+4

drivers/net/netdevsim/Makefile

reviewed

··· 13 13 ifneq ($(CONFIG_NET_DEVLINK),) 14 14 netdevsim-objs += devlink.o fib.o 15 15 endif 16 16 + 17 17 + ifneq ($(CONFIG_XFRM_OFFLOAD),) 18 18 + netdevsim-objs += ipsec.o 19 19 + endif

+297

drivers/net/netdevsim/ipsec.c

reviewed

··· 1 1 + // SPDX-License-Identifier: GPL-2.0 2 2 + /* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */ 3 3 + 4 4 + #include <crypto/aead.h> 5 5 + #include <linux/debugfs.h> 6 6 + #include <net/xfrm.h> 7 7 + 8 8 + #include "netdevsim.h" 9 9 + 10 10 + #define NSIM_IPSEC_AUTH_BITS 128 11 11 + 12 12 + static ssize_t nsim_dbg_netdev_ops_read(struct file *filp, 13 13 + char __user *buffer, 14 14 + size_t count, loff_t *ppos) 15 15 + { 16 16 + struct netdevsim *ns = filp->private_data; 17 17 + struct nsim_ipsec *ipsec = &ns->ipsec; 18 18 + size_t bufsize; 19 19 + char *buf, *p; 20 20 + int len; 21 21 + int i; 22 22 + 23 23 + /* the buffer needed is 24 24 + * (num SAs * 3 lines each * ~60 bytes per line) + one more line 25 25 + */ 26 26 + bufsize = (ipsec->count * 4 * 60) + 60; 27 27 + buf = kzalloc(bufsize, GFP_KERNEL); 28 28 + if (!buf) 29 29 + return -ENOMEM; 30 30 + 31 31 + p = buf; 32 32 + p += snprintf(p, bufsize - (p - buf), 33 33 + "SA count=%u tx=%u\n", 34 34 + ipsec->count, ipsec->tx); 35 35 + 36 36 + for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 37 37 + struct nsim_sa *sap = &ipsec->sa[i]; 38 38 + 39 39 + if (!sap->used) 40 40 + continue; 41 41 + 42 42 + p += snprintf(p, bufsize - (p - buf), 43 43 + "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n", 44 44 + i, (sap->rx ? 'r' : 't'), sap->ipaddr[0], 45 45 + sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]); 46 46 + p += snprintf(p, bufsize - (p - buf), 47 47 + "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n", 48 48 + i, be32_to_cpu(sap->xs->id.spi), 49 49 + sap->xs->id.proto, sap->salt, sap->crypt); 50 50 + p += snprintf(p, bufsize - (p - buf), 51 51 + "sa[%i] key=0x%08x %08x %08x %08x\n", 52 52 + i, sap->key[0], sap->key[1], 53 53 + sap->key[2], sap->key[3]); 54 54 + } 55 55 + 56 56 + len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf); 57 57 + 58 58 + kfree(buf); 59 59 + return len; 60 60 + } 61 61 + 62 62 + static const struct file_operations ipsec_dbg_fops = { 63 63 + .owner = THIS_MODULE, 64 64 + .open = simple_open, 65 65 + .read = nsim_dbg_netdev_ops_read, 66 66 + }; 67 67 + 68 68 + static int nsim_ipsec_find_empty_idx(struct nsim_ipsec *ipsec) 69 69 + { 70 70 + u32 i; 71 71 + 72 72 + if (ipsec->count == NSIM_IPSEC_MAX_SA_COUNT) 73 73 + return -ENOSPC; 74 74 + 75 75 + /* search sa table */ 76 76 + for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) { 77 77 + if (!ipsec->sa[i].used) 78 78 + return i; 79 79 + } 80 80 + 81 81 + return -ENOSPC; 82 82 + } 83 83 + 84 84 + static int nsim_ipsec_parse_proto_keys(struct xfrm_state *xs, 85 85 + u32 *mykey, u32 *mysalt) 86 86 + { 87 87 + const char aes_gcm_name[] = "rfc4106(gcm(aes))"; 88 88 + struct net_device *dev = xs->xso.dev; 89 89 + unsigned char *key_data; 90 90 + char *alg_name = NULL; 91 91 + int key_len; 92 92 + 93 93 + if (!xs->aead) { 94 94 + netdev_err(dev, "Unsupported IPsec algorithm\n"); 95 95 + return -EINVAL; 96 96 + } 97 97 + 98 98 + if (xs->aead->alg_icv_len != NSIM_IPSEC_AUTH_BITS) { 99 99 + netdev_err(dev, "IPsec offload requires %d bit authentication\n", 100 100 + NSIM_IPSEC_AUTH_BITS); 101 101 + return -EINVAL; 102 102 + } 103 103 + 104 104 + key_data = &xs->aead->alg_key[0]; 105 105 + key_len = xs->aead->alg_key_len; 106 106 + alg_name = xs->aead->alg_name; 107 107 + 108 108 + if (strcmp(alg_name, aes_gcm_name)) { 109 109 + netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n", 110 110 + aes_gcm_name); 111 111 + return -EINVAL; 112 112 + } 113 113 + 114 114 + /* 160 accounts for 16 byte key and 4 byte salt */ 115 115 + if (key_len > NSIM_IPSEC_AUTH_BITS) { 116 116 + *mysalt = ((u32 *)key_data)[4]; 117 117 + } else if (key_len == NSIM_IPSEC_AUTH_BITS) { 118 118 + *mysalt = 0; 119 119 + } else { 120 120 + netdev_err(dev, "IPsec hw offload only supports 128 bit keys with optional 32 bit salt\n"); 121 121 + return -EINVAL; 122 122 + } 123 123 + memcpy(mykey, key_data, 16); 124 124 + 125 125 + return 0; 126 126 + } 127 127 + 128 128 + static int nsim_ipsec_add_sa(struct xfrm_state *xs) 129 129 + { 130 130 + struct nsim_ipsec *ipsec; 131 131 + struct net_device *dev; 132 132 + struct netdevsim *ns; 133 133 + struct nsim_sa sa; 134 134 + u16 sa_idx; 135 135 + int ret; 136 136 + 137 137 + dev = xs->xso.dev; 138 138 + ns = netdev_priv(dev); 139 139 + ipsec = &ns->ipsec; 140 140 + 141 141 + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 142 142 + netdev_err(dev, "Unsupported protocol 0x%04x for ipsec offload\n", 143 143 + xs->id.proto); 144 144 + return -EINVAL; 145 145 + } 146 146 + 147 147 + if (xs->calg) { 148 148 + netdev_err(dev, "Compression offload not supported\n"); 149 149 + return -EINVAL; 150 150 + } 151 151 + 152 152 + /* find the first unused index */ 153 153 + ret = nsim_ipsec_find_empty_idx(ipsec); 154 154 + if (ret < 0) { 155 155 + netdev_err(dev, "No space for SA in Rx table!\n"); 156 156 + return ret; 157 157 + } 158 158 + sa_idx = (u16)ret; 159 159 + 160 160 + memset(&sa, 0, sizeof(sa)); 161 161 + sa.used = true; 162 162 + sa.xs = xs; 163 163 + 164 164 + if (sa.xs->id.proto & IPPROTO_ESP) 165 165 + sa.crypt = xs->ealg || xs->aead; 166 166 + 167 167 + /* get the key and salt */ 168 168 + ret = nsim_ipsec_parse_proto_keys(xs, sa.key, &sa.salt); 169 169 + if (ret) { 170 170 + netdev_err(dev, "Failed to get key data for SA table\n"); 171 171 + return ret; 172 172 + } 173 173 + 174 174 + if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) { 175 175 + sa.rx = true; 176 176 + 177 177 + if (xs->props.family == AF_INET6) 178 178 + memcpy(sa.ipaddr, &xs->id.daddr.a6, 16); 179 179 + else 180 180 + memcpy(&sa.ipaddr[3], &xs->id.daddr.a4, 4); 181 181 + } 182 182 + 183 183 + /* the preparations worked, so save the info */ 184 184 + memcpy(&ipsec->sa[sa_idx], &sa, sizeof(sa)); 185 185 + 186 186 + /* the XFRM stack doesn't like offload_handle == 0, 187 187 + * so add a bitflag in case our array index is 0 188 188 + */ 189 189 + xs->xso.offload_handle = sa_idx | NSIM_IPSEC_VALID; 190 190 + ipsec->count++; 191 191 + 192 192 + return 0; 193 193 + } 194 194 + 195 195 + static void nsim_ipsec_del_sa(struct xfrm_state *xs) 196 196 + { 197 197 + struct netdevsim *ns = netdev_priv(xs->xso.dev); 