1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <rte_compat.h> 23 #include <rte_common.h> 24 #include <rte_crypto.h> 25 #include <rte_ip.h> 26 #include <rte_mbuf_dyn.h> 27 28 /** IPSec protocol mode */ 29 enum rte_security_ipsec_sa_mode { 30 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 31 /**< IPSec Transport mode */ 32 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 33 /**< IPSec Tunnel mode */ 34 }; 35 36 /** IPSec Protocol */ 37 enum rte_security_ipsec_sa_protocol { 38 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 39 /**< AH protocol */ 40 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 41 /**< ESP protocol */ 42 }; 43 44 /** IPSEC tunnel type */ 45 enum rte_security_ipsec_tunnel_type { 46 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 47 /**< Outer header is IPv4 */ 48 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 49 /**< Outer header is IPv6 */ 50 }; 51 52 /** 53 * IPSEC tunnel header verification mode 54 * 55 * Controls how outer IP header is verified in inbound. 56 */ 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 58 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 59 60 /** 61 * Security context for crypto/eth devices 62 * 63 * Security instance for each driver to register security operations. 64 * The application can get the security context from the crypto/eth device id 65 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 66 * This structure is used to identify the device(crypto/eth) for which the 67 * security operations need to be performed. 68 */ 69 struct rte_security_ctx { 70 void *device; 71 /**< Crypto/ethernet device attached */ 72 const struct rte_security_ops *ops; 73 /**< Pointer to security ops for the device */ 74 uint16_t sess_cnt; 75 /**< Number of sessions attached to this context */ 76 uint32_t flags; 77 /**< Flags for security context */ 78 }; 79 80 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 81 /**< Driver uses fast metadata update without using driver specific callback */ 82 83 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002 84 /**< Driver provides udata using fast method without using driver specific 85 * callback. For fast mdata and udata, mbuf dynamic field would be registered 86 * by driver via rte_security_dynfield_register(). 87 */ 88 89 /** 90 * IPSEC tunnel parameters 91 * 92 * These parameters are used to build outbound tunnel headers. 93 */ 94 struct rte_security_ipsec_tunnel_param { 95 enum rte_security_ipsec_tunnel_type type; 96 /**< Tunnel type: IPv4 or IPv6 */ 97 RTE_STD_C11 98 union { 99 struct { 100 struct in_addr src_ip; 101 /**< IPv4 source address */ 102 struct in_addr dst_ip; 103 /**< IPv4 destination address */ 104 uint8_t dscp; 105 /**< IPv4 Differentiated Services Code Point */ 106 uint8_t df; 107 /**< IPv4 Don't Fragment bit */ 108 uint8_t ttl; 109 /**< IPv4 Time To Live */ 110 } ipv4; 111 /**< IPv4 header parameters */ 112 struct { 113 struct in6_addr src_addr; 114 /**< IPv6 source address */ 115 struct in6_addr dst_addr; 116 /**< IPv6 destination address */ 117 uint8_t dscp; 118 /**< IPv6 Differentiated Services Code Point */ 119 uint32_t flabel; 120 /**< IPv6 flow label */ 121 uint8_t hlimit; 122 /**< IPv6 hop limit */ 123 } ipv6; 124 /**< IPv6 header parameters */ 125 }; 126 }; 127 128 struct rte_security_ipsec_udp_param { 129 uint16_t sport; 130 uint16_t dport; 131 }; 132 133 /** 134 * IPsec Security Association option flags 135 */ 136 struct rte_security_ipsec_sa_options { 137 /** Extended Sequence Numbers (ESN) 138 * 139 * * 1: Use extended (64 bit) sequence numbers 140 * * 0: Use normal sequence numbers 141 */ 142 uint32_t esn : 1; 143 144 /** UDP encapsulation 145 * 146 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 147 * traverse through NAT boxes. 148 * * 0: No UDP encapsulation 149 */ 150 uint32_t udp_encap : 1; 151 152 /** Copy DSCP bits 153 * 154 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 155 * the outer IP header in encapsulation, and vice versa in 156 * decapsulation. 157 * * 0: Do not change DSCP field. 158 */ 159 uint32_t copy_dscp : 1; 160 161 /** Copy IPv6 Flow Label 162 * 163 * * 1: Copy IPv6 flow label from inner IPv6 header to the 164 * outer IPv6 header. 165 * * 0: Outer header is not modified. 