1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
3
4 #include <crypto/aead.h>
5 #include <linux/debugfs.h>
6 #include <net/xfrm.h>
7
8 #include "netdevsim.h"
9
10 #define NSIM_IPSEC_AUTH_BITS 128
11
nsim_dbg_netdev_ops_read(struct file * filp,char __user * buffer,size_t count,loff_t * ppos)12 static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
13 char __user *buffer,
14 size_t count, loff_t *ppos)
15 {
16 struct netdevsim *ns = filp->private_data;
17 struct nsim_ipsec *ipsec = &ns->ipsec;
18 size_t bufsize;
19 char *buf, *p;
20 int len;
21 int i;
22
23 /* the buffer needed is
24 * (num SAs * 3 lines each * ~60 bytes per line) + one more line
25 */
26 bufsize = (ipsec->count * 4 * 60) + 60;
27 buf = kzalloc(bufsize, GFP_KERNEL);
28 if (!buf)
29 return -ENOMEM;
30
31 p = buf;
32 p += scnprintf(p, bufsize - (p - buf),
33 "SA count=%u tx=%u\n",
34 ipsec->count, ipsec->tx);
35
36 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
37 struct nsim_sa *sap = &ipsec->sa[i];
38
39 if (!sap->used)
40 continue;
41
42 if (sap->xs->props.family == AF_INET6)
43 p += scnprintf(p, bufsize - (p - buf),
44 "sa[%i] %cx ipaddr=%pI6c\n",
45 i, (sap->rx ? 'r' : 't'), &sap->ipaddr);
46 else
47 p += scnprintf(p, bufsize - (p - buf),
48 "sa[%i] %cx ipaddr=%pI4\n",
49 i, (sap->rx ? 'r' : 't'), &sap->ipaddr[3]);
50 p += scnprintf(p, bufsize - (p - buf),
51 "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
52 i, be32_to_cpu(sap->xs->id.spi),
53 sap->xs->id.proto, sap->salt, sap->crypt);
54 p += scnprintf(p, bufsize - (p - buf),
55 "sa[%i] key=0x%08x %08x %08x %08x\n",
56 i, sap->key[0], sap->key[1],
57 sap->key[2], sap->key[3]);
58 }
59
60 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
61
62 kfree(buf);
63 return len;
64 }
65
66 static const struct file_operations ipsec_dbg_fops = {
67 .owner = THIS_MODULE,
68 .open = simple_open,
69 .read = nsim_dbg_netdev_ops_read,
70 };
71
nsim_ipsec_find_empty_idx(struct nsim_ipsec * ipsec)72 static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec)
73 {
74 u32 i;
75
76 if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT)
77 return -ENOSPC;
78
79 /* search sa table */
80 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
81 if (!ipsec->sa[i].used)
82 return i;
83 }
84
85 return -ENOSPC;
86 }
87
nsim_ipsec_parse_proto_keys(struct net_device * dev,struct xfrm_state * xs,u32 * mykey,u32 * mysalt)88 static int nsim_ipsec_parse_proto_keys(struct net_device *dev,
89 struct xfrm_state *xs,
90 u32 *mykey, u32 *mysalt)
91 {
92 const char aes_gcm_name[] = "rfc4106(gcm(aes))";
93 unsigned char *key_data;
94 char *alg_name = NULL;
95 int key_len;
96
97 if (!xs->aead) {
98 netdev_err(dev, "Unsupported IPsec algorithm\n");
99 return -EINVAL;
100 }
101
102 if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) {
103 netdev_err(dev, "IPsec offload requires %d bit authentication\n",
104 NSIM_IPSEC_AUTH_BITS);
105 return -EINVAL;
106 }
107
108 key_data = &xs->aead->alg_key[0];
109 key_len = xs->aead->alg_key_len;
110 alg_name = xs->aead->alg_name;
111
112 if (strcmp(alg_name, aes_gcm_name)) {
113 netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
114 aes_gcm_name);
115 return -EINVAL;
116 }
117
118 /* 160 accounts for 16 byte key and 4 byte salt */
119 if (key_len > NSIM_IPSEC_AUTH_BITS) {
120 *mysalt = ((u32 *)key_data)[4];
121 } else if (key_len == NSIM_IPSEC_AUTH_BITS) {
122 *mysalt = 0;
123 } else {
124 netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n");
125 return -EINVAL;
126 }
127 memcpy(mykey, key_data, 16);
128
129 return 0;
130 }
131
nsim_ipsec_add_sa(struct net_device * dev,struct xfrm_state * xs,struct netlink_ext_ack * extack)132 static int nsim_ipsec_add_sa(struct net_device *dev,
133 struct xfrm_state *xs,
134 struct netlink_ext_ack *extack)
135 {
136 struct nsim_ipsec *ipsec;
137 struct netdevsim *ns;
138 struct nsim_sa sa;
139 u16 sa_idx;
140 int ret;
141
142 ns = netdev_priv(dev);
143 ipsec = &ns->ipsec;
144
145 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
146 NL_SET_ERR_MSG_MOD(extack, "Unsupported protocol for ipsec offload");
147 return -EINVAL;
148 }
149
150 if (xs->calg) {
