1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <rte_compat.h> 23 #include <rte_common.h> 24 #include <rte_crypto.h> 25 #include <rte_ip.h> 26 #include <rte_mbuf_dyn.h> 27 28 /** IPSec protocol mode */ 29 enum rte_security_ipsec_sa_mode { 30 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 31 /**< IPSec Transport mode */ 32 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 33 /**< IPSec Tunnel mode */ 34 }; 35 36 /** IPSec Protocol */ 37 enum rte_security_ipsec_sa_protocol { 38 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 39 /**< AH protocol */ 40 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 41 /**< ESP protocol */ 42 }; 43 44 /** IPSEC tunnel type */ 45 enum rte_security_ipsec_tunnel_type { 46 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 47 /**< Outer header is IPv4 */ 48 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 49 /**< Outer header is IPv6 */ 50 }; 51 52 /** 53 * IPSEC tunnel header verification mode 54 * 55 * Controls how outer IP header is verified in inbound. 56 */ 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 58 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 59 60 /** 61 * Security context for crypto/eth devices 62 * 63 * Security instance for each driver to register security operations. 64 * The application can get the security context from the crypto/eth device id 65 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 66 * This structure is used to identify the device(crypto/eth) for which the 67 * security operations need to be performed. 68 */ 69 struct rte_security_ctx { 70 void *device; 71 /**< Crypto/ethernet device attached */ 72 const struct rte_security_ops *ops; 73 /**< Pointer to security ops for the device */ 74 uint16_t sess_cnt; 75 /**< Number of sessions attached to this context */ 76 uint16_t macsec_sc_cnt; 77 /**< Number of MACsec SC attached to this context */ 78 uint16_t macsec_sa_cnt; 79 /**< Number of MACsec SA attached to this context */ 80 uint32_t flags; 81 /**< Flags for security context */ 82 }; 83 84 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 85 /**< Driver uses fast metadata update without using driver specific callback */ 86 87 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002 88 /**< Driver provides udata using fast method without using driver specific 89 * callback. For fast mdata and udata, mbuf dynamic field would be registered 90 * by driver via rte_security_dynfield_register(). 91 */ 92 93 /** 94 * IPSEC tunnel parameters 95 * 96 * These parameters are used to build outbound tunnel headers. 97 */ 98 struct rte_security_ipsec_tunnel_param { 99 enum rte_security_ipsec_tunnel_type type; 100 /**< Tunnel type: IPv4 or IPv6 */ 101 RTE_STD_C11 102 union { 103 struct { 104 struct in_addr src_ip; 105 /**< IPv4 source address */ 106 struct in_addr dst_ip; 107 /**< IPv4 destination address */ 108 uint8_t dscp; 109 /**< IPv4 Differentiated Services Code Point */ 110 uint8_t df; 111 /**< IPv4 Don't Fragment bit */ 112 uint8_t ttl; 113 /**< IPv4 Time To Live */ 114 } ipv4; 115 /**< IPv4 header parameters */ 116 struct { 117 struct in6_addr src_addr; 118 /**< IPv6 source address */ 119 struct in6_addr dst_addr; 120 /**< IPv6 destination address */ 121 uint8_t dscp; 122 /**< IPv6 Differentiated Services Code Point */ 123 uint32_t flabel; 124 /**< IPv6 flow label */ 125 uint8_t hlimit; 126 /**< IPv6 hop limit */ 127 } ipv6; 128 /**< IPv6 header parameters */ 129 }; 130 }; 131 132 struct rte_security_ipsec_udp_param { 133 uint16_t sport; 134 uint16_t dport; 135 }; 136 137 /** 138 * IPsec Security Association option flags 139 */ 140 struct rte_security_ipsec_sa_options { 141 /** Extended Sequence Numbers (ESN) 142 * 143 * * 1: Use extended (64 bit) sequence numbers 144 * * 0: Use normal sequence numbers 145 */ 146 uint32_t esn : 1; 147 148 /** UDP encapsulation 149 * 150 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 151 * traverse through NAT boxes. 152 * * 0: No UDP encapsulation 153 */ 154 uint32_t udp_encap : 1; 155 156 /** Copy DSCP bits 157 * 158 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 159 * the outer IP header in encapsulation, and vice versa in 160 * decapsulation. 161 * * 0: Do not change DSCP field. 162 */ 163 uint32_t copy_dscp : 1; 164 165 /** Copy IPv6 Flow Label 166 * 167 * * 1: Copy IPv6 flow label from inner IPv6 header to the 168 * outer IPv6 header. 169 * * 0: Outer header is not modified. 170 */ 171 uint32_t copy_flabel : 1; 172 173 /** Copy IPv4 Don't Fragment bit 174 * 175 * * 1: Copy the DF bit from the inner IPv4 header to the outer 176 * IPv4 header. 177 * * 0: Outer header is not modified. 178 */ 179 uint32_t copy_df : 1; 180 181 /** Decrement inner packet Time To Live (TTL) field 182 * 183 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 184 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 185 * encapsulation. 186 * * 0: Inner packet is not modified. 187 */ 188 uint32_t dec_ttl : 1; 189 190 /** Explicit Congestion Notification (ECN) 191 * 192 * * 1: In tunnel mode, enable outer header ECN Field copied from 193 * inner header in tunnel encapsulation, or inner header ECN 194 * field construction in decapsulation. 195 * * 0: Inner/outer header are not modified. 