1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 */ 14 15 #ifdef __cplusplus 16 extern "C" { 17 #endif 18 19 #include <sys/types.h> 20 21 #include <rte_compat.h> 22 #include <rte_common.h> 23 #include <rte_crypto.h> 24 #include <rte_ip.h> 25 #include <rte_mbuf_dyn.h> 26 27 /** IPSec protocol mode */ 28 enum rte_security_ipsec_sa_mode { 29 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 30 /**< IPSec Transport mode */ 31 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 32 /**< IPSec Tunnel mode */ 33 }; 34 35 /** IPSec Protocol */ 36 enum rte_security_ipsec_sa_protocol { 37 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 38 /**< AH protocol */ 39 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 40 /**< ESP protocol */ 41 }; 42 43 /** IPSEC tunnel type */ 44 enum rte_security_ipsec_tunnel_type { 45 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 46 /**< Outer header is IPv4 */ 47 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 48 /**< Outer header is IPv6 */ 49 }; 50 51 /** 52 * IPSEC tunnel header verification mode 53 * 54 * Controls how outer IP header is verified in inbound. 55 */ 56 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 58 59 /** 60 * Security context for crypto/eth devices 61 * 62 * Security instance for each driver to register security operations. 63 * The application can get the security context from the crypto/eth device id 64 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 65 * This structure is used to identify the device(crypto/eth) for which the 66 * security operations need to be performed. 67 */ 68 struct rte_security_ctx { 69 void *device; 70 /**< Crypto/ethernet device attached */ 71 const struct rte_security_ops *ops; 72 /**< Pointer to security ops for the device */ 73 uint16_t sess_cnt; 74 /**< Number of sessions attached to this context */ 75 uint16_t macsec_sc_cnt; 76 /**< Number of MACsec SC attached to this context */ 77 uint16_t macsec_sa_cnt; 78 /**< Number of MACsec SA attached to this context */ 79 uint32_t flags; 80 /**< Flags for security context */ 81 }; 82 83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 84 /**< Driver uses fast metadata update without using driver specific callback. 85 * For fast mdata, mbuf dynamic field would be registered by driver 86 * via rte_security_dynfield_register(). 87 */ 88 89 /** 90 * IPSEC tunnel parameters 91 * 92 * These parameters are used to build outbound tunnel headers. 93 */ 94 struct rte_security_ipsec_tunnel_param { 95 enum rte_security_ipsec_tunnel_type type; 96 /**< Tunnel type: IPv4 or IPv6 */ 97 RTE_STD_C11 98 union { 99 struct { 100 struct in_addr src_ip; 101 /**< IPv4 source address */ 102 struct in_addr dst_ip; 103 /**< IPv4 destination address */ 104 uint8_t dscp; 105 /**< IPv4 Differentiated Services Code Point */ 106 uint8_t df; 107 /**< IPv4 Don't Fragment bit */ 108 uint8_t ttl; 109 /**< IPv4 Time To Live */ 110 } ipv4; 111 /**< IPv4 header parameters */ 112 struct { 113 struct in6_addr src_addr; 114 /**< IPv6 source address */ 115 struct in6_addr dst_addr; 116 /**< IPv6 destination address */ 117 uint8_t dscp; 118 /**< IPv6 Differentiated Services Code Point */ 119 uint32_t flabel; 120 /**< IPv6 flow label */ 121 uint8_t hlimit; 122 /**< IPv6 hop limit */ 123 } ipv6; 124 /**< IPv6 header parameters */ 125 }; 126 }; 127 128 struct rte_security_ipsec_udp_param { 129 uint16_t sport; 130 uint16_t dport; 131 }; 132 133 /** 134 * IPsec Security Association option flags 135 */ 136 struct rte_security_ipsec_sa_options { 137 /** Extended Sequence Numbers (ESN) 138 * 139 * * 1: Use extended (64 bit) sequence numbers 140 * * 0: Use normal sequence numbers 141 */ 142 uint32_t esn : 1; 143 144 /** UDP encapsulation 145 * 146 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 147 * traverse through NAT boxes. 148 * * 0: No UDP encapsulation 149 */ 150 uint32_t udp_encap : 1; 151 152 /** Copy DSCP bits 153 * 154 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 155 * the outer IP header in encapsulation, and vice versa in 156 * decapsulation. 157 * * 0: Do not change DSCP field. 158 */ 159 uint32_t copy_dscp : 1; 160 161 /** Copy IPv6 Flow Label 162 * 163 * * 1: Copy IPv6 flow label from inner IPv6 header to the 164 * outer IPv6 header. 165 * * 0: Outer header is not modified. 166 */ 167 uint32_t copy_flabel : 1; 168 169 /** Copy IPv4 Don't Fragment bit 170 * 171 * * 1: Copy the DF bit from the inner IPv4 header to the outer 172 * IPv4 header. 173 * * 0: Outer header is not modified. 174 */ 175 uint32_t copy_df : 1; 176 177 /** Decrement inner packet Time To Live (TTL) field 178 * 179 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 180 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 181 * encapsulation. 182 * * 0: Inner packet is not modified. 183 */ 184 uint32_t dec_ttl : 1; 185 186 /** Explicit Congestion Notification (ECN) 187 * 188 * * 1: In tunnel mode, enable outer header ECN Field copied from 189 * inner header in tunnel encapsulation, or inner header ECN 190 * field construction in decapsulation. 191 * * 0: Inner/outer header are not modified. 