1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 */ 14 15 #ifdef __cplusplus 16 extern "C" { 17 #endif 18 19 #include <sys/types.h> 20 21 #include <rte_compat.h> 22 #include <rte_common.h> 23 #include <rte_crypto.h> 24 #include <rte_ip.h> 25 #include <rte_mbuf_dyn.h> 26 27 /** IPSec protocol mode */ 28 enum rte_security_ipsec_sa_mode { 29 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 30 /**< IPSec Transport mode */ 31 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 32 /**< IPSec Tunnel mode */ 33 }; 34 35 /** IPSec Protocol */ 36 enum rte_security_ipsec_sa_protocol { 37 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 38 /**< AH protocol */ 39 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 40 /**< ESP protocol */ 41 }; 42 43 /** IPSEC tunnel type */ 44 enum rte_security_ipsec_tunnel_type { 45 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 46 /**< Outer header is IPv4 */ 47 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 48 /**< Outer header is IPv6 */ 49 }; 50 51 /** 52 * IPSEC tunnel header verification mode 53 * 54 * Controls how outer IP header is verified in inbound. 55 */ 56 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 58 59 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 60 /**< Driver uses fast metadata update without using driver specific callback. 61 * For fast mdata, mbuf dynamic field would be registered by driver 62 * via rte_security_dynfield_register(). 63 */ 64 65 /** 66 * IPSEC tunnel parameters 67 * 68 * These parameters are used to build outbound tunnel headers. 69 */ 70 struct rte_security_ipsec_tunnel_param { 71 enum rte_security_ipsec_tunnel_type type; 72 /**< Tunnel type: IPv4 or IPv6 */ 73 union { 74 struct { 75 struct in_addr src_ip; 76 /**< IPv4 source address */ 77 struct in_addr dst_ip; 78 /**< IPv4 destination address */ 79 uint8_t dscp; 80 /**< IPv4 Differentiated Services Code Point */ 81 uint8_t df; 82 /**< IPv4 Don't Fragment bit */ 83 uint8_t ttl; 84 /**< IPv4 Time To Live */ 85 } ipv4; 86 /**< IPv4 header parameters */ 87 struct { 88 struct in6_addr src_addr; 89 /**< IPv6 source address */ 90 struct in6_addr dst_addr; 91 /**< IPv6 destination address */ 92 uint8_t dscp; 93 /**< IPv6 Differentiated Services Code Point */ 94 uint32_t flabel; 95 /**< IPv6 flow label */ 96 uint8_t hlimit; 97 /**< IPv6 hop limit */ 98 } ipv6; 99 /**< IPv6 header parameters */ 100 }; 101 }; 102 103 struct rte_security_ipsec_udp_param { 104 uint16_t sport; 105 uint16_t dport; 106 }; 107 108 /** 109 * IPsec Security Association option flags 110 */ 111 struct rte_security_ipsec_sa_options { 112 /** Extended Sequence Numbers (ESN) 113 * 114 * * 1: Use extended (64 bit) sequence numbers 115 * * 0: Use normal sequence numbers 116 */ 117 uint32_t esn : 1; 118 119 /** UDP encapsulation 120 * 121 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 122 * traverse through NAT boxes. 123 * * 0: No UDP encapsulation 124 */ 125 uint32_t udp_encap : 1; 126 127 /** Copy DSCP bits 128 * 129 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 130 * the outer IP header in encapsulation, and vice versa in 131 * decapsulation. 132 * * 0: Do not change DSCP field. 133 */ 134 uint32_t copy_dscp : 1; 135 136 /** Copy IPv6 Flow Label 137 * 138 * * 1: Copy IPv6 flow label from inner IPv6 header to the 139 * outer IPv6 header. 140 * * 0: Outer header is not modified. 141 */ 142 uint32_t copy_flabel : 1; 143 144 /** Copy IPv4 Don't Fragment bit 145 * 146 * * 1: Copy the DF bit from the inner IPv4 header to the outer 147 * IPv4 header. 148 * * 0: Outer header is not modified. 149 */ 150 uint32_t copy_df : 1; 151 152 /** Decrement inner packet Time To Live (TTL) field 153 * 154 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 155 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 156 * encapsulation. 157 * * 0: Inner packet is not modified. 158 */ 159 uint32_t dec_ttl : 1; 160 161 /** Explicit Congestion Notification (ECN) 162 * 163 * * 1: In tunnel mode, enable outer header ECN Field copied from 164 * inner header in tunnel encapsulation, or inner header ECN 165 * field construction in decapsulation. 166 * * 0: Inner/outer header are not modified. 167 */ 168 uint32_t ecn : 1; 169 170 /** Security statistics 171 * 172 * * 1: Enable per session security statistics collection for 173 * this SA, if supported by the driver. 174 * * 0: Disable per session security statistics collection for this SA. 175 */ 176 uint32_t stats : 1; 177 178 /** Disable IV generation in PMD 179 * 180 * * 1: Disable IV generation in PMD. When disabled, IV provided in 181 * rte_crypto_op will be used by the PMD. 182 * 183 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 184 * value would be used and application is not required to provide 185 * IV. 186 * 187 * Note: For inline cases, IV generation would always need to be handled 188 * by the PMD. 189 */ 190 uint32_t iv_gen_disable : 1; 191 192 /** Verify tunnel header in inbound 193 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 194 * IP address. 195 * 196 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 197 * source and destination IP addresses. 198 */ 199 uint32_t tunnel_hdr_verify : 2; 200 201 /** Verify UDP encapsulation ports in inbound 202 * 203 * * 1: Match UDP source and destination ports 204 * * 0: Do not match UDP ports 205 */ 206 uint32_t udp_ports_verify : 1; 207 208 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 209 * 210 * * 1: For outbound, compute inner packet IPv4 header checksum 211 * before tunnel encapsulation and for inbound, verify after 212 * tunnel decapsulation. 213 * * 0: Inner packet IP header checksum is not computed/verified. 214 * 215 * The checksum verification status would be set in mbuf using 216 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 217 * 218 * Inner IP checksum computation can also be enabled(per operation) 219 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 220 */ 221 uint32_t ip_csum_enable : 1; 222 223 /** Compute/verify inner packet L4 checksum in tunnel mode 224 * 225 * * 1: For outbound, compute inner packet L4 checksum before 226 * tunnel encapsulation and for inbound, verify after 227 * tunnel decapsulation. 228 * * 0: Inner packet L4 checksum is not computed/verified. 