196 */ 197 uint32_t ecn : 1; 198 199 /** Security statistics 200 * 201 * * 1: Enable per session security statistics collection for 202 * this SA, if supported by the driver. 203 * * 0: Disable per session security statistics collection for this SA. 204 */ 205 uint32_t stats : 1; 206 207 /** Disable IV generation in PMD 208 * 209 * * 1: Disable IV generation in PMD. When disabled, IV provided in 210 * rte_crypto_op will be used by the PMD. 211 * 212 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 213 * value would be used and application is not required to provide 214 * IV. 215 * 216 * Note: For inline cases, IV generation would always need to be handled 217 * by the PMD. 218 */ 219 uint32_t iv_gen_disable : 1; 220 221 /** Verify tunnel header in inbound 222 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 223 * IP address. 224 * 225 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 226 * source and destination IP addresses. 227 */ 228 uint32_t tunnel_hdr_verify : 2; 229 230 /** Verify UDP encapsulation ports in inbound 231 * 232 * * 1: Match UDP source and destination ports 233 * * 0: Do not match UDP ports 234 */ 235 uint32_t udp_ports_verify : 1; 236 237 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 238 * 239 * * 1: For outbound, compute inner packet IPv4 header checksum 240 * before tunnel encapsulation and for inbound, verify after 241 * tunnel decapsulation. 242 * * 0: Inner packet IP header checksum is not computed/verified. 243 * 244 * The checksum verification status would be set in mbuf using 245 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 246 * 247 * Inner IP checksum computation can also be enabled(per operation) 248 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 249 */ 250 uint32_t ip_csum_enable : 1; 251 252 /** Compute/verify inner packet L4 checksum in tunnel mode 253 * 254 * * 1: For outbound, compute inner packet L4 checksum before 255 * tunnel encapsulation and for inbound, verify after 256 * tunnel decapsulation. 257 * * 0: Inner packet L4 checksum is not computed/verified. 258 * 259 * The checksum verification status would be set in mbuf using 260 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 261 * 262 * Inner L4 checksum computation can also be enabled(per operation) 263 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 264 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 265 */ 266 uint32_t l4_csum_enable : 1; 267 268 /** Enable IP reassembly on inline inbound packets. 269 * 270 * * 1: Enable driver to try reassembly of encrypted IP packets for 271 * this SA, if supported by the driver. This feature will work 272 * only if user has successfully set IP reassembly config params 273 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 274 * device. PMD need to register mbuf dynamic fields using 275 * rte_eth_ip_reassembly_dynfield_register() and security session 276 * creation would fail if dynfield is not registered successfully. 277 * * 0: Disable IP reassembly of packets (default). 278 */ 279 uint32_t ip_reassembly_en : 1; 280 281 /** Reserved bit fields for future extension 282 * 283 * User should ensure reserved_opts is cleared as it may change in 284 * subsequent releases to support new options. 285 * 286 * Note: Reduce number of bits in reserved_opts for every new option. 287 */ 288 uint32_t reserved_opts : 17; 289 }; 290 291 /** IPSec security association direction */ 292 enum rte_security_ipsec_sa_direction { 293 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 294 /**< Encrypt and generate digest */ 295 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 296 /**< Verify digest and decrypt */ 297 }; 298 299 /** 300 * Configure soft and hard lifetime of an IPsec SA 301 * 302 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 303 * that can be processed. IPsec operations would start failing once any hard 304 * limit is reached. 305 * 306 * Soft limits can be specified to generate notification when the SA is 307 * approaching hard limits for lifetime. For inline operations, reaching soft 308 * expiry limit would result in raising an eth event for the same. For lookaside 309 * operations, this would result in a warning returned in 310 * ``rte_crypto_op.aux_flags``. 311 */ 312 struct rte_security_ipsec_lifetime { 313 uint64_t packets_soft_limit; 314 /**< Soft expiry limit in number of packets */ 315 uint64_t bytes_soft_limit; 316 /**< Soft expiry limit in bytes */ 317 uint64_t packets_hard_limit; 318 /**< Hard expiry limit in number of packets */ 319 uint64_t bytes_hard_limit; 320 /**< Hard expiry limit in bytes */ 321 }; 322 323 /** 324 * IPsec security association configuration data. 325 * 326 * This structure contains data required to create an IPsec SA security session. 327 */ 328 struct rte_security_ipsec_xform { 329 uint32_t spi; 330 /**< SA security parameter index */ 331 uint32_t salt; 332 /**< SA salt */ 333 struct rte_security_ipsec_sa_options options; 334 /**< various SA options */ 335 enum rte_security_ipsec_sa_direction direction; 336 /**< IPSec SA Direction - Egress/Ingress */ 337 enum rte_security_ipsec_sa_protocol proto; 338 /**< IPsec SA Protocol - AH/ESP */ 339 enum rte_security_ipsec_sa_mode mode; 340 /**< IPsec SA Mode - transport/tunnel */ 341 struct rte_security_ipsec_tunnel_param tunnel; 342 /**< Tunnel parameters, NULL for transport mode */ 343 struct rte_security_ipsec_lifetime life; 344 /**< IPsec SA lifetime */ 345 uint32_t replay_win_sz; 346 /**< Anti replay window size to enable sequence replay attack handling. 