1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 */ 14 15 #ifdef __cplusplus 16 extern "C" { 17 #endif 18 19 #include <sys/types.h> 20 21 #include <rte_compat.h> 22 #include <rte_common.h> 23 #include <rte_crypto.h> 24 #include <rte_ip.h> 25 #include <rte_mbuf_dyn.h> 26 27 /** IPSec protocol mode */ 28 enum rte_security_ipsec_sa_mode { 29 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 30 /**< IPSec Transport mode */ 31 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 32 /**< IPSec Tunnel mode */ 33 }; 34 35 /** IPSec Protocol */ 36 enum rte_security_ipsec_sa_protocol { 37 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 38 /**< AH protocol */ 39 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 40 /**< ESP protocol */ 41 }; 42 43 /** IPSEC tunnel type */ 44 enum rte_security_ipsec_tunnel_type { 45 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 46 /**< Outer header is IPv4 */ 47 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 48 /**< Outer header is IPv6 */ 49 }; 50 51 /** 52 * IPSEC tunnel header verification mode 53 * 54 * Controls how outer IP header is verified in inbound. 55 */ 56 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 58 59 /** 60 * Security context for crypto/eth devices 61 * 62 * Security instance for each driver to register security operations. 63 * The application can get the security context from the crypto/eth device id 64 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 65 * This structure is used to identify the device(crypto/eth) for which the 66 * security operations need to be performed. 67 */ 68 struct rte_security_ctx { 69 void *device; 70 /**< Crypto/ethernet device attached */ 71 const struct rte_security_ops *ops; 72 /**< Pointer to security ops for the device */ 73 uint16_t sess_cnt; 74 /**< Number of sessions attached to this context */ 75 uint16_t macsec_sc_cnt; 76 /**< Number of MACsec SC attached to this context */ 77 uint16_t macsec_sa_cnt; 78 /**< Number of MACsec SA attached to this context */ 79 uint32_t flags; 80 /**< Flags for security context */ 81 }; 82 83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 84 /**< Driver uses fast metadata update without using driver specific callback. 85 * For fast mdata, mbuf dynamic field would be registered by driver 86 * via rte_security_dynfield_register(). 87 */ 88 89 /** 90 * IPSEC tunnel parameters 91 * 92 * These parameters are used to build outbound tunnel headers. 93 */ 94 struct rte_security_ipsec_tunnel_param { 95 enum rte_security_ipsec_tunnel_type type; 96 /**< Tunnel type: IPv4 or IPv6 */ 97 union { 98 struct { 99 struct in_addr src_ip; 100 /**< IPv4 source address */ 101 struct in_addr dst_ip; 102 /**< IPv4 destination address */ 103 uint8_t dscp; 104 /**< IPv4 Differentiated Services Code Point */ 105 uint8_t df; 106 /**< IPv4 Don't Fragment bit */ 107 uint8_t ttl; 108 /**< IPv4 Time To Live */ 109 } ipv4; 110 /**< IPv4 header parameters */ 111 struct { 112 struct in6_addr src_addr; 113 /**< IPv6 source address */ 114 struct in6_addr dst_addr; 115 /**< IPv6 destination address */ 116 uint8_t dscp; 117 /**< IPv6 Differentiated Services Code Point */ 118 uint32_t flabel; 119 /**< IPv6 flow label */ 120 uint8_t hlimit; 121 /**< IPv6 hop limit */ 122 } ipv6; 123 /**< IPv6 header parameters */ 124 }; 125 }; 126 127 struct rte_security_ipsec_udp_param { 128 uint16_t sport; 129 uint16_t dport; 130 }; 131 132 /** 133 * IPsec Security Association option flags 134 */ 135 struct rte_security_ipsec_sa_options { 136 /** Extended Sequence Numbers (ESN) 137 * 138 * * 1: Use extended (64 bit) sequence numbers 139 * * 0: Use normal sequence numbers 140 */ 141 uint32_t esn : 1; 142 143 /** UDP encapsulation 144 * 145 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 146 * traverse through NAT boxes. 147 * * 0: No UDP encapsulation 148 */ 149 uint32_t udp_encap : 1; 150 151 /** Copy DSCP bits 152 * 153 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 154 * the outer IP header in encapsulation, and vice versa in 155 * decapsulation. 156 * * 0: Do not change DSCP field. 157 */ 158 uint32_t copy_dscp : 1; 159 160 /** Copy IPv6 Flow Label 161 * 162 * * 1: Copy IPv6 flow label from inner IPv6 header to the 163 * outer IPv6 header. 164 * * 0: Outer header is not modified. 165 */ 166 uint32_t copy_flabel : 1; 167 168 /** Copy IPv4 Don't Fragment bit 169 * 170 * * 1: Copy the DF bit from the inner IPv4 header to the outer 171 * IPv4 header. 172 * * 0: Outer header is not modified. 173 */ 174 uint32_t copy_df : 1; 175 176 /** Decrement inner packet Time To Live (TTL) field 177 * 178 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 179 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 180 * encapsulation. 181 * * 0: Inner packet is not modified. 182 */ 183 uint32_t dec_ttl : 1; 184 185 /** Explicit Congestion Notification (ECN) 186 * 187 * * 1: In tunnel mode, enable outer header ECN Field copied from 188 * inner header in tunnel encapsulation, or inner header ECN 189 * field construction in decapsulation. 190 * * 0: Inner/outer header are not modified. 