ipsec.c 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300
  1. // SPDX-License-Identifier: GPL-2.0
  2. /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
  3. #include <crypto/aead.h>
  4. #include <linux/debugfs.h>
  5. #include <net/xfrm.h>
  6. #include "netdevsim.h"
  7. #define NSIM_IPSEC_AUTH_BITS 128
  8. static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
  9. char __user *buffer,
  10. size_t count, loff_t *ppos)
  11. {
  12. struct netdevsim *ns = filp->private_data;
  13. struct nsim_ipsec *ipsec = &ns->ipsec;
  14. size_t bufsize;
  15. char *buf, *p;
  16. int len;
  17. int i;
  18. /* the buffer needed is
  19. * (num SAs * 3 lines each * ~60 bytes per line) + one more line
  20. */
  21. bufsize = (ipsec->count * 4 * 60) + 60;
  22. buf = kzalloc(bufsize, GFP_KERNEL);
  23. if (!buf)
  24. return -ENOMEM;
  25. p = buf;
  26. p += snprintf(p, bufsize - (p - buf),
  27. "SA count=%u tx=%u\n",
  28. ipsec->count, ipsec->tx);
  29. for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
  30. struct nsim_sa *sap = &ipsec->sa[i];
  31. if (!sap->used)
  32. continue;
  33. p += snprintf(p, bufsize - (p - buf),
  34. "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
  35. i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
  36. sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
  37. p += snprintf(p, bufsize - (p - buf),
  38. "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
  39. i, be32_to_cpu(sap->xs->id.spi),
  40. sap->xs->id.proto, sap->salt, sap->crypt);
  41. p += snprintf(p, bufsize - (p - buf),
  42. "sa[%i] key=0x%08x %08x %08x %08x\n",
  43. i, sap->key[0], sap->key[1],
  44. sap->key[2], sap->key[3]);
  45. }
  46. len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
  47. kfree(buf);
  48. return len;
  49. }
  50. static const struct file_operations ipsec_dbg_fops = {
  51. .owner = THIS_MODULE,
  52. .open = simple_open,
  53. .read = nsim_dbg_netdev_ops_read,
  54. };
  55. static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
  56. {
  57. u32 i;
  58. if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
  59. return -ENOSPC;
  60. /* search sa table */
  61. for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
  62. if (!ipsec->sa[i].used)
  63. return i;
  64. }
  65. return -ENOSPC;
  66. }
  67. static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs,
  68. u32 *mykey, u32 *mysalt)
  69. {
  70. const char aes_gcm_name[] = "rfc4106(gcm(aes))";
  71. struct net_device *dev = xs->xso.dev;
  72. unsigned char *key_data;
  73. char *alg_name = NULL;
  74. int key_len;
  75. if (!xs->aead) {
  76. netdev_err(dev, "Unsupported IPsec algorithm\n");
  77. return -EINVAL;
  78. }
  79. if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
  80. netdev_err(dev, "IPsec offload requires %d bit authentication\n",
  81. NSIM_IPSEC_AUTH_BITS);
  82. return -EINVAL;
  83. }
  84. key_data = &xs->aead->alg_key[0];
  85. key_len = xs->aead->alg_key_len;
  86. alg_name = xs->aead->alg_name;
  87. if (strcmp(alg_name, aes_gcm_name)) {
  88. netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
  89. aes_gcm_name);
  90. return -EINVAL;
  91. }
  92. /* 160 accounts for 16 byte key and 4 byte salt */
  93. if (key_len > NSIM_IPSEC_AUTH_BITS) {
  94. *mysalt = ((u32 *)key_data)[4];
  95. } else if (key_len == NSIM_IPSEC_AUTH_BITS) {
  96. *mysalt = 0;
  97. } else {
  98. netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
  99. return -EINVAL;
  100. }
  101. memcpy(mykey, key_data, 16);
  102. return 0;
  103. }
  104. static int nsim_ipsec_add_sa(struct xfrm_state *xs)
  105. {
  106. struct nsim_ipsec *ipsec;
  107. struct net_device *dev;
  108. struct netdevsim *ns;
  109. struct nsim_sa sa;
  110. u16 sa_idx;
  111. int ret;
  112. dev = xs->xso.dev;
  113. ns = netdev_priv(dev);
  114. ipsec = &ns->ipsec;
  115. if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
  116. netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n",
  117. xs->id.proto);
  118. return -EINVAL;
  119. }
  120. if (xs->calg) {
  121. netdev_err(dev, "Compression offload not supported\n");
  122. return -EINVAL;
  123. }