166 */ 167 uint32_t copy_flabel : 1; 168 169 /** Copy IPv4 Don't Fragment bit 170 * 171 * * 1: Copy the DF bit from the inner IPv4 header to the outer 172 * IPv4 header. 173 * * 0: Outer header is not modified. 174 */ 175 uint32_t copy_df : 1; 176 177 /** Decrement inner packet Time To Live (TTL) field 178 * 179 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 180 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 181 * encapsulation. 182 * * 0: Inner packet is not modified. 183 */ 184 uint32_t dec_ttl : 1; 185 186 /** Explicit Congestion Notification (ECN) 187 * 188 * * 1: In tunnel mode, enable outer header ECN Field copied from 189 * inner header in tunnel encapsulation, or inner header ECN 190 * field construction in decapsulation. 191 * * 0: Inner/outer header are not modified. 192 */ 193 uint32_t ecn : 1; 194 195 /** Security statistics 196 * 197 * * 1: Enable per session security statistics collection for 198 * this SA, if supported by the driver. 199 * * 0: Disable per session security statistics collection for this SA. 200 */ 201 uint32_t stats : 1; 202 203 /** Disable IV generation in PMD 204 * 205 * * 1: Disable IV generation in PMD. When disabled, IV provided in 206 * rte_crypto_op will be used by the PMD. 207 * 208 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 209 * value would be used and application is not required to provide 210 * IV. 211 * 212 * Note: For inline cases, IV generation would always need to be handled 213 * by the PMD. 214 */ 215 uint32_t iv_gen_disable : 1; 216 217 /** Verify tunnel header in inbound 218 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 219 * IP address. 220 * 221 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 222 * source and destination IP addresses. 223 */ 224 uint32_t tunnel_hdr_verify : 2; 225 226 /** Verify UDP encapsulation ports in inbound 227 * 228 * * 1: Match UDP source and destination ports 229 * * 0: Do not match UDP ports 230 */ 231 uint32_t udp_ports_verify : 1; 232 233 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 234 * 235 * * 1: For outbound, compute inner packet IPv4 header checksum 236 * before tunnel encapsulation and for inbound, verify after 237 * tunnel decapsulation. 238 * * 0: Inner packet IP header checksum is not computed/verified. 239 * 240 * The checksum verification status would be set in mbuf using 241 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 242 * 243 * Inner IP checksum computation can also be enabled(per operation) 244 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 245 */ 246 uint32_t ip_csum_enable : 1; 247 248 /** Compute/verify inner packet L4 checksum in tunnel mode 249 * 250 * * 1: For outbound, compute inner packet L4 checksum before 251 * tunnel encapsulation and for inbound, verify after 252 * tunnel decapsulation. 253 * * 0: Inner packet L4 checksum is not computed/verified. 254 * 255 * The checksum verification status would be set in mbuf using 256 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 257 * 258 * Inner L4 checksum computation can also be enabled(per operation) 259 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 260 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 261 */ 262 uint32_t l4_csum_enable : 1; 263 264 /** Enable IP reassembly on inline inbound packets. 265 * 266 * * 1: Enable driver to try reassembly of encrypted IP packets for 267 * this SA, if supported by the driver. This feature will work 268 * only if user has successfully set IP reassembly config params 269 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 270 * device. PMD need to register mbuf dynamic fields using 271 * rte_eth_ip_reassembly_dynfield_register() and security session 272 * creation would fail if dynfield is not registered successfully. 273 * * 0: Disable IP reassembly of packets (default). 274 */ 275 uint32_t ip_reassembly_en : 1; 276 277 /** Reserved bit fields for future extension 278 * 279 * User should ensure reserved_opts is cleared as it may change in 280 * subsequent releases to support new options. 281 * 282 * Note: Reduce number of bits in reserved_opts for every new option. 