229 * 230 * The checksum verification status would be set in mbuf using 231 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 232 * 233 * Inner L4 checksum computation can also be enabled(per operation) 234 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 235 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 236 */ 237 uint32_t l4_csum_enable : 1; 238 239 /** Enable IP reassembly on inline inbound packets. 240 * 241 * * 1: Enable driver to try reassembly of encrypted IP packets for 242 * this SA, if supported by the driver. This feature will work 243 * only if user has successfully set IP reassembly config params 244 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 245 * device. PMD need to register mbuf dynamic fields using 246 * rte_eth_ip_reassembly_dynfield_register() and security session 247 * creation would fail if dynfield is not registered successfully. 248 * * 0: Disable IP reassembly of packets (default). 249 */ 250 uint32_t ip_reassembly_en : 1; 251 252 /** Enable out of place processing on inline inbound packets. 253 * 254 * * 1: Enable driver to perform Out-of-place(OOP) processing for this inline 255 * inbound SA if supported by driver. PMD need to register mbuf 256 * dynamic field using rte_security_oop_dynfield_register() 257 * and security session creation would fail if dynfield is not 258 * registered successfully. 259 * * 0: Disable OOP processing for this session (default). 260 */ 261 uint32_t ingress_oop : 1; 262 }; 263 264 /** IPSec security association direction */ 265 enum rte_security_ipsec_sa_direction { 266 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 267 /**< Encrypt and generate digest */ 268 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 269 /**< Verify digest and decrypt */ 270 }; 271 272 /** 273 * Configure soft and hard lifetime of an IPsec SA 274 * 275 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 276 * that can be processed. IPsec operations would start failing once any hard 277 * limit is reached. 278 * 279 * Soft limits can be specified to generate notification when the SA is 280 * approaching hard limits for lifetime. For inline operations, reaching soft 281 * expiry limit would result in raising an eth event for the same. For lookaside 282 * operations, this would result in a warning returned in 283 * ``rte_crypto_op.aux_flags``. 284 */ 285 struct rte_security_ipsec_lifetime { 286 uint64_t packets_soft_limit; 287 /**< Soft expiry limit in number of packets */ 288 uint64_t bytes_soft_limit; 289 /**< Soft expiry limit in bytes */ 290 uint64_t packets_hard_limit; 291 /**< Hard expiry limit in number of packets */ 292 uint64_t bytes_hard_limit; 293 /**< Hard expiry limit in bytes */ 294 }; 295 296 /** 297 * IPsec security association configuration data. 298 * 299 * This structure contains data required to create an IPsec SA security session. 300 */ 301 struct rte_security_ipsec_xform { 302 uint32_t spi; 303 /**< SA security parameter index */ 304 uint32_t salt; 305 /**< SA salt */ 306 struct rte_security_ipsec_sa_options options; 307 /**< various SA options */ 308 enum rte_security_ipsec_sa_direction direction; 309 /**< IPSec SA Direction - Egress/Ingress */ 310 enum rte_security_ipsec_sa_protocol proto; 311 /**< IPsec SA Protocol - AH/ESP */ 312 enum rte_security_ipsec_sa_mode mode; 313 /**< IPsec SA Mode - transport/tunnel */ 314 struct rte_security_ipsec_tunnel_param tunnel; 315 /**< Tunnel parameters, NULL for transport mode */ 316 struct rte_security_ipsec_lifetime life; 317 /**< IPsec SA lifetime */ 318 uint32_t replay_win_sz; 319 /**< Anti replay window size to enable sequence replay attack handling. 320 * replay checking is disabled if the window size is 0. 321 */ 322 union { 323 uint64_t value; 324 struct { 325 uint32_t low; 326 uint32_t hi; 327 }; 328 } esn; 329 /**< Extended Sequence Number */ 330 struct rte_security_ipsec_udp_param udp; 331 /**< UDP parameters, ignored when udp_encap option not specified */ 332 }; 333 334 /** 335 * MACSec packet flow direction 336 */ 337 enum rte_security_macsec_direction { 338 /** Generate SecTag and encrypt/authenticate */ 339 RTE_SECURITY_MACSEC_DIR_TX, 340 /** Remove SecTag and decrypt/verify */ 341 RTE_SECURITY_MACSEC_DIR_RX, 342 }; 343 344 /** Maximum number of association numbers for a secure channel. */ 345 #define RTE_SECURITY_MACSEC_NUM_AN 4 346 /** Salt length for MACsec SA. */ 347 #define RTE_SECURITY_MACSEC_SALT_LEN 12 348 349 /** 350 * MACsec secure association (SA) configuration structure. 351 */ 352 struct rte_security_macsec_sa { 353 /** Direction of SA */ 354 enum rte_security_macsec_direction dir; 355 /** MACsec SA key for AES-GCM 128/256 */ 356 struct { 357 const uint8_t *data; /**< pointer to key data */ 358 uint16_t length; /**< key length in bytes */ 359 } key; 360 /** 96-bit value distributed by key agreement protocol */ 361 uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; 362 /** Association number to be used */ 363 uint8_t an : 2; 364 /** Short Secure Channel Identifier, to be used for XPN cases */ 365 uint32_t ssci; 366 /** Extended packet number */ 367 uint32_t xpn; 368 /** Packet number expected/ to be used for next packet of this SA */ 369 uint32_t next_pn; 370 }; 371 372 /** 373 * MACsec Secure Channel configuration parameters. 374 */ 375 struct rte_security_macsec_sc { 376 /** Direction of SC */ 377 enum rte_security_macsec_direction dir; 378 /** Packet number threshold */ 379 uint64_t pn_threshold; 380 union { 381 struct { 382 /** SAs for each association number */ 383 uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; 384 /** flag to denote which all SAs are in use for each association number */ 385 uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; 386 /** Channel is active */ 387 uint8_t active : 1; 388 /** Extended packet number is enabled for SAs */ 389 uint8_t is_xpn : 1; 390 /** Reserved bitfields for future */ 391 uint8_t reserved : 6; 392 } sc_rx; 393 struct { 394 uint16_t sa_id; /**< SA ID to be used for encryption */ 395 uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */ 396 uint64_t sci; /**< SCI value to be used if send_sci is set */ 397 uint8_t active : 1; /**< Channel is active */ 398 uint8_t re_key_en : 1; /**< Enable Rekeying */ 399 /** Extended packet number is enabled for SAs */ 400 uint8_t is_xpn : 1; 401 /** Reserved bitfields for future */ 402 uint8_t reserved : 5; 403 } sc_tx; 404 }; 405 }; 406 407 /** 408 * MACsec Supported Algorithm list as per IEEE Std 802.1AE. 409 */ 410 enum rte_security_macsec_alg { 411 RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ 412 RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ 413 RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ 414 RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ 415 }; 416 417 /** Disable Validation of MACsec frame. */ 418 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 419 /** Validate MACsec frame but do not discard invalid frame. */ 420 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 421 /** Validate MACsec frame and discart invalid frame. */ 422 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 423 /** Do not perform any MACsec operation. */ 424 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 425 426 /** 427 * MACsec security session configuration 428 */ 429 struct rte_security_macsec_xform { 430 /** Direction of flow/secure channel */ 431 enum rte_security_macsec_direction dir; 432 /** MACsec algorithm to be used */ 433 enum rte_security_macsec_alg alg; 434 /** Cipher offset from start of Ethernet header */ 435 uint8_t cipher_off; 436 /** 437 * SCI to be used for RX flow identification or 438 * to set SCI in packet for TX when send_sci is set 439 */ 440 uint64_t sci; 441 /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */ 442 uint16_t sc_id; 443 union { 444 struct { 445 /** MTU for transmit frame (valid for inline processing) */ 446 uint16_t mtu; 447 /** 448 * Offset to insert sectag from start of ethernet header or 449 * from a matching VLAN tag 450 */ 451 uint8_t sectag_off; 452 /** Enable MACsec protection of frames */ 453 uint16_t protect_frames : 1; 454 /** 455 * Sectag insertion mode 456 * If 1, Sectag is inserted at fixed sectag_off set above. 457 * If 0, Sectag is inserted at relative sectag_off from a matching 458 * VLAN tag set. 459 */ 460 uint16_t sectag_insert_mode : 1; 461 /** ICV includes source and destination MAC addresses */ 462 uint16_t icv_include_da_sa : 1; 463 /** Control port is enabled */ 464 uint16_t ctrl_port_enable : 1; 465 /** Version of MACsec header. Should be 0 */ 466 uint16_t sectag_version : 1; 467 /** Enable end station. SCI is not valid */ 468 uint16_t end_station : 1; 469 /** Send SCI along with sectag */ 470 uint16_t send_sci : 1; 471 /** enable secure channel support EPON - single copy broadcast */ 472 uint16_t scb : 1; 473 /** 474 * Enable packet encryption and set RTE_MACSEC_TCI_C and 475 * RTE_MACSEC_TCI_E in sectag 476 */ 477 uint16_t encrypt : 1; 478 /** Reserved bitfields for future */ 479 uint16_t reserved : 7; 480 } tx_secy; 481 struct { 482 /** Replay Window size to be supported */ 483 uint32_t replay_win_sz; 484 /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ 485 uint16_t validate_frames : 2; 486 /** ICV includes source and destination MAC addresses */ 487 uint16_t icv_include_da_sa : 1; 488 /** Control port is enabled */ 489 uint16_t ctrl_port_enable : 1; 490 /** Do not strip SecTAG after processing */ 491 uint16_t preserve_sectag : 1; 492 /** Do not strip ICV from the packet after processing */ 493 uint16_t preserve_icv : 1; 494 /** Enable anti-replay protection */ 495 uint16_t replay_protect : 1; 496 /** Reserved bitfields for future */ 497 uint16_t reserved : 9; 498 } rx_secy; 499 }; 500 }; 501 502 /** 503 * PDCP Mode of session 504 */ 505 enum rte_security_pdcp_domain { 506 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 507 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 508 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 509 }; 510 511 /** PDCP Frame direction */ 512 enum rte_security_pdcp_direction { 513 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 514 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 515 }; 516 517 /** PDCP Sequence Number Size selectors */ 518 enum rte_security_pdcp_sn_size { 519 /** PDCP_SN_SIZE_5: 5bit sequence number */ 520 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 521 /** PDCP_SN_SIZE_7: 7bit sequence number */ 522 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 523 /** PDCP_SN_SIZE_12: 12bit sequence number */ 524 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 525 /** PDCP_SN_SIZE_15: 15bit sequence number */ 526 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 527 /** PDCP_SN_SIZE_18: 18bit sequence number */ 528 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 529 }; 530 531 /** 532 * PDCP security association configuration data. 533 * 534 * This structure contains data required to create a PDCP security session. 535 */ 536 struct rte_security_pdcp_xform { 537 int8_t bearer; /**< PDCP bearer ID */ 538 /** Enable in order delivery, this field shall be set only if 539 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 540 */ 541 uint8_t en_ordering; 542 /** Notify driver/HW to detect and remove duplicate packets. 543 * This field should be set only when driver/hw is capable. 544 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 545 */ 546 uint8_t remove_duplicates; 547 /** PDCP mode of operation: Control or data */ 548 enum rte_security_pdcp_domain domain; 549 /** PDCP Frame Direction 0:UL 1:DL */ 550 enum rte_security_pdcp_direction pkt_dir; 551 /** Sequence number size, 5/7/12/15/18 */ 552 enum rte_security_pdcp_sn_size sn_size; 553 /** Starting Hyper Frame Number to be used together with the SN 554 * from the PDCP frames 555 */ 556 uint32_t hfn; 557 /** HFN Threshold for key renegotiation */ 558 uint32_t hfn_threshold; 559 /** HFN can be given as a per packet value also. 560 * As we do not have IV in case of PDCP, and HFN is 561 * used to generate IV. IV field can be used to get the 562 * per packet HFN while enq/deq. 563 * If hfn_ovrd field is set, user is expected to set the 564 * per packet HFN in place of IV. PMDs will extract the HFN 565 * and perform operations accordingly. 566 */ 567 uint8_t hfn_ovrd; 568 /** In case of 5G NR, a new protocol (SDAP) header may be set 569 * inside PDCP payload which should be authenticated but not 570 * encrypted. Hence, driver should be notified if SDAP is 571 * enabled or not, so that SDAP header is not encrypted. 572 */ 573 uint8_t sdap_enabled; 574 /** Reserved for future */ 575 uint16_t reserved; 576 }; 577 578 /** DOCSIS direction */ 579 enum rte_security_docsis_direction { 580 RTE_SECURITY_DOCSIS_UPLINK, 581 /**< Uplink 582 * - Decryption, followed by CRC Verification 583 */ 584 RTE_SECURITY_DOCSIS_DOWNLINK, 585 /**< Downlink 586 * - CRC Generation, followed by Encryption 587 */ 588 }; 589 590 /** 591 * DOCSIS security session configuration. 