1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <netinet/in.h> 23 #include <netinet/ip.h> 24 #include <netinet/ip6.h> 25 26 #include <rte_compat.h> 27 #include <rte_common.h> 28 #include <rte_crypto.h> 29 #include <rte_mbuf.h> 30 #include <rte_mbuf_dyn.h> 31 #include <rte_memory.h> 32 #include <rte_mempool.h> 33 34 /** IPSec protocol mode */ 35 enum rte_security_ipsec_sa_mode { 36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 37 /**< IPSec Transport mode */ 38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 39 /**< IPSec Tunnel mode */ 40 }; 41 42 /** IPSec Protocol */ 43 enum rte_security_ipsec_sa_protocol { 44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 45 /**< AH protocol */ 46 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 47 /**< ESP protocol */ 48 }; 49 50 /** IPSEC tunnel type */ 51 enum rte_security_ipsec_tunnel_type { 52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 53 /**< Outer header is IPv4 */ 54 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 55 /**< Outer header is IPv6 */ 56 }; 57 58 /** 59 * IPSEC tunnel header verification mode 60 * 61 * Controls how outer IP header is verified in inbound. 62 */ 63 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 64 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 65 66 /** 67 * Security context for crypto/eth devices 68 * 69 * Security instance for each driver to register security operations. 70 * The application can get the security context from the crypto/eth device id 71 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 72 * This structure is used to identify the device(crypto/eth) for which the 73 * security operations need to be performed. 74 */ 75 struct rte_security_ctx { 76 void *device; 77 /**< Crypto/ethernet device attached */ 78 const struct rte_security_ops *ops; 79 /**< Pointer to security ops for the device */ 80 uint16_t sess_cnt; 81 /**< Number of sessions attached to this context */ 82 uint32_t flags; 83 /**< Flags for security context */ 84 }; 85 86 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 87 /**< Driver uses fast metadata update without using driver specific callback */ 88 89 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002 90 /**< Driver provides udata using fast method without using driver specific 91 * callback. For fast mdata and udata, mbuf dynamic field would be registered 92 * by driver via rte_security_dynfield_register(). 93 */ 94 95 /** 96 * IPSEC tunnel parameters 97 * 98 * These parameters are used to build outbound tunnel headers. 99 */ 100 struct rte_security_ipsec_tunnel_param { 101 enum rte_security_ipsec_tunnel_type type; 102 /**< Tunnel type: IPv4 or IPv6 */ 103 RTE_STD_C11 104 union { 105 struct { 106 struct in_addr src_ip; 107 /**< IPv4 source address */ 108 struct in_addr dst_ip; 109 /**< IPv4 destination address */ 110 uint8_t dscp; 111 /**< IPv4 Differentiated Services Code Point */ 112 uint8_t df; 113 /**< IPv4 Don't Fragment bit */ 114 uint8_t ttl; 115 /**< IPv4 Time To Live */ 116 } ipv4; 117 /**< IPv4 header parameters */ 118 struct { 119 struct in6_addr src_addr; 120 /**< IPv6 source address */ 121 struct in6_addr dst_addr; 122 /**< IPv6 destination address */ 123 uint8_t dscp; 124 /**< IPv6 Differentiated Services Code Point */ 125 uint32_t flabel; 126 /**< IPv6 flow label */ 127 uint8_t hlimit; 128 /**< IPv6 hop limit */ 129 } ipv6; 130 /**< IPv6 header parameters */ 131 }; 132 }; 133 134 /** 135 * IPsec Security Association option flags 136 */ 137 struct rte_security_ipsec_sa_options { 138 /** Extended Sequence Numbers (ESN) 139 * 140 * * 1: Use extended (64 bit) sequence numbers 141 * * 0: Use normal sequence numbers 142 */ 143 uint32_t esn : 1; 144 145 /** UDP encapsulation 146 * 147 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 148 * traverse through NAT boxes. 149 * * 0: No UDP encapsulation 150 */ 151 uint32_t udp_encap : 1; 152 153 /** Copy DSCP bits 154 * 155 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 156 * the outer IP header in encapsulation, and vice versa in 157 * decapsulation. 158 * * 0: Do not change DSCP field. 159 */ 160 uint32_t copy_dscp : 1; 161 162 /** Copy IPv6 Flow Label 163 * 164 * * 1: Copy IPv6 flow label from inner IPv6 header to the 165 * outer IPv6 header. 166 * * 0: Outer header is not modified. 167 */ 168 uint32_t copy_flabel : 1; 169 170 /** Copy IPv4 Don't Fragment bit 171 * 172 * * 1: Copy the DF bit from the inner IPv4 header to the outer 173 * IPv4 header. 174 * * 0: Outer header is not modified. 