Loading...
1// SPDX-License-Identifier: GPL-2.0
2/* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
3
4#include <crypto/aead.h>
5#include <linux/debugfs.h>
6#include <net/xfrm.h>
7
8#include "netdevsim.h"
9
10#define NSIM_IPSEC_AUTH_BITS 128
11
12static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
13 char __user *buffer,
14 size_t count, loff_t *ppos)
15{
16 struct netdevsim *ns = filp->private_data;
17 struct nsim_ipsec *ipsec = &ns->ipsec;
18 size_t bufsize;
19 char *buf, *p;
20 int len;
21 int i;
22
23 /* the buffer needed is
24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line
25 */
26 bufsize = (ipsec->count * 4 * 60) + 60;
27 buf = kzalloc(bufsize, GFP_KERNEL);
28 if (!buf)
29 return -ENOMEM;
30
31 p = buf;
32 p += scnprintf(p, bufsize - (p - buf),
33 "SA count=%u tx=%u\n",
34 ipsec->count, ipsec->tx);
35
36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
37 struct nsim_sa *sap = &ipsec->sa[i];
38
39 if (!sap->used)
40 continue;
41
42 if (sap->xs->props.family == AF_INET6)
43 p += scnprintf(p, bufsize - (p - buf),
44 "sa[%i] %cx ipaddr=%pI6c\n",
45 i, (sap->rx ? 'r' : 't'), &sap->ipaddr);
46 else
47 p += scnprintf(p, bufsize - (p - buf),
48 "sa[%i] %cx ipaddr=%pI4\n",
49 i, (sap->rx ? 'r' : 't'), &sap->ipaddr[3]);
50 p += scnprintf(p, bufsize - (p - buf),
51 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
52 i, be32_to_cpu(sap->xs->id.spi),
53 sap->xs->id.proto, sap->salt, sap->crypt);
54 p += scnprintf(p, bufsize - (p - buf),
55 "sa[%i] key=0x%08x %08x %08x %08x\n",
56 i, sap->key[0], sap->key[1],
57 sap->key[2], sap->key[3]);
58 }
59
60 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
61
62 kfree(buf);
63 return len;
64}
65
66static const struct file_operations ipsec_dbg_fops = {
67 .owner = THIS_MODULE,
68 .open = simple_open,
69 .read = nsim_dbg_netdev_ops_read,
70};
71
72static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
73{
74 u32 i;
75
76 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
77 return -ENOSPC;
78
79 /* search sa table */
80 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
81 if (!ipsec->sa[i].used)
82 return i;
83 }
84
85 return -ENOSPC;
86}
87
88static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
89 u32 *mykey, u32 *mysalt)
90{
91 const char aes_gcm_name[] = "rfc4106(gcm(aes))";
92 struct net_device *dev = xs->xso.real_dev;
93 unsigned char *key_data;
94 char *alg_name = NULL;
95 int key_len;
96
97 if (!xs->aead) {
98 netdev_err(dev, "Unsupported IPsec algorithm\n");
99 return -EINVAL;
100 }
101
102 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
103 netdev_err(dev, "IPsec offload requires %d bit authentication\n",
104 NSIM_IPSEC_AUTH_BITS);
105 return -EINVAL;
106 }
107
108 key_data = &xs->aead->alg_key[0];
109 key_len = xs->aead->alg_key_len;
110 alg_name = xs->aead->alg_name;
111
112 if (strcmp(alg_name, aes_gcm_name)) {
113 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
114 aes_gcm_name);
115 return -EINVAL;
116 }
117
118 /* 160 accounts for 16 byte key and 4 byte salt */
119 if (key_len > NSIM_IPSEC_AUTH_BITS) {
120 *mysalt = ((u32 *)key_data)[4];
121 } else if (key_len == NSIM_IPSEC_AUTH_BITS) {
122 *mysalt = 0;
123 } else {
124 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
125 return -EINVAL;
126 }
127 memcpy(mykey, key_data, 16);
128
129 return 0;
130}
131
132static int nsim_ipsec_add_sa(struct xfrm_state *xs,
133 struct netlink_ext_ack *extack)
134{
135 struct nsim_ipsec *ipsec;
136 struct net_device *dev;
137 struct netdevsim *ns;
138 struct nsim_sa sa;
139 u16 sa_idx;
140 int ret;
141
142 dev = xs->xso.real_dev;
143 ns = netdev_priv(dev);
144 ipsec = &ns->ipsec;
145
146 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
147 NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for ipsec offload");
148 return -EINVAL;
149 }
150
151 if (xs->calg) {
152 NL_SET_ERR_MSG_MOD(extack, "Compression offload not supported");
153 return -EINVAL;
154 }