192 */ 193 uint32_t ecn : 1; 194 195 /** Security statistics 196 * 197 * * 1: Enable per session security statistics collection for 198 * this SA, if supported by the driver. 199 * * 0: Disable per session security statistics collection for this SA. 200 */ 201 uint32_t stats : 1; 202 203 /** Disable IV generation in PMD 204 * 205 * * 1: Disable IV generation in PMD. When disabled, IV provided in 206 * rte_crypto_op will be used by the PMD. 207 * 208 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 209 * value would be used and application is not required to provide 210 * IV. 211 * 212 * Note: For inline cases, IV generation would always need to be handled 213 * by the PMD. 214 */ 215 uint32_t iv_gen_disable : 1; 216 217 /** Verify tunnel header in inbound 218 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 219 * IP address. 220 * 221 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 222 * source and destination IP addresses. 223 */ 224 uint32_t tunnel_hdr_verify : 2; 225 226 /** Verify UDP encapsulation ports in inbound 227 * 228 * * 1: Match UDP source and destination ports 229 * * 0: Do not match UDP ports 230 */ 231 uint32_t udp_ports_verify : 1; 232 233 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 234 * 235 * * 1: For outbound, compute inner packet IPv4 header checksum 236 * before tunnel encapsulation and for inbound, verify after 237 * tunnel decapsulation. 238 * * 0: Inner packet IP header checksum is not computed/verified. 239 * 240 * The checksum verification status would be set in mbuf using 241 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 242 * 243 * Inner IP checksum computation can also be enabled(per operation) 244 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 245 */ 246 uint32_t ip_csum_enable : 1; 247 248 /** Compute/verify inner packet L4 checksum in tunnel mode 249 * 250 * * 1: For outbound, compute inner packet L4 checksum before 251 * tunnel encapsulation and for inbound, verify after 252 * tunnel decapsulation. 253 * * 0: Inner packet L4 checksum is not computed/verified. 254 * 255 * The checksum verification status would be set in mbuf using 256 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 257 * 258 * Inner L4 checksum computation can also be enabled(per operation) 259 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 260 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 261 */ 262 uint32_t l4_csum_enable : 1; 263 264 /** Enable IP reassembly on inline inbound packets. 265 * 266 * * 1: Enable driver to try reassembly of encrypted IP packets for 267 * this SA, if supported by the driver. This feature will work 268 * only if user has successfully set IP reassembly config params 269 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 270 * device. PMD need to register mbuf dynamic fields using 271 * rte_eth_ip_reassembly_dynfield_register() and security session 272 * creation would fail if dynfield is not registered successfully. 273 * * 0: Disable IP reassembly of packets (default). 274 */ 275 uint32_t ip_reassembly_en : 1; 276 277 /** Reserved bit fields for future extension 278 * 279 * User should ensure reserved_opts is cleared as it may change in 280 * subsequent releases to support new options. 281 * 282 * Note: Reduce number of bits in reserved_opts for every new option. 283 */ 284 uint32_t reserved_opts : 17; 285 }; 286 287 /** IPSec security association direction */ 288 enum rte_security_ipsec_sa_direction { 289 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 290 /**< Encrypt and generate digest */ 291 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 292 /**< Verify digest and decrypt */ 293 }; 294 295 /** 296 * Configure soft and hard lifetime of an IPsec SA 297 * 298 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 299 * that can be processed. IPsec operations would start failing once any hard 300 * limit is reached. 301 * 302 * Soft limits can be specified to generate notification when the SA is 303 * approaching hard limits for lifetime. For inline operations, reaching soft 304 * expiry limit would result in raising an eth event for the same. For lookaside 305 * operations, this would result in a warning returned in 306 * ``rte_crypto_op.aux_flags``. 307 */ 308 struct rte_security_ipsec_lifetime { 309 uint64_t packets_soft_limit; 310 /**< Soft expiry limit in number of packets */ 311 uint64_t bytes_soft_limit; 312 /**< Soft expiry limit in bytes */ 313 uint64_t packets_hard_limit; 314 /**< Hard expiry limit in number of packets */ 315 uint64_t bytes_hard_limit; 316 /**< Hard expiry limit in bytes */ 317 }; 318 319 /** 320 * IPsec security association configuration data. 321 * 322 * This structure contains data required to create an IPsec SA security session. 323 */ 324 struct rte_security_ipsec_xform { 325 uint32_t spi; 326 /**< SA security parameter index */ 327 uint32_t salt; 328 /**< SA salt */ 329 struct rte_security_ipsec_sa_options options; 330 /**< various SA options */ 331 enum rte_security_ipsec_sa_direction direction; 332 /**< IPSec SA Direction - Egress/Ingress */ 333 enum rte_security_ipsec_sa_protocol proto; 334 /**< IPsec SA Protocol - AH/ESP */ 335 enum rte_security_ipsec_sa_mode mode; 336 /**< IPsec SA Mode - transport/tunnel */ 337 struct rte_security_ipsec_tunnel_param tunnel; 338 /**< Tunnel parameters, NULL for transport mode */ 339 struct rte_security_ipsec_lifetime life; 340 /**< IPsec SA lifetime */ 341 uint32_t replay_win_sz; 342 /**< Anti replay window size to enable sequence replay attack handling. 