1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */ 3 4 #include <crypto/aead.h> 5 #include <linux/debugfs.h> 6 #include <net/xfrm.h> 7 8 #include "netdevsim.h" 9 10 #define NSIM_IPSEC_AUTH_BITS 128 11 12 static ssize_t nsim_dbg_netdev_ops_read(struct file *filp, 13 char __user *buffer, 14 size_t count, loff_t *ppos) 15 { 16 struct netdevsim *ns = filp->private_data; 17 struct nsim_ipsec *ipsec = &ns->ipsec; 18 size_t bufsize; 19 char *buf, *p; 20 int len; 21 int i; 22 23 /* the buffer needed is 24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line 25 */ 26 bufsize = (ipsec->count * 4 * 60) + 60; 27 buf = kzalloc(bufsize, GFP_KERNEL); 28 if (!buf) 29 return -ENOMEM; 30 31 p = buf; 32 p += scnprintf(p, bufsize - (p - buf), 33 "SA count=%u tx=%u\n", 34 ipsec->count, ipsec->tx); 35 36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 37 struct nsim_sa *sap = &ipsec->sa[i]; 38 39 if (!sap->used) 40 continue; 41 42 if (sap->xs->props.family == AF_INET6) 43 p += scnprintf(p, bufsize - (p - buf), 44 "sa[%i] %cx ipaddr=%pI6c\n", 45 i, (sap->rx ? 'r' : 't'), &sap->ipaddr); 46 else 47 p += scnprintf(p, bufsize - (p - buf), 48 "sa[%i] %cx ipaddr=%pI4\n", 49 i, (sap->rx ? 'r' : 't'), &sap->ipaddr[3]); 50 p += scnprintf(p, bufsize - (p - buf), 51 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n", 52 i, be32_to_cpu(sap->xs->id.spi), 53 sap->xs->id.proto, sap->salt, sap->crypt); 54 p += scnprintf(p, bufsize - (p - buf), 55 "sa[%i] key=0x%08x %08x %08x %08x\n", 56 i, sap->key[0], sap->key[1], 57 sap->key[2], sap->key[3]); 58 } 59 60 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf); 61 62 kfree(buf); 63 return len; 64 } 65 66 static const struct file_operations ipsec_dbg_fops = { 67 .owner = THIS_MODULE, 68 .open = simple_open, 69 .read = nsim_dbg_netdev_ops_read, 70 }; 71 72 static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec) 73 { 74 u32 i; 75 76 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT) 77 return -ENOSPC; 78 79 /* search sa table */ 80 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 81 if (!ipsec->sa[i].used) 82 return i; 83 } 84 85 return -ENOSPC; 86 } 87 88 static int nsim_ipsec_parse_proto_keys(struct net_device *dev, 89 struct xfrm_state *xs, 90 u32 *mykey, u32 *mysalt) 91 { 92 const char aes_gcm_name[] = "rfc4106(gcm(aes))"; 93 unsigned char *key_data; 94 char *alg_name = NULL; 95 int key_len; 96 97 if (!xs->aead) { 98 netdev_err(dev, "Unsupported IPsec algorithm\n"); 99 return -EINVAL; 100 } 101 102 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) { 103 netdev_err(dev, "IPsec offload requires %d bit authentication\n", 104 NSIM_IPSEC_AUTH_BITS); 105 return -EINVAL; 106 } 107 108 key_data = &xs->aead->alg_key[0]; 109 key_len = xs->aead->alg_key_len; 110 alg_name = xs->aead->alg_name; 111 112 if (strcmp(alg_name, aes_gcm_name)) { 113 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n", 114 aes_gcm_name); 115 return -EINVAL; 116 } 117 118 /* 160 accounts for 16 byte key and 4 byte salt */ 119 if (key_len > NSIM_IPSEC_AUTH_BITS) { 120 *mysalt = ((u32 *)key_data)[4]; 121 } else if (key_len == NSIM_IPSEC_AUTH_BITS) { 122 *mysalt = 0; 123 } else { 124 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n"); 125 return -EINVAL; 126 } 127 memcpy(mykey, key_data, 16); 128 129 return 0; 130 } 131 132 static int nsim_ipsec_add_sa(struct net_device *dev, 133 struct xfrm_state *xs, 134 struct netlink_ext_ack *extack) 135 { 136 struct nsim_ipsec *ipsec; 137 struct netdevsim *ns; 138 struct nsim_sa sa; 139 u16 sa_idx; 140 int ret; 141 142 ns = netdev_priv(dev); 143 ipsec = &ns->ipsec; 144 145 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 146 NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for ipsec offload"); 147 return -EINVAL; 148 } 149 150 if (xs->calg) { 151 NL_SET_ERR_MSG_MOD(extack, "Compression offload not supported"); 152 return -EINVAL; 153 } 154 