347 * replay checking is disabled if the window size is 0. 348 */ 349 union { 350 uint64_t value; 351 struct { 352 uint32_t low; 353 uint32_t hi; 354 }; 355 } esn; 356 /**< Extended Sequence Number */ 357 struct rte_security_ipsec_udp_param udp; 358 /**< UDP parameters, ignored when udp_encap option not specified */ 359 }; 360 361 /** 362 * MACSec packet flow direction 363 */ 364 enum rte_security_macsec_direction { 365 /** Generate SecTag and encrypt/authenticate */ 366 RTE_SECURITY_MACSEC_DIR_TX, 367 /** Remove SecTag and decrypt/verify */ 368 RTE_SECURITY_MACSEC_DIR_RX, 369 }; 370 371 /** Maximum number of association numbers for a secure channel. */ 372 #define RTE_SECURITY_MACSEC_NUM_AN 4 373 /** Salt length for MACsec SA. */ 374 #define RTE_SECURITY_MACSEC_SALT_LEN 12 375 376 /** 377 * MACsec secure association (SA) configuration structure. 378 */ 379 struct rte_security_macsec_sa { 380 /** Direction of SA */ 381 enum rte_security_macsec_direction dir; 382 /** MACsec SA key for AES-GCM 128/256 */ 383 struct { 384 const uint8_t *data; /**< pointer to key data */ 385 uint16_t length; /**< key length in bytes */ 386 } key; 387 /** 96-bit value distributed by key agreement protocol */ 388 uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; 389 /** Association number to be used */ 390 uint8_t an : 2; 391 /** Short Secure Channel Identifier, to be used for XPN cases */ 392 uint32_t ssci; 393 /** Extended packet number */ 394 uint32_t xpn; 395 /** Packet number expected/ to be used for next packet of this SA */ 396 uint32_t next_pn; 397 }; 398 399 /** 400 * MACsec Secure Channel configuration parameters. 401 */ 402 struct rte_security_macsec_sc { 403 /** Direction of SC */ 404 enum rte_security_macsec_direction dir; 405 union { 406 struct { 407 /** SAs for each association number */ 408 uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; 409 /** flag to denote which all SAs are in use for each association number */ 410 uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; 411 /** Channel is active */ 412 uint8_t active : 1; 413 /** Reserved bitfields for future */ 414 uint8_t reserved : 7; 415 } sc_rx; 416 struct { 417 uint16_t sa_id; /**< SA ID to be used for encryption */ 418 uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */ 419 uint64_t sci; /**< SCI value to be used if send_sci is set */ 420 uint8_t active : 1; /**< Channel is active */ 421 uint8_t re_key_en : 1; /**< Enable Rekeying */ 422 /** Reserved bitfields for future */ 423 uint8_t reserved : 6; 424 } sc_tx; 425 }; 426 }; 427 428 /** 429 * MACsec Supported Algorithm list as per IEEE Std 802.1AE. 430 */ 431 enum rte_security_macsec_alg { 432 RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ 433 RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ 434 RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ 435 RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ 436 }; 437 438 /** Disable Validation of MACsec frame. */ 439 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 440 /** Validate MACsec frame but do not discard invalid frame. */ 441 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 442 /** Validate MACsec frame and discart invalid frame. */ 443 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 444 /** Do not perform any MACsec operation. */ 445 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 446 447 /** 448 * MACsec security session configuration 449 */ 450 struct rte_security_macsec_xform { 451 /** Direction of flow/secure channel */ 452 enum rte_security_macsec_direction dir; 453 /** MACsec algorithm to be used */ 454 enum rte_security_macsec_alg alg; 455 /** Cipher offset from start of Ethernet header */ 456 uint8_t cipher_off; 457 /** 458 * SCI to be used for RX flow identification or 459 * to set SCI in packet for TX when send_sci is set 460 */ 461 uint64_t sci; 462 /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */ 463 uint16_t sc_id; 464 union { 465 struct { 466 /** MTU for transmit frame (valid for inline processing) */ 467 uint16_t mtu; 468 /** 469 * Offset to insert sectag from start of ethernet header or 470 * from a matching VLAN tag 471 */ 472 uint8_t sectag_off; 473 /** Enable MACsec protection of frames */ 474 uint16_t protect_frames : 1; 475 /** 476 * Sectag insertion mode 477 * If 1, Sectag is inserted at fixed sectag_off set above. 