1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <rte_compat.h> 23 #include <rte_common.h> 24 #include <rte_crypto.h> 25 #include <rte_ip.h> 26 #include <rte_mbuf.h> 27 #include <rte_mbuf_dyn.h> 28 #include <rte_memory.h> 29 #include <rte_mempool.h> 30 31 /** IPSec protocol mode */ 32 enum rte_security_ipsec_sa_mode { 33 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 34 /**< IPSec Transport mode */ 35 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 36 /**< IPSec Tunnel mode */ 37 }; 38 39 /** IPSec Protocol */ 40 enum rte_security_ipsec_sa_protocol { 41 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 42 /**< AH protocol */ 43 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 44 /**< ESP protocol */ 45 }; 46 47 /** IPSEC tunnel type */ 48 enum rte_security_ipsec_tunnel_type { 49 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 50 /**< Outer header is IPv4 */ 51 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 52 /**< Outer header is IPv6 */ 53 }; 54 55 /** 56 * IPSEC tunnel header verification mode 57 * 58 * Controls how outer IP header is verified in inbound. 59 */ 60 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 61 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 62 63 /** 64 * Security context for crypto/eth devices 65 * 66 * Security instance for each driver to register security operations. 67 * The application can get the security context from the crypto/eth device id 68 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 69 * This structure is used to identify the device(crypto/eth) for which the 70 * security operations need to be performed. 71 */ 72 struct rte_security_ctx { 73 void *device; 74 /**< Crypto/ethernet device attached */ 75 const struct rte_security_ops *ops; 76 /**< Pointer to security ops for the device */ 77 uint16_t sess_cnt; 78 /**< Number of sessions attached to this context */ 79 uint32_t flags; 80 /**< Flags for security context */ 81 }; 82 83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 84 /**< Driver uses fast metadata update without using driver specific callback */ 85 86 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002 87 /**< Driver provides udata using fast method without using driver specific 88 * callback. For fast mdata and udata, mbuf dynamic field would be registered 89 * by driver via rte_security_dynfield_register(). 90 */ 91 92 /** 93 * IPSEC tunnel parameters 94 * 95 * These parameters are used to build outbound tunnel headers. 96 */ 97 struct rte_security_ipsec_tunnel_param { 98 enum rte_security_ipsec_tunnel_type type; 99 /**< Tunnel type: IPv4 or IPv6 */ 100 RTE_STD_C11 101 union { 102 struct { 103 struct in_addr src_ip; 104 /**< IPv4 source address */ 105 struct in_addr dst_ip; 106 /**< IPv4 destination address */ 107 uint8_t dscp; 108 /**< IPv4 Differentiated Services Code Point */ 109 uint8_t df; 110 /**< IPv4 Don't Fragment bit */ 111 uint8_t ttl; 112 /**< IPv4 Time To Live */ 113 } ipv4; 114 /**< IPv4 header parameters */ 115 struct { 116 struct in6_addr src_addr; 117 /**< IPv6 source address */ 118 struct in6_addr dst_addr; 119 /**< IPv6 destination address */ 120 uint8_t dscp; 121 /**< IPv6 Differentiated Services Code Point */ 122 uint32_t flabel; 123 /**< IPv6 flow label */ 124 uint8_t hlimit; 125 /**< IPv6 hop limit */ 126 } ipv6; 127 /**< IPv6 header parameters */ 128 }; 129 }; 130 131 /** 132 * IPsec Security Association option flags 133 */ 134 struct rte_security_ipsec_sa_options { 135 /** Extended Sequence Numbers (ESN) 136 * 137 * * 1: Use extended (64 bit) sequence numbers 138 * * 0: Use normal sequence numbers 139 */ 140 uint32_t esn : 1; 141 142 /** UDP encapsulation 143 * 144 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 145 * traverse through NAT boxes. 146 * * 0: No UDP encapsulation 147 */ 148 uint32_t udp_encap : 1; 149 150 /** Copy DSCP bits 151 * 152 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 153 * the outer IP header in encapsulation, and vice versa in 154 * decapsulation. 155 * * 0: Do not change DSCP field. 