191 */ 192 uint32_t ecn : 1; 193 194 /** Security statistics 195 * 196 * * 1: Enable per session security statistics collection for 197 * this SA, if supported by the driver. 198 * * 0: Disable per session security statistics collection for this SA. 199 */ 200 uint32_t stats : 1; 201 202 /** Disable IV generation in PMD 203 * 204 * * 1: Disable IV generation in PMD. When disabled, IV provided in 205 * rte_crypto_op will be used by the PMD. 206 * 207 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 208 * value would be used and application is not required to provide 209 * IV. 210 * 211 * Note: For inline cases, IV generation would always need to be handled 212 * by the PMD. 213 */ 214 uint32_t iv_gen_disable : 1; 215 216 /** Verify tunnel header in inbound 217 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 218 * IP address. 219 * 220 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 221 * source and destination IP addresses. 222 */ 223 uint32_t tunnel_hdr_verify : 2; 224 225 /** Verify UDP encapsulation ports in inbound 226 * 227 * * 1: Match UDP source and destination ports 228 * * 0: Do not match UDP ports 229 */ 230 uint32_t udp_ports_verify : 1; 231 232 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 233 * 234 * * 1: For outbound, compute inner packet IPv4 header checksum 235 * before tunnel encapsulation and for inbound, verify after 236 * tunnel decapsulation. 237 * * 0: Inner packet IP header checksum is not computed/verified. 238 * 239 * The checksum verification status would be set in mbuf using 240 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 241 * 242 * Inner IP checksum computation can also be enabled(per operation) 243 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 244 */ 245 uint32_t ip_csum_enable : 1; 246 247 /** Compute/verify inner packet L4 checksum in tunnel mode 248 * 249 * * 1: For outbound, compute inner packet L4 checksum before 250 * tunnel encapsulation and for inbound, verify after 251 * tunnel decapsulation. 252 * * 0: Inner packet L4 checksum is not computed/verified. 253 * 254 * The checksum verification status would be set in mbuf using 255 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 256 * 257 * Inner L4 checksum computation can also be enabled(per operation) 258 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 259 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 260 */ 261 uint32_t l4_csum_enable : 1; 262 263 /** Enable IP reassembly on inline inbound packets. 264 * 265 * * 1: Enable driver to try reassembly of encrypted IP packets for 266 * this SA, if supported by the driver. This feature will work 267 * only if user has successfully set IP reassembly config params 268 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 269 * device. PMD need to register mbuf dynamic fields using 270 * rte_eth_ip_reassembly_dynfield_register() and security session 271 * creation would fail if dynfield is not registered successfully. 272 * * 0: Disable IP reassembly of packets (default). 273 */ 274 uint32_t ip_reassembly_en : 1; 275 276 /** Reserved bit fields for future extension 277 * 278 * User should ensure reserved_opts is cleared as it may change in 279 * subsequent releases to support new options. 280 * 281 * Note: Reduce number of bits in reserved_opts for every new option. 282 */ 283 uint32_t reserved_opts : 17; 284 }; 285 286 /** IPSec security association direction */ 287 enum rte_security_ipsec_sa_direction { 288 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 289 /**< Encrypt and generate digest */ 290 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 291 /**< Verify digest and decrypt */ 292 }; 293 294 /** 295 * Configure soft and hard lifetime of an IPsec SA 296 * 297 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 298 * that can be processed. IPsec operations would start failing once any hard 299 * limit is reached. 300 * 301 * Soft limits can be specified to generate notification when the SA is 302 * approaching hard limits for lifetime. For inline operations, reaching soft 303 * expiry limit would result in raising an eth event for the same. For lookaside 304 * operations, this would result in a warning returned in 305 * ``rte_crypto_op.aux_flags``. 306 */ 307 struct rte_security_ipsec_lifetime { 308 uint64_t packets_soft_limit; 309 /**< Soft expiry limit in number of packets */ 310 uint64_t bytes_soft_limit; 311 /**< Soft expiry limit in bytes */ 312 uint64_t packets_hard_limit; 313 /**< Hard expiry limit in number of packets */ 314 uint64_t bytes_hard_limit; 315 /**< Hard expiry limit in bytes */ 316 }; 317 318 /** 319 * IPsec security association configuration data. 320 * 321 * This structure contains data required to create an IPsec SA security session. 322 */ 323 struct rte_security_ipsec_xform { 324 uint32_t spi; 325 /**< SA security parameter index */ 326 uint32_t salt; 327 /**< SA salt */ 328 struct rte_security_ipsec_sa_options options; 329 /**< various SA options */ 330 enum rte_security_ipsec_sa_direction direction; 331 /**< IPSec SA Direction - Egress/Ingress */ 332 enum rte_security_ipsec_sa_protocol proto; 333 /**< IPsec SA Protocol - AH/ESP */ 334 enum rte_security_ipsec_sa_mode mode; 335 /**< IPsec SA Mode - transport/tunnel */ 336 struct rte_security_ipsec_tunnel_param tunnel; 337 /**< Tunnel parameters, NULL for transport mode */ 338 struct rte_security_ipsec_lifetime life; 339 /**< IPsec SA lifetime */ 340 uint32_t replay_win_sz; 341 /**< Anti replay window size to enable sequence replay attack handling. 