592 * 593 * This structure contains data required to create a DOCSIS security session. 594 */ 595 struct rte_security_docsis_xform { 596 enum rte_security_docsis_direction direction; 597 /**< DOCSIS direction */ 598 }; 599 600 /** Implicit nonce length to be used with AEAD algos in TLS 1.2 */ 601 #define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4 602 /** Implicit nonce length to be used with AEAD algos in TLS 1.3 */ 603 #define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12 604 /** Implicit nonce length to be used with AEAD algos in DTLS 1.2 */ 605 #define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4 606 607 /** TLS version */ 608 enum rte_security_tls_version { 609 RTE_SECURITY_VERSION_TLS_1_2, /**< TLS 1.2 */ 610 RTE_SECURITY_VERSION_TLS_1_3, /**< TLS 1.3 */ 611 RTE_SECURITY_VERSION_DTLS_1_2, /**< DTLS 1.2 */ 612 }; 613 614 /** TLS session type */ 615 enum rte_security_tls_sess_type { 616 /** Record read session 617 * - Decrypt & digest verification. 618 */ 619 RTE_SECURITY_TLS_SESS_TYPE_READ, 620 /** Record write session 621 * - Encrypt & digest generation. 622 */ 623 RTE_SECURITY_TLS_SESS_TYPE_WRITE, 624 }; 625 626 /** 627 * TLS record session options 628 */ 629 struct rte_security_tls_record_sess_options { 630 /** Disable IV generation in PMD. 631 * 632 * * 1: Disable IV generation in PMD. When disabled, IV provided in rte_crypto_op will be 633 * used by the PMD. 634 * 635 * * 0: Enable IV generation in PMD. When enabled, PMD generated random value would be used 636 * and application is not required to provide IV. 637 */ 638 uint32_t iv_gen_disable : 1; 639 /** Enable extra padding 640 * 641 * TLS allows user to pad the plain text to hide the actual size of the record. 642 * This is required to achieve traffic flow confidentiality in case of TLS/DTLS flows. 643 * This padding is in addition to the default padding performed by PMD 644 * (which ensures ciphertext is aligned to block size). 645 * 646 * On supported devices, application may pass the required additional padding via 647 * ``rte_crypto_op.aux_flags`` field. 648 * 649 * 1 : Enable extra padding of the plain text provided. The extra padding value would be 650 * read from ``rte_crypto_op.aux_flags``. 651 * 652 * 0 : Disable extra padding 653 */ 654 uint32_t extra_padding_enable : 1; 655 }; 656 657 /** 658 * Configure soft and hard lifetime of a TLS record session. 659 * 660 * Lifetime of a TLS record session would specify the maximum number of packets that can be 661 * processed. TLS record processing operations would start failing once hard limit is reached. 662 * 663 * Soft limits can be specified to generate notification when the TLS record session is approaching 664 * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``. 665 */ 666 struct rte_security_tls_record_lifetime { 667 /** Soft expiry limit in number of packets */ 668 uint64_t packets_soft_limit; 669 /** Hard expiry limit in number of packets */ 670 uint64_t packets_hard_limit; 671 }; 672 673 /** 674 * TLS record protocol session configuration. 675 * 676 * This structure contains data required to create a TLS record security session. 677 */ 678 struct rte_security_tls_record_xform { 679 /** TLS record version. */ 680 enum rte_security_tls_version ver; 681 /** TLS record session type. */ 682 enum rte_security_tls_sess_type type; 683 /** TLS record session options. */ 684 struct rte_security_tls_record_sess_options options; 685 /** TLS record session lifetime. */ 686 struct rte_security_tls_record_lifetime life; 687 union { 688 /** TLS 1.2 parameters. */ 689 struct { 690 /** Starting sequence number. */ 691 uint64_t seq_no; 692 /** Implicit nonce to be used for AEAD algos. */ 693 uint8_t imp_nonce[RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN]; 694 } tls_1_2; 695 696 /** TLS 1.3 parameters. */ 697 struct { 698 /** Starting sequence number. */ 699 uint64_t seq_no; 700 /** Implicit nonce to be used for AEAD algos. */ 701 uint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN]; 702 /** 703 * Minimum payload length (in case of write sessions). 704 * For shorter inputs, the payload would be padded appropriately 705 * before performing crypto transformations. 706 */ 707 uint32_t min_payload_len; 708 } tls_1_3; 709 710 /** DTLS 1.2 parameters */ 711 struct { 712 /** Epoch value to be used. */ 713 uint16_t epoch; 714 /** 6B starting sequence number to be used. */ 715 uint64_t seq_no; 716 /** Implicit nonce to be used for AEAD algos. */ 717 uint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN]; 718 /** 719 * Anti replay window size to enable sequence replay attack handling. 720 * Anti replay check is disabled if the window size is 0. 721 */ 722 uint32_t ar_win_sz; 723 } dtls_1_2; 724 }; 725 }; 726 727 /** 728 * Security session action type. 729 */ 730 /* Enumeration of rte_security_session_action_type 8<*/ 731 enum rte_security_session_action_type { 732 RTE_SECURITY_ACTION_TYPE_NONE, 733 /**< No security actions */ 734 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 735 /**< Crypto processing for security protocol is processed inline 736 * during transmission 737 */ 738 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 739 /**< All security protocol processing is performed inline during 740 * transmission 741 */ 742 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 743 /**< All security protocol processing including crypto is performed 744 * on a lookaside accelerator 745 */ 746 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 747 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 748 * protocol is processed synchronously by a CPU. 749 */ 750 }; 751 /* >8 End enumeration of rte_security_session_action_type. */ 752 753 /** Security session protocol definition */ 754 /* Enumeration of rte_security_session_protocol 8<*/ 755 enum rte_security_session_protocol { 756 RTE_SECURITY_PROTOCOL_IPSEC = 1, 757 /**< IPsec Protocol */ 758 RTE_SECURITY_PROTOCOL_MACSEC, 759 /**< MACSec Protocol */ 760 RTE_SECURITY_PROTOCOL_PDCP, 761 /**< PDCP Protocol */ 762 RTE_SECURITY_PROTOCOL_DOCSIS, 763 /**< DOCSIS Protocol */ 764 RTE_SECURITY_PROTOCOL_TLS_RECORD, 765 /**< TLS Record Protocol */ 766 }; 767 /* >8 End enumeration of rte_security_session_protocol. */ 768 769 /** 770 * Security session configuration 771 */ 772 /* Structure