478 * If 0, Sectag is inserted at relative sectag_off from a matching 479 * VLAN tag set. 480 */ 481 uint16_t sectag_insert_mode : 1; 482 /** ICV includes source and destination MAC addresses */ 483 uint16_t icv_include_da_sa : 1; 484 /** Control port is enabled */ 485 uint16_t ctrl_port_enable : 1; 486 /** Version of MACsec header. Should be 0 */ 487 uint16_t sectag_version : 1; 488 /** Enable end station. SCI is not valid */ 489 uint16_t end_station : 1; 490 /** Send SCI along with sectag */ 491 uint16_t send_sci : 1; 492 /** enable secure channel support EPON - single copy broadcast */ 493 uint16_t scb : 1; 494 /** 495 * Enable packet encryption and set RTE_MACSEC_TCI_C and 496 * RTE_MACSEC_TCI_E in sectag 497 */ 498 uint16_t encrypt : 1; 499 /** Reserved bitfields for future */ 500 uint16_t reserved : 7; 501 } tx_secy; 502 struct { 503 /** Replay Window size to be supported */ 504 uint32_t replay_win_sz; 505 /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ 506 uint16_t validate_frames : 2; 507 /** ICV includes source and destination MAC addresses */ 508 uint16_t icv_include_da_sa : 1; 509 /** Control port is enabled */ 510 uint16_t ctrl_port_enable : 1; 511 /** Do not strip SecTAG after processing */ 512 uint16_t preserve_sectag : 1; 513 /** Do not strip ICV from the packet after processing */ 514 uint16_t preserve_icv : 1; 515 /** Enable anti-replay protection */ 516 uint16_t replay_protect : 1; 517 /** Reserved bitfields for future */ 518 uint16_t reserved : 9; 519 } rx_secy; 520 }; 521 }; 522 523 /** 524 * PDCP Mode of session 525 */ 526 enum rte_security_pdcp_domain { 527 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 528 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 529 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 530 }; 531 532 /** PDCP Frame direction */ 533 enum rte_security_pdcp_direction { 534 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 535 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 536 }; 537 538 /** PDCP Sequence Number Size selectors */ 539 enum rte_security_pdcp_sn_size { 540 /** PDCP_SN_SIZE_5: 5bit sequence number */ 541 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 542 /** PDCP_SN_SIZE_7: 7bit sequence number */ 543 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 544 /** PDCP_SN_SIZE_12: 12bit sequence number */ 545 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 546 /** PDCP_SN_SIZE_15: 15bit sequence number */ 547 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 548 /** PDCP_SN_SIZE_18: 18bit sequence number */ 549 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 550 }; 551 552 /** 553 * PDCP security association configuration data. 554 * 555 * This structure contains data required to create a PDCP security session. 556 */ 557 struct rte_security_pdcp_xform { 558 int8_t bearer; /**< PDCP bearer ID */ 559 /** Enable in order delivery, this field shall be set only if 560 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 561 */ 562 uint8_t en_ordering; 563 /** Notify driver/HW to detect and remove duplicate packets. 564 * This field should be set only when driver/hw is capable. 565 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 566 */ 567 uint8_t remove_duplicates; 568 /** PDCP mode of operation: Control or data */ 569 enum rte_security_pdcp_domain domain; 570 /** PDCP Frame Direction 0:UL 1:DL */ 571 enum rte_security_pdcp_direction pkt_dir; 572 /** Sequence number size, 5/7/12/15/18 */ 573 enum rte_security_pdcp_sn_size sn_size; 574 /** Starting Hyper Frame Number to be used together with the SN 575 * from the PDCP frames 576 */ 577 uint32_t hfn; 578 /** HFN Threshold for key renegotiation */ 579 uint32_t hfn_threshold; 580 /** HFN can be given as a per packet value also. 581 * As we do not have IV in case of PDCP, and HFN is 582 * used to generate IV. IV field can be used to get the 583 * per packet HFN while enq/deq. 584 * If hfn_ovrd field is set, user is expected to set the 585 * per packet HFN in place of IV. PMDs will extract the HFN 586 * and perform operations accordingly. 587 */ 588 uint8_t hfn_ovrd; 589 /** In case of 5G NR, a new protocol (SDAP) header may be set 590 * inside PDCP payload which should be authenticated but not 591 * encrypted. Hence, driver should be notified if SDAP is 592 * enabled or not, so that SDAP header is not encrypted. 593 */ 594 uint8_t sdap_enabled; 595 /** Reserved for future */ 596 uint16_t reserved; 597 }; 598 599 /** DOCSIS direction */ 600 enum rte_security_docsis_direction { 601 RTE_SECURITY_DOCSIS_UPLINK, 602 /**< Uplink 603 * - Decryption, followed by CRC Verification 604 */ 605 RTE_SECURITY_DOCSIS_DOWNLINK, 606 /**< Downlink 607 * - CRC Generation, followed by Encryption 608 */ 609 }; 610 611 /** 612 * DOCSIS security session configuration. 613 * 614 * This structure contains data required to create a DOCSIS security session. 615 */ 616 struct rte_security_docsis_xform { 617 enum rte_security_docsis_direction direction; 618 /**< DOCSIS direction */ 619 }; 620 621 /** 622 * Security session action type. 623 */ 624 enum rte_security_session_action_type { 625 RTE_SECURITY_ACTION_TYPE_NONE, 626 /**< No security actions */ 627 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 628 /**< Crypto processing for security protocol is processed inline 629 * during transmission 630 */ 631 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 632 /**< All security protocol processing is performed inline during 633 * transmission 634 */ 635 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 636 /**< All security protocol processing including crypto is performed 637 * on a lookaside accelerator 638 */ 639 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 