151 NL_SET_ERR_MSG_MOD(extack, "Compression offload not supported");
152 return -EINVAL;
153 }
154
155 if (xs->xso.type != XFRM_DEV_OFFLOAD_CRYPTO) {
156 NL_SET_ERR_MSG_MOD(extack, "Unsupported ipsec offload type");
157 return -EINVAL;
158 }
159
160 /* find the first unused index */
161 ret = nsim_ipsec_find_empty_idx(ipsec);
162 if (ret < 0) {
163 NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx table!");
164 return ret;
165 }
166 sa_idx = (u16)ret;
167
168 memset(&sa, 0, sizeof(sa));
169 sa.used = true;
170 sa.xs = xs;
171
172 if (sa.xs->id.proto & IPPROTO_ESP)
173 sa.crypt = xs->ealg || xs->aead;
174
175 /* get the key and salt */
176 ret = nsim_ipsec_parse_proto_keys(dev, xs, sa.key, &sa.salt);
177 if (ret) {
178 NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for SA table");
179 return ret;
180 }
181
182 if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN)
183 sa.rx = true;
184
185 if (xs->props.family == AF_INET6)
186 memcpy(sa.ipaddr, &xs->id.daddr.a6, 16);
187 else
188 memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4);
189
190 /* the preparations worked, so save the info */
191 memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa));
192
193 /* the XFRM stack doesn't like offload_handle == 0,
194 * so add a bitflag in case our array index is 0
195 */
196 xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID;
197 ipsec->count++;
198
199 return 0;
200 }
201
nsim_ipsec_del_sa(struct net_device * dev,struct xfrm_state * xs)202 static void nsim_ipsec_del_sa(struct net_device *dev, struct xfrm_state *xs)
203 {
204 struct netdevsim *ns = netdev_priv(dev);
205 struct nsim_ipsec *ipsec = &ns->ipsec;
206 u16 sa_idx;
207
208 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
209 if (!ipsec->sa[sa_idx].used) {
210 netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n",
211 sa_idx);
212 return;
213 }
214
215 memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa));
216 ipsec->count--;
217 }
218
219 static const struct xfrmdev_ops nsim_xfrmdev_ops = {
220 .xdo_dev_state_add = nsim_ipsec_add_sa,
221 .xdo_dev_state_delete = nsim_ipsec_del_sa,
222 };
223
nsim_ipsec_tx(struct netdevsim * ns,struct sk_buff * skb)224 bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb)
225 {
226 struct sec_path *sp = skb_sec_path(skb);
227 struct nsim_ipsec *ipsec = &ns->ipsec;
228 struct xfrm_state *xs;
229 struct nsim_sa *tsa;
230 u32 sa_idx;
231
232 /* do we even need to check this packet? */
233 if (!sp)
234 return true;
235
236 if (unlikely(!sp->len)) {
237 netdev_err(ns->netdev, "no xfrm state len = %d\n",
238 sp->len);
239 return false;
240 }
241
242 xs = xfrm_input_state(skb);
243 if (unlikely(!xs)) {
244 netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs);
245 return false;
246 }
247
248 sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID;
249 if (unlikely(sa_idx >= NSIM_IPSEC_MAX_SA_COUNT)) {
250 netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n",
251 sa_idx, NSIM_IPSEC_MAX_SA_COUNT);
252 return false;
253 }
254
255 tsa = &ipsec->sa[sa_idx];
256 if (unlikely(!tsa->used)) {
257 netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx);
258 return false;
259 }
260
261 if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
262 netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto);
263 return false;
264 }
265
266 ipsec->tx++;
267
268 return true;
269 }
270
nsim_ipsec_init(struct netdevsim * ns)271 void nsim_ipsec_init(struct netdevsim *ns)
272 {
273 ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops;
274
275 #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \
276 NETIF_F_HW_ESP_TX_CSUM | \
277 NETIF_F_GSO_ESP)
278
279 ns->netdev->features |= NSIM_ESP_FEATURES;
280 ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES;
281
282 ns->ipsec.pfile = debugfs_create_file("ipsec", 0400,
283 ns->nsim_dev_port->ddir, ns,
284 &ipsec_dbg_fops);
285 }
286
nsim_ipsec_teardown(struct netdevsim * ns)287 void nsim_ipsec_teardown(struct netdevsim *ns)
288 {
289 struct nsim_ipsec *ipsec = &ns->ipsec;
290
291 if (ipsec->count)
292 netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n",
293 ipsec->count);
294 debugfs_remove_recursive(ipsec->pfile);
295 }
296