342 * replay checking is disabled if the window size is 0. 343 */ 344 union { 345 uint64_t value; 346 struct { 347 uint32_t low; 348 uint32_t hi; 349 }; 350 } esn; 351 /**< Extended Sequence Number */ 352 struct rte_security_ipsec_udp_param udp; 353 /**< UDP parameters, ignored when udp_encap option not specified */ 354 }; 355 356 /** 357 * MACSec packet flow direction 358 */ 359 enum rte_security_macsec_direction { 360 /** Generate SecTag and encrypt/authenticate */ 361 RTE_SECURITY_MACSEC_DIR_TX, 362 /** Remove SecTag and decrypt/verify */ 363 RTE_SECURITY_MACSEC_DIR_RX, 364 }; 365 366 /** Maximum number of association numbers for a secure channel. */ 367 #define RTE_SECURITY_MACSEC_NUM_AN 4 368 /** Salt length for MACsec SA. */ 369 #define RTE_SECURITY_MACSEC_SALT_LEN 12 370 371 /** 372 * MACsec secure association (SA) configuration structure. 373 */ 374 struct rte_security_macsec_sa { 375 /** Direction of SA */ 376 enum rte_security_macsec_direction dir; 377 /** MACsec SA key for AES-GCM 128/256 */ 378 struct { 379 const uint8_t *data; /**< pointer to key data */ 380 uint16_t length; /**< key length in bytes */ 381 } key; 382 /** 96-bit value distributed by key agreement protocol */ 383 uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; 384 /** Association number to be used */ 385 uint8_t an : 2; 386 /** Short Secure Channel Identifier, to be used for XPN cases */ 387 uint32_t ssci; 388 /** Extended packet number */ 389 uint32_t xpn; 390 /** Packet number expected/ to be used for next packet of this SA */ 391 uint32_t next_pn; 392 }; 393 394 /** 395 * MACsec Secure Channel configuration parameters. 396 */ 397 struct rte_security_macsec_sc { 398 /** Direction of SC */ 399 enum rte_security_macsec_direction dir; 400 /** Packet number threshold */ 401 uint64_t pn_threshold; 402 union { 403 struct { 404 /** SAs for each association number */ 405 uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; 406 /** flag to denote which all SAs are in use for each association number */ 407 uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; 408 /** Channel is active */ 409 uint8_t active : 1; 410 /** Extended packet number is enabled for SAs */ 411 uint8_t is_xpn : 1; 412 /** Reserved bitfields for future */ 413 uint8_t reserved : 6; 414 } sc_rx; 415 struct { 416 uint16_t sa_id; /**< SA ID to be used for encryption */ 417 uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */ 418 uint64_t sci; /**< SCI value to be used if send_sci is set */ 419 uint8_t active : 1; /**< Channel is active */ 420 uint8_t re_key_en : 1; /**< Enable Rekeying */ 421 /** Extended packet number is enabled for SAs */ 422 uint8_t is_xpn : 1; 423 /** Reserved bitfields for future */ 424 uint8_t reserved : 5; 425 } sc_tx; 426 }; 427 }; 428 429 /** 430 * MACsec Supported Algorithm list as per IEEE Std 802.1AE. 431 */ 432 enum rte_security_macsec_alg { 433 RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ 434 RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ 435 RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ 436 RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ 437 }; 438 439 /** Disable Validation of MACsec frame. */ 440 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 441 /** Validate MACsec frame but do not discard invalid frame. */ 442 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 443 /** Validate MACsec frame and discart invalid frame. */ 444 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 445 /** Do not perform any MACsec operation. */ 446 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 447 448 /** 449 * MACsec security session configuration 450 */ 451 struct rte_security_macsec_xform { 452 /** Direction of flow/secure channel */ 453 enum rte_security_macsec_direction dir; 454 /** MACsec algorithm to be used */ 455 enum rte_security_macsec_alg alg; 456 /** Cipher offset from start of Ethernet header */ 457 uint8_t cipher_off; 458 /** 459 * SCI to be used for RX flow identification or 460 * to set SCI in packet for TX when send_sci is set 461 */ 462 uint64_t sci; 463 /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */ 464 uint16_t sc_id; 465 union { 466 struct { 467 /** MTU for transmit frame (valid for inline processing) */ 468 uint16_t mtu; 469 /** 470 * Offset to insert sectag from start of ethernet header or 471 * from a matching VLAN tag 472 */ 473 uint8_t sectag_off; 474 /** Enable MACsec protection of frames */ 475 uint16_t protect_frames : 1; 476 /** 477 * Sectag insertion mode 478 * If 1, Sectag is inserted at fixed sectag_off set above. 