rte_security_session_conf 8< */ 773 struct rte_security_session_conf { 774 enum rte_security_session_action_type action_type; 775 /**< Type of action to be performed on the session */ 776 enum rte_security_session_protocol protocol; 777 /**< Security protocol to be configured */ 778 union { 779 struct rte_security_ipsec_xform ipsec; 780 struct rte_security_macsec_xform macsec; 781 struct rte_security_pdcp_xform pdcp; 782 struct rte_security_docsis_xform docsis; 783 struct rte_security_tls_record_xform tls_record; 784 }; 785 /**< Configuration parameters for security session */ 786 struct rte_crypto_sym_xform *crypto_xform; 787 /**< Security Session Crypto Transformations. NULL in case of MACsec. */ 788 void *userdata; 789 /**< Application specific userdata to be saved with session */ 790 }; 791 /* >8 End of structure rte_security_session_conf. */ 792 793 /** 794 * Create security session as specified by the session configuration 795 * 796 * @param instance security instance 797 * @param conf session configuration parameters 798 * @param mp mempool to allocate session objects from 799 * @return 800 * - On success, pointer to session 801 * - On failure, NULL 802 */ 803 void * 804 rte_security_session_create(void *instance, 805 struct rte_security_session_conf *conf, 806 struct rte_mempool *mp); 807 808 /** 809 * Update security session as specified by the session configuration 810 * 811 * @param instance security instance 812 * @param sess session to update parameters 813 * @param conf update configuration parameters 814 * @return 815 * - On success returns 0 816 * - On failure returns a negative errno value. 817 */ 818 __rte_experimental 819 int 820 rte_security_session_update(void *instance, 821 void *sess, 822 struct rte_security_session_conf *conf); 823 824 /** 825 * Get the size of the security session data for a device. 826 * 827 * @param instance security instance. 828 * 829 * @return 830 * - Size of the private data, if successful 831 * - 0 if device is invalid or does not support the operation. 832 */ 833 unsigned int 834 rte_security_session_get_size(void *instance); 835 836 /** 837 * Free security session header and the session private data and 838 * return it to its original mempool. 839 * 840 * @param instance security instance 841 * @param sess security session to be freed 842 * 843 * @return 844 * - 0 if successful. 845 * - -EINVAL if session or context instance is NULL. 846 * - -EBUSY if not all device private data has been freed. 847 * - -ENOTSUP if destroying private data is not supported. 848 * - other negative values in case of freeing private data errors. 849 */ 850 int 851 rte_security_session_destroy(void *instance, void *sess); 852 853 /** 854 * @warning 855 * @b EXPERIMENTAL: this API may change without prior notice 856 * 857 * Create MACsec security channel (SC). 858 * 859 * @param instance security instance 860 * @param conf MACsec SC configuration params 861 * @return 862 * - secure channel ID if successful. 863 * - -EINVAL if configuration params are invalid of instance is NULL. 864 * - -ENOTSUP if device does not support MACsec. 865 * - -ENOMEM if PMD is not capable to create more SC. 866 * - other negative value for other errors. 867 */ 868 __rte_experimental 869 int 870 rte_security_macsec_sc_create(void *instance, 871 struct rte_security_macsec_sc *conf); 872 873 /** 874 * @warning 875 * @b EXPERIMENTAL: this API may change without prior notice 876 * 877 * Destroy MACsec security channel (SC). 878 * 879 * @param instance security instance 880 * @param sc_id SC ID to be destroyed 881 * @param dir direction of the SC 882 * @return 883 * - 0 if successful. 884 * - -EINVAL if sc_id is invalid or instance is NULL. 885 * - -EBUSY if sc is being used by some session. 886 */ 887 __rte_experimental 888 int 889 rte_security_macsec_sc_destroy(void *instance, uint16_t sc_id, 890 enum rte_security_macsec_direction dir); 891 892 /** 893 * @warning 894 * @b EXPERIMENTAL: this API may change without prior notice 895 * 896 * Create MACsec security association (SA). 897 * 898 * @param instance security instance 899 * @param conf MACsec SA configuration params 900 * @return 901 * - positive SA ID if successful. 902 * - -EINVAL if configuration params are invalid of instance is NULL. 903 * - -ENOTSUP if device does not support MACsec. 904 * - -ENOMEM if PMD is not capable to create more SAs. 905 * - other negative value for other errors. 906 */ 907 __rte_experimental 908 int 909 rte_security_macsec_sa_create(void *instance, 910 struct rte_security_macsec_sa *conf); 911 912 /** 913 * @warning 914 * @b EXPERIMENTAL: this API may change without prior notice 915 * 916 * Destroy MACsec security association (SA). 917 * 918 * @param instance security instance 919 * @param sa_id SA ID to be destroyed 920 * @param dir direction of the SA 921 * @return 922 * - 0 if successful. 923 * - -EINVAL if sa_id is invalid or instance is NULL. 924 * - -EBUSY if sa is being used by some session. 925 */ 926 __rte_experimental 927 int 928 rte_security_macsec_sa_destroy(void *instance, uint16_t sa_id, 929 enum rte_security_macsec_direction dir); 930 931 /** Device-specific metadata field type */ 932 typedef uint64_t rte_security_dynfield_t; 933 /** Dynamic mbuf field for device-specific metadata */ 934 extern int rte_security_dynfield_offset; 935 936 /** Out-of-Place(OOP) processing field type */ 937 typedef struct rte_mbuf *rte_security_oop_dynfield_t; 938 /** Dynamic mbuf field for pointer to original mbuf for 939 * OOP processing session. 940 */ 941 extern int rte_security_oop_dynfield_offset; 942 943 /** 944 * @warning 945 * @b EXPERIMENTAL: this API may change without prior notice 946 * 947 * Get pointer to mbuf field for device-specific metadata. 948 * 949 * For performance reason, no check is done, 950 * the dynamic field may not be registered. 951 * @see rte_security_dynfield_is_registered 952 * 953 * @param mbuf packet to access 954 * @return pointer to mbuf field 955 */ 956 __rte_experimental 957 static inline rte_security_dynfield_t * 958 rte_security_dynfield(struct rte_mbuf *mbuf) 959 { 960 return RTE_MBUF_DYNFIELD(mbuf, 961 rte_security_dynfield_offset, 962 rte_security_dynfield_t *); 963 } 964 965 /** 966 * @warning 967 * @b EXPERIMENTAL: this API may change without prior notice 968 * 969 * Get pointer to mbuf field for original mbuf pointer when 970 * Out-Of-Place(OOP) processing is enabled in security session. 