343 * replay checking is disabled if the window size is 0. 344 */ 345 union { 346 uint64_t value; 347 struct { 348 uint32_t low; 349 uint32_t hi; 350 }; 351 } esn; 352 /**< Extended Sequence Number */ 353 struct rte_security_ipsec_udp_param udp; 354 /**< UDP parameters, ignored when udp_encap option not specified */ 355 }; 356 357 /** 358 * MACSec packet flow direction 359 */ 360 enum rte_security_macsec_direction { 361 /** Generate SecTag and encrypt/authenticate */ 362 RTE_SECURITY_MACSEC_DIR_TX, 363 /** Remove SecTag and decrypt/verify */ 364 RTE_SECURITY_MACSEC_DIR_RX, 365 }; 366 367 /** Maximum number of association numbers for a secure channel. */ 368 #define RTE_SECURITY_MACSEC_NUM_AN 4 369 /** Salt length for MACsec SA. */ 370 #define RTE_SECURITY_MACSEC_SALT_LEN 12 371 372 /** 373 * MACsec secure association (SA) configuration structure. 374 */ 375 struct rte_security_macsec_sa { 376 /** Direction of SA */ 377 enum rte_security_macsec_direction dir; 378 /** MACsec SA key for AES-GCM 128/256 */ 379 struct { 380 const uint8_t *data; /**< pointer to key data */ 381 uint16_t length; /**< key length in bytes */ 382 } key; 383 /** 96-bit value distributed by key agreement protocol */ 384 uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; 385 /** Association number to be used */ 386 uint8_t an : 2; 387 /** Short Secure Channel Identifier, to be used for XPN cases */ 388 uint32_t ssci; 389 /** Extended packet number */ 390 uint32_t xpn; 391 /** Packet number expected/ to be used for next packet of this SA */ 392 uint32_t next_pn; 393 }; 394 395 /** 396 * MACsec Secure Channel configuration parameters. 397 */ 398 struct rte_security_macsec_sc { 399 /** Direction of SC */ 400 enum rte_security_macsec_direction dir; 401 /** Packet number threshold */ 402 uint64_t pn_threshold; 403 union { 404 struct { 405 /** SAs for each association number */ 406 uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; 407 /** flag to denote which all SAs are in use for each association number */ 408 uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; 409 /** Channel is active */ 410 uint8_t active : 1; 411 /** Extended packet number is enabled for SAs */ 412 uint8_t is_xpn : 1; 413 /** Reserved bitfields for future */ 414 uint8_t reserved : 6; 415 } sc_rx; 416 struct { 417 uint16_t sa_id; /**< SA ID to be used for encryption */ 418 uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */ 419 uint64_t sci; /**< SCI value to be used if send_sci is set */ 420 uint8_t active : 1; /**< Channel is active */ 421 uint8_t re_key_en : 1; /**< Enable Rekeying */ 422 /** Extended packet number is enabled for SAs */ 423 uint8_t is_xpn : 1; 424 /** Reserved bitfields for future */ 425 uint8_t reserved : 5; 426 } sc_tx; 427 }; 428 }; 429 430 /** 431 * MACsec Supported Algorithm list as per IEEE Std 802.1AE. 432 */ 433 enum rte_security_macsec_alg { 434 RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ 435 RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ 436 RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ 437 RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ 438 }; 439 440 /** Disable Validation of MACsec frame. */ 441 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 442 /** Validate MACsec frame but do not discard invalid frame. */ 443 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 444 /** Validate MACsec frame and discart invalid frame. */ 445 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 446 /** Do not perform any MACsec operation. */ 447 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 448 449 /** 450 * MACsec security session configuration 451 */ 452 struct rte_security_macsec_xform { 453 /** Direction of flow/secure channel */ 454 enum rte_security_macsec_direction dir; 455 /** MACsec algorithm to be used */ 456 enum rte_security_macsec_alg alg; 457 /** Cipher offset from start of Ethernet header */ 458 uint8_t cipher_off; 459 /** 460 * SCI to be used for RX flow identification or 461 * to set SCI in packet for TX when send_sci is set 462 */ 463 uint64_t sci; 464 /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */ 465 uint16_t sc_id; 466 union { 467 struct { 468 /** MTU for transmit frame (valid for inline processing) */ 469 uint16_t mtu; 470 /** 471 * Offset to insert sectag from start of ethernet header or 472 * from a matching VLAN tag 473 */ 474 uint8_t sectag_off; 475 /** Enable MACsec protection of frames */ 476 uint16_t protect_frames : 1; 477 /** 478 * Sectag insertion mode 479 * If 1, Sectag is inserted at fixed sectag_off set above. 