cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

ipsec.c (17719B)

      1// SPDX-License-Identifier: GPL-2.0
      2/* Copyright(c) 2018 Oracle and/or its affiliates. All rights reserved. */
      3
      4#include "ixgbevf.h"
      5#include <net/xfrm.h>
      6#include <crypto/aead.h>
      7
      8#define IXGBE_IPSEC_KEY_BITS  160
      9static const char aes_gcm_name[] = "rfc4106(gcm(aes))";
     10
     11/**
     12 * ixgbevf_ipsec_set_pf_sa - ask the PF to set up an SA
     13 * @adapter: board private structure
     14 * @xs: xfrm info to be sent to the PF
     15 *
     16 * Returns: positive offload handle from the PF, or negative error code
     17 **/
     18static int ixgbevf_ipsec_set_pf_sa(struct ixgbevf_adapter *adapter,
     19				   struct xfrm_state *xs)
     20{
     21	u32 msgbuf[IXGBE_VFMAILBOX_SIZE] = { 0 };
     22	struct ixgbe_hw *hw = &adapter->hw;
     23	struct sa_mbx_msg *sam;
     24	int ret;
     25
     26	/* send the important bits to the PF */
     27	sam = (struct sa_mbx_msg *)(&msgbuf[1]);
     28	sam->dir = xs->xso.dir;
     29	sam->spi = xs->id.spi;
     30	sam->proto = xs->id.proto;
     31	sam->family = xs->props.family;
     32
     33	if (xs->props.family == AF_INET6)
     34		memcpy(sam->addr, &xs->id.daddr.a6, sizeof(xs->id.daddr.a6));
     35	else
     36		memcpy(sam->addr, &xs->id.daddr.a4, sizeof(xs->id.daddr.a4));
     37	memcpy(sam->key, xs->aead->alg_key, sizeof(sam->key));
     38
     39	msgbuf[0] = IXGBE_VF_IPSEC_ADD;
     40
     41	spin_lock_bh(&adapter->mbx_lock);
     42
     43	ret = ixgbevf_write_mbx(hw, msgbuf, IXGBE_VFMAILBOX_SIZE);
     44	if (ret)
     45		goto out;
     46
     47	ret = ixgbevf_poll_mbx(hw, msgbuf, 2);
     48	if (ret)
     49		goto out;
     50
     51	ret = (int)msgbuf[1];
     52	if (msgbuf[0] & IXGBE_VT_MSGTYPE_FAILURE && ret >= 0)
     53		ret = -1;
     54
     55out:
     56	spin_unlock_bh(&adapter->mbx_lock);
     57
     58	return ret;
     59}
     60
     61/**
     62 * ixgbevf_ipsec_del_pf_sa - ask the PF to delete an SA
     63 * @adapter: board private structure
     64 * @pfsa: sa index returned from PF when created, -1 for all
     65 *
     66 * Returns: 0 on success, or negative error code
     67 **/
     68static int ixgbevf_ipsec_del_pf_sa(struct ixgbevf_adapter *adapter, int pfsa)
     69{
     70	struct ixgbe_hw *hw = &adapter->hw;
     71	u32 msgbuf[2];
     72	int err;
     73
     74	memset(msgbuf, 0, sizeof(msgbuf));
     75	msgbuf[0] = IXGBE_VF_IPSEC_DEL;
     76	msgbuf[1] = (u32)pfsa;
     77
     78	spin_lock_bh(&adapter->mbx_lock);
     79
     80	err = ixgbevf_write_mbx(hw, msgbuf, 2);
     81	if (err)
     82		goto out;
     83
     84	err = ixgbevf_poll_mbx(hw, msgbuf, 2);
     85	if (err)
     86		goto out;
     87
     88out:
     89	spin_unlock_bh(&adapter->mbx_lock);
     90	return err;
     91}
     92
     93/**
     94 * ixgbevf_ipsec_restore - restore the IPsec HW settings after a reset
     95 * @adapter: board private structure
     96 *
     97 * Reload the HW tables from the SW tables after they've been bashed
     98 * by a chip reset.  While we're here, make sure any stale VF data is
     99 * removed, since we go through reset when num_vfs changes.