175 */ 176 uint32_t copy_df : 1; 177 178 /** Decrement inner packet Time To Live (TTL) field 179 * 180 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 181 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 182 * encapsulation. 183 * * 0: Inner packet is not modified. 184 */ 185 uint32_t dec_ttl : 1; 186 187 /** Explicit Congestion Notification (ECN) 188 * 189 * * 1: In tunnel mode, enable outer header ECN Field copied from 190 * inner header in tunnel encapsulation, or inner header ECN 191 * field construction in decapsulation. 192 * * 0: Inner/outer header are not modified. 193 */ 194 uint32_t ecn : 1; 195 196 /** Security statistics 197 * 198 * * 1: Enable per session security statistics collection for 199 * this SA, if supported by the driver. 200 * * 0: Disable per session security statistics collection for this SA. 201 */ 202 uint32_t stats : 1; 203 204 /** Disable IV generation in PMD 205 * 206 * * 1: Disable IV generation in PMD. When disabled, IV provided in 207 * rte_crypto_op will be used by the PMD. 208 * 209 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 210 * value would be used and application is not required to provide 211 * IV. 212 * 213 * Note: For inline cases, IV generation would always need to be handled 214 * by the PMD. 215 */ 216 uint32_t iv_gen_disable : 1; 217 218 /** Verify tunnel header in inbound 219 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 220 * IP address. 221 * 222 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 223 * source and destination IP addresses. 224 */ 225 uint32_t tunnel_hdr_verify : 2; 226 }; 227 228 /** IPSec security association direction */ 229 enum rte_security_ipsec_sa_direction { 230 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 231 /**< Encrypt and generate digest */ 232 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 233 /**< Verify digest and decrypt */ 234 }; 235 236 /** 237 * Configure soft and hard lifetime of an IPsec SA 238 * 239 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 240 * that can be processed. IPsec operations would start failing once any hard 241 * limit is reached. 242 * 243 * Soft limits can be specified to generate notification when the SA is 244 * approaching hard limits for lifetime. For inline operations, reaching soft 245 * expiry limit would result in raising an eth event for the same. For lookaside 246 * operations, this would result in a warning returned in 247 * ``rte_crypto_op.aux_flags``. 248 */ 249 struct rte_security_ipsec_lifetime { 250 uint64_t packets_soft_limit; 251 /**< Soft expiry limit in number of packets */ 252 uint64_t bytes_soft_limit; 253 /**< Soft expiry limit in bytes */ 254 uint64_t packets_hard_limit; 255 /**< Soft expiry limit in number of packets */ 256 uint64_t bytes_hard_limit; 257 /**< Soft expiry limit in bytes */ 258 }; 259 260 /** 261 * IPsec security association configuration data. 262 * 263 * This structure contains data required to create an IPsec SA security session. 264 */ 265 struct rte_security_ipsec_xform { 266 uint32_t spi; 267 /**< SA security parameter index */ 268 uint32_t salt; 269 /**< SA salt */ 270 struct rte_security_ipsec_sa_options options; 271 /**< various SA options */ 272 enum rte_security_ipsec_sa_direction direction; 273 /**< IPSec SA Direction - Egress/Ingress */ 274 enum rte_security_ipsec_sa_protocol proto; 275 /**< IPsec SA Protocol - AH/ESP */ 276 enum rte_security_ipsec_sa_mode mode; 277 /**< IPsec SA Mode - transport/tunnel */ 278 struct rte_security_ipsec_tunnel_param tunnel; 279 /**< Tunnel parameters, NULL for transport mode */ 280 struct rte_security_ipsec_lifetime life; 281 /**< IPsec SA lifetime */ 282 uint32_t replay_win_sz; 283 /**< Anti replay window size to enable sequence replay attack handling. 284 * replay checking is disabled if the window size is 0. 285 */ 286 }; 287 288 /** 289 * MACsec security session configuration 290 */ 291 struct rte_security_macsec_xform { 292 /** To be Filled */ 293 int dummy; 294 }; 295 296 /** 297 * PDCP Mode of session 298 */ 299 enum rte_security_pdcp_domain { 300 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 301 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 302 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 303 }; 304 305 /** PDCP Frame direction */ 306 enum rte_security_pdcp_direction { 307 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 308 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 309 }; 310 311 /** PDCP Sequence Number Size selectors */ 312 enum