  124. /* find the first unused index */
  125. ret = nsim_ipsec_find_empty_idx(ipsec);
  126. if (ret < 0) {
  127. netdev_err(dev, "No space for SA in Rx table!\n");
  128. return ret;
  129. }
  130. sa_idx = (u16)ret;
  131. memset(&sa, 0, sizeof(sa));
  132. sa.used = true;
  133. sa.xs = xs;
  134. if (sa.xs->id.proto & IPPROTO_ESP)
  135. sa.crypt = xs->ealg || xs->aead;
  136. /* get the key and salt */
  137. ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt);
  138. if (ret) {
  139. netdev_err(dev, "Failed to get key data for SA table\n");
  140. return ret;
  141. }
  142. if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
  143. sa.rx = true;
  144. if (xs->props.family == AF_INET6)
  145. memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
  146. else
  147. memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
  148. }
  149. /* the preparations worked, so save the info */
  150. memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
  151. /* the XFRM stack doesn't like offload_handle == 0,
  152. * so add a bitflag in case our array index is 0
  153. */
  154. xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
  155. ipsec->count++;
  156. return 0;
  157. }
  158. static void nsim_ipsec_del_sa(struct xfrm_state *xs)
  159. {
  160. struct netdevsim *ns = netdev_priv(xs->xso.dev);
  161. struct nsim_ipsec *ipsec = &ns->ipsec;
  162. u16 sa_idx;
  163. sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
  164. if (!ipsec->sa[sa_idx].used) {
  165. netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
  166. sa_idx);
  167. return;
  168. }
  169. memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
  170. ipsec->count--;
  171. }
  172. static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
  173. {
  174. struct netdevsim *ns = netdev_priv(xs->xso.dev);
  175. struct nsim_ipsec *ipsec = &ns->ipsec;
  176. ipsec->ok++;
  177. return true;
  178. }
  179. static const struct xfrmdev_ops nsim_xfrmdev_ops = {
  180. .xdo_dev_state_add = nsim_ipsec_add_sa,
  181. .xdo_dev_state_delete = nsim_ipsec_del_sa,
  182. .xdo_dev_offload_ok = nsim_ipsec_offload_ok,
  183. };
  184. bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
  185. {
  186. struct sec_path *sp = skb_sec_path(skb);
  187. struct nsim_ipsec *ipsec = &ns->ipsec;
  188. struct xfrm_state *xs;
  189. struct nsim_sa *tsa;
  190. u32 sa_idx;
  191. /* do we even need to check this packet? */
  192. if (!sp)
  193. return true;
  194. if (unlikely(!sp->len)) {
  195. netdev_err(ns->netdev, "no xfrm state len = %d\n",
  196. sp->len);
  197. return false;
  198. }
  199. xs = xfrm_input_state(skb);
  200. if (unlikely(!xs)) {
  201. netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
  202. return false;
  203. }
  204. sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
  205. if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
  206. netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
  207. sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
  208. return false;
  209. }
  210. tsa = &ipsec->sa[sa_idx];
  211. if (unlikely(!tsa->used)) {
  212. netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
  213. return false;
  214. }
  215. if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
  216. netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
  217. return false;
  218. }
  219. ipsec->tx++;
  220. return true;
  221. }
  222. void nsim_ipsec_init(struct netdevsim *ns)
  223. {
  224. ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
  225. #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \
  226. NETIF_F_HW_ESP_TX_CSUM | \
  227. NETIF_F_GSO_ESP)
  228. ns->netdev->features |= NSIM_ESP_FEATURES;
  229. ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
  230. ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
  231. ns->nsim_dev_port->ddir, ns,
  232. &ipsec_dbg_fops);
  233. }
  234. void nsim_ipsec_teardown(struct netdevsim *ns)
  235. {
  236. struct nsim_ipsec *ipsec = &ns->ipsec;
  237. if (ipsec->count)
  238. netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
  239. ipsec->count);
  240. debugfs_remove_recursive(ipsec->pfile);
  241. }