480 * If 0, Sectag is inserted at relative sectag_off from a matching 481 * VLAN tag set. 482 */ 483 uint16_t sectag_insert_mode : 1; 484 /** ICV includes source and destination MAC addresses */ 485 uint16_t icv_include_da_sa : 1; 486 /** Control port is enabled */ 487 uint16_t ctrl_port_enable : 1; 488 /** Version of MACsec header. Should be 0 */ 489 uint16_t sectag_version : 1; 490 /** Enable end station. SCI is not valid */ 491 uint16_t end_station : 1; 492 /** Send SCI along with sectag */ 493 uint16_t send_sci : 1; 494 /** enable secure channel support EPON - single copy broadcast */ 495 uint16_t scb : 1; 496 /** 497 * Enable packet encryption and set RTE_MACSEC_TCI_C and 498 * RTE_MACSEC_TCI_E in sectag 499 */ 500 uint16_t encrypt : 1; 501 /** Reserved bitfields for future */ 502 uint16_t reserved : 7; 503 } tx_secy; 504 struct { 505 /** Replay Window size to be supported */ 506 uint32_t replay_win_sz; 507 /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ 508 uint16_t validate_frames : 2; 509 /** ICV includes source and destination MAC addresses */ 510 uint16_t icv_include_da_sa : 1; 511 /** Control port is enabled */ 512 uint16_t ctrl_port_enable : 1; 513 /** Do not strip SecTAG after processing */ 514 uint16_t preserve_sectag : 1; 515 /** Do not strip ICV from the packet after processing */ 516 uint16_t preserve_icv : 1; 517 /** Enable anti-replay protection */ 518 uint16_t replay_protect : 1; 519 /** Reserved bitfields for future */ 520 uint16_t reserved : 9; 521 } rx_secy; 522 }; 523 }; 524 525 /** 526 * PDCP Mode of session 527 */ 528 enum rte_security_pdcp_domain { 529 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 530 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 531 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 532 }; 533 534 /** PDCP Frame direction */ 535 enum rte_security_pdcp_direction { 536 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 537 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 538 }; 539 540 /** PDCP Sequence Number Size selectors */ 541 enum rte_security_pdcp_sn_size { 542 /** PDCP_SN_SIZE_5: 5bit sequence number */ 543 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 544 /** PDCP_SN_SIZE_7: 7bit sequence number */ 545 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 546 /** PDCP_SN_SIZE_12: 12bit sequence number */ 547 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 548 /** PDCP_SN_SIZE_15: 15bit sequence number */ 549 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 550 /** PDCP_SN_SIZE_18: 18bit sequence number */ 551 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 552 }; 553 554 /** 555 * PDCP security association configuration data. 556 * 557 * This structure contains data required to create a PDCP security session. 558 */ 559 struct rte_security_pdcp_xform { 560 int8_t bearer; /**< PDCP bearer ID */ 561 /** Enable in order delivery, this field shall be set only if 562 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 563 */ 564 uint8_t en_ordering; 565 /** Notify driver/HW to detect and remove duplicate packets. 566 * This field should be set only when driver/hw is capable. 567 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 568 */ 569 uint8_t remove_duplicates; 570 /** PDCP mode of operation: Control or data */ 571 enum rte_security_pdcp_domain domain; 572 /** PDCP Frame Direction 0:UL 1:DL */ 573 enum rte_security_pdcp_direction pkt_dir; 574 /** Sequence number size, 5/7/12/15/18 */ 575 enum rte_security_pdcp_sn_size sn_size; 576 /** Starting Hyper Frame Number to be used together with the SN 577 * from the PDCP frames 578 */ 579 uint32_t hfn; 580 /** HFN Threshold for key renegotiation */ 581 uint32_t hfn_threshold; 582 /** HFN can be given as a per packet value also. 583 * As we do not have IV in case of PDCP, and HFN is 584 * used to generate IV. IV field can be used to get the 585 * per packet HFN while enq/deq. 586 * If hfn_ovrd field is set, user is expected to set the 587 * per packet HFN in place of IV. PMDs will extract the HFN 588 * and perform operations accordingly. 589 */ 590 uint8_t hfn_ovrd; 591 /** In case of 5G NR, a new protocol (SDAP) header may be set 592 * inside PDCP payload which should be authenticated but not 593 * encrypted. Hence, driver should be notified if SDAP is 594 * enabled or not, so that SDAP header is not encrypted. 595 */ 596 uint8_t sdap_enabled; 597 /** Reserved for future */ 598 uint16_t reserved; 599 }; 600 601 /** DOCSIS direction */ 602 enum rte_security_docsis_direction { 603 RTE_SECURITY_DOCSIS_UPLINK, 604 /**< Uplink 605 * - Decryption, followed by CRC Verification 606 */ 607 RTE_SECURITY_DOCSIS_DOWNLINK, 608 /**< Downlink 609 * - CRC Generation, followed by Encryption 610 */ 611 }; 612 613 /** 614 * DOCSIS security session configuration. 615 * 616 * This structure contains data required to create a DOCSIS security session. 