640 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 641 * protocol is processed synchronously by a CPU. 642 */ 643 }; 644 645 /** Security session protocol definition */ 646 enum rte_security_session_protocol { 647 RTE_SECURITY_PROTOCOL_IPSEC = 1, 648 /**< IPsec Protocol */ 649 RTE_SECURITY_PROTOCOL_MACSEC, 650 /**< MACSec Protocol */ 651 RTE_SECURITY_PROTOCOL_PDCP, 652 /**< PDCP Protocol */ 653 RTE_SECURITY_PROTOCOL_DOCSIS, 654 /**< DOCSIS Protocol */ 655 }; 656 657 /** 658 * Security session configuration 659 */ 660 struct rte_security_session_conf { 661 enum rte_security_session_action_type action_type; 662 /**< Type of action to be performed on the session */ 663 enum rte_security_session_protocol protocol; 664 /**< Security protocol to be configured */ 665 RTE_STD_C11 666 union { 667 struct rte_security_ipsec_xform ipsec; 668 struct rte_security_macsec_xform macsec; 669 struct rte_security_pdcp_xform pdcp; 670 struct rte_security_docsis_xform docsis; 671 }; 672 /**< Configuration parameters for security session */ 673 struct rte_crypto_sym_xform *crypto_xform; 674 /**< Security Session Crypto Transformations. NULL in case of MACsec. */ 675 void *userdata; 676 /**< Application specific userdata to be saved with session */ 677 }; 678 679 struct rte_security_session { 680 void *sess_private_data; 681 /**< Private session material */ 682 uint64_t opaque_data; 683 /**< Opaque user defined data */ 684 }; 685 686 /** 687 * Create security session as specified by the session configuration 688 * 689 * @param instance security instance 690 * @param conf session configuration parameters 691 * @param mp mempool to allocate session objects from 692 * @param priv_mp mempool to allocate session private data objects from 693 * @return 694 * - On success, pointer to session 695 * - On failure, NULL 696 */ 697 struct rte_security_session * 698 rte_security_session_create(struct rte_security_ctx *instance, 699 struct rte_security_session_conf *conf, 700 struct rte_mempool *mp, 701 struct rte_mempool *priv_mp); 702 703 /** 704 * Update security session as specified by the session configuration 705 * 706 * @param instance security instance 707 * @param sess session to update parameters 708 * @param conf update configuration parameters 709 * @return 710 * - On success returns 0 711 * - On failure returns a negative errno value. 712 */ 713 __rte_experimental 714 int 715 rte_security_session_update(struct rte_security_ctx *instance, 716 struct rte_security_session *sess, 717 struct rte_security_session_conf *conf); 718 719 /** 720 * Get the size of the security session data for a device. 721 * 722 * @param instance security instance. 723 * 724 * @return 725 * - Size of the private data, if successful 726 * - 0 if device is invalid or does not support the operation. 727 */ 728 unsigned int 729 rte_security_session_get_size(struct rte_security_ctx *instance); 730 731 /** 732 * Free security session header and the session private data and 733 * return it to its original mempool. 734 * 735 * @param instance security instance 736 * @param sess security session to be freed 737 * 738 * @return 739 * - 0 if successful. 740 * - -EINVAL if session or context instance is NULL. 741 * - -EBUSY if not all device private data has been freed. 742 * - -ENOTSUP if destroying private data is not supported. 743 * - other negative values in case of freeing private data errors. 744 */ 745 int 746 rte_security_session_destroy(struct rte_security_ctx *instance, 747 struct rte_security_session *sess); 748 749 /** 750 * @warning 751 * @b EXPERIMENTAL: this API may change without prior notice 752 * 753 * Create MACsec security channel (SC). 754 * 755 * @param instance security instance 756 * @param conf MACsec SC configuration params 757 * @return 758 * - secure channel ID if successful. 759 * - -EINVAL if configuration params are invalid of instance is NULL. 760 * - -ENOTSUP if device does not support MACsec. 761 * - -ENOMEM if PMD is not capable to create more SC. 762 * - other negative value for other errors. 763 */ 764 __rte_experimental 765 int 766 rte_security_macsec_sc_create(struct rte_security_ctx *instance, 767 struct rte_security_macsec_sc *conf); 768 769 /** 770 * @warning 771 * @b EXPERIMENTAL: this API may change without prior notice 772 * 773 * Destroy MACsec security channel (SC). 774 * 775 * @param instance security instance 776 * @param sc_id SC ID to be destroyed 777 * @return 778 * - 0 if successful. 779 * - -EINVAL if sc_id is invalid or instance is NULL. 780 * - -EBUSY if sc is being used by some session. 781 */ 782 __rte_experimental 783 int 784 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id); 785 786 /** 787 * @warning 788 * @b EXPERIMENTAL: this API may change without prior notice 789 * 790 * Create MACsec security association (SA). 791 * 792 * @param instance security instance 793 * @param conf MACsec SA configuration params 794 * @return 795 * - positive SA ID if successful. 796 * - -EINVAL if configuration params are invalid of instance is NULL. 797 * - -ENOTSUP if device does not support MACsec. 798 * - -ENOMEM if PMD is not capable to create more SAs. 799 * - other negative value for other errors. 