155
156 if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
157 NL_SET_ERR_MSG_MOD(extack, "Unsupported ipsec offload type");
158 return -EINVAL;
159 }
160
161 /* find the first unused index */
162 ret = nsim_ipsec_find_empty_idx(ipsec);
163 if (ret < 0) {
164 NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx table!");
165 return ret;
166 }
167 sa_idx = (u16)ret;
168
169 memset(&sa, 0, sizeof(sa));
170 sa.used = true;
171 sa.xs = xs;
172
173 if (sa.xs->id.proto & IPPROTO_ESP)
174 sa.crypt = xs->ealg || xs->aead;
175
176 /* get the key and salt */
177 ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt);
178 if (ret) {
179 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for SA table");
180 return ret;
181 }
182
183 if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN)
184 sa.rx = true;
185
186 if (xs->props.family == AF_INET6)
187 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
188 else
189 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
190
191 /* the preparations worked, so save the info */
192 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
193
194 /* the XFRM stack doesn't like offload_handle == 0,
195 * so add a bitflag in case our array index is 0
196 */
197 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
198 ipsec->count++;
199
200 return 0;
201}
202
203static void nsim_ipsec_del_sa(struct xfrm_state *xs)
204{
205 struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
206 struct nsim_ipsec *ipsec = &ns->ipsec;
207 u16 sa_idx;
208
209 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
210 if (!ipsec->sa[sa_idx].used) {
211 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
212 sa_idx);
213 return;
214 }
215
216 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
217 ipsec->count--;
218}
219
220static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
221{
222 struct netdevsim *ns = netdev_priv(xs->xso.real_dev);
223 struct nsim_ipsec *ipsec = &ns->ipsec;
224
225 ipsec->ok++;
226
227 return true;
228}
229
230static const struct xfrmdev_ops nsim_xfrmdev_ops = {
231 .xdo_dev_state_add = nsim_ipsec_add_sa,
232 .xdo_dev_state_delete = nsim_ipsec_del_sa,
233 .xdo_dev_offload_ok = nsim_ipsec_offload_ok,
234};
235
236bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
237{
238 struct sec_path *sp = skb_sec_path(skb);
239 struct nsim_ipsec *ipsec = &ns->ipsec;
240 struct xfrm_state *xs;
241 struct nsim_sa *tsa;
242 u32 sa_idx;
243
244 /* do we even need to check this packet? */
245 if (!sp)
246 return true;
247
248 if (unlikely(!sp->len)) {
249 netdev_err(ns->netdev, "no xfrm state len = %d\n",
250 sp->len);
251 return false;
252 }
253
254 xs = xfrm_input_state(skb);
255 if (unlikely(!xs)) {
256 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
257 return false;
258 }
259
260 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
261 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
262 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
263 sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
264 return false;
265 }
266
267 tsa = &ipsec->sa[sa_idx];
268 if (unlikely(!tsa->used)) {
269 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
270 return false;
271 }
272
273 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
274 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
275 return false;
276 }
277
278 ipsec->tx++;
279
280 return true;
281}
282
283void nsim_ipsec_init(struct netdevsim *ns)
284{
285 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
286
287#define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \
288 NETIF_F_HW_ESP_TX_CSUM | \
289 NETIF_F_GSO_ESP)
290
291 ns->netdev->features |= NSIM_ESP_FEATURES;
292 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
293
294 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
295 ns->nsim_dev_port->ddir, ns,
296 &ipsec_dbg_fops);
297}
298
299void nsim_ipsec_teardown(struct netdevsim *ns)
300{
301 struct nsim_ipsec *ipsec = &ns->ipsec;