rte_security_pdcp_sn_size { 313 /** PDCP_SN_SIZE_5: 5bit sequence number */ 314 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 315 /** PDCP_SN_SIZE_7: 7bit sequence number */ 316 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 317 /** PDCP_SN_SIZE_12: 12bit sequence number */ 318 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 319 /** PDCP_SN_SIZE_15: 15bit sequence number */ 320 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 321 /** PDCP_SN_SIZE_18: 18bit sequence number */ 322 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 323 }; 324 325 /** 326 * PDCP security association configuration data. 327 * 328 * This structure contains data required to create a PDCP security session. 329 */ 330 struct rte_security_pdcp_xform { 331 int8_t bearer; /**< PDCP bearer ID */ 332 /** Enable in order delivery, this field shall be set only if 333 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 334 */ 335 uint8_t en_ordering; 336 /** Notify driver/HW to detect and remove duplicate packets. 337 * This field should be set only when driver/hw is capable. 338 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 339 */ 340 uint8_t remove_duplicates; 341 /** PDCP mode of operation: Control or data */ 342 enum rte_security_pdcp_domain domain; 343 /** PDCP Frame Direction 0:UL 1:DL */ 344 enum rte_security_pdcp_direction pkt_dir; 345 /** Sequence number size, 5/7/12/15/18 */ 346 enum rte_security_pdcp_sn_size sn_size; 347 /** Starting Hyper Frame Number to be used together with the SN 348 * from the PDCP frames 349 */ 350 uint32_t hfn; 351 /** HFN Threshold for key renegotiation */ 352 uint32_t hfn_threshold; 353 /** HFN can be given as a per packet value also. 354 * As we do not have IV in case of PDCP, and HFN is 355 * used to generate IV. IV field can be used to get the 356 * per packet HFN while enq/deq. 357 * If hfn_ovrd field is set, user is expected to set the 358 * per packet HFN in place of IV. PMDs will extract the HFN 359 * and perform operations accordingly. 360 */ 361 uint8_t hfn_ovrd; 362 /** In case of 5G NR, a new protocol (SDAP) header may be set 363 * inside PDCP payload which should be authenticated but not 364 * encrypted. Hence, driver should be notified if SDAP is 365 * enabled or not, so that SDAP header is not encrypted. 366 */ 367 uint8_t sdap_enabled; 368 /** Reserved for future */ 369 uint16_t reserved; 370 }; 371 372 /** DOCSIS direction */ 373 enum rte_security_docsis_direction { 374 RTE_SECURITY_DOCSIS_UPLINK, 375 /**< Uplink 376 * - Decryption, followed by CRC Verification 377 */ 378 RTE_SECURITY_DOCSIS_DOWNLINK, 379 /**< Downlink 380 * - CRC Generation, followed by Encryption 381 */ 382 }; 383 384 /** 385 * DOCSIS security session configuration. 386 * 387 * This structure contains data required to create a DOCSIS security session. 388 */ 389 struct rte_security_docsis_xform { 390 enum rte_security_docsis_direction direction; 391 /**< DOCSIS direction */ 392 }; 393 394 /** 395 * Security session action type. 396 */ 397 enum rte_security_session_action_type { 398 RTE_SECURITY_ACTION_TYPE_NONE, 399 /**< No security actions */ 400 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 401 /**< Crypto processing for security protocol is processed inline 402 * during transmission 403 */ 404 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 405 /**< All security protocol processing is performed inline during 406 * transmission 407 */ 408 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 409 /**< All security protocol processing including crypto is performed 410 * on a lookaside accelerator 411 */ 412 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 413 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 414 * protocol is processed synchronously by a CPU. 415 */ 416 }; 417 418 /** Security session protocol definition */ 419 enum rte_security_session_protocol { 420 RTE_SECURITY_PROTOCOL_IPSEC = 1, 421 /**< IPsec Protocol */ 422 RTE_SECURITY_PROTOCOL_MACSEC, 423 /**< MACSec Protocol */ 424 RTE_SECURITY_PROTOCOL_PDCP, 425 /**< PDCP Protocol */ 426 RTE_SECURITY_PROTOCOL_DOCSIS, 427 /**< DOCSIS Protocol */ 428 }; 429 430 /** 431 * Security session configuration 432 */ 433 struct rte_security_session_conf { 434 enum rte_security_session_action_type action_type; 435 /**< Type of action to be performed on the session */ 436 enum rte_security_session_protocol protocol; 437 /**< Security protocol to be configured */ 438 RTE_STD_C11 439 union { 440 struct rte_security_ipsec_xform ipsec; 441 struct