800 */ 801 __rte_experimental 802 int 803 rte_security_macsec_sa_create(struct rte_security_ctx *instance, 804 struct rte_security_macsec_sa *conf); 805 806 /** 807 * @warning 808 * @b EXPERIMENTAL: this API may change without prior notice 809 * 810 * Destroy MACsec security association (SA). 811 * 812 * @param instance security instance 813 * @param sa_id SA ID to be destroyed 814 * @return 815 * - 0 if successful. 816 * - -EINVAL if sa_id is invalid or instance is NULL. 817 * - -EBUSY if sa is being used by some session. 818 */ 819 __rte_experimental 820 int 821 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id); 822 823 /** Device-specific metadata field type */ 824 typedef uint64_t rte_security_dynfield_t; 825 /** Dynamic mbuf field for device-specific metadata */ 826 extern int rte_security_dynfield_offset; 827 828 /** 829 * @warning 830 * @b EXPERIMENTAL: this API may change without prior notice 831 * 832 * Get pointer to mbuf field for device-specific metadata. 833 * 834 * For performance reason, no check is done, 835 * the dynamic field may not be registered. 836 * @see rte_security_dynfield_is_registered 837 * 838 * @param mbuf packet to access 839 * @return pointer to mbuf field 840 */ 841 __rte_experimental 842 static inline rte_security_dynfield_t * 843 rte_security_dynfield(struct rte_mbuf *mbuf) 844 { 845 return RTE_MBUF_DYNFIELD(mbuf, 846 rte_security_dynfield_offset, 847 rte_security_dynfield_t *); 848 } 849 850 /** 851 * @warning 852 * @b EXPERIMENTAL: this API may change without prior notice 853 * 854 * Check whether the dynamic field is registered. 855 * 856 * @return true if rte_security_dynfield_register() has been called. 857 */ 858 __rte_experimental 859 static inline bool rte_security_dynfield_is_registered(void) 860 { 861 return rte_security_dynfield_offset >= 0; 862 } 863 864 /** Function to call PMD specific function pointer set_pkt_metadata() */ 865 __rte_experimental 866 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 867 struct rte_security_session *sess, 868 struct rte_mbuf *m, void *params); 869 870 /** 871 * Updates the buffer with device-specific defined metadata 872 * 873 * @param instance security instance 874 * @param sess security session 875 * @param mb packet mbuf to set metadata on. 876 * @param params device-specific defined parameters 877 * required for metadata 878 * 879 * @return 880 * - On success, zero. 881 * - On failure, a negative value. 882 */ 883 static inline int 884 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 885 struct rte_security_session *sess, 886 struct rte_mbuf *mb, void *params) 887 { 888 /* Fast Path */ 889 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 890 *rte_security_dynfield(mb) = 891 (rte_security_dynfield_t)(sess->sess_private_data); 892 return 0; 893 } 894 895 /* Jump to PMD specific function pointer */ 896 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 897 } 898 899 /** Function to call PMD specific function pointer get_userdata() */ 900 __rte_experimental 901 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance, 902 uint64_t md); 903 904 /** 905 * Get userdata associated with the security session. Device specific metadata 906 * provided would be used to uniquely identify the security session being 907 * referred to. This userdata would be registered while creating the session, 908 * and application can use this to identify the SA etc. 909 * 910 * Device specific metadata would be set in mbuf for inline processed inbound 911 * packets. In addition, the same metadata would be set for IPsec events 912 * reported by rte_eth_event framework. 913 * 914 * @param instance security instance 915 * @param md device-specific metadata 916 * 917 * @return 918 * - On success, userdata 919 * - On failure, NULL 920 */ 921 __rte_experimental 922 static inline void * 923 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md) 924 { 925 /* Fast Path */ 926 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA) 927 return (void *)(uintptr_t)md; 928 929 /* Jump to PMD specific function pointer */ 930 return __rte_security_get_userdata(instance, md); 931 } 932 933 /** 934 * Attach a session to a symmetric crypto operation 935 * 936 * @param sym_op crypto operation 937 * @param sess security session 938 */ 939 static inline int 940 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 941 struct rte_security_session *sess) 942 { 943 sym_op->sec_session = sess; 944 945 return 0; 946 } 947 948 static inline void * 949 get_sec_session_private_data(const struct rte_security_session *sess) 950 { 951 return sess->sess_private_data; 952 } 953 954 static inline void 955 set_sec_session_private_data(struct rte_security_session *sess, 956 void *private_data) 957 { 958 sess->sess_private_data = private_data; 959 } 960 961 /** 962 * Attach a session to a crypto operation. 963 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 964 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 965 * defined to perform security operations. 