xref: /dpdk/lib/security/rte_security_driver.h (revision 719834a6849e1daf4a70ff7742bbcc3ae7e25607) 
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017 NXP.
3  * Copyright(c) 2017 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_DRIVER_H_
7 #define _RTE_SECURITY_DRIVER_H_
8 
9 /**
10  * @file rte_security_driver.h
11  *
12  * RTE Security Common Definitions
13  */
14 
15 #include <rte_compat.h>
16 #include "rte_security.h"
17 
18 #ifdef __cplusplus
19 extern "C" {
20 #endif
21 
22 /**
23  * @internal
24  * Security session to be used by library for internal usage
25  */
26 struct rte_security_session {
27 	uint64_t opaque_data;
28 	/**< Opaque user defined data */
29 	uint64_t fast_mdata;
30 	/**< Fast metadata to be used for inline path */
31 	rte_iova_t driver_priv_data_iova;
32 	/**< session private data IOVA address */
33 
34 	alignas(RTE_CACHE_LINE_MIN_SIZE)
35 	uint8_t driver_priv_data[];
36 	/**< Private session material, variable size (depends on driver) */
37 };
38 
39 /**
40  * Security context for crypto/eth devices
41  *
42  * Security instance for each driver to register security operations.
43  * The application can get the security context from the crypto/eth device id
44  * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
45  * This structure is used to identify the device(crypto/eth) for which the
46  * security operations need to be performed.
47  */
48 struct rte_security_ctx {
49 	void *device;
50 	/**< Crypto/ethernet device attached */
51 	const struct rte_security_ops *ops;
52 	/**< Pointer to security ops for the device */
53 	uint32_t flags;
54 	/**< Flags for security context */
55 	uint16_t sess_cnt;
56 	/**< Number of sessions attached to this context */
57 	uint16_t macsec_sc_cnt;
58 	/**< Number of MACsec SC attached to this context */
59 	uint16_t macsec_sa_cnt;
60 	/**< Number of MACsec SA attached to this context */
61 };
62 
63 /**
64  * Helper macro to get driver private data
65  */
66 #define SECURITY_GET_SESS_PRIV(s) \
67 	((void *)(((struct rte_security_session *)s)->driver_priv_data))
68 #define SECURITY_GET_SESS_PRIV_IOVA(s) \
69 	(((struct rte_security_session *)s)->driver_priv_data_iova)
70 
71 /**
72  * Configure a security session on a device.
73  *
74  * @param	device		Crypto/eth device pointer
75  * @param	conf		Security session configuration
76  * @param	sess		Pointer to Security private session structure
77  *
78  * @return
79  *  - Returns 0 if private session structure have been created successfully.
80  *  - Returns -EINVAL if input parameters are invalid.
81  *  - Returns -ENOTSUP if crypto device does not support the crypto transform.
82  */
83 typedef int (*security_session_create_t)(void *device,
84 		struct rte_security_session_conf *conf,
85 		struct rte_security_session *sess);
86 
87 /**
88  * Free driver private session data.
89  *
90  * @param	device		Crypto/eth device pointer
91  * @param	sess		Security session structure
92  */
93 typedef int (*security_session_destroy_t)(void *device,
94 		struct rte_security_session *sess);
95 
96 /**
97  * Update driver private session data.
98  *
99  * @param	device		Crypto/eth device pointer
100  * @param	sess		Pointer to Security private session structure
101  * @param	conf		Security session configuration
102  *
103  * @return
104  *  - Returns 0 if private session structure have been updated successfully.
105  *  - Returns -EINVAL if input parameters are invalid.
106  *  - Returns -ENOTSUP if crypto device does not support the crypto transform.
107  */
108 typedef int (*security_session_update_t)(void *device,
109 		struct rte_security_session *sess,
110 		struct rte_security_session_conf *conf);
111 
112 /**
113  * Configure a MACsec secure channel (SC) on a device.
114  *
115  * @param	device		Crypto/eth device pointer
116  * @param	conf		MACsec SC configuration params
117  *
118  * @return
119  *  - positive sc_id if SC is created successfully.