479 * If 0, Sectag is inserted at relative sectag_off from a matching 480 * VLAN tag set. 481 */ 482 uint16_t sectag_insert_mode : 1; 483 /** ICV includes source and destination MAC addresses */ 484 uint16_t icv_include_da_sa : 1; 485 /** Control port is enabled */ 486 uint16_t ctrl_port_enable : 1; 487 /** Version of MACsec header. Should be 0 */ 488 uint16_t sectag_version : 1; 489 /** Enable end station. SCI is not valid */ 490 uint16_t end_station : 1; 491 /** Send SCI along with sectag */ 492 uint16_t send_sci : 1; 493 /** enable secure channel support EPON - single copy broadcast */ 494 uint16_t scb : 1; 495 /** 496 * Enable packet encryption and set RTE_MACSEC_TCI_C and 497 * RTE_MACSEC_TCI_E in sectag 498 */ 499 uint16_t encrypt : 1; 500 /** Reserved bitfields for future */ 501 uint16_t reserved : 7; 502 } tx_secy; 503 struct { 504 /** Replay Window size to be supported */ 505 uint32_t replay_win_sz; 506 /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ 507 uint16_t validate_frames : 2; 508 /** ICV includes source and destination MAC addresses */ 509 uint16_t icv_include_da_sa : 1; 510 /** Control port is enabled */ 511 uint16_t ctrl_port_enable : 1; 512 /** Do not strip SecTAG after processing */ 513 uint16_t preserve_sectag : 1; 514 /** Do not strip ICV from the packet after processing */ 515 uint16_t preserve_icv : 1; 516 /** Enable anti-replay protection */ 517 uint16_t replay_protect : 1; 518 /** Reserved bitfields for future */ 519 uint16_t reserved : 9; 520 } rx_secy; 521 }; 522 }; 523 524 /** 525 * PDCP Mode of session 526 */ 527 enum rte_security_pdcp_domain { 528 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 529 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 530 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 531 }; 532 533 /** PDCP Frame direction */ 534 enum rte_security_pdcp_direction { 535 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 536 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 537 }; 538 539 /** PDCP Sequence Number Size selectors */ 540 enum rte_security_pdcp_sn_size { 541 /** PDCP_SN_SIZE_5: 5bit sequence number */ 542 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 543 /** PDCP_SN_SIZE_7: 7bit sequence number */ 544 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 545 /** PDCP_SN_SIZE_12: 12bit sequence number */ 546 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 547 /** PDCP_SN_SIZE_15: 15bit sequence number */ 548 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 549 /** PDCP_SN_SIZE_18: 18bit sequence number */ 550 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 551 }; 552 553 /** 554 * PDCP security association configuration data. 555 * 556 * This structure contains data required to create a PDCP security session. 557 */ 558 struct rte_security_pdcp_xform { 559 int8_t bearer; /**< PDCP bearer ID */ 560 /** Enable in order delivery, this field shall be set only if 561 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 562 */ 563 uint8_t en_ordering; 564 /** Notify driver/HW to detect and remove duplicate packets. 565 * This field should be set only when driver/hw is capable. 566 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 567 */ 568 uint8_t remove_duplicates; 569 /** PDCP mode of operation: Control or data */ 570 enum rte_security_pdcp_domain domain; 571 /** PDCP Frame Direction 0:UL 1:DL */ 572 enum rte_security_pdcp_direction pkt_dir; 573 /** Sequence number size, 5/7/12/15/18 */ 574 enum rte_security_pdcp_sn_size sn_size; 575 /** Starting Hyper Frame Number to be used together with the SN 576 * from the PDCP frames 577 */ 578 uint32_t hfn; 579 /** HFN Threshold for key renegotiation */ 580 uint32_t hfn_threshold; 581 /** HFN can be given as a per packet value also. 582 * As we do not have IV in case of PDCP, and HFN is 583 * used to generate IV. IV field can be used to get the 584 * per packet HFN while enq/deq. 585 * If hfn_ovrd field is set, user is expected to set the 586 * per packet HFN in place of IV. PMDs will extract the HFN 587 * and perform operations accordingly. 588 */ 589 uint8_t hfn_ovrd; 590 /** In case of 5G NR, a new protocol (SDAP) header may be set 591 * inside PDCP payload which should be authenticated but not 592 * encrypted. Hence, driver should be notified if SDAP is 593 * enabled or not, so that SDAP header is not encrypted. 594 */ 595 uint8_t sdap_enabled; 596 /** Reserved for future */ 597 uint16_t reserved; 598 }; 599 600 /** DOCSIS direction */ 601 enum rte_security_docsis_direction { 602 RTE_SECURITY_DOCSIS_UPLINK, 603 /**< Uplink 604 * - Decryption, followed by CRC Verification 605 */ 606 RTE_SECURITY_DOCSIS_DOWNLINK, 607 /**< Downlink 608 * - CRC Generation, followed by Encryption 609 */ 610 }; 611 612 /** 613 * DOCSIS security session configuration. 614 * 615 * This structure contains data required to create a DOCSIS security session. 