966 * 967 * @param op crypto operation 968 * @param sess security session 969 */ 970 static inline int 971 rte_security_attach_session(struct rte_crypto_op *op, 972 struct rte_security_session *sess) 973 { 974 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 975 return -EINVAL; 976 977 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 978 979 return __rte_security_attach_session(op->sym, sess); 980 } 981 982 struct rte_security_macsec_secy_stats { 983 uint64_t ctl_pkt_bcast_cnt; 984 uint64_t ctl_pkt_mcast_cnt; 985 uint64_t ctl_pkt_ucast_cnt; 986 uint64_t ctl_octet_cnt; 987 uint64_t unctl_pkt_bcast_cnt; 988 uint64_t unctl_pkt_mcast_cnt; 989 uint64_t unctl_pkt_ucast_cnt; 990 uint64_t unctl_octet_cnt; 991 /* Valid only for Rx */ 992 uint64_t octet_decrypted_cnt; 993 uint64_t octet_validated_cnt; 994 uint64_t pkt_port_disabled_cnt; 995 uint64_t pkt_badtag_cnt; 996 uint64_t pkt_nosa_cnt; 997 uint64_t pkt_nosaerror_cnt; 998 uint64_t pkt_tagged_ctl_cnt; 999 uint64_t pkt_untaged_cnt; 1000 uint64_t pkt_ctl_cnt; 1001 uint64_t pkt_notag_cnt; 1002 /* Valid only for Tx */ 1003 uint64_t octet_encrypted_cnt; 1004 uint64_t octet_protected_cnt; 1005 uint64_t pkt_noactivesa_cnt; 1006 uint64_t pkt_toolong_cnt; 1007 uint64_t pkt_untagged_cnt; 1008 }; 1009 1010 struct rte_security_macsec_sc_stats { 1011 /* Rx */ 1012 uint64_t hit_cnt; 1013 uint64_t pkt_invalid_cnt; 1014 uint64_t pkt_late_cnt; 1015 uint64_t pkt_notvalid_cnt; 1016 uint64_t pkt_unchecked_cnt; 1017 uint64_t pkt_delay_cnt; 1018 uint64_t pkt_ok_cnt; 1019 uint64_t octet_decrypt_cnt; 1020 uint64_t octet_validate_cnt; 1021 /* Tx */ 1022 uint64_t pkt_encrypt_cnt; 1023 uint64_t pkt_protected_cnt; 1024 uint64_t octet_encrypt_cnt; 1025 uint64_t octet_protected_cnt; 1026 }; 1027 1028 struct rte_security_macsec_sa_stats { 1029 /* Rx */ 1030 uint64_t pkt_invalid_cnt; 1031 uint64_t pkt_nosaerror_cnt; 1032 uint64_t pkt_notvalid_cnt; 1033 uint64_t pkt_ok_cnt; 1034 uint64_t pkt_nosa_cnt; 1035 /* Tx */ 1036 uint64_t pkt_encrypt_cnt; 1037 uint64_t pkt_protected_cnt; 1038 }; 1039 1040 struct rte_security_ipsec_stats { 1041 uint64_t ipackets; /**< Successfully received IPsec packets. */ 1042 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 1043 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 1044 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 1045 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 1046 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 1047 uint64_t reserved1; /**< Reserved for future use. */ 1048 uint64_t reserved2; /**< Reserved for future use. */ 1049 }; 1050 1051 struct rte_security_pdcp_stats { 1052 uint64_t reserved; 1053 }; 1054 1055 struct rte_security_docsis_stats { 1056 uint64_t reserved; 1057 }; 1058 1059 struct rte_security_stats { 1060 enum rte_security_session_protocol protocol; 1061 /**< Security protocol to be configured */ 1062 1063 RTE_STD_C11 1064 union { 1065 struct rte_security_macsec_secy_stats macsec; 1066 struct rte_security_ipsec_stats ipsec; 1067 struct rte_security_pdcp_stats pdcp; 1068 struct rte_security_docsis_stats docsis; 1069 }; 1070 }; 1071 1072 /** 1073 * Get security session statistics 1074 * 1075 * @param instance security instance 1076 * @param sess security session 1077 * If security session is NULL then global (per security instance) statistics 1078 * will be retrieved, if supported. Global statistics collection is not 1079 * dependent on the per session statistics configuration. 1080 * @param stats statistics 1081 * @return 1082 * - On success, return 0 1083 * - On failure, a negative value 1084 */ 1085 __rte_experimental 1086 int 1087 rte_security_session_stats_get(struct rte_security_ctx *instance, 1088 struct rte_security_session *sess, 1089 struct rte_security_stats *stats); 1090 1091 /** 1092 * @warning 1093 * @b EXPERIMENTAL: this API may change without prior notice 1094 * 1095 * Get MACsec SA statistics. 1096 * 1097 * @param instance security instance 1098 * @param sa_id SA ID for which stats are needed 1099 * @param stats statistics 1100 * @return 1101 * - On success, return 0. 1102 * - On failure, a negative value. 1103 */ 1104 __rte_experimental 1105 int 1106 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, 1107 uint16_t sa_id, 1108 struct rte_security_macsec_sa_stats *stats); 1109 1110 /** 1111 * @warning 1112 * @b EXPERIMENTAL: this API may change without prior notice 1113 * 1114 * Get MACsec SC statistics. 1115 * 1116 * @param instance security instance 1117 * @param sc_id SC ID for which stats are needed 1118 * @param stats SC statistics 1119 * @return 1120 * - On success, return 0. 1121 * - On failure, a negative value. 1122 */ 1123 __rte_experimental 1124 int 1125 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, 1126 uint16_t sc_id, 1127 struct rte_security_macsec_sc_stats *stats); 1128 1129 /** 1130 * Security capability definition 1131 */ 1132 struct rte_security_capability { 1133 enum rte_security_session_action_type action; 1134 /**< Security action type*/ 1135 enum rte_security_session_protocol protocol; 1136 /**< Security protocol */ 1137 RTE_STD_C11 1138 union { 1139 struct { 1140 enum rte_security_ipsec_sa_protocol proto; 1141 /**< IPsec SA protocol */ 1142 enum rte_security_ipsec_sa_mode mode; 1143 /**< IPsec SA mode */ 1144 enum rte_security_ipsec_sa_direction direction; 1145 /**< IPsec SA direction */ 1146 struct rte_security_ipsec_sa_options options; 1147 /**< IPsec SA supported options */ 1148 uint32_t replay_win_sz_max; 1149 /**< IPsec Anti Replay Window Size. A '0' value 1150 * indicates that Anti Replay is not supported. 