120  *  - -EINVAL if input parameters are invalid.
121  *  - -ENOTSUP if device does not support MACsec.
122  *  - -ENOMEM if the SC cannot be created.
123  */
124 typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);
125 
126 /**
127  * Free MACsec secure channel (SC).
128  *
129  * @param	device		Crypto/eth device pointer
130  * @param	sc_id		MACsec SC ID
131  * @param	dir		Direction of SC
132  */
133 typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id,
134 		enum rte_security_macsec_direction dir);
135 
136 /**
137  * Configure a MACsec security Association (SA) on a device.
138  *
139  * @param	device		Crypto/eth device pointer
140  * @param	conf		MACsec SA configuration params
141  *
142  * @return
143  *  - positive sa_id if SA is created successfully.
144  *  - -EINVAL if input parameters are invalid.
145  *  - -ENOTSUP if device does not support MACsec.
146  *  - -ENOMEM if the SA cannot be created.
147  */
148 typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);
149 
150 /**
151  * Free MACsec security association (SA).
152  *
153  * @param	device		Crypto/eth device pointer
154  * @param	sa_id		MACsec SA ID
155  * @param	dir		Direction of SA
156  */
157 typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id,
158 		enum rte_security_macsec_direction dir);
159 
160 /**
161  * Get the size of a security session
162  *
163  * @param	device		Crypto/eth device pointer
164  *
165  * @return
166  *  - On success returns the size of the session structure for device
167  *  - On failure returns 0
168  */
169 typedef unsigned int (*security_session_get_size)(void *device);
170 
171 /**
172  * Get stats from the PMD.
173  *
174  * @param	device		Crypto/eth device pointer
175  * @param	sess		Pointer to Security private session structure
176  * @param	stats		Security stats of the driver
177  *
178  * @return
179  *  - Returns 0 if private session structure have been updated successfully.
180  *  - Returns -EINVAL if session parameters are invalid.
181  */
182 typedef int (*security_session_stats_get_t)(void *device,
183 		struct rte_security_session *sess,
184 		struct rte_security_stats *stats);
185 
186 /**
187  * Get MACsec secure channel stats from the PMD.
188  *
189  * @param	device		Crypto/eth device pointer
190  * @param	sc_id		secure channel ID created by rte_security_macsec_sc_create()
191  * @param	dir		direction of SC
192  * @param	stats		SC stats of the driver
193  *
194  * @return
195  *  - 0 if success.
196  *  - -EINVAL if sc_id or device is invalid.
197  */
198 typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,
199 		enum rte_security_macsec_direction dir,
200 		struct rte_security_macsec_sc_stats *stats);
201 
202 /**
203  * Get MACsec SA stats from the PMD.
204  *
205  * @param	device		Crypto/eth device pointer
206  * @param	sa_id		secure channel ID created by rte_security_macsec_sc_create()
207  * @param	dir		direction of SA
208  * @param	stats		SC stats of the driver
209  *
210  * @return
211  *  - 0 if success.
212  *  - -EINVAL if sa_id or device is invalid.
213  */
214 typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,
215 		enum rte_security_macsec_direction dir,
216 		struct rte_security_macsec_sa_stats *stats);
217 
218 
219 
220 __rte_internal
221 int rte_security_dynfield_register(void);
222 
223 /**
224  * @internal
225  * Register mbuf dynamic field for security inline ingress Out-of-Place(OOP)
226  * processing.
227  */
228 __rte_internal
229 int rte_security_oop_dynfield_register(void);
230 
231 /**
232  * Update the mbuf with provided metadata.
233  *
234  * @param	device		Crypto/eth device pointer
235  * @param	sess		Security session structure
236  * @param	mb		Packet buffer
237  * @param	params		Metadata
238  *
239  * @return
240  *  - Returns 0 if metadata updated successfully.
241  *  - Returns -ve value for errors.