156 */ 157 uint32_t copy_dscp : 1; 158 159 /** Copy IPv6 Flow Label 160 * 161 * * 1: Copy IPv6 flow label from inner IPv6 header to the 162 * outer IPv6 header. 163 * * 0: Outer header is not modified. 164 */ 165 uint32_t copy_flabel : 1; 166 167 /** Copy IPv4 Don't Fragment bit 168 * 169 * * 1: Copy the DF bit from the inner IPv4 header to the outer 170 * IPv4 header. 171 * * 0: Outer header is not modified. 172 */ 173 uint32_t copy_df : 1; 174 175 /** Decrement inner packet Time To Live (TTL) field 176 * 177 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 178 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 179 * encapsulation. 180 * * 0: Inner packet is not modified. 181 */ 182 uint32_t dec_ttl : 1; 183 184 /** Explicit Congestion Notification (ECN) 185 * 186 * * 1: In tunnel mode, enable outer header ECN Field copied from 187 * inner header in tunnel encapsulation, or inner header ECN 188 * field construction in decapsulation. 189 * * 0: Inner/outer header are not modified. 190 */ 191 uint32_t ecn : 1; 192 193 /** Security statistics 194 * 195 * * 1: Enable per session security statistics collection for 196 * this SA, if supported by the driver. 197 * * 0: Disable per session security statistics collection for this SA. 198 */ 199 uint32_t stats : 1; 200 201 /** Disable IV generation in PMD 202 * 203 * * 1: Disable IV generation in PMD. When disabled, IV provided in 204 * rte_crypto_op will be used by the PMD. 205 * 206 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 207 * value would be used and application is not required to provide 208 * IV. 209 * 210 * Note: For inline cases, IV generation would always need to be handled 211 * by the PMD. 212 */ 213 uint32_t iv_gen_disable : 1; 214 215 /** Verify tunnel header in inbound 216 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 217 * IP address. 218 * 219 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 220 * source and destination IP addresses. 221 */ 222 uint32_t tunnel_hdr_verify : 2; 223 224 /** Verify UDP encapsulation ports in inbound 225 * 226 * * 1: Match UDP source and destination ports 227 * * 0: Do not match UDP ports 228 */ 229 uint32_t udp_ports_verify : 1; 230 231 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 232 * 233 * * 1: For outbound, compute inner packet IPv4 header checksum 234 * before tunnel encapsulation and for inbound, verify after 235 * tunnel decapsulation. 236 * * 0: Inner packet IP header checksum is not computed/verified. 237 * 238 * The checksum verification status would be set in mbuf using 239 * PKT_RX_IP_CKSUM_xxx flags. 240 * 241 * Inner IP checksum computation can also be enabled(per operation) 242 * by setting the flag PKT_TX_IP_CKSUM in mbuf. 243 */ 244 uint32_t ip_csum_enable : 1; 245 246 /** Compute/verify inner packet L4 checksum in tunnel mode 247 * 248 * * 1: For outbound, compute inner packet L4 checksum before 249 * tunnel encapsulation and for inbound, verify after 250 * tunnel decapsulation. 251 * * 0: Inner packet L4 checksum is not computed/verified. 252 * 253 * The checksum verification status would be set in mbuf using 254 * PKT_RX_L4_CKSUM_xxx flags. 255 * 256 * Inner L4 checksum computation can also be enabled(per operation) 257 * by setting the flags PKT_TX_TCP_CKSUM or PKT_TX_SCTP_CKSUM or 258 * PKT_TX_UDP_CKSUM or PKT_TX_L4_MASK in mbuf. 259 */ 260 uint32_t l4_csum_enable : 1; 261 }; 262 263 /** IPSec security association direction */ 264 enum rte_security_ipsec_sa_direction { 265 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 266 /**< Encrypt and generate digest */ 267 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 268 /**< Verify digest and decrypt */ 269 }; 270 271 /** 272 * Configure soft and hard lifetime of an IPsec SA 273 * 274 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 275 * that can be processed. IPsec operations would start failing once any hard 276 * limit is reached. 