617 */ 618 struct rte_security_docsis_xform { 619 enum rte_security_docsis_direction direction; 620 /**< DOCSIS direction */ 621 }; 622 623 /** 624 * Security session action type. 625 */ 626 enum rte_security_session_action_type { 627 RTE_SECURITY_ACTION_TYPE_NONE, 628 /**< No security actions */ 629 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 630 /**< Crypto processing for security protocol is processed inline 631 * during transmission 632 */ 633 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 634 /**< All security protocol processing is performed inline during 635 * transmission 636 */ 637 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 638 /**< All security protocol processing including crypto is performed 639 * on a lookaside accelerator 640 */ 641 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 642 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 643 * protocol is processed synchronously by a CPU. 644 */ 645 }; 646 647 /** Security session protocol definition */ 648 enum rte_security_session_protocol { 649 RTE_SECURITY_PROTOCOL_IPSEC = 1, 650 /**< IPsec Protocol */ 651 RTE_SECURITY_PROTOCOL_MACSEC, 652 /**< MACSec Protocol */ 653 RTE_SECURITY_PROTOCOL_PDCP, 654 /**< PDCP Protocol */ 655 RTE_SECURITY_PROTOCOL_DOCSIS, 656 /**< DOCSIS Protocol */ 657 }; 658 659 /** 660 * Security session configuration 661 */ 662 struct rte_security_session_conf { 663 enum rte_security_session_action_type action_type; 664 /**< Type of action to be performed on the session */ 665 enum rte_security_session_protocol protocol; 666 /**< Security protocol to be configured */ 667 RTE_STD_C11 668 union { 669 struct rte_security_ipsec_xform ipsec; 670 struct rte_security_macsec_xform macsec; 671 struct rte_security_pdcp_xform pdcp; 672 struct rte_security_docsis_xform docsis; 673 }; 674 /**< Configuration parameters for security session */ 675 struct rte_crypto_sym_xform *crypto_xform; 676 /**< Security Session Crypto Transformations. NULL in case of MACsec. */ 677 void *userdata; 678 /**< Application specific userdata to be saved with session */ 679 }; 680 681 /** 682 * Create security session as specified by the session configuration 683 * 684 * @param instance security instance 685 * @param conf session configuration parameters 686 * @param mp mempool to allocate session objects from 687 * @return 688 * - On success, pointer to session 689 * - On failure, NULL 690 */ 691 void * 692 rte_security_session_create(struct rte_security_ctx *instance, 693 struct rte_security_session_conf *conf, 694 struct rte_mempool *mp); 695 696 /** 697 * Update security session as specified by the session configuration 698 * 699 * @param instance security instance 700 * @param sess session to update parameters 701 * @param conf update configuration parameters 702 * @return 703 * - On success returns 0 704 * - On failure returns a negative errno value. 705 */ 706 __rte_experimental 707 int 708 rte_security_session_update(struct rte_security_ctx *instance, 709 void *sess, 710 struct rte_security_session_conf *conf); 711 712 /** 713 * Get the size of the security session data for a device. 714 * 715 * @param instance security instance. 716 * 717 * @return 718 * - Size of the private data, if successful 719 * - 0 if device is invalid or does not support the operation. 720 */ 721 unsigned int 722 rte_security_session_get_size(struct rte_security_ctx *instance); 723 724 /** 725 * Free security session header and the session private data and 726 * return it to its original mempool. 727 * 728 * @param instance security instance 729 * @param sess security session to be freed 730 * 731 * @return 732 * - 0 if successful. 733 * - -EINVAL if session or context instance is NULL. 734 * - -EBUSY if not all device private data has been freed. 735 * - -ENOTSUP if destroying private data is not supported. 736 * - other negative values in case of freeing private data errors. 737 */ 738 int 739 rte_security_session_destroy(struct rte_security_ctx *instance, void *sess); 740 741 /** 742 * @warning 743 * @b EXPERIMENTAL: this API may change without prior notice 744 * 745 * Create MACsec security channel (SC). 746 * 747 * @param instance security instance 748 * @param conf MACsec SC configuration params 749 * @return 750 * - secure channel ID if successful. 751 * - -EINVAL if configuration params are invalid of instance is NULL. 752 * - -ENOTSUP if device does not support MACsec. 753 * - -ENOMEM if PMD is not capable to create more SC. 754 * - other negative value for other errors. 755 */ 756 __rte_experimental 757 int 758 rte_security_macsec_sc_create(struct rte_security_ctx *instance, 759 struct rte_security_macsec_sc *conf); 760 761 /** 762 * @warning 763 * @b EXPERIMENTAL: this API may change without prior notice 764 * 765 * Destroy MACsec security channel (SC). 766 * 767 * @param instance security instance 768 * @param sc_id SC ID to be destroyed 769 * @param dir direction of the SC 770 * @return 771 * - 0 if successful. 772 * - -EINVAL if sc_id is invalid or instance is NULL. 773 * - -EBUSY if sc is being used by some session. 774 */ 775 __rte_experimental 776 int 777 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id, 778 enum rte_security_macsec_direction dir); 779 780 /** 781 * @warning 782 * @b EXPERIMENTAL: this API may change without prior notice 783 * 784 * Create MACsec security association (SA). 785 * 786 * @param instance security instance 787 * @param conf MACsec SA configuration params 788 * @return 789 * - positive SA ID if successful. 790 * - -EINVAL if configuration params are invalid of instance is NULL. 791 * - -ENOTSUP if device does not support MACsec. 