283 */ 284 uint32_t reserved_opts : 17; 285 }; 286 287 /** IPSec security association direction */ 288 enum rte_security_ipsec_sa_direction { 289 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 290 /**< Encrypt and generate digest */ 291 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 292 /**< Verify digest and decrypt */ 293 }; 294 295 /** 296 * Configure soft and hard lifetime of an IPsec SA 297 * 298 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 299 * that can be processed. IPsec operations would start failing once any hard 300 * limit is reached. 301 * 302 * Soft limits can be specified to generate notification when the SA is 303 * approaching hard limits for lifetime. For inline operations, reaching soft 304 * expiry limit would result in raising an eth event for the same. For lookaside 305 * operations, this would result in a warning returned in 306 * ``rte_crypto_op.aux_flags``. 307 */ 308 struct rte_security_ipsec_lifetime { 309 uint64_t packets_soft_limit; 310 /**< Soft expiry limit in number of packets */ 311 uint64_t bytes_soft_limit; 312 /**< Soft expiry limit in bytes */ 313 uint64_t packets_hard_limit; 314 /**< Hard expiry limit in number of packets */ 315 uint64_t bytes_hard_limit; 316 /**< Hard expiry limit in bytes */ 317 }; 318 319 /** 320 * IPsec security association configuration data. 321 * 322 * This structure contains data required to create an IPsec SA security session. 323 */ 324 struct rte_security_ipsec_xform { 325 uint32_t spi; 326 /**< SA security parameter index */ 327 uint32_t salt; 328 /**< SA salt */ 329 struct rte_security_ipsec_sa_options options; 330 /**< various SA options */ 331 enum rte_security_ipsec_sa_direction direction; 332 /**< IPSec SA Direction - Egress/Ingress */ 333 enum rte_security_ipsec_sa_protocol proto; 334 /**< IPsec SA Protocol - AH/ESP */ 335 enum rte_security_ipsec_sa_mode mode; 336 /**< IPsec SA Mode - transport/tunnel */ 337 struct rte_security_ipsec_tunnel_param tunnel; 338 /**< Tunnel parameters, NULL for transport mode */ 339 struct rte_security_ipsec_lifetime life; 340 /**< IPsec SA lifetime */ 341 uint32_t replay_win_sz; 342 /**< Anti replay window size to enable sequence replay attack handling. 343 * replay checking is disabled if the window size is 0. 344 */ 345 union { 346 uint64_t value; 347 struct { 348 uint32_t low; 349 uint32_t hi; 350 }; 351 } esn; 352 /**< Extended Sequence Number */ 353 struct rte_security_ipsec_udp_param udp; 354 /**< UDP parameters, ignored when udp_encap option not specified */ 355 }; 356 357 /** 358 * MACsec security session configuration 359 */ 360 struct rte_security_macsec_xform { 361 /** To be Filled */ 362 int dummy; 363 }; 364 365 /** 366 * PDCP Mode of session 367 */ 368 enum rte_security_pdcp_domain { 369 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 370 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 371 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 372 }; 373 374 /** PDCP Frame direction */ 375 enum rte_security_pdcp_direction { 376 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 377 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 378 }; 379 380 /** PDCP Sequence Number Size selectors */ 381 enum rte_security_pdcp_sn_size { 382 /** PDCP_SN_SIZE_5: 5bit sequence number */ 383 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 384 /** PDCP_SN_SIZE_7: 7bit sequence number */ 385 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 386 /** PDCP_SN_SIZE_12: 12bit sequence number */ 387 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 388 /** PDCP_SN_SIZE_15: 15bit sequence number */ 389 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 390 /** PDCP_SN_SIZE_18: 18bit sequence number */ 391 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 392 }; 393 394 /** 395 * PDCP security association configuration data. 396 * 397 * This structure contains data required to create a PDCP security session. 398 */ 399 struct rte_security_pdcp_xform { 400 int8_t bearer; /**< PDCP bearer ID */ 401 /** Enable in order delivery, this field shall be set only if 402 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 403 */ 404 uint8_t en_ordering; 405 /** Notify driver/HW to detect and remove duplicate packets. 406 * This field should be set only when driver/hw is capable. 