    100 **/
    101void ixgbevf_ipsec_restore(struct ixgbevf_adapter *adapter)
    102{
    103	struct ixgbevf_ipsec *ipsec = adapter->ipsec;
    104	struct net_device *netdev = adapter->netdev;
    105	int i;
    106
    107	if (!(adapter->netdev->features & NETIF_F_HW_ESP))
    108		return;
    109
    110	/* reload the Rx and Tx keys */
    111	for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
    112		struct rx_sa *r = &ipsec->rx_tbl[i];
    113		struct tx_sa *t = &ipsec->tx_tbl[i];
    114		int ret;
    115
    116		if (r->used) {
    117			ret = ixgbevf_ipsec_set_pf_sa(adapter, r->xs);
    118			if (ret < 0)
    119				netdev_err(netdev, "reload rx_tbl[%d] failed = %d\n",
    120					   i, ret);
    121		}
    122
    123		if (t->used) {
    124			ret = ixgbevf_ipsec_set_pf_sa(adapter, t->xs);
    125			if (ret < 0)
    126				netdev_err(netdev, "reload tx_tbl[%d] failed = %d\n",
    127					   i, ret);
    128		}
    129	}
    130}
    131
    132/**
    133 * ixgbevf_ipsec_find_empty_idx - find the first unused security parameter index
    134 * @ipsec: pointer to IPsec struct
    135 * @rxtable: true if we need to look in the Rx table
    136 *
    137 * Returns the first unused index in either the Rx or Tx SA table
    138 **/
    139static
    140int ixgbevf_ipsec_find_empty_idx(struct ixgbevf_ipsec *ipsec, bool rxtable)
    141{
    142	u32 i;
    143
    144	if (rxtable) {
    145		if (ipsec->num_rx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
    146			return -ENOSPC;
    147
    148		/* search rx sa table */
    149		for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
    150			if (!ipsec->rx_tbl[i].used)
    151				return i;
    152		}
    153	} else {
    154		if (ipsec->num_tx_sa == IXGBE_IPSEC_MAX_SA_COUNT)
    155			return -ENOSPC;
    156
    157		/* search tx sa table */
    158		for (i = 0; i < IXGBE_IPSEC_MAX_SA_COUNT; i++) {
    159			if (!ipsec->tx_tbl[i].used)
    160				return i;
    161		}
    162	}
    163
    164	return -ENOSPC;
    165}
    166
    167/**
    168 * ixgbevf_ipsec_find_rx_state - find the state that matches
    169 * @ipsec: pointer to IPsec struct
    170 * @daddr: inbound address to match
    171 * @proto: protocol to match
    172 * @spi: SPI to match
    173 * @ip4: true if using an IPv4 address
    174 *
    175 * Returns a pointer to the matching SA state information
    176 **/
    177static
    178struct xfrm_state *ixgbevf_ipsec_find_rx_state(struct ixgbevf_ipsec *ipsec,
    179					       __be32 *daddr, u8 proto,
    180					       __be32 spi, bool ip4)
    181{
    182	struct xfrm_state *ret = NULL;
    183	struct rx_sa *rsa;
    184
    185	rcu_read_lock();
    186	hash_for_each_possible_rcu(ipsec->rx_sa_list, rsa, hlist,
    187				   (__force u32)spi) {
    188		if (spi == rsa->xs->id.spi &&
    189		    ((ip4 && *daddr == rsa->xs->id.daddr.a4) ||
    190		      (!ip4 && !memcmp(daddr, &rsa->xs->id.daddr.a6,
    191				       sizeof(rsa->xs->id.daddr.a6)))) &&
    192		    proto == rsa->xs->id.proto) {
    193			ret = rsa->xs;
    194			xfrm_state_hold(ret);
    195			break;
    196		}
    197	}
    198	rcu_read_unlock();
    199	return ret;
    200}
    201
    202/**
    203 * ixgbevf_ipsec_parse_proto_keys - find the key and salt based on the protocol
    204 * @xs: pointer to xfrm_state struct
    205 * @mykey: pointer to key array to populate
    206 * @mysalt: pointer to salt value to populate
    207 *
    208 * This copies the protocol keys and salt to our own data tables.  The
    209 * 82599 family only supports the one algorithm.