616 */ 617 struct rte_security_docsis_xform { 618 enum rte_security_docsis_direction direction; 619 /**< DOCSIS direction */ 620 }; 621 622 /** 623 * Security session action type. 624 */ 625 /* Enumeration of rte_security_session_action_type 8<*/ 626 enum rte_security_session_action_type { 627 RTE_SECURITY_ACTION_TYPE_NONE, 628 /**< No security actions */ 629 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 630 /**< Crypto processing for security protocol is processed inline 631 * during transmission 632 */ 633 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 634 /**< All security protocol processing is performed inline during 635 * transmission 636 */ 637 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 638 /**< All security protocol processing including crypto is performed 639 * on a lookaside accelerator 640 */ 641 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 642 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 643 * protocol is processed synchronously by a CPU. 644 */ 645 }; 646 /* >8 End enumeration of rte_security_session_action_type. */ 647 648 /** Security session protocol definition */ 649 /* Enumeration of rte_security_session_protocol 8<*/ 650 enum rte_security_session_protocol { 651 RTE_SECURITY_PROTOCOL_IPSEC = 1, 652 /**< IPsec Protocol */ 653 RTE_SECURITY_PROTOCOL_MACSEC, 654 /**< MACSec Protocol */ 655 RTE_SECURITY_PROTOCOL_PDCP, 656 /**< PDCP Protocol */ 657 RTE_SECURITY_PROTOCOL_DOCSIS, 658 /**< DOCSIS Protocol */ 659 }; 660 /* >8 End enumeration of rte_security_session_protocol. */ 661 662 /** 663 * Security session configuration 664 */ 665 /* Structure rte_security_session_conf 8< */ 666 struct rte_security_session_conf { 667 enum rte_security_session_action_type action_type; 668 /**< Type of action to be performed on the session */ 669 enum rte_security_session_protocol protocol; 670 /**< Security protocol to be configured */ 671 union { 672 struct rte_security_ipsec_xform ipsec; 673 struct rte_security_macsec_xform macsec; 674 struct rte_security_pdcp_xform pdcp; 675 struct rte_security_docsis_xform docsis; 676 }; 677 /**< Configuration parameters for security session */ 678 struct rte_crypto_sym_xform *crypto_xform; 679 /**< Security Session Crypto Transformations. NULL in case of MACsec. */ 680 void *userdata; 681 /**< Application specific userdata to be saved with session */ 682 }; 683 /* >8 End of structure rte_security_session_conf. */ 684 685 /** 686 * Create security session as specified by the session configuration 687 * 688 * @param instance security instance 689 * @param conf session configuration parameters 690 * @param mp mempool to allocate session objects from 691 * @return 692 * - On success, pointer to session 693 * - On failure, NULL 694 */ 695 void * 696 rte_security_session_create(struct rte_security_ctx *instance, 697 struct rte_security_session_conf *conf, 698 struct rte_mempool *mp); 699 700 /** 701 * Update security session as specified by the session configuration 702 * 703 * @param instance security instance 704 * @param sess session to update parameters 705 * @param conf update configuration parameters 706 * @return 707 * - On success returns 0 708 * - On failure returns a negative errno value. 709 */ 710 __rte_experimental 711 int 712 rte_security_session_update(struct rte_security_ctx *instance, 713 void *sess, 714 struct rte_security_session_conf *conf); 715 716 /** 717 * Get the size of the security session data for a device. 718 * 719 * @param instance security instance. 720 * 721 * @return 722 * - Size of the private data, if successful 723 * - 0 if device is invalid or does not support the operation. 724 */ 725 unsigned int 726 rte_security_session_get_size(struct rte_security_ctx *instance); 727 728 /** 729 * Free security session header and the session private data and 730 * return it to its original mempool. 731 * 732 * @param instance security instance 733 * @param sess security session to be freed 734 * 735 * @return 736 * - 0 if successful. 737 * - -EINVAL if session or context instance is NULL. 738 * - -EBUSY if not all device private data has been freed. 739 * - -ENOTSUP if destroying private data is not supported. 740 * - other negative values in case of freeing private data errors. 741 */ 742 int 743 rte_security_session_destroy(struct rte_security_ctx *instance, void *sess); 744 745 /** 746 * @warning 747 * @b EXPERIMENTAL: this API may change without prior notice 748 * 749 * Create MACsec security channel (SC). 750 * 751 * @param instance security instance 752 * @param conf MACsec SC configuration params 753 * @return 754 * - secure channel ID if successful. 755 * - -EINVAL if configuration params are invalid of instance is NULL. 756 * - -ENOTSUP if device does not support MACsec. 757 * - -ENOMEM if PMD is not capable to create more SC. 758 * - other negative value for other errors. 759 */ 760 __rte_experimental 761 int 762 rte_security_macsec_sc_create(struct rte_security_ctx *instance, 763 struct rte_security_macsec_sc *conf); 764 765 /** 766 * @warning 767 * @b EXPERIMENTAL: this API may change without prior notice 768 * 769 * Destroy MACsec security channel (SC). 770 * 771 * @param instance security instance 772 * @param sc_id SC ID to be destroyed 773 * @param dir direction of the SC 774 * @return 775 * - 0 if successful. 776 * - -EINVAL if sc_id is invalid or instance is NULL. 777 * - -EBUSY if sc is being used by some session. 778 */ 779 __rte_experimental 780 int 781 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id, 782 enum rte_security_macsec_direction dir); 783 784 /** 785 * @warning 786 * @b EXPERIMENTAL: this API may change without prior notice 787 * 788 * Create MACsec security association (SA). 789 * 790 * @param instance security instance 791 * @param conf MACsec SA configuration params 792 * @return 793 * - positive SA ID if successful. 