = skb->len;
575
576 if (sa_entry->esn) {
577 esnlen = sizeof(struct chcr_ipsec_aadiv);
578 if (!skb_is_nonlinear(skb))
579 sc_more = 1;
580 }
581
582 /* WR Header */
583 wr = (struct chcr_ipsec_wr *)pos;
584 wr->wreq.op_to_compl = htonl(FW_WR_OP_V(FW_ULPTX_WR));
585 wr_mid = FW_CRYPTO_LOOKASIDE_WR_LEN16_V(ndesc);
586
587 if (unlikely(credits < ETHTXQ_STOP_THRES)) {
588 netif_tx_stop_queue(q->txq);
589 q->q.stops++;
590 if (!q->dbqt)
591 wr_mid |= FW_WR_EQUEQ_F | FW_WR_EQUIQ_F;
592 }
593 wr_mid |= FW_ULPTX_WR_DATA_F;
594 wr->wreq.flowid_len16 = htonl(wr_mid);
595
596 /* ULPTX */
597 wr->req.ulptx.cmd_dest = FILL_ULPTX_CMD_DEST(pi->port_id, qid);
598 wr->req.ulptx.len = htonl(ndesc - 1);
599
600 /* Sub-command */
601 wr->req.sc_imm.cmd_more = FILL_CMD_MORE(!immdatalen || sc_more);
602 wr->req.sc_imm.len = cpu_to_be32(sizeof(struct cpl_tx_sec_pdu) +
603 sizeof(wr->req.key_ctx) +
604 kctx_len +
605 sizeof(struct cpl_tx_pkt_core) +
606 esnlen +
607 (esnlen ? 0 : immdatalen));
608
609 /* CPL_SEC_PDU */
610 ivinoffset = sa_entry->esn ? (ESN_IV_INSERT_OFFSET + 1) :
611 (skb_transport_offset(skb) +
612 sizeof(struct ip_esp_hdr) + 1);
613 wr->req.sec_cpl.op_ivinsrtofst = htonl(
614 CPL_TX_SEC_PDU_OPCODE_V(CPL_TX_SEC_PDU) |
615 CPL_TX_SEC_PDU_CPLLEN_V(2) |
616 CPL_TX_SEC_PDU_PLACEHOLDER_V(1) |
617 CPL_TX_SEC_PDU_IVINSRTOFST_V(
618 ivinoffset));
619
620 wr->req.sec_cpl.pldlen = htonl(skb->len + esnlen);
621 aadstart = sa_entry->esn ? 1 : (skb_transport_offset(skb) + 1);
622 aadstop = sa_entry->esn ? ESN_IV_INSERT_OFFSET :
623 (skb_transport_offset(skb) +
624 sizeof(struct ip_esp_hdr));
625 ciphstart = skb_transport_offset(skb) + sizeof(struct ip_esp_hdr) +
626 GCM_ESP_IV_SIZE + 1;
627 ciphstart += sa_entry->esn ? esnlen : 0;
628
629 wr->req.sec_cpl.aadstart_cipherstop_hi = FILL_SEC_CPL_CIPHERSTOP_HI(
630 aadstart,
631 aadstop,
632 ciphstart, 0);
633
634 wr->req.sec_cpl.cipherstop_lo_authinsert =
635 FILL_SEC_CPL_AUTHINSERT(0, ciphstart,
636 sa_entry->authsize,
637 sa_entry->authsize);
638 wr->req.sec_cpl.seqno_numivs =
639 FILL_SEC_CPL_SCMD0_SEQNO(CHCR_ENCRYPT_OP, 1,
640 CHCR_SCMD_CIPHER_MODE_AES_GCM,
641 CHCR_SCMD_AUTH_MODE_GHASH,
642 sa_entry->hmac_ctrl,
643 ivsize >> 1);
644 wr->req.sec_cpl.ivgen_hdrlen = FILL_SEC_CPL_IVGEN_HDRLEN(0, 0, 1,
645 0, ivdrop, 0);
646
647 pos += sizeof(struct fw_ulptx_wr) +
648 sizeof(struct ulp_txpkt) +
649 sizeof(struct ulptx_idata) +
650 sizeof(struct cpl_tx_sec_pdu);
651
652 pos = copy_key_cpltx_pktxt(skb, dev, pos, sa_entry);
653
654 return pos;
655 }
656
657 /**
658 * flits_to_desc - returns the num of Tx descriptors for the given flits
659 * @n: the number of flits
660 *
661 * Returns the number of Tx descriptors needed for the supplied number
662 * of flits.