155 if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) { 156 NL_SET_ERR_MSG_MOD(extack, "Unsupported ipsec offload type"); 157 return -EINVAL; 158 } 159 160 /* find the first unused index */ 161 ret = nsim_ipsec_find_empty_idx(ipsec); 162 if (ret < 0) { 163 NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx table!"); 164 return ret; 165 } 166 sa_idx = (u16)ret; 167 168 memset(&sa, 0, sizeof(sa)); 169 sa.used = true; 170 sa.xs = xs; 171 172 if (sa.xs->id.proto & IPPROTO_ESP) 173 sa.crypt = xs->ealg || xs->aead; 174 175 /* get the key and salt */ 176 ret = nsim_ipsec_parse_proto_keys(dev, xs, sa.key, &sa.salt); 177 if (ret) { 178 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for SA table"); 179 return ret; 180 } 181 182 if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) 183 sa.rx = true; 184 185 if (xs->props.family == AF_INET6) 186 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16); 187 else 188 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4); 189 190 /* the preparations worked, so save the info */ 191 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa)); 192 193 /* the XFRM stack doesn't like offload_handle == 0, 194 * so add a bitflag in case our array index is 0 195 */ 196 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID; 197 ipsec->count++; 198 199 return 0; 200 } 201 202 static void nsim_ipsec_del_sa(struct net_device *dev, struct xfrm_state *xs) 203 { 204 struct netdevsim *ns = netdev_priv(dev); 205 struct nsim_ipsec *ipsec = &ns->ipsec; 206 u16 sa_idx; 207 208 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 209 if (!ipsec->sa[sa_idx].used) { 210 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n", 211 sa_idx); 212 return; 213 } 214 215 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa)); 216 ipsec->count--; 217 } 218 219 static const struct xfrmdev_ops nsim_xfrmdev_ops = { 220 .xdo_dev_state_add = nsim_ipsec_add_sa, 221 .xdo_dev_state_delete = nsim_ipsec_del_sa, 222 }; 223 224 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) 225 { 226 struct sec_path *sp = skb_sec_path(skb); 227 struct nsim_ipsec *ipsec = &ns->ipsec; 228 struct xfrm_state *xs; 229 struct nsim_sa *tsa; 230 u32 sa_idx; 231 232 /* do we even need to check this packet? */ 233 if (!sp) 234 return true; 235 236 if (unlikely(!sp->len)) { 237 netdev_err(ns->netdev, "no xfrm state len = %d\n", 238 sp->len); 239 return false; 240 } 241 242 xs = xfrm_input_state(skb); 243 if (unlikely(!xs)) { 244 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs); 245 return false; 246 } 247 248 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 249 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) { 250 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n", 251 sa_idx, NSIM_IPSEC_MAX_SA_COUNT); 252 return false; 253 } 254 255 tsa = &ipsec->sa[sa_idx]; 256 if (unlikely(!tsa->used)) { 257 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx); 258 return false; 259 } 260 261 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 262 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto); 263 return false; 264 } 265 266 ipsec->tx++; 267 268 return true; 269 } 270 271 void nsim_ipsec_init(struct netdevsim *ns) 272 { 273 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops; 274 275 #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \ 276 NETIF_F_HW_ESP_TX_CSUM | \ 277 NETIF_F_GSO_ESP) 278 279 ns->netdev->features |= NSIM_ESP_FEATURES; 280 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES; 281 282 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400, 283 ns->nsim_dev_port->ddir, ns, 284 &ipsec_dbg_fops); 285 } 286 287 void nsim_ipsec_teardown(struct netdevsim *ns) 288 { 289 struct nsim_ipsec *ipsec = &ns->ipsec; 290 291 if (ipsec->count) 292 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n", 293 ipsec->count); 294 debugfs_remove_recursive(ipsec->pfile); 295 } 296