794 * - -EINVAL if configuration params are invalid of instance is NULL. 795 * - -ENOTSUP if device does not support MACsec. 796 * - -ENOMEM if PMD is not capable to create more SAs. 797 * - other negative value for other errors. 798 */ 799 __rte_experimental 800 int 801 rte_security_macsec_sa_create(struct rte_security_ctx *instance, 802 struct rte_security_macsec_sa *conf); 803 804 /** 805 * @warning 806 * @b EXPERIMENTAL: this API may change without prior notice 807 * 808 * Destroy MACsec security association (SA). 809 * 810 * @param instance security instance 811 * @param sa_id SA ID to be destroyed 812 * @param dir direction of the SA 813 * @return 814 * - 0 if successful. 815 * - -EINVAL if sa_id is invalid or instance is NULL. 816 * - -EBUSY if sa is being used by some session. 817 */ 818 __rte_experimental 819 int 820 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id, 821 enum rte_security_macsec_direction dir); 822 823 /** Device-specific metadata field type */ 824 typedef uint64_t rte_security_dynfield_t; 825 /** Dynamic mbuf field for device-specific metadata */ 826 extern int rte_security_dynfield_offset; 827 828 /** 829 * @warning 830 * @b EXPERIMENTAL: this API may change without prior notice 831 * 832 * Get pointer to mbuf field for device-specific metadata. 833 * 834 * For performance reason, no check is done, 835 * the dynamic field may not be registered. 836 * @see rte_security_dynfield_is_registered 837 * 838 * @param mbuf packet to access 839 * @return pointer to mbuf field 840 */ 841 __rte_experimental 842 static inline rte_security_dynfield_t * 843 rte_security_dynfield(struct rte_mbuf *mbuf) 844 { 845 return RTE_MBUF_DYNFIELD(mbuf, 846 rte_security_dynfield_offset, 847 rte_security_dynfield_t *); 848 } 849 850 /** 851 * @warning 852 * @b EXPERIMENTAL: this API may change without prior notice 853 * 854 * Check whether the dynamic field is registered. 855 * 856 * @return true if rte_security_dynfield_register() has been called. 857 */ 858 __rte_experimental 859 static inline bool rte_security_dynfield_is_registered(void) 860 { 861 return rte_security_dynfield_offset >= 0; 862 } 863 864 #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 865 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 866 /** 867 * Get opaque data from session handle 868 */ 869 static inline uint64_t 870 rte_security_session_opaque_data_get(void *sess) 871 { 872 return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 873 } 874 875 /** 876 * Set opaque data in session handle 877 */ 878 static inline void 879 rte_security_session_opaque_data_set(void *sess, uint64_t opaque) 880 { 881 uint64_t *data; 882 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 883 *data = opaque; 884 } 885 886 /** 887 * Get fast mdata from session handle 888 */ 889 static inline uint64_t 890 rte_security_session_fast_mdata_get(void *sess) 891 { 892 return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF); 893 } 894 895 /** 896 * Set fast mdata in session handle 897 */ 898 static inline void 899 rte_security_session_fast_mdata_set(void *sess, uint64_t fdata) 900 { 901 uint64_t *data; 902 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF); 903 *data = fdata; 904 } 905 906 /** Function to call PMD specific function pointer set_pkt_metadata() */ 907 __rte_experimental 908 int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 909 void *sess, 910 struct rte_mbuf *m, void *params); 911 912 /** 913 * Updates the buffer with device-specific defined metadata 914 * 915 * @param instance security instance 916 * @param sess security session 917 * @param mb packet mbuf to set metadata on. 918 * @param params device-specific defined parameters 919 * required for metadata 920 * 921 * @return 922 * - On success, zero. 923 * - On failure, a negative value. 924 */ 925 static inline int 926 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 927 void *sess, 928 struct rte_mbuf *mb, void *params) 929 { 930 /* Fast Path */ 931 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 932 *rte_security_dynfield(mb) = (rte_security_dynfield_t) 933 rte_security_session_fast_mdata_get(sess); 934 return 0; 935 } 936 937 /* Jump to PMD specific function pointer */ 938 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 939 } 940 941 /** 942 * Attach a session to a symmetric crypto operation 943 * 944 * @param sym_op crypto operation 945 * @param sess security session 946 */ 947 static inline int 948 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess) 949 { 950 sym_op->session = sess; 951 952 return 0; 953 } 954 955 /** 956 * Attach a session to a crypto operation. 957 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 958 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 959 * defined to perform security operations. 