792 * - -ENOMEM if PMD is not capable to create more SAs. 793 * - other negative value for other errors. 794 */ 795 __rte_experimental 796 int 797 rte_security_macsec_sa_create(struct rte_security_ctx *instance, 798 struct rte_security_macsec_sa *conf); 799 800 /** 801 * @warning 802 * @b EXPERIMENTAL: this API may change without prior notice 803 * 804 * Destroy MACsec security association (SA). 805 * 806 * @param instance security instance 807 * @param sa_id SA ID to be destroyed 808 * @param dir direction of the SA 809 * @return 810 * - 0 if successful. 811 * - -EINVAL if sa_id is invalid or instance is NULL. 812 * - -EBUSY if sa is being used by some session. 813 */ 814 __rte_experimental 815 int 816 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id, 817 enum rte_security_macsec_direction dir); 818 819 /** Device-specific metadata field type */ 820 typedef uint64_t rte_security_dynfield_t; 821 /** Dynamic mbuf field for device-specific metadata */ 822 extern int rte_security_dynfield_offset; 823 824 /** 825 * @warning 826 * @b EXPERIMENTAL: this API may change without prior notice 827 * 828 * Get pointer to mbuf field for device-specific metadata. 829 * 830 * For performance reason, no check is done, 831 * the dynamic field may not be registered. 832 * @see rte_security_dynfield_is_registered 833 * 834 * @param mbuf packet to access 835 * @return pointer to mbuf field 836 */ 837 __rte_experimental 838 static inline rte_security_dynfield_t * 839 rte_security_dynfield(struct rte_mbuf *mbuf) 840 { 841 return RTE_MBUF_DYNFIELD(mbuf, 842 rte_security_dynfield_offset, 843 rte_security_dynfield_t *); 844 } 845 846 /** 847 * @warning 848 * @b EXPERIMENTAL: this API may change without prior notice 849 * 850 * Check whether the dynamic field is registered. 851 * 852 * @return true if rte_security_dynfield_register() has been called. 853 */ 854 __rte_experimental 855 static inline bool rte_security_dynfield_is_registered(void) 856 { 857 return rte_security_dynfield_offset >= 0; 858 } 859 860 #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 861 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 862 /** 863 * Get opaque data from session handle 864 */ 865 static inline uint64_t 866 rte_security_session_opaque_data_get(void *sess) 867 { 868 return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 869 } 870 871 /** 872 * Set opaque data in session handle 873 */ 874 static inline void 875 rte_security_session_opaque_data_set(void *sess, uint64_t opaque) 876 { 877 uint64_t *data; 878 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 879 *data = opaque; 880 } 881 882 /** 883 * Get fast mdata from session handle 884 */ 885 static inline uint64_t 886 rte_security_session_fast_mdata_get(void *sess) 887 { 888 return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF); 889 } 890 891 /** 892 * Set fast mdata in session handle 893 */ 894 static inline void 895 rte_security_session_fast_mdata_set(void *sess, uint64_t fdata) 896 { 897 uint64_t *data; 898 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF); 899 *data = fdata; 900 } 901 902 /** Function to call PMD specific function pointer set_pkt_metadata() */ 903 __rte_experimental 904 int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 905 void *sess, 906 struct rte_mbuf *m, void *params); 907 908 /** 909 * Updates the buffer with device-specific defined metadata 910 * 911 * @param instance security instance 912 * @param sess security session 913 * @param mb packet mbuf to set metadata on. 914 * @param params device-specific defined parameters 915 * required for metadata 916 * 917 * @return 918 * - On success, zero. 919 * - On failure, a negative value. 920 */ 921 static inline int 922 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 923 void *sess, 924 struct rte_mbuf *mb, void *params) 925 { 926 /* Fast Path */ 927 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 928 *rte_security_dynfield(mb) = (rte_security_dynfield_t) 929 rte_security_session_fast_mdata_get(sess); 930 return 0; 931 } 932 933 /* Jump to PMD specific function pointer */ 934 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 935 } 936 937 /** 938 * Attach a session to a symmetric crypto operation 939 * 940 * @param sym_op crypto operation 941 * @param sess security session 942 */ 943 static inline int 944 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess) 945 { 946 sym_op->session = sess; 947 948 return 0; 949 } 950 951 /** 952 * Attach a session to a crypto operation. 953 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 954 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 955 * defined to perform security operations. 