rte_security_macsec_xform macsec; 442 struct rte_security_pdcp_xform pdcp; 443 struct rte_security_docsis_xform docsis; 444 }; 445 /**< Configuration parameters for security session */ 446 struct rte_crypto_sym_xform *crypto_xform; 447 /**< Security Session Crypto Transformations */ 448 void *userdata; 449 /**< Application specific userdata to be saved with session */ 450 }; 451 452 struct rte_security_session { 453 void *sess_private_data; 454 /**< Private session material */ 455 uint64_t opaque_data; 456 /**< Opaque user defined data */ 457 }; 458 459 /** 460 * Create security session as specified by the session configuration 461 * 462 * @param instance security instance 463 * @param conf session configuration parameters 464 * @param mp mempool to allocate session objects from 465 * @param priv_mp mempool to allocate session private data objects from 466 * @return 467 * - On success, pointer to session 468 * - On failure, NULL 469 */ 470 struct rte_security_session * 471 rte_security_session_create(struct rte_security_ctx *instance, 472 struct rte_security_session_conf *conf, 473 struct rte_mempool *mp, 474 struct rte_mempool *priv_mp); 475 476 /** 477 * Update security session as specified by the session configuration 478 * 479 * @param instance security instance 480 * @param sess session to update parameters 481 * @param conf update configuration parameters 482 * @return 483 * - On success returns 0 484 * - On failure returns a negative errno value. 485 */ 486 __rte_experimental 487 int 488 rte_security_session_update(struct rte_security_ctx *instance, 489 struct rte_security_session *sess, 490 struct rte_security_session_conf *conf); 491 492 /** 493 * Get the size of the security session data for a device. 494 * 495 * @param instance security instance. 496 * 497 * @return 498 * - Size of the private data, if successful 499 * - 0 if device is invalid or does not support the operation. 500 */ 501 unsigned int 502 rte_security_session_get_size(struct rte_security_ctx *instance); 503 504 /** 505 * Free security session header and the session private data and 506 * return it to its original mempool. 507 * 508 * @param instance security instance 509 * @param sess security session to be freed 510 * 511 * @return 512 * - 0 if successful. 513 * - -EINVAL if session or context instance is NULL. 514 * - -EBUSY if not all device private data has been freed. 515 * - -ENOTSUP if destroying private data is not supported. 516 * - other negative values in case of freeing private data errors. 517 */ 518 int 519 rte_security_session_destroy(struct rte_security_ctx *instance, 520 struct rte_security_session *sess); 521 522 /** Device-specific metadata field type */ 523 typedef uint64_t rte_security_dynfield_t; 524 /** Dynamic mbuf field for device-specific metadata */ 525 extern int rte_security_dynfield_offset; 526 527 /** 528 * @warning 529 * @b EXPERIMENTAL: this API may change without prior notice 530 * 531 * Get pointer to mbuf field for device-specific metadata. 532 * 533 * For performance reason, no check is done, 534 * the dynamic field may not be registered. 535 * @see rte_security_dynfield_is_registered 536 * 537 * @param mbuf packet to access 538 * @return pointer to mbuf field 539 */ 540 __rte_experimental 541 static inline rte_security_dynfield_t * 542 rte_security_dynfield(struct rte_mbuf *mbuf) 543 { 544 return RTE_MBUF_DYNFIELD(mbuf, 545 rte_security_dynfield_offset, 546 rte_security_dynfield_t *); 547 } 548 549 /** 550 * @warning 551 * @b EXPERIMENTAL: this API may change without prior notice 552 * 553 * Check whether the dynamic field is registered. 554 * 555 * @return true if rte_security_dynfield_register() has been called. 556 */ 557 __rte_experimental 558 static inline bool rte_security_dynfield_is_registered(void) 559 { 560 return rte_security_dynfield_offset >= 0; 561 } 562 563 /** Function to call PMD specific function pointer set_pkt_metadata() */ 564 __rte_experimental 565 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 566 struct rte_security_session *sess, 567 struct rte_mbuf *m, void *params); 568 569 /** 570 * Updates the buffer with device-specific defined metadata 571 * 572 * @param instance security instance 573 * @param sess security session 574 * @param mb packet mbuf to set metadata on. 575 * @param params device-specific defined parameters 576 * required for metadata 577 * 578 * @return 579 * - On success, zero. 580 * - On failure, a negative value. 