[][kernel][mt7988][eip197][Add EIP-197 inline XFRM support]

[Description]
Add EIP-197 inline XFRM support.
It supports only the aes-sha1 IPSec inline mode.

[Release-log]
N/A

Change-Id: I23a8fa9f9435c2bf97166cddb37568803b4e4ca4
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/6789991
diff --git a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/Makefile b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/Makefile
index 634640d..13d852c 100755
--- a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/Makefile
+++ b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/Makefile
@@ -6,3 +6,4 @@
 obj-$(CONFIG_NET_MEDIATEK_SOC)			+= mtk_eth.o
 mtk_eth-y := mtk_eth_soc.o mtk_sgmii.o mtk_usxgmii.o mtk_eth_path.o mtk_eth_dbg.o mtk_eth_reset.o
 obj-$(CONFIG_NET_MEDIATEK_HNAT)			+= mtk_hnat/
+obj-$(CONFIG_XFRM_OFFLOAD)			+= mtk_ipsec.o
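Review bot: `obj-$(CONFIG_XFRM_OFFLOAD) += mtk_ipsec.o` builds the file as a standalone object gated only on the generic XFRM option, not as part of mtk_eth. mtk_ipsec.c calls mtk_w32() and mtk_eth_soc.c calls mtk_ipsec_offload_init(), and no EXPORT_SYMBOL for either is visible in this commit, so a modular mtk_eth build would presumably fail to link. Folding it into the composite object with `mtk_eth-$(CONFIG_XFRM_OFFLOAD) += mtk_ipsec.o`, ideally behind a driver-specific Kconfig symbol, would also stop the offload path being compiled in just because another driver selected XFRM_OFFLOAD.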
diff --git a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 6015127..bd2268e 100755
--- a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -30,6 +30,12 @@
 #include "mtk_hnat/nf_hnat_mtk.h"
 #endif
 
+#if defined(CONFIG_XFRM_OFFLOAD)
+#include <crypto/sha.h>
+#include <net/xfrm.h>
+#include "mtk_ipsec.h"
+#endif
+
 static int mtk_msg_level = -1;
 atomic_t reset_lock = ATOMIC_INIT(0);
 atomic_t force = ATOMIC_INIT(0);
@@ -4301,6 +4307,9 @@
 				       mtk_napi_rx, MTK_NAPI_WEIGHT);
 	}
 
+#if defined(CONFIG_XFRM_OFFLOAD)
+	mtk_ipsec_offload_init(eth);
+#endif
 	mtketh_debugfs_init(eth);
 	debug_proc_init(eth);
 
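Review bot: `mtk_ipsec_offload_init(eth)` is called unconditionally and returns void, while its body in mtk_ipsec.c writes `eth->netdev[i]->xfrmdev_ops` for every i below MTK_MAC_COUNT with no NULL check. If a MAC slot can be left unpopulated, this is a NULL dereference at probe time, and `if (!eth->netdev[i]) continue;` in that loop would cover it. The enclosing probe function starts and ends outside this hunk, so how eth->netdev[] is filled cannot be confirmed from here. Nothing in the visible changes sets NETIF_F_HW_ESP on the device features either, so confirm whether the xfrm core on this kernel needs it before it treats the device as offload-capable.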
diff --git a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.c b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.c
new file mode 100644
index 0000000..5219bc5
--- /dev/null
+++ b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.c
@@ -0,0 +1,285 @@
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (c) 2022 MediaTek Inc.
+
+#include <crypto/aes.h>
+#include <crypto/hash.h>
+#include <crypto/hmac.h>
+#include <crypto/sha.h>
+#include <crypto/sha3.h>
+#include <net/xfrm.h>
+#include <linux/ip.h>
+#include <linux/psp-sev.h>
+#include <linux/netdevice.h>
+
+#include "mtk_eth_soc.h"
+#include "mtk_ipsec.h"
+
+static inline void write_state_le(__le32 *dst, const u32 *src, u32 size)
+{
+	int i;
+
+	for (i = 0; i < SIZE_IN_WORDS(size); i++)
+		dst[i] = cpu_to_le32(src[i]);
+}
+
+static inline void write_state_be(__le32 *dst, const u32 *src, u32 size)
+{
+	int i;
+
+	for (i = 0; i < SIZE_IN_WORDS(size); i++)
+		dst[i] = cpu_to_be32(src[i]);
+}
+
+static int hmac_init_iv(struct crypto_shash *tfm,
+			unsigned int blocksize, u8 *pad, void *state)
+{
+	SHASH_DESC_ON_STACK(desc, tfm);
+	int ret;
+
+	desc->tfm = tfm;
+
+	ret = crypto_shash_init(desc);
+	if (ret)
+		return ret;
+
+	ret = crypto_shash_update(desc, pad, blocksize);
+	if (ret && ret != -EINPROGRESS && ret != -EBUSY)
+		return ret;
+
+	crypto_shash_export(desc, state);
+	shash_desc_zero(desc);
+
+	return 0;
+}
+
+static int hmac_init_pad(unsigned int blocksize, const u8 *key,
+			 unsigned int keylen, u8 *ipad, u8 *opad)
+{
+	int i;
+
+	if (keylen <= blocksize)
+		memcpy(ipad, key, keylen);
+
+	memset(ipad + keylen, 0, blocksize - keylen);
+	memcpy(opad, ipad, blocksize);
+
+	for (i = 0; i < blocksize; i++) {
+		ipad[i] ^= HMAC_IPAD_VALUE;
+		opad[i] ^= HMAC_OPAD_VALUE;
+	}
+
+	return 0;
+}
+
+int hmac_setkey(const char *alg, const u8 *key, unsigned int keylen,
+		void *istate, void *ostate)
+{
+	struct crypto_shash *tfm;
+	unsigned int blocksize;
+	u8 *ipad, *opad;
+	int ret;
+
+	tfm = crypto_alloc_shash(alg, 0, 0);
+	if (IS_ERR(tfm))
+		return PTR_ERR(tfm);
+
+	crypto_shash_clear_flags(tfm, ~0);
+	blocksize = crypto_tfm_alg_blocksize(crypto_shash_tfm(tfm));
+
+	ipad = kcalloc(2, blocksize, GFP_KERNEL);
+	if (!ipad) {
+		ret = -ENOMEM;
+		goto free_request;
+	}
+
+	opad = ipad + blocksize;
+
+	ret = hmac_init_pad(blocksize, key, keylen, ipad, opad);
+	if (ret)
+		goto free_ipad;
+
+	ret = hmac_init_iv(tfm, blocksize, ipad, istate);
+	if (ret)
+		goto free_ipad;
+
+	ret = hmac_init_iv(tfm, blocksize, opad, ostate);
+
+free_ipad:
+	kfree(ipad);
+free_request:
+	crypto_free_shash(tfm);
+
+	return ret;
+}
+
+static int mtk_ipsec_add_sa(struct xfrm_state *xs)
+{
+	struct net_device *dev = xs->xso.dev;
+	struct mtk_mac *mac = netdev_priv(dev);
+	struct mtk_eth *eth = mac->hw;
+	struct context_record *context;
+	struct ahash_export_state istate, ostate;
+	unsigned char *key_aalg;
+	unsigned char *key_ealg;
+	unsigned int key_len;
+	int i;
+	int cdrt_idx;
+
+	if (xs->props.family != AF_INET) {
+		netdev_info(dev, "Only IPv4 xfrm states may be offloaded\n");
+		return -EINVAL;
+	}
+
+	if (xs->id.proto != IPPROTO_ESP) {
+		netdev_info(dev, "Unsupported protocol 0x%04x\n",
+			    xs->id.proto);
+		return -EINVAL;
+	}
+
+	context = kzalloc(sizeof(*context), GFP_KERNEL);
+	if (unlikely(!context))
+		return -ENOMEM;
+
+	/**
+	 * Set Transform record
+	 * cdrt_idx=0, outbound for encryption
+	 * cdrt_idx=1, inbound for decryption
+	 **/
+	if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
+		/* rx path */
+		context->control0 = CTRL_WORD0_IN;
+		context->control1 = CTRL_WORD1_IN;
+		context->data[46] = 0x01020000;
+		context->data[49] = 0x6117d6a5;
+		context->data[50] = 0x07040c10;
+		context->data[52] = 0xdd07000c;
+		context->data[53] = 0xe4561820;
+		cdrt_idx = 1;
+
+	} else {
+		/* tx path */
+		context->control0 = CTRL_WORD0_OUT;
+		context->control1 = CTRL_WORD1_OUT;
+		memcpy(context->data + 38, &xs->props.saddr.a4, 4);
+		memcpy(context->data + 42, &xs->id.daddr.a4, 4);
+		context->data[39] = 0x00005938;
+		context->data[46] = 0x04020000;
+		context->data[49] = 0x9e14ed69;
+		context->data[50] = 0x01020c10;
+		context->data[52] = 0xd0060000;
+		context->data[53] = 0xe1560811;
+		context->data[55] = 0x00000049;
+		cdrt_idx = 0;
+	}
+	context->data[47] = 0x00080000;
+	context->data[48] = 0x00f00008;
+	context->data[51] = 0x94119411;
+
+	/* EIP-96 context words[2...39]*/
+	if (strcmp(xs->aalg->alg_name, "hmac(sha1)") == 0) {
+		key_aalg = &xs->aalg->alg_key[0];
+		hmac_setkey("sha1-generic", key_aalg,
+			    xs->aalg->alg_key_len / 8,
+			    &istate.state, &ostate.state);
+		key_ealg = &xs->ealg->alg_key[0];
+		key_len = xs->ealg->alg_key_len / 8;
+		write_state_le(context->data, (const u32 *)key_ealg, key_len);
+		write_state_be(context->data + SIZE_IN_WORDS(key_len),
+			       (const u32 *)&istate.state, SHA1_DIGEST_SIZE);
+
+		key_len += SHA1_DIGEST_SIZE;
+		write_state_be(context->data + SIZE_IN_WORDS(key_len),
+			       (const u32 *)&ostate.state, SHA1_DIGEST_SIZE);
+
+		key_len += SHA1_DIGEST_SIZE;
+		memcpy(context->data + SIZE_IN_WORDS(key_len),
+		       &xs->id.spi, 4);
+	}
+	//TODO: sha256
+	//else if (strcmp(xs->aalg->alg_name, "hmac(sha256)") == 0) {
+	//}
+
+	/**
+	 * Set CDRT for inline IPSec
+	 * Follow FE_CSR_MEM config flow.
+	 **/
+
+	/* Command descriptor W0-W3 */
+	for (i = MTK_GLO_MEM_DATA0; i <= MTK_GLO_MEM_DATA9; i = i + 4)
+		mtk_w32(eth, 0, i);
+
+	mtk_w32(eth, TYPE(3), MTK_GLO_MEM_DATA0);
+	mtk_w32(eth, TOKEN_LEN(48), MTK_GLO_MEM_DATA1);
+	mtk_w32(eth, __psp_pa(context) | 2, MTK_GLO_MEM_DATA2);
+	mtk_w32(eth, CTRL_CMD(1) | CTRL_INDEX(3) | CTRL_ADDR(cdrt_idx * 3),
+		MTK_GLO_MEM_CTRL);
+
+	/* Command descriptor W4-W7 */
+	for (i = MTK_GLO_MEM_DATA0; i <= MTK_GLO_MEM_DATA9; i = i + 4)
+		mtk_w32(eth, 0, i);
+
+	mtk_w32(eth, HW_SER(2) | ALLOW_PAD | STRIP_PAD, MTK_GLO_MEM_DATA0);
+	mtk_w32(eth, CTRL_CMD(1) | CTRL_INDEX(3) | CTRL_ADDR(cdrt_idx * 3 + 1),
+		MTK_GLO_MEM_CTRL);
+
+	/* Command descriptor W8-W11 */
+	for (i = MTK_GLO_MEM_DATA0; i <= MTK_GLO_MEM_DATA9; i = i + 4)
+		mtk_w32(eth, 0, i);
+
+	mtk_w32(eth, CTRL_CMD(1) | CTRL_INDEX(3) | CTRL_ADDR(cdrt_idx * 3 + 2),
+		MTK_GLO_MEM_CTRL);
+
+	xs->xso.offload_handle = (unsigned long)context;
+
+	return 0;
+}
+
+static void mtk_ipsec_free_state(struct xfrm_state *xs)
+{
+	struct context_record *context;
+
+	if (!xs->xso.offload_handle)
+		return;
+
+	context = (struct context_record *)xs->xso.offload_handle;
+	kfree(context);
+}
+
+static bool mtk_ipsec_offload_ok(struct sk_buff *skb,
+				 struct xfrm_state *xs)
+{
+	struct xfrm_offload *xo = NULL;
+
+	if (xs->xso.flags & XFRM_OFFLOAD_INBOUND) {
+		/* rx path */
+		if (xfrm_offload(skb) != NULL)
+			xo = xfrm_offload(skb);
+
+	} else {
+		/* tx path */
+		if (xfrm_offload(skb) != NULL)
+			xo = xfrm_offload(skb);
+	}
+
+	if (xs->props.family == AF_INET) {
+		/* Offload with IPv4 options is not supported yet */
+		if (ip_hdr(skb)->ihl != 5)
+			return false;
+	}
+
+	return true;
+}
+
+static const struct xfrmdev_ops mtk_xfrmdev_ops = {
+	.xdo_dev_state_add = mtk_ipsec_add_sa,
+	.xdo_dev_state_free = mtk_ipsec_free_state,
+	.xdo_dev_offload_ok = mtk_ipsec_offload_ok,
+};
+
+void mtk_ipsec_offload_init(struct mtk_eth *eth)
+{
+	int i;
+
+	for (i = 0; i < MTK_MAC_COUNT; i++)
+		eth->netdev[i]->xfrmdev_ops = &mtk_xfrmdev_ops;
+}
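Review bot: hmac_init_pad() skips the memcpy when keylen exceeds blocksize but still runs `memset(ipad + keylen, 0, blocksize - keylen)`, so an over-long authentication key makes the unsigned length wrap and the memset writes far beyond the kcalloc'd pad buffer; keylen is `xs->aalg->alg_key_len / 8`, taken straight from the SA being added. Reject such a key with -EINVAL (or hash it down first, as HMAC specifies) before touching the buffers. mtk_ipsec_add_sa() also dereferences xs->aalg and xs->ealg without a NULL check, ignores the return value of hmac_setkey(), and for any algorithm other than hmac(sha1) still programs the CDRT from a zero-filled key area and returns 0, so an unsupported SA is accepted as offloaded with no key material loaded. The istate/ostate stack copies and the ipad/opad buffer hold key-derived state and are released without being wiped; memzero_explicit() and kzfree() would fix that. Separately, mtk_ipsec_free_state() frees the context while the CDRT entry written with `__psp_pa(context)` still holds its address and no xdo_dev_state_delete hook clears it; whether the engine can still fetch from that address is not visible in this hunk and should be confirmed.

```c
static int hmac_init_pad(unsigned int blocksize, const u8 *key,
			 unsigned int keylen, u8 *ipad, u8 *opad)
{
	unsigned int i;

	/* Over-long keys are not pre-hashed here; refuse them rather than
	 * letting blocksize - keylen wrap in the memset below.
	 */
	if (keylen > blocksize)
		return -EINVAL;

	memcpy(ipad, key, keylen);
	memset(ipad + keylen, 0, blocksize - keylen);
	/* … unchanged: opad copy and ipad/opad XOR loop … */

/* mtk_ipsec_add_sa(): after the family/proto checks, before kzalloc() */
	if (!xs->aalg || !xs->ealg ||
	    strcmp(xs->aalg->alg_name, "hmac(sha1)") != 0) {
		netdev_info(dev, "Only aes-sha1 xfrm states may be offloaded\n");
		return -EINVAL;
	}
	/* the cipher name in xs->ealg should be checked the same way */

/* mtk_ipsec_add_sa(): inside the hmac(sha1) branch */
		if (hmac_setkey("sha1-generic", key_aalg,
				xs->aalg->alg_key_len / 8,
				&istate.state, &ostate.state)) {
			kfree(context);
			return -EINVAL;
		}
		/* … unchanged: key and digest state copied into context->data … */
		memzero_explicit(&istate, sizeof(istate));
		memzero_explicit(&ostate, sizeof(ostate));
```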
diff --git a/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.h b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.h
new file mode 100644
index 0000000..5d7635a
--- /dev/null
+++ b/target/linux/mediatek/files-5.4/drivers/net/ethernet/mediatek/mtk_ipsec.h
@@ -0,0 +1,106 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* Copyright (c) 2022 MediaTek Inc. */
+
+#ifndef MTK_IPSEC_H
+#define MTK_IPSEC_H
+
+#define CTRL_WORD0_OUT		0x196b1006
+#define CTRL_WORD1_OUT		0x51400001
+#define CTRL_WORD0_IN		0x096ba20f
+#define CTRL_WORD1_IN		0x00010001
+#define SIZE_IN_WORDS(x)	((x) >> 2)
+
+/* Global memory */
+#define MTK_GLO_MEM_CFG		0x600
+#define MTK_GLO_MEM_CTRL	0x604
+#define MTK_GLO_MEM_DATA0	0x608
+#define MTK_GLO_MEM_DATA1	0x60c
+#define MTK_GLO_MEM_DATA2	0x610
+#define MTK_GLO_MEM_DATA3	0x614
+#define MTK_GLO_MEM_DATA4	0x618
+#define MTK_GLO_MEM_DATA5	0x61c
+#define MTK_GLO_MEM_DATA6	0x620
+#define MTK_GLO_MEM_DATA7	0x624
+#define MTK_GLO_MEM_DATA8	0x628
+#define MTK_GLO_MEM_DATA9	0x62c
+
+/* GLO MEM CTRL */
+#define CTRL_CMD(x)		((x) << 30)
+#define CTRL_CMD_SFT		30
+#define CTRL_CMD_MASK		GENMASK(31, 30)
+#define CTRL_INDEX(x)		((x) << 20)
+#define CTRL_INDEX_SFT		20
+#define CTRL_INDEX_MASK		GENMASK(29, 20)
+#define CTRL_ADDR(x)		((x) << 0)
+#define CTRL_ADDR_SFT		0
+#define CTRL_ADDR_MASK		GENMASK(19, 0)
+
+/* CDR Word0 */
+#define TYPE(x)			((x) << 30)
+#define TYPE_SFT		30
+#define TYPE_MASK		GENMASK(31, 30)
+#define ENCLASTDEST		BIT(25)
+#define ENCLASTDEST_MASK	BIT(25)
+
+/* CDR Word1 */
+#define TOKEN_LEN(x)		((x) << 16)
+#define TOKEN_LEN_SFT		16
+#define TOKEN_LEN_MASK		GENMASK(23, 16)
+#define APP_ID(x)		((x) << 9)
+#define APP_ID_SFT		9
+#define APP_ID_MASK		GENMASK(15, 9)
+#define ADD_LEN(x)		((x) << 0)
+#define ADD_LEN_SFT		0
+#define ADD_LEN_MASK		GENMASK(7, 0)
+
+/* CDR Word4 */
+#define FLOW_LOOKUP		BIT(31)
+#define FLOW_LOOKUP_MASK	BIT(31)
+#define HW_SER(x)		((x) << 24)
+#define HW_SER_SFT		24
+#define HW_SER_MASK		GENMASK(29, 24)
+#define ALLOW_PAD		BIT(23)
+#define ALLOW_PAD_MASK		BIT(23)
+#define STRIP_PAD		BIT(22)
+#define STRIP_PAD_MASK		BIT(22)
+#define USER_DEF(x)		((x) << 0)
+#define USER_DEF_SFT		0
+#define USER_DEF_MASK		GENMASK(15, 0)
+
+/* CDR Word5 */
+#define KEEP_OUTER		BIT(28)
+#define KEEP_OUTER_MASK		BIT(28)
+#define PARSE_ETH		BIT(27)
+#define PARSE_ETH_MASK		BIT(27)
+#define L4CHECKSUM		BIT(26)
+#define L4CHECKSUM_MASK		BIT(26)
+#define IPV4CHECKSUM		BIT(25)
+#define IPV4CHECKSUM_MASK	BIT(25)
+#define FL			BIT(24)
+#define FL_MASK			BIT(24)
+#define NEXT_HEADER(x)		((x) << 16)
+#define NEXT_HEADER_SFT		16
+#define NEXT_HEADER_MASK	GENMASK(23, 16)
+
+#define HASH_CACHE_SIZE		SHA512_BLOCK_SIZE
+
+struct ahash_export_state {
+	u64 len;
+	u64 processed;
+
+	u32 digest;
+
+	u32 state[SHA512_DIGEST_SIZE / sizeof(u32)];
+	u8 cache[HASH_CACHE_SIZE];
+};
+
+/* Context Control */
+struct context_record {
+	__le32 control0;
+	__le32 control1;
+
+	__le32 data[62];
+};
+
+void mtk_ipsec_offload_init(struct mtk_eth *eth);
+#endif /* MTK_IPSEC_H */
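Review bot: `TYPE(x)` shifts a plain int left by 30 and the driver calls `TYPE(3)`, which moves a set bit into the sign position of a signed int; that is formally undefined and UBSAN will flag it. Build the fields from the masks already defined here, e.g. `#define TYPE(x) FIELD_PREP(TYPE_MASK, (x))`, or at least cast with `((u32)(x) << 30)`; the same applies to CTRL_CMD, CTRL_INDEX, TOKEN_LEN and HW_SER. The header is also not self-contained: it uses SHA512_BLOCK_SIZE, SHA512_DIGEST_SIZE, GENMASK, u64 and struct mtk_eth without including or forward-declaring them, which is apparently why mtk_eth_soc.c has to include <crypto/sha.h> just before it. Very short global names such as `TYPE` and `FL` are likely to collide once this is included into mtk_eth_soc.c; a driver-specific prefix would avoid that.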