    210 **/
    211static int ixgbevf_ipsec_parse_proto_keys(struct xfrm_state *xs,
    212					  u32 *mykey, u32 *mysalt)
    213{
    214	struct net_device *dev = xs->xso.real_dev;
    215	unsigned char *key_data;
    216	char *alg_name = NULL;
    217	int key_len;
    218
    219	if (!xs->aead) {
    220		netdev_err(dev, "Unsupported IPsec algorithm\n");
    221		return -EINVAL;
    222	}
    223
    224	if (xs->aead->alg_icv_len != IXGBE_IPSEC_AUTH_BITS) {
    225		netdev_err(dev, "IPsec offload requires %d bit authentication\n",
    226			   IXGBE_IPSEC_AUTH_BITS);
    227		return -EINVAL;
    228	}
    229
    230	key_data = &xs->aead->alg_key[0];
    231	key_len = xs->aead->alg_key_len;
    232	alg_name = xs->aead->alg_name;
    233
    234	if (strcmp(alg_name, aes_gcm_name)) {
    235		netdev_err(dev, "Unsupported IPsec algorithm - please use %s\n",
    236			   aes_gcm_name);
    237		return -EINVAL;
    238	}
    239
    240	/* The key bytes come down in a big endian array of bytes, so
    241	 * we don't need to do any byte swapping.
    242	 * 160 accounts for 16 byte key and 4 byte salt
    243	 */
    244	if (key_len > IXGBE_IPSEC_KEY_BITS) {
    245		*mysalt = ((u32 *)key_data)[4];
    246	} else if (key_len == IXGBE_IPSEC_KEY_BITS) {
    247		*mysalt = 0;
    248	} else {
    249		netdev_err(dev, "IPsec hw offload only supports keys up to 128 bits with a 32 bit salt\n");
    250		return -EINVAL;
    251	}
    252	memcpy(mykey, key_data, 16);
    253
    254	return 0;
    255}
    256
    257/**
    258 * ixgbevf_ipsec_add_sa - program device with a security association
    259 * @xs: pointer to transformer state struct
    260 **/
    261static int ixgbevf_ipsec_add_sa(struct xfrm_state *xs)
    262{
    263	struct net_device *dev = xs->xso.real_dev;
    264	struct ixgbevf_adapter *adapter;
    265	struct ixgbevf_ipsec *ipsec;
    266	u16 sa_idx;
    267	int ret;
    268
    269	adapter = netdev_priv(dev);
    270	ipsec = adapter->ipsec;
    271
    272	if (xs->id.proto != IPPROTO_ESP && xs->id.proto != IPPROTO_AH) {
    273		netdev_err(dev, "Unsupported protocol 0x%04x for IPsec offload\n",
    274			   xs->id.proto);
    275		return -EINVAL;
    276	}
    277
    278	if (xs->props.mode != XFRM_MODE_TRANSPORT) {
    279		netdev_err(dev, "Unsupported mode for ipsec offload\n");
    280		return -EINVAL;
    281	}
    282
    283	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
    284		struct rx_sa rsa;
    285
    286		if (xs->calg) {
    287			netdev_err(dev, "Compression offload not supported\n");
    288			return -EINVAL;
    289		}
    290
    291		/* find the first unused index */
    292		ret = ixgbevf_ipsec_find_empty_idx(ipsec, true);
    293		if (ret < 0) {
    294			netdev_err(dev, "No space for SA in Rx table!\n");
    295			return ret;
    296		}
    297		sa_idx = (u16)ret;
    298
    299		memset(&rsa, 0, sizeof(rsa));
    300		rsa.used = true;
    301		rsa.xs = xs;
    302
    303		if (rsa.xs->id.proto & IPPROTO_ESP)
    304			rsa.decrypt = xs->ealg || xs->aead;
    305
    306		/* get the key and salt */
    307		ret = ixgbevf_ipsec_parse_proto_keys(xs, rsa.key, &rsa.salt);
    308		if (ret) {
    309			netdev_err(dev, "Failed to get key data for Rx SA table\n");
    310			return ret;
    311		}
    312
    313		/* get ip for rx sa table */
    314		if (xs->props.family == AF_INET6)