581 */ 582 static inline int 583 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 584 struct rte_security_session *sess, 585 struct rte_mbuf *mb, void *params) 586 { 587 /* Fast Path */ 588 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 589 *rte_security_dynfield(mb) = 590 (rte_security_dynfield_t)(sess->sess_private_data); 591 return 0; 592 } 593 594 /* Jump to PMD specific function pointer */ 595 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 596 } 597 598 /** Function to call PMD specific function pointer get_userdata() */ 599 __rte_experimental 600 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance, 601 uint64_t md); 602 603 /** 604 * Get userdata associated with the security session. Device specific metadata 605 * provided would be used to uniquely identify the security session being 606 * referred to. This userdata would be registered while creating the session, 607 * and application can use this to identify the SA etc. 608 * 609 * Device specific metadata would be set in mbuf for inline processed inbound 610 * packets. In addition, the same metadata would be set for IPsec events 611 * reported by rte_eth_event framework. 612 * 613 * @param instance security instance 614 * @param md device-specific metadata 615 * 616 * @return 617 * - On success, userdata 618 * - On failure, NULL 619 */ 620 __rte_experimental 621 static inline void * 622 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md) 623 { 624 /* Fast Path */ 625 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA) 626 return (void *)(uintptr_t)md; 627 628 /* Jump to PMD specific function pointer */ 629 return __rte_security_get_userdata(instance, md); 630 } 631 632 /** 633 * Attach a session to a symmetric crypto operation 634 * 635 * @param sym_op crypto operation 636 * @param sess security session 637 */ 638 static inline int 639 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 640 struct rte_security_session *sess) 641 { 642 sym_op->sec_session = sess; 643 644 return 0; 645 } 646 647 static inline void * 648 get_sec_session_private_data(const struct rte_security_session *sess) 649 { 650 return sess->sess_private_data; 651 } 652 653 static inline void 654 set_sec_session_private_data(struct rte_security_session *sess, 655 void *private_data) 656 { 657 sess->sess_private_data = private_data; 658 } 659 660 /** 661 * Attach a session to a crypto operation. 662 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 663 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 664 * defined to perform security operations. 665 * 666 * @param op crypto operation 667 * @param sess security session 668 */ 669 static inline int 670 rte_security_attach_session(struct rte_crypto_op *op, 671 struct rte_security_session *sess) 672 { 673 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 674 return -EINVAL; 675 676 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 677 678 return __rte_security_attach_session(op->sym, sess); 679 } 680 681 struct rte_security_macsec_stats { 682 uint64_t reserved; 683 }; 684 685 struct rte_security_ipsec_stats { 686 uint64_t ipackets; /**< Successfully received IPsec packets. */ 687 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 688 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 689 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 690 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 691 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 692 uint64_t reserved1; /**< Reserved for future use. */ 693 uint64_t reserved2; /**< Reserved for future use. */ 694 }; 695 696 struct rte_security_pdcp_stats { 697 uint64_t reserved; 698 }; 699 700 struct rte_security_docsis_stats { 701 uint64_t reserved; 702 }; 703 704 struct rte_security_stats { 705 enum rte_security_session_protocol protocol; 706 /**< Security protocol to be configured */ 707 708 RTE_STD_C11 709 union { 710 struct rte_security_macsec_stats macsec; 711 struct rte_security_ipsec_stats ipsec; 712 struct rte_security_pdcp_stats pdcp; 713 struct rte_security_docsis_stats docsis; 714 }; 715 }; 716 717 /** 718 * Get security session statistics 719 * 720 * @param instance security instance 721 * @param sess security session 722 * If security session is NULL then global (per security instance) statistics 723 * will be retrieved, if supported. Global statistics collection is not 724 * dependent on the per session statistics configuration. 