956 * 957 * @param op crypto operation 958 * @param sess security session 959 */ 960 static inline int 961 rte_security_attach_session(struct rte_crypto_op *op, 962 void *sess) 963 { 964 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 965 return -EINVAL; 966 967 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 968 969 return __rte_security_attach_session(op->sym, sess); 970 } 971 972 struct rte_security_macsec_secy_stats { 973 uint64_t ctl_pkt_bcast_cnt; 974 uint64_t ctl_pkt_mcast_cnt; 975 uint64_t ctl_pkt_ucast_cnt; 976 uint64_t ctl_octet_cnt; 977 uint64_t unctl_pkt_bcast_cnt; 978 uint64_t unctl_pkt_mcast_cnt; 979 uint64_t unctl_pkt_ucast_cnt; 980 uint64_t unctl_octet_cnt; 981 /* Valid only for Rx */ 982 uint64_t octet_decrypted_cnt; 983 uint64_t octet_validated_cnt; 984 uint64_t pkt_port_disabled_cnt; 985 uint64_t pkt_badtag_cnt; 986 uint64_t pkt_nosa_cnt; 987 uint64_t pkt_nosaerror_cnt; 988 uint64_t pkt_tagged_ctl_cnt; 989 uint64_t pkt_untaged_cnt; 990 uint64_t pkt_ctl_cnt; 991 uint64_t pkt_notag_cnt; 992 /* Valid only for Tx */ 993 uint64_t octet_encrypted_cnt; 994 uint64_t octet_protected_cnt; 995 uint64_t pkt_noactivesa_cnt; 996 uint64_t pkt_toolong_cnt; 997 uint64_t pkt_untagged_cnt; 998 }; 999 1000 struct rte_security_macsec_sc_stats { 1001 /* Rx */ 1002 uint64_t hit_cnt; 1003 uint64_t pkt_invalid_cnt; 1004 uint64_t pkt_late_cnt; 1005 uint64_t pkt_notvalid_cnt; 1006 uint64_t pkt_unchecked_cnt; 1007 uint64_t pkt_delay_cnt; 1008 uint64_t pkt_ok_cnt; 1009 uint64_t octet_decrypt_cnt; 1010 uint64_t octet_validate_cnt; 1011 /* Tx */ 1012 uint64_t pkt_encrypt_cnt; 1013 uint64_t pkt_protected_cnt; 1014 uint64_t octet_encrypt_cnt; 1015 uint64_t octet_protected_cnt; 1016 }; 1017 1018 struct rte_security_macsec_sa_stats { 1019 /* Rx */ 1020 uint64_t pkt_invalid_cnt; 1021 uint64_t pkt_nosaerror_cnt; 1022 uint64_t pkt_notvalid_cnt; 1023 uint64_t pkt_ok_cnt; 1024 uint64_t pkt_nosa_cnt; 1025 /* Tx */ 1026 uint64_t pkt_encrypt_cnt; 1027 uint64_t pkt_protected_cnt; 1028 }; 1029 1030 struct rte_security_ipsec_stats { 1031 uint64_t ipackets; /**< Successfully received IPsec packets. */ 1032 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 1033 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 1034 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 1035 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 1036 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 1037 uint64_t reserved1; /**< Reserved for future use. */ 1038 uint64_t reserved2; /**< Reserved for future use. */ 1039 }; 1040 1041 struct rte_security_pdcp_stats { 1042 uint64_t reserved; 1043 }; 1044 1045 struct rte_security_docsis_stats { 1046 uint64_t reserved; 1047 }; 1048 1049 struct rte_security_stats { 1050 enum rte_security_session_protocol protocol; 1051 /**< Security protocol to be configured */ 1052 1053 RTE_STD_C11 1054 union { 1055 struct rte_security_macsec_secy_stats macsec; 1056 struct rte_security_ipsec_stats ipsec; 1057 struct rte_security_pdcp_stats pdcp; 1058 struct rte_security_docsis_stats docsis; 1059 }; 1060 }; 1061 1062 /** 1063 * Get security session statistics 1064 * 1065 * @param instance security instance 1066 * @param sess security session 1067 * If security session is NULL then global (per security instance) statistics 1068 * will be retrieved, if supported. Global statistics collection is not 1069 * dependent on the per session statistics configuration. 1070 * @param stats statistics 1071 * @return 1072 * - On success, return 0 1073 * - On failure, a negative value 1074 */ 1075 __rte_experimental 1076 int 1077 rte_security_session_stats_get(struct rte_security_ctx *instance, 1078 void *sess, 1079 struct rte_security_stats *stats); 1080 1081 /** 1082 * @warning 1083 * @b EXPERIMENTAL: this API may change without prior notice 1084 * 1085 * Get MACsec SA statistics. 1086 * 1087 * @param instance security instance 1088 * @param sa_id SA ID for which stats are needed 1089 * @param dir direction of the SA 1090 * @param stats statistics 1091 * @return 1092 * - On success, return 0. 1093 * - On failure, a negative value. 1094 */ 1095 __rte_experimental 1096 int 1097 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, 1098 uint16_t sa_id, enum rte_security_macsec_direction dir, 1099 struct rte_security_macsec_sa_stats *stats); 1100 1101 /** 1102 * @warning 1103 * @b EXPERIMENTAL: this API may change without prior notice 1104 * 1105 * Get MACsec SC statistics. 1106 * 1107 * @param instance security instance 1108 * @param sc_id SC ID for which stats are needed 1109 * @param dir direction of the SC 1110 * @param stats SC statistics 1111 * @return 1112 * - On success, return 0. 1113 * - On failure, a negative value. 1114 */ 1115 __rte_experimental 1116 int 1117 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, 1118 uint16_t sc_id, enum rte_security_macsec_direction dir, 1119 struct rte_security_macsec_sc_stats *stats); 1120 1121 /** 1122 * Security capability definition 1123 */ 1124 struct rte_security_capability { 1125 enum rte_security_session_action_type action; 1126 /**< Security action type*/ 1127 enum rte_security_session_protocol protocol; 1128 /**< Security protocol */ 1129 RTE_STD_C11 1130 union { 1131 struct { 1132 enum rte_security_ipsec_sa_protocol proto; 1133 /**< IPsec SA protocol */ 1134 enum rte_security_ipsec_sa_mode mode; 1135 /**< IPsec SA mode */ 1136 enum rte_security_ipsec_sa_direction direction; 1137 /**< IPsec SA direction */ 1138 struct rte_security_ipsec_sa_options options; 1139 /**< IPsec SA supported options */ 1140 uint32_t replay_win_sz_max; 1141 /**< IPsec Anti Replay Window Size. A '0' value 1142 * indicates that Anti Replay is not supported. 