    315			memcpy(rsa.ipaddr, &xs->id.daddr.a6, 16);
    316		else
    317			memcpy(&rsa.ipaddr[3], &xs->id.daddr.a4, 4);
    318
    319		rsa.mode = IXGBE_RXMOD_VALID;
    320		if (rsa.xs->id.proto & IPPROTO_ESP)
    321			rsa.mode |= IXGBE_RXMOD_PROTO_ESP;
    322		if (rsa.decrypt)
    323			rsa.mode |= IXGBE_RXMOD_DECRYPT;
    324		if (rsa.xs->props.family == AF_INET6)
    325			rsa.mode |= IXGBE_RXMOD_IPV6;
    326
    327		ret = ixgbevf_ipsec_set_pf_sa(adapter, xs);
    328		if (ret < 0)
    329			return ret;
    330		rsa.pfsa = ret;
    331
    332		/* the preparations worked, so save the info */
    333		memcpy(&ipsec->rx_tbl[sa_idx], &rsa, sizeof(rsa));
    334
    335		xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_RX_INDEX;
    336
    337		ipsec->num_rx_sa++;
    338
    339		/* hash the new entry for faster search in Rx path */
    340		hash_add_rcu(ipsec->rx_sa_list, &ipsec->rx_tbl[sa_idx].hlist,
    341			     (__force u32)rsa.xs->id.spi);
    342	} else {
    343		struct tx_sa tsa;
    344
    345		/* find the first unused index */
    346		ret = ixgbevf_ipsec_find_empty_idx(ipsec, false);
    347		if (ret < 0) {
    348			netdev_err(dev, "No space for SA in Tx table\n");
    349			return ret;
    350		}
    351		sa_idx = (u16)ret;
    352
    353		memset(&tsa, 0, sizeof(tsa));
    354		tsa.used = true;
    355		tsa.xs = xs;
    356
    357		if (xs->id.proto & IPPROTO_ESP)
    358			tsa.encrypt = xs->ealg || xs->aead;
    359
    360		ret = ixgbevf_ipsec_parse_proto_keys(xs, tsa.key, &tsa.salt);
    361		if (ret) {
    362			netdev_err(dev, "Failed to get key data for Tx SA table\n");
    363			memset(&tsa, 0, sizeof(tsa));
    364			return ret;
    365		}
    366
    367		ret = ixgbevf_ipsec_set_pf_sa(adapter, xs);
    368		if (ret < 0)
    369			return ret;
    370		tsa.pfsa = ret;
    371
    372		/* the preparations worked, so save the info */
    373		memcpy(&ipsec->tx_tbl[sa_idx], &tsa, sizeof(tsa));
    374
    375		xs->xso.offload_handle = sa_idx + IXGBE_IPSEC_BASE_TX_INDEX;
    376
    377		ipsec->num_tx_sa++;
    378	}
    379
    380	return 0;
    381}
    382
    383/**
    384 * ixgbevf_ipsec_del_sa - clear out this specific SA
    385 * @xs: pointer to transformer state struct
    386 **/
    387static void ixgbevf_ipsec_del_sa(struct xfrm_state *xs)
    388{
    389	struct net_device *dev = xs->xso.real_dev;
    390	struct ixgbevf_adapter *adapter;
    391	struct ixgbevf_ipsec *ipsec;
    392	u16 sa_idx;
    393
    394	adapter = netdev_priv(dev);
    395	ipsec = adapter->ipsec;
    396
    397	if (xs->xso.dir == XFRM_DEV_OFFLOAD_IN) {
    398		sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_RX_INDEX;
    399
    400		if (!ipsec->rx_tbl[sa_idx].used) {
    401			netdev_err(dev, "Invalid Rx SA selected sa_idx=%d offload_handle=%lu\n",
    402				   sa_idx, xs->xso.offload_handle);
    403			return;
    404		}
    405
    406		ixgbevf_ipsec_del_pf_sa(adapter, ipsec->rx_tbl[sa_idx].pfsa);
    407		hash_del_rcu(&ipsec->rx_tbl[sa_idx].hlist);
    408		memset(&ipsec->rx_tbl[sa_idx], 0, sizeof(struct rx_sa));
    409		ipsec->num_rx_sa--;
    410	} else {
    411		sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
    412
    413		if (!ipsec->tx_tbl[sa_idx].used) {
    414			netdev_err(dev, "Invalid Tx SA selected sa_idx=%d offload_handle=%lu\n",
    415				   sa_idx, xs->xso.offload_handle);