302
303 if (ipsec->count)
304 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
305 ipsec->count);
306 debugfs_remove_recursive(ipsec->pfile);
307}
1// SPDX-License-Identifier: GPL-2.0
2/* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
3
4#include <crypto/aead.h>
5#include <linux/debugfs.h>
6#include <net/xfrm.h>
7
8#include "netdevsim.h"
9
10#define NSIM_IPSEC_AUTH_BITS 128
11
12static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
13 char __user *buffer,
14 size_t count, loff_t *ppos)
15{
16 struct netdevsim *ns = filp->private_data;
17 struct nsim_ipsec *ipsec = &ns->ipsec;
18 size_t bufsize;
19 char *buf, *p;
20 int len;
21 int i;
22
23 /* the buffer needed is
24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line
25 */
26 bufsize = (ipsec->count * 4 * 60) + 60;
27 buf = kzalloc(bufsize, GFP_KERNEL);
28 if (!buf)
29 return -ENOMEM;
30
31 p = buf;
32 p += snprintf(p, bufsize - (p - buf),
33 "SA count=%u tx=%u\n",
34 ipsec->count, ipsec->tx);
35
36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
37 struct nsim_sa *sap = &ipsec->sa[i];
38
39 if (!sap->used)
40 continue;
41
42 p += snprintf(p, bufsize - (p - buf),
43 "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
44 i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
45 sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
46 p += snprintf(p, bufsize - (p - buf),
47 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
48 i, be32_to_cpu(sap->xs->id.spi),
49 sap->xs->id.proto, sap->salt, sap->crypt);
50 p += snprintf(p, bufsize - (p - buf),
51 "sa[%i] key=0x%08x %08x %08x %08x\n",
52 i, sap->key[0], sap->key[1],
53 sap->key[2], sap->key[3]);
54 }
55
56 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
57
58 kfree(buf);
59 return len;
60}
61
62static const struct file_operations ipsec_dbg_fops = {
63 .owner = THIS_MODULE,
64 .open = simple_open,
65 .read = nsim_dbg_netdev_ops_read,
66};
67
68static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
69{
70 u32 i;
71
72 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
73 return -ENOSPC;
74
75 /* search sa table */
76 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
77 if (!ipsec->sa[i].used)
78 return i;
79 }
80
81 return -ENOSPC;
82}
83
84static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
85 u32 *mykey, u32 *mysalt)
86{
87 const char aes_gcm_name[] = "rfc4106(gcm(aes))";
88 struct net_device *dev = xs->xso.dev;
89 unsigned char *key_data;
90 char *alg_name = NULL;
91 int key_len;
92
93 if (!xs->aead) {
94 netdev_err(dev, "Unsupported IPsec algorithm\n");
95 return -EINVAL;
96 }
97
98 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
99 netdev_err(dev, "IPsec offload requires %d bit authentication\n",
100 NSIM_IPSEC_AUTH_BITS);
101 return -EINVAL;
102 }
103
104 key_data = &xs->aead->alg_key[0];
105 key_len = xs->aead->alg_key_len;
106 alg_name = xs->aead->alg_name;
107
108 if (strcmp(alg_name, aes_gcm_name)) {
109 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
110 aes_gcm_name);
111 return -EINVAL;
112 }
113
114 /* 160 accounts for 16 byte key and 4 byte salt */
115 if (key_len > NSIM_IPSEC_AUTH_BITS) {
116 *mysalt = ((u32 *)key_data)[4];
117 } else if (key_len == NSIM_IPSEC_AUTH_BITS) {
118 *mysalt = 0;
119 } else {
120 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
121 return -EINVAL;
122 }
123 memcpy(mykey, key_data, 16);
124
125 return 0;
126}
127
128static int nsim_ipsec_add_sa(struct xfrm_state *xs)
129{
130 struct nsim_ipsec *ipsec;
131 struct net_device *dev;
132 struct netdevsim *ns;
133 struct nsim_sa sa;
134 u16 sa_idx;
135 int ret;
136
137 dev = xs->xso.dev;
138 ns = netdev_priv(dev);
139 ipsec = &ns->ipsec;
140
141 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
142 netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n",
143 xs->id.proto);
144 return -EINVAL;
145 }
146
147 if (xs->calg) {
148 netdev_err(dev, "Compression offload not supported\n");