407 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 408 */ 409 uint8_t remove_duplicates; 410 /** PDCP mode of operation: Control or data */ 411 enum rte_security_pdcp_domain domain; 412 /** PDCP Frame Direction 0:UL 1:DL */ 413 enum rte_security_pdcp_direction pkt_dir; 414 /** Sequence number size, 5/7/12/15/18 */ 415 enum rte_security_pdcp_sn_size sn_size; 416 /** Starting Hyper Frame Number to be used together with the SN 417 * from the PDCP frames 418 */ 419 uint32_t hfn; 420 /** HFN Threshold for key renegotiation */ 421 uint32_t hfn_threshold; 422 /** HFN can be given as a per packet value also. 423 * As we do not have IV in case of PDCP, and HFN is 424 * used to generate IV. IV field can be used to get the 425 * per packet HFN while enq/deq. 426 * If hfn_ovrd field is set, user is expected to set the 427 * per packet HFN in place of IV. PMDs will extract the HFN 428 * and perform operations accordingly. 429 */ 430 uint8_t hfn_ovrd; 431 /** In case of 5G NR, a new protocol (SDAP) header may be set 432 * inside PDCP payload which should be authenticated but not 433 * encrypted. Hence, driver should be notified if SDAP is 434 * enabled or not, so that SDAP header is not encrypted. 435 */ 436 uint8_t sdap_enabled; 437 /** Reserved for future */ 438 uint16_t reserved; 439 }; 440 441 /** DOCSIS direction */ 442 enum rte_security_docsis_direction { 443 RTE_SECURITY_DOCSIS_UPLINK, 444 /**< Uplink 445 * - Decryption, followed by CRC Verification 446 */ 447 RTE_SECURITY_DOCSIS_DOWNLINK, 448 /**< Downlink 449 * - CRC Generation, followed by Encryption 450 */ 451 }; 452 453 /** 454 * DOCSIS security session configuration. 455 * 456 * This structure contains data required to create a DOCSIS security session. 457 */ 458 struct rte_security_docsis_xform { 459 enum rte_security_docsis_direction direction; 460 /**< DOCSIS direction */ 461 }; 462 463 /** 464 * Security session action type. 465 */ 466 enum rte_security_session_action_type { 467 RTE_SECURITY_ACTION_TYPE_NONE, 468 /**< No security actions */ 469 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 470 /**< Crypto processing for security protocol is processed inline 471 * during transmission 472 */ 473 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 474 /**< All security protocol processing is performed inline during 475 * transmission 476 */ 477 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 478 /**< All security protocol processing including crypto is performed 479 * on a lookaside accelerator 480 */ 481 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 482 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 483 * protocol is processed synchronously by a CPU. 484 */ 485 }; 486 487 /** Security session protocol definition */ 488 enum rte_security_session_protocol { 489 RTE_SECURITY_PROTOCOL_IPSEC = 1, 490 /**< IPsec Protocol */ 491 RTE_SECURITY_PROTOCOL_MACSEC, 492 /**< MACSec Protocol */ 493 RTE_SECURITY_PROTOCOL_PDCP, 494 /**< PDCP Protocol */ 495 RTE_SECURITY_PROTOCOL_DOCSIS, 496 /**< DOCSIS Protocol */ 497 }; 498 499 /** 500 * Security session configuration 501 */ 502 struct rte_security_session_conf { 503 enum rte_security_session_action_type action_type; 504 /**< Type of action to be performed on the session */ 505 enum rte_security_session_protocol protocol; 506 /**< Security protocol to be configured */ 507 RTE_STD_C11 508 union { 509 struct rte_security_ipsec_xform ipsec; 510 struct rte_security_macsec_xform macsec; 511 struct rte_security_pdcp_xform pdcp; 512 struct rte_security_docsis_xform docsis; 513 }; 514 /**< Configuration parameters for security session */ 515 struct rte_crypto_sym_xform *crypto_xform; 516 /**< Security Session Crypto Transformations */ 517 void *userdata; 518 /**< Application specific userdata to be saved with session */ 519 }; 520 521 struct rte_security_session { 522 void *sess_private_data; 523 /**< Private session material */ 524 uint64_t opaque_data; 525 /**< Opaque user defined data */ 526 }; 527 528 /** 529 * Create security session as specified by the session configuration 530 * 531 * @param instance security instance 532 * @param conf session configuration parameters 533 * @param mp mempool to allocate session objects from 534 * @param priv_mp mempool to allocate session private data objects from 535 * @return 536 * - On success, pointer to session 537 * - On failure, NULL 538 */ 539 struct rte_security_session * 540 rte_security_session_create(struct rte_security_ctx *instance, 541 struct rte_security_session_conf *conf, 542 struct rte_mempool *mp, 543 struct rte_mempool *priv_mp); 544 545 /** 546 * Update security session as specified by the session configuration 547 * 548 * @param instance security instance 549 * @param sess session to update parameters 550 * @param conf update configuration parameters 551 * @return 552 * - On success returns 0 553 * - On failure returns a negative errno value. 