1151 */ 1152 } ipsec; 1153 /**< IPsec capability */ 1154 struct { 1155 /** MTU supported for inline TX */ 1156 uint16_t mtu; 1157 /** MACsec algorithm to be used */ 1158 enum rte_security_macsec_alg alg; 1159 /** Maximum number of secure channels supported */ 1160 uint16_t max_nb_sc; 1161 /** Maximum number of SAs supported */ 1162 uint16_t max_nb_sa; 1163 /** Maximum number of SAs supported */ 1164 uint16_t max_nb_sess; 1165 /** MACsec anti replay window size */ 1166 uint32_t replay_win_sz; 1167 /** Support Sectag insertion at relative offset */ 1168 uint16_t relative_sectag_insert : 1; 1169 /** Support Sectag insertion at fixed offset */ 1170 uint16_t fixed_sectag_insert : 1; 1171 /** ICV includes source and destination MAC addresses */ 1172 uint16_t icv_include_da_sa : 1; 1173 /** Control port traffic is supported */ 1174 uint16_t ctrl_port_enable : 1; 1175 /** Do not strip SecTAG after processing */ 1176 uint16_t preserve_sectag : 1; 1177 /** Do not strip ICV from the packet after processing */ 1178 uint16_t preserve_icv : 1; 1179 /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ 1180 uint16_t validate_frames : 1; 1181 /** support re-keying on SA expiry */ 1182 uint16_t re_key : 1; 1183 /** support anti replay */ 1184 uint16_t anti_replay : 1; 1185 /** Reserved bitfields for future capabilities */ 1186 uint16_t reserved : 7; 1187 } macsec; 1188 /**< MACsec capability */ 1189 struct { 1190 enum rte_security_pdcp_domain domain; 1191 /**< PDCP mode of operation: Control or data */ 1192 uint32_t capa_flags; 1193 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 1194 } pdcp; 1195 /**< PDCP capability */ 1196 struct { 1197 enum rte_security_docsis_direction direction; 1198 /**< DOCSIS direction */ 1199 } docsis; 1200 /**< DOCSIS capability */ 1201 }; 1202 1203 const struct rte_cryptodev_capabilities *crypto_capabilities; 1204 /**< Corresponding crypto capabilities for security capability */ 1205 1206 uint32_t ol_flags; 1207 /**< Device offload flags */ 1208 }; 1209 1210 /** Underlying Hardware/driver which support PDCP may or may not support 1211 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 1212 * If it is not set, driver/HW assumes packets received are in order 1213 * and it will be application's responsibility to maintain ordering. 1214 */ 1215 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 1216 1217 /** Underlying Hardware/driver which support PDCP may or may not detect 1218 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 1219 * If it is not set, driver/HW assumes there is no duplicate packet received. 1220 */ 1221 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 1222 1223 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 1224 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 1225 */ 1226 1227 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 1228 /**< HW constructs trailer of packets 1229 * Transmitted packets will have the trailer added to them 1230 * by hardware. The next protocol field will be based on 1231 * the mbuf->inner_esp_next_proto field. 1232 */ 1233 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 1234 /**< HW removes trailer of packets 1235 * Received packets have no trailer, the next protocol field 1236 * is supplied in the mbuf->inner_esp_next_proto field. 1237 * Inner packet is not modified. 1238 */ 1239 1240 /** 1241 * Security capability index used to query a security instance for a specific 1242 * security capability 1243 */ 1244 struct rte_security_capability_idx { 1245 enum rte_security_session_action_type action; 1246 enum rte_security_session_protocol protocol; 1247 1248 RTE_STD_C11 1249 union { 1250 struct { 1251 enum rte_security_ipsec_sa_protocol proto; 1252 enum rte_security_ipsec_sa_mode mode; 1253 enum rte_security_ipsec_sa_direction direction; 1254 } ipsec; 1255 struct { 1256 enum rte_security_pdcp_domain domain; 1257 uint32_t capa_flags; 1258 } pdcp; 1259 struct { 1260 enum rte_security_docsis_direction direction; 1261 } docsis; 1262 }; 1263 }; 1264 1265 /** 1266 * Returns array of security instance capabilities 1267 * 1268 * @param instance Security instance. 1269 * 1270 * @return 1271 * - Returns array of security capabilities. 1272 * - Return NULL if no capabilities available. 1273 */ 1274 const struct rte_security_capability * 1275 rte_security_capabilities_get(struct rte_security_ctx *instance); 1276 1277 /** 1278 * Query if a specific capability is available on security instance 1279 * 1280 * @param instance security instance. 1281 * @param idx security capability index to match against 1282 * 1283 * @return 1284 * - Returns pointer to security capability on match of capability 1285 * index criteria. 1286 * - Return NULL if the capability not matched on security instance. 1287 */ 1288 const struct rte_security_capability * 1289 rte_security_capability_get(struct rte_security_ctx *instance, 1290 struct rte_security_capability_idx *idx); 1291 1292 #ifdef __cplusplus 1293 } 1294 #endif 1295 1296 #endif /* _RTE_SECURITY_H_ */ 1297