149 return -EINVAL;
150 }
151
152 /* find the first unused index */
153 ret = nsim_ipsec_find_empty_idx(ipsec);
154 if (ret < 0) {
155 netdev_err(dev, "No space for SA in Rx table!\n");
156 return ret;
157 }
158 sa_idx = (u16)ret;
159
160 memset(&sa, 0, sizeof(sa));
161 sa.used = true;
162 sa.xs = xs;
163
164 if (sa.xs->id.proto & IPPROTO_ESP)
165 sa.crypt = xs->ealg || xs->aead;
166
167 /* get the key and salt */
168 ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt);
169 if (ret) {
170 netdev_err(dev, "Failed to get key data for SA table\n");
171 return ret;
172 }
173
174 if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
175 sa.rx = true;
176
177 if (xs->props.family == AF_INET6)
178 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
179 else
180 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
181 }
182
183 /* the preparations worked, so save the info */
184 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
185
186 /* the XFRM stack doesn't like offload_handle == 0,
187 * so add a bitflag in case our array index is 0
188 */
189 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
190 ipsec->count++;
191
192 return 0;
193}
194
195static void nsim_ipsec_del_sa(struct xfrm_state *xs)
196{
197 struct netdevsim *ns = netdev_priv(xs->xso.dev);
198 struct nsim_ipsec *ipsec = &ns->ipsec;
199 u16 sa_idx;
200
201 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
202 if (!ipsec->sa[sa_idx].used) {
203 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
204 sa_idx);
205 return;
206 }
207
208 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
209 ipsec->count--;
210}
211
212static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
213{
214 struct netdevsim *ns = netdev_priv(xs->xso.dev);
215 struct nsim_ipsec *ipsec = &ns->ipsec;
216
217 ipsec->ok++;
218
219 return true;
220}
221
222static const struct xfrmdev_ops nsim_xfrmdev_ops = {
223 .xdo_dev_state_add = nsim_ipsec_add_sa,
224 .xdo_dev_state_delete = nsim_ipsec_del_sa,
225 .xdo_dev_offload_ok = nsim_ipsec_offload_ok,
226};
227
228bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
229{
230 struct sec_path *sp = skb_sec_path(skb);
231 struct nsim_ipsec *ipsec = &ns->ipsec;
232 struct xfrm_state *xs;
233 struct nsim_sa *tsa;
234 u32 sa_idx;
235
236 /* do we even need to check this packet? */
237 if (!sp)
238 return true;
239
240 if (unlikely(!sp->len)) {
241 netdev_err(ns->netdev, "no xfrm state len = %d\n",
242 sp->len);
243 return false;
244 }
245
246 xs = xfrm_input_state(skb);
247 if (unlikely(!xs)) {
248 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
249 return false;
250 }
251
252 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
253 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
254 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
255 sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
256 return false;
257 }
258
259 tsa = &ipsec->sa[sa_idx];
260 if (unlikely(!tsa->used)) {
261 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
262 return false;
263 }
264
265 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
266 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
267 return false;
268 }
269
270 ipsec->tx++;
271
272 return true;
273}
274
275void nsim_ipsec_init(struct netdevsim *ns)
276{
277 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
278
279#define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \
280 NETIF_F_HW_ESP_TX_CSUM | \
281 NETIF_F_GSO_ESP)
282
283 ns->netdev->features |= NSIM_ESP_FEATURES;
284 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
285
286 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
287 ns->nsim_dev_port->ddir, ns,
288 &ipsec_dbg_fops);
289}
290
291void nsim_ipsec_teardown(struct netdevsim *ns)
292{
293 struct nsim_ipsec *ipsec = &ns->ipsec;
294
295 if (ipsec->count)
296 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
297 ipsec->count);
298 debugfs_remove_recursive(ipsec->pfile);
299}