971 * 972 * @param mbuf packet to access 973 * @return pointer to mbuf field 974 */ 975 __rte_experimental 976 static inline rte_security_oop_dynfield_t * 977 rte_security_oop_dynfield(struct rte_mbuf *mbuf) 978 { 979 return RTE_MBUF_DYNFIELD(mbuf, 980 rte_security_oop_dynfield_offset, 981 rte_security_oop_dynfield_t *); 982 } 983 984 /** 985 * @warning 986 * @b EXPERIMENTAL: this API may change without prior notice 987 * 988 * Check whether the dynamic field is registered. 989 * 990 * @return true if rte_security_dynfield_register() has been called. 991 */ 992 __rte_experimental 993 static inline bool rte_security_dynfield_is_registered(void) 994 { 995 return rte_security_dynfield_offset >= 0; 996 } 997 998 #define RTE_SECURITY_CTX_FLAGS_OFF 4 999 /** 1000 * Get security flags from security instance. 1001 */ 1002 static inline uint32_t 1003 rte_security_ctx_flags_get(void *ctx) 1004 { 1005 return *((uint32_t *)ctx + RTE_SECURITY_CTX_FLAGS_OFF); 1006 } 1007 1008 /** 1009 * Set security flags in security instance. 1010 */ 1011 static inline void 1012 rte_security_ctx_flags_set(void *ctx, uint32_t flags) 1013 { 1014 uint32_t *data; 1015 data = (((uint32_t *)ctx) + RTE_SECURITY_CTX_FLAGS_OFF); 1016 *data = flags; 1017 } 1018 1019 #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 1020 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 1021 /** 1022 * Get opaque data from session handle 1023 */ 1024 static inline uint64_t 1025 rte_security_session_opaque_data_get(void *sess) 1026 { 1027 return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 1028 } 1029 1030 /** 1031 * Set opaque data in session handle 1032 */ 1033 static inline void 1034 rte_security_session_opaque_data_set(void *sess, uint64_t opaque) 1035 { 1036 uint64_t *data; 1037 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 1038 *data = opaque; 1039 } 1040 1041 /** 1042 * Get fast mdata from session handle 1043 */ 1044 static inline uint64_t 1045 rte_security_session_fast_mdata_get(void *sess) 1046 { 1047 return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF); 1048 } 1049 1050 /** 1051 * Set fast mdata in session handle 1052 */ 1053 static inline void 1054 rte_security_session_fast_mdata_set(void *sess, uint64_t fdata) 1055 { 1056 uint64_t *data; 1057 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF); 1058 *data = fdata; 1059 } 1060 1061 /** Function to call PMD specific function pointer set_pkt_metadata() */ 1062 __rte_experimental 1063 int __rte_security_set_pkt_metadata(void *instance, 1064 void *sess, 1065 struct rte_mbuf *m, void *params); 1066 1067 /** 1068 * Updates the buffer with device-specific defined metadata 1069 * 1070 * @param instance security instance 1071 * @param sess security session 1072 * @param mb packet mbuf to set metadata on. 1073 * @param params device-specific defined parameters 1074 * required for metadata 1075 * 1076 * @return 1077 * - On success, zero. 1078 * - On failure, a negative value. 1079 */ 1080 static inline int 1081 rte_security_set_pkt_metadata(void *instance, 1082 void *sess, 1083 struct rte_mbuf *mb, void *params) 1084 { 1085 /* Fast Path */ 1086 if (rte_security_ctx_flags_get(instance) & RTE_SEC_CTX_F_FAST_SET_MDATA) { 1087 *rte_security_dynfield(mb) = (rte_security_dynfield_t) 1088 rte_security_session_fast_mdata_get(sess); 1089 return 0; 1090 } 1091 1092 /* Jump to PMD specific function pointer */ 1093 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 1094 } 1095 1096 /** 1097 * Attach a session to a symmetric crypto operation 1098 * 1099 * @param sym_op crypto operation 1100 * @param sess security session 1101 */ 1102 static inline int 1103 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess) 1104 { 1105 sym_op->session = sess; 1106 1107 return 0; 1108 } 1109 1110 /** 1111 * Attach a session to a crypto operation. 1112 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 1113 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 1114 * defined to perform security operations. 1115 * 1116 * @param op crypto operation 1117 * @param sess security session 1118 */ 1119 static inline int 1120 rte_security_attach_session(struct rte_crypto_op *op, 1121 void *sess) 1122 { 1123 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 1124 return -EINVAL; 1125 1126 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 1127 1128 return __rte_security_attach_session(op->sym, sess); 1129 } 1130 1131 struct rte_security_macsec_secy_stats { 1132 uint64_t ctl_pkt_bcast_cnt; 1133 uint64_t ctl_pkt_mcast_cnt; 1134 uint64_t ctl_pkt_ucast_cnt; 1135 uint64_t ctl_octet_cnt; 1136 uint64_t unctl_pkt_bcast_cnt; 1137 uint64_t unctl_pkt_mcast_cnt; 1138 uint64_t unctl_pkt_ucast_cnt; 1139 uint64_t unctl_octet_cnt; 1140 /* Valid only for Rx */ 1141 uint64_t octet_decrypted_cnt; 1142 uint64_t octet_validated_cnt; 1143 uint64_t pkt_port_disabled_cnt; 1144 uint64_t pkt_badtag_cnt; 1145 uint64_t pkt_nosa_cnt; 1146 uint64_t pkt_nosaerror_cnt; 1147 uint64_t pkt_tagged_ctl_cnt; 1148 uint64_t pkt_untaged_cnt; 1149 uint64_t pkt_ctl_cnt; 1150 uint64_t pkt_notag_cnt; 1151 /* Valid only for Tx */ 1152 uint64_t octet_encrypted_cnt; 1153 uint64_t octet_protected_cnt; 1154 uint64_t pkt_noactivesa_cnt; 1155 uint64_t pkt_toolong_cnt; 1156 uint64_t pkt_untagged_cnt; 1157 }; 1158 1159 struct rte_security_macsec_sc_stats { 1160 /* Rx */ 1161 uint64_t hit_cnt; 1162 uint64_t pkt_invalid_cnt; 1163 uint64_t pkt_late_cnt; 1164 uint64_t pkt_notvalid_cnt; 1165 uint64_t pkt_unchecked_cnt; 1166 uint64_t pkt_delay_cnt; 1167 uint64_t pkt_ok_cnt; 1168 uint64_t octet_decrypt_cnt; 1169 uint64_t octet_validate_cnt; 1170 /* Tx */ 1171 uint64_t pkt_encrypt_cnt; 1172 uint64_t pkt_protected_cnt; 1173 uint64_t octet_encrypt_cnt; 1174 uint64_t octet_protected_cnt; 1175 }; 1176 1177 struct rte_security_macsec_sa_stats { 1178 /* Rx */ 1179 uint64_t pkt_invalid_cnt; 1180 uint64_t pkt_nosaerror_cnt; 1181 uint64_t pkt_notvalid_cnt; 1182 uint64_t pkt_ok_cnt; 1183 uint64_t pkt_nosa_cnt; 1184 /* Tx */ 1185 uint64_t pkt_encrypt_cnt; 1186 uint64_t pkt_protected_cnt; 1187 }; 1188 1189 struct rte_security_ipsec_stats { 1190 uint64_t ipackets; /**< Successfully received IPsec packets. */ 1191 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 1192 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 1193 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 1194 