242  */
243 typedef int (*security_set_pkt_metadata_t)(void *device,
244 		struct rte_security_session *sess, struct rte_mbuf *mb,
245 		void *params);
246 
247 /**
248  * Get security capabilities of the device.
249  *
250  * @param	device		crypto/eth device pointer
251  *
252  * @return
253  *  - Returns rte_security_capability pointer on success.
254  *  - Returns NULL on error.
255  */
256 typedef const struct rte_security_capability *(*security_capabilities_get_t)(
257 		void *device);
258 
259 /**
260  * Configure security device to inject packets to an ethdev port.
261  *
262  * @param	device		Crypto/eth device pointer
263  * @param	port_id		Port identifier of the ethernet device to which packets need to be
264  *				injected.
265  * @param	enable		Flag to enable and disable connection between a security device and
266  *				an ethdev port.
267  * @return
268  *   - 0 if successful.
269  *   - -EINVAL if context NULL or port_id is invalid.
270  *   - -EBUSY if devices are not in stopped state.
271  *   - -ENOTSUP if security device does not support injecting to the ethdev port.
272  */
273 typedef int (*security_rx_inject_configure)(void *device, uint16_t port_id, bool enable);
274 
275 /**
276  * Perform security processing of packets and inject the processed packet to
277  * ethdev Rx.
278  *
279  * Rx inject would behave similarly to ethdev loopback but with the additional
280  * security processing.
281  *
282  * @param	device		Crypto/eth device pointer
283  * @param	pkts		The address of an array of *nb_pkts* pointers to
284  *				*rte_mbuf* structures which contain the packets.
285  * @param	sess		The address of an array of *nb_pkts* pointers to
286  *				*rte_security_session* structures corresponding
287  *				to each packet.
288  * @param	nb_pkts		The maximum number of packets to process.
289  *
290  * @return
291  *   The number of packets successfully injected to ethdev Rx. The return
292  *   value can be less than the value of the *nb_pkts* parameter when the
293  *   PMD internal queues have been filled up.
294  */
295 typedef uint16_t (*security_inb_pkt_rx_inject)(void *device,
296 		struct rte_mbuf **pkts, struct rte_security_session **sess,
297 		uint16_t nb_pkts);
298 
299 /** Security operations function pointer table */
300 struct rte_security_ops {
301 	security_session_create_t session_create;
302 	/**< Configure a security session. */
303 	security_session_update_t session_update;
304 	/**< Update a security session. */
305 	security_session_get_size session_get_size;
306 	/**< Return size of security session. */
307 	security_session_stats_get_t session_stats_get;
308 	/**< Get security session statistics. */
309 	security_session_destroy_t session_destroy;
310 	/**< Clear a security sessions private data. */
311 	security_set_pkt_metadata_t set_pkt_metadata;
312 	/**< Update mbuf metadata. */
313 	security_capabilities_get_t capabilities_get;
314 	/**< Get security capabilities. */
315 	security_macsec_sc_create_t macsec_sc_create;
316 	/**< Configure a MACsec security channel (SC). */
317 	security_macsec_sc_destroy_t macsec_sc_destroy;
318 	/**< Free a MACsec security channel (SC). */
319 	security_macsec_sa_create_t macsec_sa_create;
320 	/**< Configure a MACsec security association (SA). */
321 	security_macsec_sa_destroy_t macsec_sa_destroy;
322 	/**< Free a MACsec security association (SA). */
323 	security_macsec_sc_stats_get_t macsec_sc_stats_get;
324 	/**< Get MACsec SC statistics. */
325 	security_macsec_sa_stats_get_t macsec_sa_stats_get;
326 	/**< Get MACsec SA statistics. */
327 	security_rx_inject_configure rx_inject_configure;
328 	/**< Rx inject configure. */
329 	security_inb_pkt_rx_inject inb_pkt_rx_inject;
330 	/**< Perform security processing and do Rx inject. */
331 };
332 
333 #ifdef __cplusplus
334 }
335 #endif
336 
337 #endif /* _RTE_SECURITY_DRIVER_H_ */
338