198 198 + struct nsim_ipsec *ipsec = &ns->ipsec; 199 199 + u16 sa_idx; 200 200 + 201 201 + sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 202 202 + if (!ipsec->sa[sa_idx].used) { 203 203 + netdev_err(ns->netdev, "Invalid SA for delete sa_idx=%d\n", 204 204 + sa_idx); 205 205 + return; 206 206 + } 207 207 + 208 208 + memset(&ipsec->sa[sa_idx], 0, sizeof(struct nsim_sa)); 209 209 + ipsec->count--; 210 210 + } 211 211 + 212 212 + static bool nsim_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) 213 213 + { 214 214 + struct netdevsim *ns = netdev_priv(xs->xso.dev); 215 215 + struct nsim_ipsec *ipsec = &ns->ipsec; 216 216 + 217 217 + ipsec->ok++; 218 218 + 219 219 + return true; 220 220 + } 221 221 + 222 222 + static const struct xfrmdev_ops nsim_xfrmdev_ops = { 223 223 + .xdo_dev_state_add = nsim_ipsec_add_sa, 224 224 + .xdo_dev_state_delete = nsim_ipsec_del_sa, 225 225 + .xdo_dev_offload_ok = nsim_ipsec_offload_ok, 226 226 + }; 227 227 + 228 228 + bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) 229 229 + { 230 230 + struct nsim_ipsec *ipsec = &ns->ipsec; 231 231 + struct xfrm_state *xs; 232 232 + struct nsim_sa *tsa; 233 233 + u32 sa_idx; 234 234 + 235 235 + /* do we even need to check this packet? */ 236 236 + if (!skb->sp) 237 237 + return true; 238 238 + 239 239 + if (unlikely(!skb->sp->len)) { 240 240 + netdev_err(ns->netdev, "no xfrm state len = %d\n", 241 241 + skb->sp->len); 242 242 + return false; 243 243 + } 244 244 + 245 245 + xs = xfrm_input_state(skb); 246 246 + if (unlikely(!xs)) { 247 247 + netdev_err(ns->netdev, "no xfrm_input_state() xs = %p\n", xs); 248 248 + return false; 249 249 + } 250 250 + 251 251 + sa_idx = xs->xso.offload_handle & ~NSIM_IPSEC_VALID; 252 252 + if (unlikely(sa_idx > NSIM_IPSEC_MAX_SA_COUNT)) { 253 253 + netdev_err(ns->netdev, "bad sa_idx=%d max=%d\n", 254 254 + sa_idx, NSIM_IPSEC_MAX_SA_COUNT); 255 255 + return false; 256 256 + } 257 257 + 258 258 + tsa = &ipsec->sa[sa_idx]; 259 259 + if (unlikely(!tsa->used)) { 260 260 + netdev_err(ns->netdev, "unused sa_idx=%d\n", sa_idx); 261 261 + return false; 262 262 + } 263 263 + 264 264 + if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) { 265 265 + netdev_err(ns->netdev, "unexpected proto=%d\n", xs->id.proto); 266 266 + return false; 267 267 + } 268 268 + 269 269 + ipsec->tx++; 270 270 + 271 271 + return true; 272 272 + } 273 273 + 274 274 + void nsim_ipsec_init(struct netdevsim *ns) 275 275 + { 276 276 + ns->netdev->xfrmdev_ops = &nsim_xfrmdev_ops; 277 277 + 278 278 + #define NSIM_ESP_FEATURES (NETIF_F_HW_ESP | \ 279 279 + NETIF_F_HW_ESP_TX_CSUM | \ 280 280 + NETIF_F_GSO_ESP) 281 281 + 282 282 + ns->netdev->features |= NSIM_ESP_FEATURES; 283 283 + ns->netdev->hw_enc_features |= NSIM_ESP_FEATURES; 284 284 + 285 285 + ns->ipsec.pfile = debugfs_create_file("ipsec", 0400, ns->ddir, ns, 286 286 + &ipsec_dbg_fops); 287 287 + } 288 288 + 289 289 + void nsim_ipsec_teardown(struct netdevsim *ns) 290 290 + { 291 291 + struct nsim_ipsec *ipsec = &ns->ipsec; 292 292 + 293 293 + if (ipsec->count) 294 294 + netdev_err(ns->netdev, "tearing down IPsec offload with %d SAs left\n", 295 295 + ipsec->count); 296 296 + debugfs_remove_recursive(ipsec->pfile); 297 297 + }