1143 */ 1144 } ipsec; 1145 /**< IPsec capability */ 1146 struct { 1147 /** MTU supported for inline TX */ 1148 uint16_t mtu; 1149 /** MACsec algorithm to be used */ 1150 enum rte_security_macsec_alg alg; 1151 /** Maximum number of secure channels supported */ 1152 uint16_t max_nb_sc; 1153 /** Maximum number of SAs supported */ 1154 uint16_t max_nb_sa; 1155 /** Maximum number of SAs supported */ 1156 uint16_t max_nb_sess; 1157 /** MACsec anti replay window size */ 1158 uint32_t replay_win_sz; 1159 /** Support Sectag insertion at relative offset */ 1160 uint16_t relative_sectag_insert : 1; 1161 /** Support Sectag insertion at fixed offset */ 1162 uint16_t fixed_sectag_insert : 1; 1163 /** ICV includes source and destination MAC addresses */ 1164 uint16_t icv_include_da_sa : 1; 1165 /** Control port traffic is supported */ 1166 uint16_t ctrl_port_enable : 1; 1167 /** Do not strip SecTAG after processing */ 1168 uint16_t preserve_sectag : 1; 1169 /** Do not strip ICV from the packet after processing */ 1170 uint16_t preserve_icv : 1; 1171 /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ 1172 uint16_t validate_frames : 1; 1173 /** support re-keying on SA expiry */ 1174 uint16_t re_key : 1; 1175 /** support anti replay */ 1176 uint16_t anti_replay : 1; 1177 /** Reserved bitfields for future capabilities */ 1178 uint16_t reserved : 7; 1179 } macsec; 1180 /**< MACsec capability */ 1181 struct { 1182 enum rte_security_pdcp_domain domain; 1183 /**< PDCP mode of operation: Control or data */ 1184 uint32_t capa_flags; 1185 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 1186 } pdcp; 1187 /**< PDCP capability */ 1188 struct { 1189 enum rte_security_docsis_direction direction; 1190 /**< DOCSIS direction */ 1191 } docsis; 1192 /**< DOCSIS capability */ 1193 }; 1194 1195 const struct rte_cryptodev_capabilities *crypto_capabilities; 1196 /**< Corresponding crypto capabilities for security capability */ 1197 1198 uint32_t ol_flags; 1199 /**< Device offload flags */ 1200 }; 1201 1202 /** Underlying Hardware/driver which support PDCP may or may not support 1203 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 1204 * If it is not set, driver/HW assumes packets received are in order 1205 * and it will be application's responsibility to maintain ordering. 1206 */ 1207 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 1208 1209 /** Underlying Hardware/driver which support PDCP may or may not detect 1210 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 1211 * If it is not set, driver/HW assumes there is no duplicate packet received. 1212 */ 1213 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 1214 1215 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 1216 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 1217 */ 1218 1219 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 1220 /**< HW constructs trailer of packets 1221 * Transmitted packets will have the trailer added to them 1222 * by hardware. The next protocol field will be based on 1223 * the mbuf->inner_esp_next_proto field. 1224 */ 1225 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 1226 /**< HW removes trailer of packets 1227 * Received packets have no trailer, the next protocol field 1228 * is supplied in the mbuf->inner_esp_next_proto field. 1229 * Inner packet is not modified. 1230 */ 1231 1232 /** 1233 * Security capability index used to query a security instance for a specific 1234 * security capability 1235 */ 1236 struct rte_security_capability_idx { 1237 enum rte_security_session_action_type action; 1238 enum rte_security_session_protocol protocol; 1239 1240 RTE_STD_C11 1241 union { 1242 struct { 1243 enum rte_security_ipsec_sa_protocol proto; 1244 enum rte_security_ipsec_sa_mode mode; 1245 enum rte_security_ipsec_sa_direction direction; 1246 } ipsec; 1247 struct { 1248 enum rte_security_pdcp_domain domain; 1249 uint32_t capa_flags; 1250 } pdcp; 1251 struct { 1252 enum rte_security_docsis_direction direction; 1253 } docsis; 1254 }; 1255 }; 1256 1257 /** 1258 * Returns array of security instance capabilities 1259 * 1260 * @param instance Security instance. 1261 * 1262 * @return 1263 * - Returns array of security capabilities. 1264 * - Return NULL if no capabilities available. 1265 */ 1266 const struct rte_security_capability * 1267 rte_security_capabilities_get(struct rte_security_ctx *instance); 1268 1269 /** 1270 * Query if a specific capability is available on security instance 1271 * 1272 * @param instance security instance. 1273 * @param idx security capability index to match against 1274 * 1275 * @return 1276 * - Returns pointer to security capability on match of capability 1277 * index criteria. 1278 * - Return NULL if the capability not matched on security instance. 1279 */ 1280 const struct rte_security_capability * 1281 rte_security_capability_get(struct rte_security_ctx *instance, 1282 struct rte_security_capability_idx *idx); 1283 1284 #ifdef __cplusplus 1285 } 1286 #endif 1287 1288 #endif /* _RTE_SECURITY_H_ */ 1289