663 */
flits_to_desc(unsigned int n)664 static unsigned int flits_to_desc(unsigned int n)
665 {
666 WARN_ON(n > SGE_MAX_WR_LEN / 8);
667 return DIV_ROUND_UP(n, 8);
668 }
669
txq_avail(const struct sge_txq * q)670 static unsigned int txq_avail(const struct sge_txq *q)
671 {
672 return q->size - 1 - q->in_use;
673 }
674
eth_txq_stop(struct sge_eth_txq * q)675 static void eth_txq_stop(struct sge_eth_txq *q)
676 {
677 netif_tx_stop_queue(q->txq);
678 q->q.stops++;
679 }
680
txq_advance(struct sge_txq * q,unsigned int n)681 static void txq_advance(struct sge_txq *q, unsigned int n)
682 {
683 q->in_use += n;
684 q->pidx += n;
685 if (q->pidx >= q->size)
686 q->pidx -= q->size;
687 }
688
689 /*
690 * ch_ipsec_xmit called from ULD Tx handler
691 */
ch_ipsec_xmit(struct sk_buff * skb,struct net_device * dev)692 int ch_ipsec_xmit(struct sk_buff *skb, struct net_device *dev)
693 {
694 struct xfrm_state *x = xfrm_input_state(skb);
695 unsigned int last_desc, ndesc, flits = 0;
696 struct ipsec_sa_entry *sa_entry;
697 u64 *pos, *end, *before, *sgl;
698 struct tx_sw_desc *sgl_sdesc;
699 int qidx, left, credits;
700 bool immediate = false;
701 struct sge_eth_txq *q;
702 struct adapter *adap;
703 struct port_info *pi;
704 struct sec_path *sp;
705
706 if (!x->xso.offload_handle)
707 return NETDEV_TX_BUSY;
708
709 sa_entry = (struct ipsec_sa_entry *)x->xso.offload_handle;
710
711 sp = skb_sec_path(skb);
712 if (sp->len != 1) {
713 out_free: dev_kfree_skb_any(skb);
714 return NETDEV_TX_OK;
715 }
716
717 pi = netdev_priv(dev);
718 adap = pi->adapter;
719 qidx = skb->queue_mapping;
720 q = &adap->sge.ethtxq[qidx + pi->first_qset];
721
722 cxgb4_reclaim_completed_tx(adap, &q->q, true);
723
724 flits = calc_tx_sec_flits(skb, sa_entry, &immediate);
725 ndesc = flits_to_desc(flits);
726 credits = txq_avail(&q->q) - ndesc;
727
728 if (unlikely(credits < 0)) {
729 eth_txq_stop(q);
730 dev_err(adap->pdev_dev,
731 "%s: Tx ring %u full while queue awake! cred:%d %d %d flits:%d\n",
732 dev->name, qidx, credits, ndesc, txq_avail(&q->q),
733 flits);
734 return NETDEV_TX_BUSY;
735 }
736
737 last_desc = q->q.pidx + ndesc - 1;
738 if (last_desc >= q->q.size)
739 last_desc -= q->q.size;
740 sgl_sdesc = &q->q.sdesc[last_desc];
741
742 if (!immediate &&
743 unlikely(cxgb4_map_skb(adap->pdev_dev, skb, sgl_sdesc->addr) < 0)) {
744 memset(sgl_sdesc->addr, 0, sizeof(sgl_sdesc->addr));
745 q->mapping_err++;
746 goto out_free;
747 }
748
749 pos = (u64 *)&q->q.desc[q->q.pidx];
750 before = (u64 *)pos;
751 end = (u64 *)pos + flits;
752 /* Setup IPSec CPL */
753 pos = (void *)ch_ipsec_crypto_wreq(skb, dev, (void *)pos,
754 credits, sa_entry);
755 if (before > (u64 *)pos) {
756 left = (u8 *)end - (u8 *)q->q.stat;
757 end = (void *)q->q.desc + left;
758 }
759 if (pos == (u64 *)q->q.stat) {
760 left = (u8 *)end - (u8 *)q->q.stat;
761 end = (void *)q->q.desc + left;
762 pos = (void *)q->q.desc;
763 }
764
765 sgl = (void *)pos;
766 if (immediate) {
767 cxgb4_inline_tx_skb(skb, &q->q, sgl);
768 dev_consume_skb_any(skb);
769 } else {
770 cxgb4_write_sgl(skb, &q->q, (void *)sgl, end,
771 0, sgl_sdesc->addr);
772 skb_orphan(skb);
773 sgl_sdesc->skb = skb;
774 }
775 txq_advance(&q->q, ndesc);
776
777 cxgb4_ring_tx_db(adap, &q->q, ndesc);
778 return NETDEV_TX_OK;
779 }
780
ch_ipsec_init(void)781 static int __init ch_ipsec_init(void)
782 {
783 cxgb4_register_uld(CXGB4_ULD_IPSEC, &ch_ipsec_uld_info);
784
785 return 0;
786 }
787
ch_ipsec_exit(void)788 static void __exit ch_ipsec_exit(void)
789 {
790 struct ipsec_uld_ctx *u_ctx, *tmp;
791 struct adapter *adap;
792
793 mutex_lock(&dev_mutex);
794 list_for_each_entry_safe(u_ctx, tmp, &uld_ctx_list, entry) {
795 adap = pci_get_drvdata(u_ctx->lldi.pdev);
796 atomic_set(&adap->ch_ipsec_stats.ipsec_cnt, 0);
797 list_del(&u_ctx->entry);
798 kfree(u_ctx);
799 }
800 mutex_unlock(&dev_mutex);
801 cxgb4_unregister_uld(CXGB4_ULD_IPSEC);
802 }
803
804 module_init(ch_ipsec_init);
805 module_exit(ch_ipsec_exit);
806
807 MODULE_DESCRIPTION("Crypto IPSEC for Chelsio Terminator cards.");
808 MODULE_LICENSE("GPL");
809 MODULE_AUTHOR("Chelsio Communications");
810 MODULE_VERSION(CHIPSEC_DRV_VERSION);
811
812