554 */ 555 __rte_experimental 556 int 557 rte_security_session_update(struct rte_security_ctx *instance, 558 struct rte_security_session *sess, 559 struct rte_security_session_conf *conf); 560 561 /** 562 * Get the size of the security session data for a device. 563 * 564 * @param instance security instance. 565 * 566 * @return 567 * - Size of the private data, if successful 568 * - 0 if device is invalid or does not support the operation. 569 */ 570 unsigned int 571 rte_security_session_get_size(struct rte_security_ctx *instance); 572 573 /** 574 * Free security session header and the session private data and 575 * return it to its original mempool. 576 * 577 * @param instance security instance 578 * @param sess security session to be freed 579 * 580 * @return 581 * - 0 if successful. 582 * - -EINVAL if session or context instance is NULL. 583 * - -EBUSY if not all device private data has been freed. 584 * - -ENOTSUP if destroying private data is not supported. 585 * - other negative values in case of freeing private data errors. 586 */ 587 int 588 rte_security_session_destroy(struct rte_security_ctx *instance, 589 struct rte_security_session *sess); 590 591 /** Device-specific metadata field type */ 592 typedef uint64_t rte_security_dynfield_t; 593 /** Dynamic mbuf field for device-specific metadata */ 594 extern int rte_security_dynfield_offset; 595 596 /** 597 * @warning 598 * @b EXPERIMENTAL: this API may change without prior notice 599 * 600 * Get pointer to mbuf field for device-specific metadata. 601 * 602 * For performance reason, no check is done, 603 * the dynamic field may not be registered. 604 * @see rte_security_dynfield_is_registered 605 * 606 * @param mbuf packet to access 607 * @return pointer to mbuf field 608 */ 609 __rte_experimental 610 static inline rte_security_dynfield_t * 611 rte_security_dynfield(struct rte_mbuf *mbuf) 612 { 613 return RTE_MBUF_DYNFIELD(mbuf, 614 rte_security_dynfield_offset, 615 rte_security_dynfield_t *); 616 } 617 618 /** 619 * @warning 620 * @b EXPERIMENTAL: this API may change without prior notice 621 * 622 * Check whether the dynamic field is registered. 623 * 624 * @return true if rte_security_dynfield_register() has been called. 625 */ 626 __rte_experimental 627 static inline bool rte_security_dynfield_is_registered(void) 628 { 629 return rte_security_dynfield_offset >= 0; 630 } 631 632 /** Function to call PMD specific function pointer set_pkt_metadata() */ 633 __rte_experimental 634 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 635 struct rte_security_session *sess, 636 struct rte_mbuf *m, void *params); 637 638 /** 639 * Updates the buffer with device-specific defined metadata 640 * 641 * @param instance security instance 642 * @param sess security session 643 * @param mb packet mbuf to set metadata on. 644 * @param params device-specific defined parameters 645 * required for metadata 646 * 647 * @return 648 * - On success, zero. 649 * - On failure, a negative value. 650 */ 651 static inline int 652 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 653 struct rte_security_session *sess, 654 struct rte_mbuf *mb, void *params) 655 { 656 /* Fast Path */ 657 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 658 *rte_security_dynfield(mb) = 659 (rte_security_dynfield_t)(sess->sess_private_data); 660 return 0; 661 } 662 663 /* Jump to PMD specific function pointer */ 664 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 665 } 666 667 /** Function to call PMD specific function pointer get_userdata() */ 668 __rte_experimental 669 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance, 670 uint64_t md); 671 672 /** 673 * Get userdata associated with the security session. Device specific metadata 674 * provided would be used to uniquely identify the security session being 675 * referred to. This userdata would be registered while creating the session, 676 * and application can use this to identify the SA etc. 677 * 678 * Device specific metadata would be set in mbuf for inline processed inbound 679 * packets. In addition, the same metadata would be set for IPsec events 680 * reported by rte_eth_event framework. 