+7

drivers/net/netdevsim/netdev.c

reviewed

··· 171 171 if (err) 172 172 goto err_unreg_dev; 173 173 174 174 + nsim_ipsec_init(ns); 175 175 + 174 176 return 0; 175 177 176 178 err_unreg_dev: ··· 188 186 { 189 187 struct netdevsim *ns = netdev_priv(dev); 190 188 189 189 + nsim_ipsec_teardown(ns); 191 190 nsim_devlink_teardown(ns); 192 191 debugfs_remove_recursive(ns->ddir); 193 192 nsim_bpf_uninit(ns); ··· 206 203 { 207 204 struct netdevsim *ns = netdev_priv(dev); 208 205 206 206 + if (!nsim_ipsec_tx(ns, skb)) 207 207 + goto out; 208 208 + 209 209 u64_stats_update_begin(&ns->syncp); 210 210 ns->tx_packets++; 211 211 ns->tx_bytes += skb->len; 212 212 u64_stats_update_end(&ns->syncp); 213 213 214 214 + out: 214 215 dev_kfree_skb(skb); 215 216 216 217 return NETDEV_TX_OK;

+41

drivers/net/netdevsim/netdevsim.h

reviewed

··· 29 29 struct dentry; 30 30 struct nsim_vf_config; 31 31 32 32 + #define NSIM_IPSEC_MAX_SA_COUNT 33 33 33 + #define NSIM_IPSEC_VALID BIT(31) 34 34 + 35 35 + struct nsim_sa { 36 36 + struct xfrm_state *xs; 37 37 + __be32 ipaddr[4]; 38 38 + u32 key[4]; 39 39 + u32 salt; 40 40 + bool used; 41 41 + bool crypt; 42 42 + bool rx; 43 43 + }; 44 44 + 45 45 + struct nsim_ipsec { 46 46 + struct nsim_sa sa[NSIM_IPSEC_MAX_SA_COUNT]; 47 47 + struct dentry *pfile; 48 48 + u32 count; 49 49 + u32 tx; 50 50 + u32 ok; 51 51 + }; 52 52 + 32 53 struct netdevsim { 33 54 struct net_device *netdev; 34 55 ··· 88 67 #if IS_ENABLED(CONFIG_NET_DEVLINK) 89 68 struct devlink *devlink; 90 69 #endif 70 70 + struct nsim_ipsec ipsec; 91 71 }; 92 72 93 73 extern struct dentry *nsim_ddir; ··· 167 145 168 146 static inline void nsim_devlink_exit(void) 169 147 { 148 148 + } 149 149 + #endif 150 150 + 151 151 + #if IS_ENABLED(CONFIG_XFRM_OFFLOAD) 152 152 + void nsim_ipsec_init(struct netdevsim *ns); 153 153 + void nsim_ipsec_teardown(struct netdevsim *ns); 154 154 + bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb); 155 155 + #else 156 156 + static inline void nsim_ipsec_init(struct netdevsim *ns) 157 157 + { 158 158 + } 159 159 + 160 160 + static inline void nsim_ipsec_teardown(struct netdevsim *ns) 161 161 + { 162 162 + } 163 163 + 164 164 + static inline bool nsim_ipsec_tx(struct netdevsim *ns, struct sk_buff *skb) 165 165 + { 166 166 + return true; 170 167 } 171 168 #endif 172 169