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 1195 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 1196 uint64_t reserved1; /**< Reserved for future use. */ 1197 uint64_t reserved2; /**< Reserved for future use. */ 1198 }; 1199 1200 struct rte_security_pdcp_stats { 1201 uint64_t reserved; 1202 }; 1203 1204 struct rte_security_docsis_stats { 1205 uint64_t reserved; 1206 }; 1207 1208 struct rte_security_stats { 1209 enum rte_security_session_protocol protocol; 1210 /**< Security protocol to be configured */ 1211 1212 union { 1213 struct rte_security_macsec_secy_stats macsec; 1214 struct rte_security_ipsec_stats ipsec; 1215 struct rte_security_pdcp_stats pdcp; 1216 struct rte_security_docsis_stats docsis; 1217 }; 1218 }; 1219 1220 /** 1221 * Get security session statistics 1222 * 1223 * @param instance security instance 1224 * @param sess security session 1225 * If security session is NULL then global (per security instance) statistics 1226 * will be retrieved, if supported. Global statistics collection is not 1227 * dependent on the per session statistics configuration. 1228 * @param stats statistics 1229 * @return 1230 * - On success, return 0 1231 * - On failure, a negative value 1232 */ 1233 __rte_experimental 1234 int 1235 rte_security_session_stats_get(void *instance, 1236 void *sess, 1237 struct rte_security_stats *stats); 1238 1239 /** 1240 * @warning 1241 * @b EXPERIMENTAL: this API may change without prior notice 1242 * 1243 * Get MACsec SA statistics. 1244 * 1245 * @param instance security instance 1246 * @param sa_id SA ID for which stats are needed 1247 * @param dir direction of the SA 1248 * @param stats statistics 1249 * @return 1250 * - On success, return 0. 1251 * - On failure, a negative value. 1252 */ 1253 __rte_experimental 1254 int 1255 rte_security_macsec_sa_stats_get(void *instance, 1256 uint16_t sa_id, enum rte_security_macsec_direction dir, 1257 struct rte_security_macsec_sa_stats *stats); 1258 1259 /** 1260 * @warning 1261 * @b EXPERIMENTAL: this API may change without prior notice 1262 * 1263 * Get MACsec SC statistics. 1264 * 1265 * @param instance security instance 1266 * @param sc_id SC ID for which stats are needed 1267 * @param dir direction of the SC 1268 * @param stats SC statistics 1269 * @return 1270 * - On success, return 0. 1271 * - On failure, a negative value. 1272 */ 1273 __rte_experimental 1274 int 1275 rte_security_macsec_sc_stats_get(void *instance, 1276 uint16_t sc_id, enum rte_security_macsec_direction dir, 1277 struct rte_security_macsec_sc_stats *stats); 1278 1279 /** 1280 * Security capability definition 1281 */ 1282 struct rte_security_capability { 1283 enum rte_security_session_action_type action; 1284 /**< Security action type*/ 1285 enum rte_security_session_protocol protocol; 1286 /**< Security protocol */ 1287 union { 1288 struct { 1289 enum rte_security_ipsec_sa_protocol proto; 1290 /**< IPsec SA protocol */ 1291 enum rte_security_ipsec_sa_mode mode; 1292 /**< IPsec SA mode */ 1293 enum rte_security_ipsec_sa_direction direction; 1294 /**< IPsec SA direction */ 1295 struct rte_security_ipsec_sa_options options; 1296 /**< IPsec SA supported options */ 1297 uint32_t replay_win_sz_max; 1298 /**< IPsec Anti Replay Window Size. A '0' value 1299 * indicates that Anti Replay is not supported. 1300 */ 1301 } ipsec; 1302 /**< IPsec capability */ 1303 struct { 1304 /** MTU supported for inline TX */ 1305 uint16_t mtu; 1306 /** MACsec algorithm to be used */ 1307 enum rte_security_macsec_alg alg; 1308 /** Maximum number of secure channels supported */ 1309 uint16_t max_nb_sc; 1310 /** Maximum number of SAs supported */ 1311 uint16_t max_nb_sa; 1312 /** Maximum number of SAs supported */ 1313 uint16_t max_nb_sess; 1314 /** MACsec anti replay window size */ 1315 uint32_t replay_win_sz; 1316 /** Support Sectag insertion at relative offset */ 1317 uint16_t relative_sectag_insert : 1; 1318 /** Support Sectag insertion at fixed offset */ 1319 uint16_t fixed_sectag_insert : 1; 1320 /** ICV includes source and destination MAC addresses */ 1321 uint16_t icv_include_da_sa : 1; 1322 /** Control port traffic is supported */ 1323 uint16_t ctrl_port_enable : 1; 1324 /** Do not strip SecTAG after processing */ 1325 uint16_t preserve_sectag : 1; 1326 /** Do not strip ICV from the packet after processing */ 1327 uint16_t preserve_icv : 1; 1328 /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ 1329 uint16_t validate_frames : 1; 1330 /** support re-keying on SA expiry */ 1331 uint16_t re_key : 1; 1332 /** support anti replay */ 1333 uint16_t anti_replay : 1; 1334 /** Reserved bitfields for future capabilities */ 1335 uint16_t reserved : 7; 1336 } macsec; 1337 /**< MACsec capability */ 1338 struct { 1339 enum rte_security_pdcp_domain domain; 1340 /**< PDCP mode of operation: Control or data */ 1341 uint32_t capa_flags; 1342 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 1343 } pdcp; 1344 /**< PDCP capability */ 1345 struct { 1346 enum rte_security_docsis_direction direction; 1347 /**< DOCSIS direction */ 1348 } docsis; 1349 /**< DOCSIS capability */ 1350 struct { 1351 enum rte_security_tls_version ver; 1352 /**< TLS record version. */ 1353 enum rte_security_tls_sess_type type; 1354 /**< TLS record session type. */ 1355 uint32_t ar_win_size; 1356 /**< Maximum anti replay window size supported for DTLS 1.2 record read 1357 * operation. Value of 0 means anti replay check is not supported. 1358 */ 1359 } tls_record; 1360 /**< TLS record capability */ 1361 }; 1362 1363 const struct rte_cryptodev_capabilities *crypto_capabilities; 1364 /**< Corresponding crypto capabilities for security capability */ 1365 1366 uint32_t ol_flags; 1367 /**< Device offload flags */ 1368 }; 1369 1370 /** Underlying Hardware/driver which support PDCP may or may not support 1371 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 1372 * If it is not set, driver/HW assumes packets received are in order 1373 * and it will be application's responsibility to maintain ordering. 1374 */ 1375 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 1376 1377 /** Underlying Hardware/driver which support PDCP may or may not detect 1378 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 1379 * If it is not set, driver/HW assumes there is no duplicate packet received. 