681 * 682 * @param instance security instance 683 * @param md device-specific metadata 684 * 685 * @return 686 * - On success, userdata 687 * - On failure, NULL 688 */ 689 __rte_experimental 690 static inline void * 691 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md) 692 { 693 /* Fast Path */ 694 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA) 695 return (void *)(uintptr_t)md; 696 697 /* Jump to PMD specific function pointer */ 698 return __rte_security_get_userdata(instance, md); 699 } 700 701 /** 702 * Attach a session to a symmetric crypto operation 703 * 704 * @param sym_op crypto operation 705 * @param sess security session 706 */ 707 static inline int 708 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 709 struct rte_security_session *sess) 710 { 711 sym_op->sec_session = sess; 712 713 return 0; 714 } 715 716 static inline void * 717 get_sec_session_private_data(const struct rte_security_session *sess) 718 { 719 return sess->sess_private_data; 720 } 721 722 static inline void 723 set_sec_session_private_data(struct rte_security_session *sess, 724 void *private_data) 725 { 726 sess->sess_private_data = private_data; 727 } 728 729 /** 730 * Attach a session to a crypto operation. 731 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 732 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 733 * defined to perform security operations. 734 * 735 * @param op crypto operation 736 * @param sess security session 737 */ 738 static inline int 739 rte_security_attach_session(struct rte_crypto_op *op, 740 struct rte_security_session *sess) 741 { 742 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 743 return -EINVAL; 744 745 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 746 747 return __rte_security_attach_session(op->sym, sess); 748 } 749 750 struct rte_security_macsec_stats { 751 uint64_t reserved; 752 }; 753 754 struct rte_security_ipsec_stats { 755 uint64_t ipackets; /**< Successfully received IPsec packets. */ 756 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 757 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 758 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 759 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 760 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 761 uint64_t reserved1; /**< Reserved for future use. */ 762 uint64_t reserved2; /**< Reserved for future use. */ 763 }; 764 765 struct rte_security_pdcp_stats { 766 uint64_t reserved; 767 }; 768 769 struct rte_security_docsis_stats { 770 uint64_t reserved; 771 }; 772 773 struct rte_security_stats { 774 enum rte_security_session_protocol protocol; 775 /**< Security protocol to be configured */ 776 777 RTE_STD_C11 778 union { 779 struct rte_security_macsec_stats macsec; 780 struct rte_security_ipsec_stats ipsec; 781 struct rte_security_pdcp_stats pdcp; 782 struct rte_security_docsis_stats docsis; 783 }; 784 }; 785 786 /** 787 * Get security session statistics 788 * 789 * @param instance security instance 790 * @param sess security session 791 * If security session is NULL then global (per security instance) statistics 792 * will be retrieved, if supported. Global statistics collection is not 793 * dependent on the per session statistics configuration. 