277 * 278 * Soft limits can be specified to generate notification when the SA is 279 * approaching hard limits for lifetime. For inline operations, reaching soft 280 * expiry limit would result in raising an eth event for the same. For lookaside 281 * operations, this would result in a warning returned in 282 * ``rte_crypto_op.aux_flags``. 283 */ 284 struct rte_security_ipsec_lifetime { 285 uint64_t packets_soft_limit; 286 /**< Soft expiry limit in number of packets */ 287 uint64_t bytes_soft_limit; 288 /**< Soft expiry limit in bytes */ 289 uint64_t packets_hard_limit; 290 /**< Soft expiry limit in number of packets */ 291 uint64_t bytes_hard_limit; 292 /**< Soft expiry limit in bytes */ 293 }; 294 295 /** 296 * IPsec security association configuration data. 297 * 298 * This structure contains data required to create an IPsec SA security session. 299 */ 300 struct rte_security_ipsec_xform { 301 uint32_t spi; 302 /**< SA security parameter index */ 303 uint32_t salt; 304 /**< SA salt */ 305 struct rte_security_ipsec_sa_options options; 306 /**< various SA options */ 307 enum rte_security_ipsec_sa_direction direction; 308 /**< IPSec SA Direction - Egress/Ingress */ 309 enum rte_security_ipsec_sa_protocol proto; 310 /**< IPsec SA Protocol - AH/ESP */ 311 enum rte_security_ipsec_sa_mode mode; 312 /**< IPsec SA Mode - transport/tunnel */ 313 struct rte_security_ipsec_tunnel_param tunnel; 314 /**< Tunnel parameters, NULL for transport mode */ 315 struct rte_security_ipsec_lifetime life; 316 /**< IPsec SA lifetime */ 317 uint32_t replay_win_sz; 318 /**< Anti replay window size to enable sequence replay attack handling. 319 * replay checking is disabled if the window size is 0. 320 */ 321 }; 322 323 /** 324 * MACsec security session configuration 325 */ 326 struct rte_security_macsec_xform { 327 /** To be Filled */ 328 int dummy; 329 }; 330 331 /** 332 * PDCP Mode of session 333 */ 334 enum rte_security_pdcp_domain { 335 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 336 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 337 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 338 }; 339 340 /** PDCP Frame direction */ 341 enum rte_security_pdcp_direction { 342 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 343 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 344 }; 345 346 /** PDCP Sequence Number Size selectors */ 347 enum rte_security_pdcp_sn_size { 348 /** PDCP_SN_SIZE_5: 5bit sequence number */ 349 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 350 /** PDCP_SN_SIZE_7: 7bit sequence number */ 351 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 352 /** PDCP_SN_SIZE_12: 12bit sequence number */ 353 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 354 /** PDCP_SN_SIZE_15: 15bit sequence number */ 355 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 356 /** PDCP_SN_SIZE_18: 18bit sequence number */ 357 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 358 }; 359 360 /** 361 * PDCP security association configuration data. 362 * 363 * This structure contains data required to create a PDCP security session. 364 */ 365 struct rte_security_pdcp_xform { 366 int8_t bearer; /**< PDCP bearer ID */ 367 /** Enable in order delivery, this field shall be set only if 368 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 369 */ 370 uint8_t en_ordering; 371 /** Notify driver/HW to detect and remove duplicate packets. 372 * This field should be set only when driver/hw is capable. 373 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 374 */ 375 uint8_t remove_duplicates; 376 /** PDCP mode of operation: Control or data */ 377 enum rte_security_pdcp_domain domain; 378 /** PDCP Frame Direction 0:UL 1:DL */ 379 enum rte_security_pdcp_direction pkt_dir; 380 /** Sequence number size, 5/7/12/15/18 */ 381 enum rte_security_pdcp_sn_size sn_size; 382 /** Starting Hyper Frame Number to be used together with the SN 383 * from the PDCP frames 384 */ 385 uint32_t hfn; 386 /** HFN Threshold for key renegotiation */ 387 uint32_t hfn_threshold; 388 /** HFN can be given as a per packet value also. 389 * As we do not have IV in case of PDCP, and HFN is 390 * used to generate IV. IV field can be used to get the 391 * per packet HFN while enq/deq. 392 * If hfn_ovrd field is set, user is expected to set the 393 * per packet HFN in place of IV. PMDs will extract the HFN 394 * and perform operations accordingly. 