725 * @param stats statistics 726 * @return 727 * - On success, return 0 728 * - On failure, a negative value 729 */ 730 __rte_experimental 731 int 732 rte_security_session_stats_get(struct rte_security_ctx *instance, 733 struct rte_security_session *sess, 734 struct rte_security_stats *stats); 735 736 /** 737 * Security capability definition 738 */ 739 struct rte_security_capability { 740 enum rte_security_session_action_type action; 741 /**< Security action type*/ 742 enum rte_security_session_protocol protocol; 743 /**< Security protocol */ 744 RTE_STD_C11 745 union { 746 struct { 747 enum rte_security_ipsec_sa_protocol proto; 748 /**< IPsec SA protocol */ 749 enum rte_security_ipsec_sa_mode mode; 750 /**< IPsec SA mode */ 751 enum rte_security_ipsec_sa_direction direction; 752 /**< IPsec SA direction */ 753 struct rte_security_ipsec_sa_options options; 754 /**< IPsec SA supported options */ 755 uint32_t replay_win_sz_max; 756 /**< IPsec Anti Replay Window Size. A '0' value 757 * indicates that Anti Replay is not supported. 758 */ 759 } ipsec; 760 /**< IPsec capability */ 761 struct { 762 /* To be Filled */ 763 int dummy; 764 } macsec; 765 /**< MACsec capability */ 766 struct { 767 enum rte_security_pdcp_domain domain; 768 /**< PDCP mode of operation: Control or data */ 769 uint32_t capa_flags; 770 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 771 } pdcp; 772 /**< PDCP capability */ 773 struct { 774 enum rte_security_docsis_direction direction; 775 /**< DOCSIS direction */ 776 } docsis; 777 /**< DOCSIS capability */ 778 }; 779 780 const struct rte_cryptodev_capabilities *crypto_capabilities; 781 /**< Corresponding crypto capabilities for security capability */ 782 783 uint32_t ol_flags; 784 /**< Device offload flags */ 785 }; 786 787 /** Underlying Hardware/driver which support PDCP may or may not support 788 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 789 * If it is not set, driver/HW assumes packets received are in order 790 * and it will be application's responsibility to maintain ordering. 791 */ 792 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 793 794 /** Underlying Hardware/driver which support PDCP may or may not detect 795 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 796 * If it is not set, driver/HW assumes there is no duplicate packet received. 797 */ 798 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 799 800 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 801 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 802 */ 803 804 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 805 /**< HW constructs trailer of packets 806 * Transmitted packets will have the trailer added to them 807 * by hardware. The next protocol field will be based on 808 * the mbuf->inner_esp_next_proto field. 809 */ 810 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 811 /**< HW removes trailer of packets 812 * Received packets have no trailer, the next protocol field 813 * is supplied in the mbuf->inner_esp_next_proto field. 814 * Inner packet is not modified. 815 */ 816 817 /** 818 * Security capability index used to query a security instance for a specific 819 * security capability 820 */ 821 struct rte_security_capability_idx { 822 enum rte_security_session_action_type action; 823 enum rte_security_session_protocol protocol; 824 825 RTE_STD_C11 826 union { 827 struct { 828 enum rte_security_ipsec_sa_protocol proto; 829 enum rte_security_ipsec_sa_mode mode; 830 enum rte_security_ipsec_sa_direction direction; 831 } ipsec; 832 struct { 833 enum rte_security_pdcp_domain domain; 834 uint32_t capa_flags; 835 } pdcp; 836 struct { 837 enum rte_security_docsis_direction direction; 838 } docsis; 839 }; 840 }; 841 842 /** 843 * Returns array of security instance capabilities 844 * 845 * @param instance Security instance. 846 * 847 * @return 848 * - Returns array of security capabilities. 849 * - Return NULL if no capabilities available. 850 */ 851 const struct rte_security_capability * 852 rte_security_capabilities_get(struct rte_security_ctx *instance); 853 854 /** 855 * Query if a specific capability is available on security instance 856 * 857 * @param instance security instance. 858 * @param idx security capability index to match against 859 * 860 * @return 861 * - Returns pointer to security capability on match of capability 862 * index criteria. 863 * - Return NULL if the capability not matched on security instance. 864 */ 865 const struct rte_security_capability * 866 rte_security_capability_get(struct rte_security_ctx *instance, 867 struct rte_security_capability_idx *idx); 868 869 #ifdef __cplusplus 870 } 871 #endif 872 873 #endif /* _RTE_SECURITY_H_ */ 874