    416			return;
    417		}
    418
    419		ixgbevf_ipsec_del_pf_sa(adapter, ipsec->tx_tbl[sa_idx].pfsa);
    420		memset(&ipsec->tx_tbl[sa_idx], 0, sizeof(struct tx_sa));
    421		ipsec->num_tx_sa--;
    422	}
    423}
    424
    425/**
    426 * ixgbevf_ipsec_offload_ok - can this packet use the xfrm hw offload
    427 * @skb: current data packet
    428 * @xs: pointer to transformer state struct
    429 **/
    430static bool ixgbevf_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
    431{
    432	if (xs->props.family == AF_INET) {
    433		/* Offload with IPv4 options is not supported yet */
    434		if (ip_hdr(skb)->ihl != 5)
    435			return false;
    436	} else {
    437		/* Offload with IPv6 extension headers is not support yet */
    438		if (ipv6_ext_hdr(ipv6_hdr(skb)->nexthdr))
    439			return false;
    440	}
    441
    442	return true;
    443}
    444
    445static const struct xfrmdev_ops ixgbevf_xfrmdev_ops = {
    446	.xdo_dev_state_add = ixgbevf_ipsec_add_sa,
    447	.xdo_dev_state_delete = ixgbevf_ipsec_del_sa,
    448	.xdo_dev_offload_ok = ixgbevf_ipsec_offload_ok,
    449};
    450
    451/**
    452 * ixgbevf_ipsec_tx - setup Tx flags for IPsec offload
    453 * @tx_ring: outgoing context
    454 * @first: current data packet
    455 * @itd: ipsec Tx data for later use in building context descriptor
    456 **/
    457int ixgbevf_ipsec_tx(struct ixgbevf_ring *tx_ring,
    458		     struct ixgbevf_tx_buffer *first,
    459		     struct ixgbevf_ipsec_tx_data *itd)
    460{
    461	struct ixgbevf_adapter *adapter = netdev_priv(tx_ring->netdev);
    462	struct ixgbevf_ipsec *ipsec = adapter->ipsec;
    463	struct xfrm_state *xs;
    464	struct sec_path *sp;
    465	struct tx_sa *tsa;
    466	u16 sa_idx;
    467
    468	sp = skb_sec_path(first->skb);
    469	if (unlikely(!sp->len)) {
    470		netdev_err(tx_ring->netdev, "%s: no xfrm state len = %d\n",
    471			   __func__, sp->len);
    472		return 0;
    473	}
    474
    475	xs = xfrm_input_state(first->skb);
    476	if (unlikely(!xs)) {
    477		netdev_err(tx_ring->netdev, "%s: no xfrm_input_state() xs = %p\n",
    478			   __func__, xs);
    479		return 0;
    480	}
    481
    482	sa_idx = xs->xso.offload_handle - IXGBE_IPSEC_BASE_TX_INDEX;
    483	if (unlikely(sa_idx >= IXGBE_IPSEC_MAX_SA_COUNT)) {
    484		netdev_err(tx_ring->netdev, "%s: bad sa_idx=%d handle=%lu\n",
    485			   __func__, sa_idx, xs->xso.offload_handle);
    486		return 0;
    487	}
    488
    489	tsa = &ipsec->tx_tbl[sa_idx];
    490	if (unlikely(!tsa->used)) {
    491		netdev_err(tx_ring->netdev, "%s: unused sa_idx=%d\n",
    492			   __func__, sa_idx);
    493		return 0;
    494	}
    495
    496	itd->pfsa = tsa->pfsa - IXGBE_IPSEC_BASE_TX_INDEX;
    497
    498	first->tx_flags |= IXGBE_TX_FLAGS_IPSEC | IXGBE_TX_FLAGS_CSUM;
    499
    500	if (xs->id.proto == IPPROTO_ESP) {
    501		itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_TYPE_ESP |
    502			      IXGBE_ADVTXD_TUCMD_L4T_TCP;
    503		if (first->protocol == htons(ETH_P_IP))
    504			itd->flags |= IXGBE_ADVTXD_TUCMD_IPV4;
    505
    506		/* The actual trailer length is authlen (16 bytes) plus
    507		 * 2 bytes for the proto and the padlen values, plus
    508		 * padlen bytes of padding.  This ends up not the same
    509		 * as the static value found in xs->props.trailer_len (21).