395 */ 396 uint8_t hfn_ovrd; 397 /** In case of 5G NR, a new protocol (SDAP) header may be set 398 * inside PDCP payload which should be authenticated but not 399 * encrypted. Hence, driver should be notified if SDAP is 400 * enabled or not, so that SDAP header is not encrypted. 401 */ 402 uint8_t sdap_enabled; 403 /** Reserved for future */ 404 uint16_t reserved; 405 }; 406 407 /** DOCSIS direction */ 408 enum rte_security_docsis_direction { 409 RTE_SECURITY_DOCSIS_UPLINK, 410 /**< Uplink 411 * - Decryption, followed by CRC Verification 412 */ 413 RTE_SECURITY_DOCSIS_DOWNLINK, 414 /**< Downlink 415 * - CRC Generation, followed by Encryption 416 */ 417 }; 418 419 /** 420 * DOCSIS security session configuration. 421 * 422 * This structure contains data required to create a DOCSIS security session. 423 */ 424 struct rte_security_docsis_xform { 425 enum rte_security_docsis_direction direction; 426 /**< DOCSIS direction */ 427 }; 428 429 /** 430 * Security session action type. 431 */ 432 enum rte_security_session_action_type { 433 RTE_SECURITY_ACTION_TYPE_NONE, 434 /**< No security actions */ 435 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 436 /**< Crypto processing for security protocol is processed inline 437 * during transmission 438 */ 439 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 440 /**< All security protocol processing is performed inline during 441 * transmission 442 */ 443 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 444 /**< All security protocol processing including crypto is performed 445 * on a lookaside accelerator 446 */ 447 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 448 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 449 * protocol is processed synchronously by a CPU. 450 */ 451 }; 452 453 /** Security session protocol definition */ 454 enum rte_security_session_protocol { 455 RTE_SECURITY_PROTOCOL_IPSEC = 1, 456 /**< IPsec Protocol */ 457 RTE_SECURITY_PROTOCOL_MACSEC, 458 /**< MACSec Protocol */ 459 RTE_SECURITY_PROTOCOL_PDCP, 460 /**< PDCP Protocol */ 461 RTE_SECURITY_PROTOCOL_DOCSIS, 462 /**< DOCSIS Protocol */ 463 }; 464 465 /** 466 * Security session configuration 467 */ 468 struct rte_security_session_conf { 469 enum rte_security_session_action_type action_type; 470 /**< Type of action to be performed on the session */ 471 enum rte_security_session_protocol protocol; 472 /**< Security protocol to be configured */ 473 RTE_STD_C11 474 union { 475 struct rte_security_ipsec_xform ipsec; 476 struct rte_security_macsec_xform macsec; 477 struct rte_security_pdcp_xform pdcp; 478 struct rte_security_docsis_xform docsis; 479 }; 480 /**< Configuration parameters for security session */ 481 struct rte_crypto_sym_xform *crypto_xform; 482 /**< Security Session Crypto Transformations */ 483 void *userdata; 484 /**< Application specific userdata to be saved with session */ 485 }; 486 487 struct rte_security_session { 488 void *sess_private_data; 489 /**< Private session material */ 490 uint64_t opaque_data; 491 /**< Opaque user defined data */ 492 }; 493 494 /** 495 * Create security session as specified by the session configuration 496 * 497 * @param instance security instance 498 * @param conf session configuration parameters 499 * @param mp mempool to allocate session objects from 500 * @param priv_mp mempool to allocate session private data objects from 501 * @return 502 * - On success, pointer to session 503 * - On failure, NULL 504 */ 505 struct rte_security_session * 506 rte_security_session_create(struct rte_security_ctx *instance, 507 struct rte_security_session_conf *conf, 508 struct rte_mempool *mp, 509 struct rte_mempool *priv_mp); 510 511 /** 512 * Update security session as specified by the session configuration 513 * 514 * @param instance security instance 515 * @param sess session to update parameters 516 * @param conf update configuration parameters 517 * @return 518 * - On success returns 0 519 * - On failure returns a negative errno value. 