794 * @param stats statistics 795 * @return 796 * - On success, return 0 797 * - On failure, a negative value 798 */ 799 __rte_experimental 800 int 801 rte_security_session_stats_get(struct rte_security_ctx *instance, 802 struct rte_security_session *sess, 803 struct rte_security_stats *stats); 804 805 /** 806 * Security capability definition 807 */ 808 struct rte_security_capability { 809 enum rte_security_session_action_type action; 810 /**< Security action type*/ 811 enum rte_security_session_protocol protocol; 812 /**< Security protocol */ 813 RTE_STD_C11 814 union { 815 struct { 816 enum rte_security_ipsec_sa_protocol proto; 817 /**< IPsec SA protocol */ 818 enum rte_security_ipsec_sa_mode mode; 819 /**< IPsec SA mode */ 820 enum rte_security_ipsec_sa_direction direction; 821 /**< IPsec SA direction */ 822 struct rte_security_ipsec_sa_options options; 823 /**< IPsec SA supported options */ 824 uint32_t replay_win_sz_max; 825 /**< IPsec Anti Replay Window Size. A '0' value 826 * indicates that Anti Replay is not supported. 827 */ 828 } ipsec; 829 /**< IPsec capability */ 830 struct { 831 /* To be Filled */ 832 int dummy; 833 } macsec; 834 /**< MACsec capability */ 835 struct { 836 enum rte_security_pdcp_domain domain; 837 /**< PDCP mode of operation: Control or data */ 838 uint32_t capa_flags; 839 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 840 } pdcp; 841 /**< PDCP capability */ 842 struct { 843 enum rte_security_docsis_direction direction; 844 /**< DOCSIS direction */ 845 } docsis; 846 /**< DOCSIS capability */ 847 }; 848 849 const struct rte_cryptodev_capabilities *crypto_capabilities; 850 /**< Corresponding crypto capabilities for security capability */ 851 852 uint32_t ol_flags; 853 /**< Device offload flags */ 854 }; 855 856 /** Underlying Hardware/driver which support PDCP may or may not support 857 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 858 * If it is not set, driver/HW assumes packets received are in order 859 * and it will be application's responsibility to maintain ordering. 860 */ 861 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 862 863 /** Underlying Hardware/driver which support PDCP may or may not detect 864 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 865 * If it is not set, driver/HW assumes there is no duplicate packet received. 866 */ 867 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 868 869 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 870 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 871 */ 872 873 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 874 /**< HW constructs trailer of packets 875 * Transmitted packets will have the trailer added to them 876 * by hardware. The next protocol field will be based on 877 * the mbuf->inner_esp_next_proto field. 878 */ 879 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 880 /**< HW removes trailer of packets 881 * Received packets have no trailer, the next protocol field 882 * is supplied in the mbuf->inner_esp_next_proto field. 883 * Inner packet is not modified. 884 */ 885 886 /** 887 * Security capability index used to query a security instance for a specific 888 * security capability 889 */ 890 struct rte_security_capability_idx { 891 enum rte_security_session_action_type action; 892 enum rte_security_session_protocol protocol; 893 894 RTE_STD_C11 895 union { 896 struct { 897 enum rte_security_ipsec_sa_protocol proto; 898 enum rte_security_ipsec_sa_mode mode; 899 enum rte_security_ipsec_sa_direction direction; 900 } ipsec; 901 struct { 902 enum rte_security_pdcp_domain domain; 903 uint32_t capa_flags; 904 } pdcp; 905 struct { 906 enum rte_security_docsis_direction direction; 907 } docsis; 908 }; 909 }; 910 911 /** 912 * Returns array of security instance capabilities 913 * 914 * @param instance Security instance. 915 * 916 * @return 917 * - Returns array of security capabilities. 918 * - Return NULL if no capabilities available. 919 */ 920 const struct rte_security_capability * 921 rte_security_capabilities_get(struct rte_security_ctx *instance); 922 923 /** 924 * Query if a specific capability is available on security instance 925 * 926 * @param instance security instance. 927 * @param idx security capability index to match against 928 * 929 * @return 930 * - Returns pointer to security capability on match of capability 931 * index criteria. 932 * - Return NULL if the capability not matched on security instance. 933 */ 934 const struct rte_security_capability * 935 rte_security_capability_get(struct rte_security_ctx *instance, 936 struct rte_security_capability_idx *idx); 937 938 #ifdef __cplusplus 939 } 940 #endif 941 942 #endif /* _RTE_SECURITY_H_ */ 943