1380 */ 1381 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 1382 1383 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 1384 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 1385 */ 1386 1387 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 1388 /**< HW constructs trailer of packets 1389 * Transmitted packets will have the trailer added to them 1390 * by hardware. The next protocol field will be based on 1391 * the mbuf->inner_esp_next_proto field. 1392 */ 1393 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 1394 /**< HW removes trailer of packets 1395 * Received packets have no trailer, the next protocol field 1396 * is supplied in the mbuf->inner_esp_next_proto field. 1397 * Inner packet is not modified. 1398 */ 1399 1400 /** 1401 * Security capability index used to query a security instance for a specific 1402 * security capability 1403 */ 1404 struct rte_security_capability_idx { 1405 enum rte_security_session_action_type action; 1406 enum rte_security_session_protocol protocol; 1407 1408 union { 1409 struct { 1410 enum rte_security_ipsec_sa_protocol proto; 1411 enum rte_security_ipsec_sa_mode mode; 1412 enum rte_security_ipsec_sa_direction direction; 1413 } ipsec; 1414 struct { 1415 enum rte_security_pdcp_domain domain; 1416 uint32_t capa_flags; 1417 } pdcp; 1418 struct { 1419 enum rte_security_docsis_direction direction; 1420 } docsis; 1421 struct { 1422 enum rte_security_macsec_alg alg; 1423 } macsec; 1424 struct { 1425 enum rte_security_tls_version ver; 1426 enum rte_security_tls_sess_type type; 1427 } tls_record; 1428 }; 1429 }; 1430 1431 /** 1432 * Returns array of security instance capabilities 1433 * 1434 * @param instance Security instance. 1435 * 1436 * @return 1437 * - Returns array of security capabilities. 1438 * - Return NULL if no capabilities available. 1439 */ 1440 const struct rte_security_capability * 1441 rte_security_capabilities_get(void *instance); 1442 1443 /** 1444 * Query if a specific capability is available on security instance 1445 * 1446 * @param instance security instance. 1447 * @param idx security capability index to match against 1448 * 1449 * @return 1450 * - Returns pointer to security capability on match of capability 1451 * index criteria. 1452 * - Return NULL if the capability not matched on security instance. 1453 */ 1454 const struct rte_security_capability * 1455 rte_security_capability_get(void *instance, 1456 struct rte_security_capability_idx *idx); 1457 1458 /** 1459 * @warning 1460 * @b EXPERIMENTAL: this API may change, or be removed, without prior notice 1461 * 1462 * Configure security device to inject packets to an ethdev port. 1463 * 1464 * This API must be called only when both security device and the ethdev is in 1465 * stopped state. The security device need to be configured before any packets 1466 * are submitted to ``rte_security_inb_pkt_rx_inject`` API. 1467 * 1468 * @param ctx Security ctx 1469 * @param port_id Port identifier of the ethernet device to which 1470 * packets need to be injected. 1471 * @param enable Flag to enable and disable connection between a 1472 * security device and an ethdev port. 1473 * @return 1474 * - 0 if successful. 1475 * - -EINVAL if context NULL or port_id is invalid. 1476 * - -EBUSY if devices are not in stopped state. 1477 * - -ENOTSUP if security device does not support injecting to ethdev port. 1478 * 1479 * @see rte_security_inb_pkt_rx_inject 1480 */ 1481 __rte_experimental 1482 int 1483 rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable); 1484 1485 /** 1486 * @warning 1487 * @b EXPERIMENTAL: this API may change, or be removed, without prior notice 1488 * 1489 * Perform security processing of packets and inject the processed packet to 1490 * ethdev Rx. 1491 * 1492 * Rx inject would behave similarly to ethdev loopback but with the additional 1493 * security processing. In case of ethdev loopback, application would be 1494 * submitting packets to ethdev Tx queues and would be received as is from 1495 * ethdev Rx queues. With Rx inject, packets would be received after security 1496 * processing from ethdev Rx queues. 1497 * 1498 * With inline protocol offload capable ethdevs, Rx injection can be used to 1499 * handle packets which failed the regular security Rx path. This can be due to 1500 * cases such as outer fragmentation, in which case applications can reassemble 1501 * the fragments and then subsequently submit for inbound processing and Rx 1502 * injection, so that packets are received as regular security processed 1503 * packets. 1504 * 1505 * With lookaside protocol offload capable cryptodevs, Rx injection can be used 1506 * to perform packet parsing after security processing. This would allow for 1507 * re-classification after security protocol processing is done (ie, inner 1508 * packet parsing). The ethdev queue on which the packet would be received would 1509 * be based on rte_flow rules matching the packet after security processing. 1510 * 1511 * The security device which is injecting packets to ethdev Rx need to be 1512 * configured using ``rte_security_rx_inject_configure`` with enable flag set 1513 * to `true` before any packets are submitted. 1514 * 1515 * If `hash.fdir.h` field is set in mbuf, it would be treated as the value for 1516 * `MARK` pattern for the subsequent rte_flow parsing. The packet would appear 1517 * as if it is received from `port` field in mbuf. 1518 * 1519 * Since the packet would be received back from ethdev Rx queues, 1520 * it is expected that application retains/adds L2 header with the 1521 * mbuf field 'l2_len' reflecting the size of L2 header in the packet. 1522 * 1523 * @param ctx Security ctx 1524 * @param pkts The address of an array of *nb_pkts* pointers to 1525 * *rte_mbuf* structures which contain the packets. 1526 * @param sess The address of an array of *nb_pkts* pointers to 1527 * security sessions corresponding to each packet. 1528 * @param nb_pkts The maximum number of packets to process. 1529 * 1530 * @return 1531 * The number of packets successfully injected to ethdev Rx. 1532 * The return value can be less than the value of the *nb_pkts* parameter 1533 * when the PMD internal queues have been filled up. 1534 * 1535 * @see rte_security_rx_inject_configure 1536 */ 1537 __rte_experimental 1538 uint16_t 1539 rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess, 1540 uint16_t nb_pkts); 1541 1542 #ifdef __cplusplus 1543 } 1544 #endif 1545 1546 #endif /* _RTE_SECURITY_H_ */ 1547