520 */ 521 __rte_experimental 522 int 523 rte_security_session_update(struct rte_security_ctx *instance, 524 struct rte_security_session *sess, 525 struct rte_security_session_conf *conf); 526 527 /** 528 * Get the size of the security session data for a device. 529 * 530 * @param instance security instance. 531 * 532 * @return 533 * - Size of the private data, if successful 534 * - 0 if device is invalid or does not support the operation. 535 */ 536 unsigned int 537 rte_security_session_get_size(struct rte_security_ctx *instance); 538 539 /** 540 * Free security session header and the session private data and 541 * return it to its original mempool. 542 * 543 * @param instance security instance 544 * @param sess security session to be freed 545 * 546 * @return 547 * - 0 if successful. 548 * - -EINVAL if session or context instance is NULL. 549 * - -EBUSY if not all device private data has been freed. 550 * - -ENOTSUP if destroying private data is not supported. 551 * - other negative values in case of freeing private data errors. 552 */ 553 int 554 rte_security_session_destroy(struct rte_security_ctx *instance, 555 struct rte_security_session *sess); 556 557 /** Device-specific metadata field type */ 558 typedef uint64_t rte_security_dynfield_t; 559 /** Dynamic mbuf field for device-specific metadata */ 560 extern int rte_security_dynfield_offset; 561 562 /** 563 * @warning 564 * @b EXPERIMENTAL: this API may change without prior notice 565 * 566 * Get pointer to mbuf field for device-specific metadata. 567 * 568 * For performance reason, no check is done, 569 * the dynamic field may not be registered. 570 * @see rte_security_dynfield_is_registered 571 * 572 * @param mbuf packet to access 573 * @return pointer to mbuf field 574 */ 575 __rte_experimental 576 static inline rte_security_dynfield_t * 577 rte_security_dynfield(struct rte_mbuf *mbuf) 578 { 579 return RTE_MBUF_DYNFIELD(mbuf, 580 rte_security_dynfield_offset, 581 rte_security_dynfield_t *); 582 } 583 584 /** 585 * @warning 586 * @b EXPERIMENTAL: this API may change without prior notice 587 * 588 * Check whether the dynamic field is registered. 589 * 590 * @return true if rte_security_dynfield_register() has been called. 591 */ 592 __rte_experimental 593 static inline bool rte_security_dynfield_is_registered(void) 594 { 595 return rte_security_dynfield_offset >= 0; 596 } 597 598 /** Function to call PMD specific function pointer set_pkt_metadata() */ 599 __rte_experimental 600 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 601 struct rte_security_session *sess, 602 struct rte_mbuf *m, void *params); 603 604 /** 605 * Updates the buffer with device-specific defined metadata 606 * 607 * @param instance security instance 608 * @param sess security session 609 * @param mb packet mbuf to set metadata on. 610 * @param params device-specific defined parameters 611 * required for metadata 612 * 613 * @return 614 * - On success, zero. 615 * - On failure, a negative value. 616 */ 617 static inline int 618 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 619 struct rte_security_session *sess, 620 struct rte_mbuf *mb, void *params) 621 { 622 /* Fast Path */ 623 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 624 *rte_security_dynfield(mb) = 625 (rte_security_dynfield_t)(sess->sess_private_data); 626 return 0; 627 } 628 629 /* Jump to PMD specific function pointer */ 630 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 631 } 632 633 /** Function to call PMD specific function pointer get_userdata() */ 634 __rte_experimental 635 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance, 636 uint64_t md); 637 638 /** 639 * Get userdata associated with the security session. Device specific metadata 640 * provided would be used to uniquely identify the security session being 641 * referred to. This userdata would be registered while creating the session, 642 * and application can use this to identify the SA etc. 643 * 644 * Device specific metadata would be set in mbuf for inline processed inbound 645 * packets. In addition, the same metadata would be set for IPsec events 646 * reported by rte_eth_event framework. 