960 * 961 * @param op crypto operation 962 * @param sess security session 963 */ 964 static inline int 965 rte_security_attach_session(struct rte_crypto_op *op, 966 void *sess) 967 { 968 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 969 return -EINVAL; 970 971 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 972 973 return __rte_security_attach_session(op->sym, sess); 974 } 975 976 struct rte_security_macsec_secy_stats { 977 uint64_t ctl_pkt_bcast_cnt; 978 uint64_t ctl_pkt_mcast_cnt; 979 uint64_t ctl_pkt_ucast_cnt; 980 uint64_t ctl_octet_cnt; 981 uint64_t unctl_pkt_bcast_cnt; 982 uint64_t unctl_pkt_mcast_cnt; 983 uint64_t unctl_pkt_ucast_cnt; 984 uint64_t unctl_octet_cnt; 985 /* Valid only for Rx */ 986 uint64_t octet_decrypted_cnt; 987 uint64_t octet_validated_cnt; 988 uint64_t pkt_port_disabled_cnt; 989 uint64_t pkt_badtag_cnt; 990 uint64_t pkt_nosa_cnt; 991 uint64_t pkt_nosaerror_cnt; 992 uint64_t pkt_tagged_ctl_cnt; 993 uint64_t pkt_untaged_cnt; 994 uint64_t pkt_ctl_cnt; 995 uint64_t pkt_notag_cnt; 996 /* Valid only for Tx */ 997 uint64_t octet_encrypted_cnt; 998 uint64_t octet_protected_cnt; 999 uint64_t pkt_noactivesa_cnt; 1000 uint64_t pkt_toolong_cnt; 1001 uint64_t pkt_untagged_cnt; 1002 }; 1003 1004 struct rte_security_macsec_sc_stats { 1005 /* Rx */ 1006 uint64_t hit_cnt; 1007 uint64_t pkt_invalid_cnt; 1008 uint64_t pkt_late_cnt; 1009 uint64_t pkt_notvalid_cnt; 1010 uint64_t pkt_unchecked_cnt; 1011 uint64_t pkt_delay_cnt; 1012 uint64_t pkt_ok_cnt; 1013 uint64_t octet_decrypt_cnt; 1014 uint64_t octet_validate_cnt; 1015 /* Tx */ 1016 uint64_t pkt_encrypt_cnt; 1017 uint64_t pkt_protected_cnt; 1018 uint64_t octet_encrypt_cnt; 1019 uint64_t octet_protected_cnt; 1020 }; 1021 1022 struct rte_security_macsec_sa_stats { 1023 /* Rx */ 1024 uint64_t pkt_invalid_cnt; 1025 uint64_t pkt_nosaerror_cnt; 1026 uint64_t pkt_notvalid_cnt; 1027 uint64_t pkt_ok_cnt; 1028 uint64_t pkt_nosa_cnt; 1029 /* Tx */ 1030 uint64_t pkt_encrypt_cnt; 1031 uint64_t pkt_protected_cnt; 1032 }; 1033 1034 struct rte_security_ipsec_stats { 1035 uint64_t ipackets; /**< Successfully received IPsec packets. */ 1036 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 1037 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 1038 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 1039 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 1040 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 1041 uint64_t reserved1; /**< Reserved for future use. */ 1042 uint64_t reserved2; /**< Reserved for future use. */ 1043 }; 1044 1045 struct rte_security_pdcp_stats { 1046 uint64_t reserved; 1047 }; 1048 1049 struct rte_security_docsis_stats { 1050 uint64_t reserved; 1051 }; 1052 1053 struct rte_security_stats { 1054 enum rte_security_session_protocol protocol; 1055 /**< Security protocol to be configured */ 1056 1057 union { 1058 struct rte_security_macsec_secy_stats macsec; 1059 struct rte_security_ipsec_stats ipsec; 1060 struct rte_security_pdcp_stats pdcp; 1061 struct rte_security_docsis_stats docsis; 1062 }; 1063 }; 1064 1065 /** 1066 * Get security session statistics 1067 * 1068 * @param instance security instance 1069 * @param sess security session 1070 * If security session is NULL then global (per security instance) statistics 1071 * will be retrieved, if supported. Global statistics collection is not 1072 * dependent on the per session statistics configuration. 1073 * @param stats statistics 1074 * @return 1075 * - On success, return 0 1076 * - On failure, a negative value 1077 */ 1078 __rte_experimental 1079 int 1080 rte_security_session_stats_get(struct rte_security_ctx *instance, 1081 void *sess, 1082 struct rte_security_stats *stats); 1083 1084 /** 1085 * @warning 1086 * @b EXPERIMENTAL: this API may change without prior notice 1087 * 1088 * Get MACsec SA statistics. 1089 * 1090 * @param instance security instance 1091 * @param sa_id SA ID for which stats are needed 1092 * @param dir direction of the SA 1093 * @param stats statistics 1094 * @return 1095 * - On success, return 0. 1096 * - On failure, a negative value. 1097 */ 1098 __rte_experimental 1099 int 1100 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, 1101 uint16_t sa_id, enum rte_security_macsec_direction dir, 1102 struct rte_security_macsec_sa_stats *stats); 1103 1104 /** 1105 * @warning 1106 * @b EXPERIMENTAL: this API may change without prior notice 1107 * 1108 * Get MACsec SC statistics. 1109 * 1110 * @param instance security instance 1111 * @param sc_id SC ID for which stats are needed 1112 * @param dir direction of the SC 1113 * @param stats SC statistics 1114 * @return 1115 * - On success, return 0. 1116 * - On failure, a negative value. 1117 */ 1118 __rte_experimental 1119 int 1120 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, 1121 uint16_t sc_id, enum rte_security_macsec_direction dir, 1122 struct rte_security_macsec_sc_stats *stats); 1123 1124 /** 1125 * Security capability definition 1126 */ 1127 struct rte_security_capability { 1128 enum rte_security_session_action_type action; 1129 /**< Security action type*/ 1130 enum rte_security_session_protocol protocol; 1131 /**< Security protocol */ 1132 union { 1133 struct { 1134 enum rte_security_ipsec_sa_protocol proto; 1135 /**< IPsec SA protocol */ 1136 enum rte_security_ipsec_sa_mode mode; 1137 /**< IPsec SA mode */ 1138 enum rte_security_ipsec_sa_direction direction; 1139 /**< IPsec SA direction */ 1140 struct rte_security_ipsec_sa_options options; 1141 /**< IPsec SA supported options */ 1142 uint32_t replay_win_sz_max; 1143 /**< IPsec Anti Replay Window Size. A '0' value 1144 * indicates that Anti Replay is not supported. 