    510		 *
    511		 * ... but if we're doing GSO, don't bother as the stack
    512		 * doesn't add a trailer for those.
    513		 */
    514		if (!skb_is_gso(first->skb)) {
    515			/* The "correct" way to get the auth length would be
    516			 * to use
    517			 *    authlen = crypto_aead_authsize(xs->data);
    518			 * but since we know we only have one size to worry
    519			 * about * we can let the compiler use the constant
    520			 * and save us a few CPU cycles.
    521			 */
    522			const int authlen = IXGBE_IPSEC_AUTH_BITS / 8;
    523			struct sk_buff *skb = first->skb;
    524			u8 padlen;
    525			int ret;
    526
    527			ret = skb_copy_bits(skb, skb->len - (authlen + 2),
    528					    &padlen, 1);
    529			if (unlikely(ret))
    530				return 0;
    531			itd->trailer_len = authlen + 2 + padlen;
    532		}
    533	}
    534	if (tsa->encrypt)
    535		itd->flags |= IXGBE_ADVTXD_TUCMD_IPSEC_ENCRYPT_EN;
    536
    537	return 1;
    538}
    539
    540/**
    541 * ixgbevf_ipsec_rx - decode IPsec bits from Rx descriptor
    542 * @rx_ring: receiving ring
    543 * @rx_desc: receive data descriptor
    544 * @skb: current data packet
    545 *
    546 * Determine if there was an IPsec encapsulation noticed, and if so set up
    547 * the resulting status for later in the receive stack.
    548 **/
    549void ixgbevf_ipsec_rx(struct ixgbevf_ring *rx_ring,
    550		      union ixgbe_adv_rx_desc *rx_desc,
    551		      struct sk_buff *skb)
    552{
    553	struct ixgbevf_adapter *adapter = netdev_priv(rx_ring->netdev);
    554	__le16 pkt_info = rx_desc->wb.lower.lo_dword.hs_rss.pkt_info;
    555	__le16 ipsec_pkt_types = cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH |
    556					     IXGBE_RXDADV_PKTTYPE_IPSEC_ESP);
    557	struct ixgbevf_ipsec *ipsec = adapter->ipsec;
    558	struct xfrm_offload *xo = NULL;
    559	struct xfrm_state *xs = NULL;
    560	struct ipv6hdr *ip6 = NULL;
    561	struct iphdr *ip4 = NULL;
    562	struct sec_path *sp;
    563	void *daddr;
    564	__be32 spi;
    565	u8 *c_hdr;
    566	u8 proto;
    567
    568	/* Find the IP and crypto headers in the data.
    569	 * We can assume no VLAN header in the way, b/c the
    570	 * hw won't recognize the IPsec packet and anyway the
    571	 * currently VLAN device doesn't support xfrm offload.