647 * 648 * @param instance security instance 649 * @param md device-specific metadata 650 * 651 * @return 652 * - On success, userdata 653 * - On failure, NULL 654 */ 655 __rte_experimental 656 static inline void * 657 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md) 658 { 659 /* Fast Path */ 660 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA) 661 return (void *)(uintptr_t)md; 662 663 /* Jump to PMD specific function pointer */ 664 return __rte_security_get_userdata(instance, md); 665 } 666 667 /** 668 * Attach a session to a symmetric crypto operation 669 * 670 * @param sym_op crypto operation 671 * @param sess security session 672 */ 673 static inline int 674 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 675 struct rte_security_session *sess) 676 { 677 sym_op->sec_session = sess; 678 679 return 0; 680 } 681 682 static inline void * 683 get_sec_session_private_data(const struct rte_security_session *sess) 684 { 685 return sess->sess_private_data; 686 } 687 688 static inline void 689 set_sec_session_private_data(struct rte_security_session *sess, 690 void *private_data) 691 { 692 sess->sess_private_data = private_data; 693 } 694 695 /** 696 * Attach a session to a crypto operation. 697 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 698 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 699 * defined to perform security operations. 700 * 701 * @param op crypto operation 702 * @param sess security session 703 */ 704 static inline int 705 rte_security_attach_session(struct rte_crypto_op *op, 706 struct rte_security_session *sess) 707 { 708 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 709 return -EINVAL; 710 711 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 712 713 return __rte_security_attach_session(op->sym, sess); 714 } 715 716 struct rte_security_macsec_stats { 717 uint64_t reserved; 718 }; 719 720 struct rte_security_ipsec_stats { 721 uint64_t ipackets; /**< Successfully received IPsec packets. */ 722 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 723 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 724 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 725 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 726 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 727 uint64_t reserved1; /**< Reserved for future use. */ 728 uint64_t reserved2; /**< Reserved for future use. */ 729 }; 730 731 struct rte_security_pdcp_stats { 732 uint64_t reserved; 733 }; 734 735 struct rte_security_docsis_stats { 736 uint64_t reserved; 737 }; 738 739 struct rte_security_stats { 740 enum rte_security_session_protocol protocol; 741 /**< Security protocol to be configured */ 742 743 RTE_STD_C11 744 union { 745 struct rte_security_macsec_stats macsec; 746 struct rte_security_ipsec_stats ipsec; 747 struct rte_security_pdcp_stats pdcp; 748 struct rte_security_docsis_stats docsis; 749 }; 750 }; 751 752 /** 753 * Get security session statistics 754 * 755 * @param instance security instance 756 * @param sess security session 757 * If security session is NULL then global (per security instance) statistics 758 * will be retrieved, if supported. Global statistics collection is not 759 * dependent on the per session statistics configuration. 760 * @param stats statistics 761 * @return 762 * - On success, return 0 763 * - On failure, a negative value 764 */ 765 __rte_experimental 766 int 767 rte_security_session_stats_get(struct rte_security_ctx *instance, 768 struct rte_security_session *sess, 769 struct rte_security_stats *stats); 770 771 /** 772 * Security capability definition 773 */ 774 struct rte_security_capability { 775 enum rte_security_session_action_type action; 776 /**< Security action type*/ 777 enum rte_security_session_protocol protocol; 778 /**< Security protocol */ 779 RTE_STD_C11 780 union { 781 struct { 782 enum rte_security_ipsec_sa_protocol proto; 783 /**< IPsec SA protocol */ 784 enum rte_security_ipsec_sa_mode mode; 785 /**< IPsec SA mode */ 786 enum rte_security_ipsec_sa_direction direction; 787 /**< IPsec SA direction */ 788 struct rte_security_ipsec_sa_options options; 789 /**< IPsec SA supported options */ 790 uint32_t replay_win_sz_max; 791 /**< IPsec Anti Replay Window Size. A '0' value 792 * indicates that Anti Replay is not supported. 