1145 */ 1146 } ipsec; 1147 /**< IPsec capability */ 1148 struct { 1149 /** MTU supported for inline TX */ 1150 uint16_t mtu; 1151 /** MACsec algorithm to be used */ 1152 enum rte_security_macsec_alg alg; 1153 /** Maximum number of secure channels supported */ 1154 uint16_t max_nb_sc; 1155 /** Maximum number of SAs supported */ 1156 uint16_t max_nb_sa; 1157 /** Maximum number of SAs supported */ 1158 uint16_t max_nb_sess; 1159 /** MACsec anti replay window size */ 1160 uint32_t replay_win_sz; 1161 /** Support Sectag insertion at relative offset */ 1162 uint16_t relative_sectag_insert : 1; 1163 /** Support Sectag insertion at fixed offset */ 1164 uint16_t fixed_sectag_insert : 1; 1165 /** ICV includes source and destination MAC addresses */ 1166 uint16_t icv_include_da_sa : 1; 1167 /** Control port traffic is supported */ 1168 uint16_t ctrl_port_enable : 1; 1169 /** Do not strip SecTAG after processing */ 1170 uint16_t preserve_sectag : 1; 1171 /** Do not strip ICV from the packet after processing */ 1172 uint16_t preserve_icv : 1; 1173 /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ 1174 uint16_t validate_frames : 1; 1175 /** support re-keying on SA expiry */ 1176 uint16_t re_key : 1; 1177 /** support anti replay */ 1178 uint16_t anti_replay : 1; 1179 /** Reserved bitfields for future capabilities */ 1180 uint16_t reserved : 7; 1181 } macsec; 1182 /**< MACsec capability */ 1183 struct { 1184 enum rte_security_pdcp_domain domain; 1185 /**< PDCP mode of operation: Control or data */ 1186 uint32_t capa_flags; 1187 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 1188 } pdcp; 1189 /**< PDCP capability */ 1190 struct { 1191 enum rte_security_docsis_direction direction; 1192 /**< DOCSIS direction */ 1193 } docsis; 1194 /**< DOCSIS capability */ 1195 }; 1196 1197 const struct rte_cryptodev_capabilities *crypto_capabilities; 1198 /**< Corresponding crypto capabilities for security capability */ 1199 1200 uint32_t ol_flags; 1201 /**< Device offload flags */ 1202 }; 1203 1204 /** Underlying Hardware/driver which support PDCP may or may not support 1205 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 1206 * If it is not set, driver/HW assumes packets received are in order 1207 * and it will be application's responsibility to maintain ordering. 1208 */ 1209 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 1210 1211 /** Underlying Hardware/driver which support PDCP may or may not detect 1212 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 1213 * If it is not set, driver/HW assumes there is no duplicate packet received. 1214 */ 1215 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 1216 1217 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 1218 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 1219 */ 1220 1221 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 1222 /**< HW constructs trailer of packets 1223 * Transmitted packets will have the trailer added to them 1224 * by hardware. The next protocol field will be based on 1225 * the mbuf->inner_esp_next_proto field. 1226 */ 1227 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 1228 /**< HW removes trailer of packets 1229 * Received packets have no trailer, the next protocol field 1230 * is supplied in the mbuf->inner_esp_next_proto field. 1231 * Inner packet is not modified. 1232 */ 1233 1234 /** 1235 * Security capability index used to query a security instance for a specific 1236 * security capability 1237 */ 1238 struct rte_security_capability_idx { 1239 enum rte_security_session_action_type action; 1240 enum rte_security_session_protocol protocol; 1241 1242 union { 1243 struct { 1244 enum rte_security_ipsec_sa_protocol proto; 1245 enum rte_security_ipsec_sa_mode mode; 1246 enum rte_security_ipsec_sa_direction direction; 1247 } ipsec; 1248 struct { 1249 enum rte_security_pdcp_domain domain; 1250 uint32_t capa_flags; 1251 } pdcp; 1252 struct { 1253 enum rte_security_docsis_direction direction; 1254 } docsis; 1255 }; 1256 }; 1257 1258 /** 1259 * Returns array of security instance capabilities 1260 * 1261 * @param instance Security instance. 1262 * 1263 * @return 1264 * - Returns array of security capabilities. 1265 * - Return NULL if no capabilities available. 1266 */ 1267 const struct rte_security_capability * 1268 rte_security_capabilities_get(struct rte_security_ctx *instance); 1269 1270 /** 1271 * Query if a specific capability is available on security instance 1272 * 1273 * @param instance security instance. 1274 * @param idx security capability index to match against 1275 * 1276 * @return 1277 * - Returns pointer to security capability on match of capability 1278 * index criteria. 1279 * - Return NULL if the capability not matched on security instance. 1280 */ 1281 const struct rte_security_capability * 1282 rte_security_capability_get(struct rte_security_ctx *instance, 1283 struct rte_security_capability_idx *idx); 1284 1285 #ifdef __cplusplus 1286 } 1287 #endif 1288 1289 #endif /* _RTE_SECURITY_H_ */ 1290