    572	 */
    573	if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV4)) {
    574		ip4 = (struct iphdr *)(skb->data + ETH_HLEN);
    575		daddr = &ip4->daddr;
    576		c_hdr = (u8 *)ip4 + ip4->ihl * 4;
    577	} else if (pkt_info & cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPV6)) {
    578		ip6 = (struct ipv6hdr *)(skb->data + ETH_HLEN);
    579		daddr = &ip6->daddr;
    580		c_hdr = (u8 *)ip6 + sizeof(struct ipv6hdr);
    581	} else {
    582		return;
    583	}
    584
    585	switch (pkt_info & ipsec_pkt_types) {
    586	case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_AH):
    587		spi = ((struct ip_auth_hdr *)c_hdr)->spi;
    588		proto = IPPROTO_AH;
    589		break;
    590	case cpu_to_le16(IXGBE_RXDADV_PKTTYPE_IPSEC_ESP):
    591		spi = ((struct ip_esp_hdr *)c_hdr)->spi;
    592		proto = IPPROTO_ESP;
    593		break;
    594	default:
    595		return;
    596	}
    597
    598	xs = ixgbevf_ipsec_find_rx_state(ipsec, daddr, proto, spi, !!ip4);
    599	if (unlikely(!xs))
    600		return;
    601
    602	sp = secpath_set(skb);
    603	if (unlikely(!sp))
    604		return;
    605
    606	sp->xvec[sp->len++] = xs;
    607	sp->olen++;
    608	xo = xfrm_offload(skb);
    609	xo->flags = CRYPTO_DONE;
    610	xo->status = CRYPTO_SUCCESS;
    611
    612	adapter->rx_ipsec++;
    613}
    614
    615/**
    616 * ixgbevf_init_ipsec_offload - initialize registers for IPsec operation
    617 * @adapter: board private structure
    618 **/
    619void ixgbevf_init_ipsec_offload(struct ixgbevf_adapter *adapter)
    620{
    621	struct ixgbevf_ipsec *ipsec;
    622	size_t size;
    623
    624	switch (adapter->hw.api_version) {
    625	case ixgbe_mbox_api_14:
    626	case ixgbe_mbox_api_15:
    627		break;
    628	default:
    629		return;
    630	}
    631
    632	ipsec = kzalloc(sizeof(*ipsec), GFP_KERNEL);
    633	if (!ipsec)
    634		goto err1;
    635	hash_init(ipsec->rx_sa_list);
    636
    637	size = sizeof(struct rx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
    638	ipsec->rx_tbl = kzalloc(size, GFP_KERNEL);
    639	if (!ipsec->rx_tbl)
    640		goto err2;
    641
    642	size = sizeof(struct tx_sa) * IXGBE_IPSEC_MAX_SA_COUNT;
    643	ipsec->tx_tbl = kzalloc(size, GFP_KERNEL);
    644	if (!ipsec->tx_tbl)
    645		goto err2;
    646
    647	ipsec->num_rx_sa = 0;
    648	ipsec->num_tx_sa = 0;
    649
    650	adapter->ipsec = ipsec;
    651
    652	adapter->netdev->xfrmdev_ops = &ixgbevf_xfrmdev_ops;
    653
    654#define IXGBEVF_ESP_FEATURES	(NETIF_F_HW_ESP | \
    655				 NETIF_F_HW_ESP_TX_CSUM | \
    656				 NETIF_F_GSO_ESP)
    657
    658	adapter->netdev->features |= IXGBEVF_ESP_FEATURES;
    659	adapter->netdev->hw_enc_features |= IXGBEVF_ESP_FEATURES;
    660
    661	return;
    662
    663err2:
    664	kfree(ipsec->rx_tbl);
    665	kfree(ipsec->tx_tbl);
    666	kfree(ipsec);
    667err1:
    668	netdev_err(adapter->netdev, "Unable to allocate memory for SA tables");
    669}
    670
    671/**
    672 * ixgbevf_stop_ipsec_offload - tear down the IPsec offload
    673 * @adapter: board private structure
    674 **/
    675void ixgbevf_stop_ipsec_offload(struct ixgbevf_adapter *adapter)
    676{
    677	struct ixgbevf_ipsec *ipsec = adapter->ipsec;
    678
    679	adapter->ipsec = NULL;
    680	if (ipsec) {
    681		kfree(ipsec->rx_tbl);
    682		kfree(ipsec->tx_tbl);
    683		kfree(ipsec);
    684	}
    685}