793 */ 794 } ipsec; 795 /**< IPsec capability */ 796 struct { 797 /* To be Filled */ 798 int dummy; 799 } macsec; 800 /**< MACsec capability */ 801 struct { 802 enum rte_security_pdcp_domain domain; 803 /**< PDCP mode of operation: Control or data */ 804 uint32_t capa_flags; 805 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 806 } pdcp; 807 /**< PDCP capability */ 808 struct { 809 enum rte_security_docsis_direction direction; 810 /**< DOCSIS direction */ 811 } docsis; 812 /**< DOCSIS capability */ 813 }; 814 815 const struct rte_cryptodev_capabilities *crypto_capabilities; 816 /**< Corresponding crypto capabilities for security capability */ 817 818 uint32_t ol_flags; 819 /**< Device offload flags */ 820 }; 821 822 /** Underlying Hardware/driver which support PDCP may or may not support 823 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 824 * If it is not set, driver/HW assumes packets received are in order 825 * and it will be application's responsibility to maintain ordering. 826 */ 827 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 828 829 /** Underlying Hardware/driver which support PDCP may or may not detect 830 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 831 * If it is not set, driver/HW assumes there is no duplicate packet received. 832 */ 833 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 834 835 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 836 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 837 */ 838 839 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 840 /**< HW constructs trailer of packets 841 * Transmitted packets will have the trailer added to them 842 * by hardware. The next protocol field will be based on 843 * the mbuf->inner_esp_next_proto field. 844 */ 845 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 846 /**< HW removes trailer of packets 847 * Received packets have no trailer, the next protocol field 848 * is supplied in the mbuf->inner_esp_next_proto field. 849 * Inner packet is not modified. 850 */ 851 852 /** 853 * Security capability index used to query a security instance for a specific 854 * security capability 855 */ 856 struct rte_security_capability_idx { 857 enum rte_security_session_action_type action; 858 enum rte_security_session_protocol protocol; 859 860 RTE_STD_C11 861 union { 862 struct { 863 enum rte_security_ipsec_sa_protocol proto; 864 enum rte_security_ipsec_sa_mode mode; 865 enum rte_security_ipsec_sa_direction direction; 866 } ipsec; 867 struct { 868 enum rte_security_pdcp_domain domain; 869 uint32_t capa_flags; 870 } pdcp; 871 struct { 872 enum rte_security_docsis_direction direction; 873 } docsis; 874 }; 875 }; 876 877 /** 878 * Returns array of security instance capabilities 879 * 880 * @param instance Security instance. 881 * 882 * @return 883 * - Returns array of security capabilities. 884 * - Return NULL if no capabilities available. 885 */ 886 const struct rte_security_capability * 887 rte_security_capabilities_get(struct rte_security_ctx *instance); 888 889 /** 890 * Query if a specific capability is available on security instance 891 * 892 * @param instance security instance. 893 * @param idx security capability index to match against 894 * 895 * @return 896 * - Returns pointer to security capability on match of capability 897 * index criteria. 898 * - Return NULL if the capability not matched on security instance. 899 */ 900 const struct rte_security_capability * 901 rte_security_capability_get(struct rte_security_ctx *instance, 902 struct rte_security_capability_idx *idx); 903 904 #ifdef __cplusplus 905 } 906 #endif 907 908 #endif /* _RTE_SECURITY_H_ */ 909