1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <rte_compat.h> 23 #include <rte_common.h> 24 #include <rte_crypto.h> 25 #include <rte_ip.h> 26 #include <rte_mbuf_dyn.h> 27 28 /** IPSec protocol mode */ 29 enum rte_security_ipsec_sa_mode { 30 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 31 /**< IPSec Transport mode */ 32 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 33 /**< IPSec Tunnel mode */ 34 }; 35 36 /** IPSec Protocol */ 37 enum rte_security_ipsec_sa_protocol { 38 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 39 /**< AH protocol */ 40 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 41 /**< ESP protocol */ 42 }; 43 44 /** IPSEC tunnel type */ 45 enum rte_security_ipsec_tunnel_type { 46 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 47 /**< Outer header is IPv4 */ 48 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 49 /**< Outer header is IPv6 */ 50 }; 51 52 /** 53 * IPSEC tunnel header verification mode 54 * 55 * Controls how outer IP header is verified in inbound. 56 */ 57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 58 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 59 60 /** 61 * Security context for crypto/eth devices 62 * 63 * Security instance for each driver to register security operations. 64 * The application can get the security context from the crypto/eth device id 65 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 66 * This structure is used to identify the device(crypto/eth) for which the 67 * security operations need to be performed. 68 */ 69 struct rte_security_ctx { 70 void *device; 71 /**< Crypto/ethernet device attached */ 72 const struct rte_security_ops *ops; 73 /**< Pointer to security ops for the device */ 74 uint16_t sess_cnt; 75 /**< Number of sessions attached to this context */ 76 uint16_t macsec_sc_cnt; 77 /**< Number of MACsec SC attached to this context */ 78 uint16_t macsec_sa_cnt; 79 /**< Number of MACsec SA attached to this context */ 80 uint32_t flags; 81 /**< Flags for security context */ 82 }; 83 84 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 85 /**< Driver uses fast metadata update without using driver specific callback. 86 * For fast mdata, mbuf dynamic field would be registered by driver 87 * via rte_security_dynfield_register(). 88 */ 89 90 /** 91 * IPSEC tunnel parameters 92 * 93 * These parameters are used to build outbound tunnel headers. 94 */ 95 struct rte_security_ipsec_tunnel_param { 96 enum rte_security_ipsec_tunnel_type type; 97 /**< Tunnel type: IPv4 or IPv6 */ 98 RTE_STD_C11 99 union { 100 struct { 101 struct in_addr src_ip; 102 /**< IPv4 source address */ 103 struct in_addr dst_ip; 104 /**< IPv4 destination address */ 105 uint8_t dscp; 106 /**< IPv4 Differentiated Services Code Point */ 107 uint8_t df; 108 /**< IPv4 Don't Fragment bit */ 109 uint8_t ttl; 110 /**< IPv4 Time To Live */ 111 } ipv4; 112 /**< IPv4 header parameters */ 113 struct { 114 struct in6_addr src_addr; 115 /**< IPv6 source address */ 116 struct in6_addr dst_addr; 117 /**< IPv6 destination address */ 118 uint8_t dscp; 119 /**< IPv6 Differentiated Services Code Point */ 120 uint32_t flabel; 121 /**< IPv6 flow label */ 122 uint8_t hlimit; 123 /**< IPv6 hop limit */ 124 } ipv6; 125 /**< IPv6 header parameters */ 126 }; 127 }; 128 129 struct rte_security_ipsec_udp_param { 130 uint16_t sport; 131 uint16_t dport; 132 }; 133 134 /** 135 * IPsec Security Association option flags 136 */ 137 struct rte_security_ipsec_sa_options { 138 /** Extended Sequence Numbers (ESN) 139 * 140 * * 1: Use extended (64 bit) sequence numbers 141 * * 0: Use normal sequence numbers 142 */ 143 uint32_t esn : 1; 144 145 /** UDP encapsulation 146 * 147 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 148 * traverse through NAT boxes. 149 * * 0: No UDP encapsulation 150 */ 151 uint32_t udp_encap : 1; 152 153 /** Copy DSCP bits 154 * 155 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 156 * the outer IP header in encapsulation, and vice versa in 157 * decapsulation. 158 * * 0: Do not change DSCP field. 159 */ 160 uint32_t copy_dscp : 1; 161 162 /** Copy IPv6 Flow Label 163 * 164 * * 1: Copy IPv6 flow label from inner IPv6 header to the 165 * outer IPv6 header. 166 * * 0: Outer header is not modified. 167 */ 168 uint32_t copy_flabel : 1; 169 170 /** Copy IPv4 Don't Fragment bit 171 * 172 * * 1: Copy the DF bit from the inner IPv4 header to the outer 173 * IPv4 header. 174 * * 0: Outer header is not modified. 175 */ 176 uint32_t copy_df : 1; 177 178 /** Decrement inner packet Time To Live (TTL) field 179 * 180 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 181 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 182 * encapsulation. 183 * * 0: Inner packet is not modified. 184 */ 185 uint32_t dec_ttl : 1; 186 187 /** Explicit Congestion Notification (ECN) 188 * 189 * * 1: In tunnel mode, enable outer header ECN Field copied from 190 * inner header in tunnel encapsulation, or inner header ECN 191 * field construction in decapsulation. 192 * * 0: Inner/outer header are not modified. 193 */ 194 uint32_t ecn : 1; 195 196 /** Security statistics 197 * 198 * * 1: Enable per session security statistics collection for 199 * this SA, if supported by the driver. 200 * * 0: Disable per session security statistics collection for this SA. 201 */ 202 uint32_t stats : 1; 203 204 /** Disable IV generation in PMD 205 * 206 * * 1: Disable IV generation in PMD. When disabled, IV provided in 207 * rte_crypto_op will be used by the PMD. 208 * 209 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 210 * value would be used and application is not required to provide 211 * IV. 212 * 213 * Note: For inline cases, IV generation would always need to be handled 214 * by the PMD. 215 */ 216 uint32_t iv_gen_disable : 1; 217 218 /** Verify tunnel header in inbound 219 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 220 * IP address. 221 * 222 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 223 * source and destination IP addresses. 224 */ 225 uint32_t tunnel_hdr_verify : 2; 226 227 /** Verify UDP encapsulation ports in inbound 228 * 229 * * 1: Match UDP source and destination ports 230 * * 0: Do not match UDP ports 231 */ 232 uint32_t udp_ports_verify : 1; 233 234 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 235 * 236 * * 1: For outbound, compute inner packet IPv4 header checksum 237 * before tunnel encapsulation and for inbound, verify after 238 * tunnel decapsulation. 239 * * 0: Inner packet IP header checksum is not computed/verified. 240 * 241 * The checksum verification status would be set in mbuf using 242 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 243 * 244 * Inner IP checksum computation can also be enabled(per operation) 245 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 246 */ 247 uint32_t ip_csum_enable : 1; 248 249 /** Compute/verify inner packet L4 checksum in tunnel mode 250 * 251 * * 1: For outbound, compute inner packet L4 checksum before 252 * tunnel encapsulation and for inbound, verify after 253 * tunnel decapsulation. 254 * * 0: Inner packet L4 checksum is not computed/verified. 255 * 256 * The checksum verification status would be set in mbuf using 257 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 258 * 259 * Inner L4 checksum computation can also be enabled(per operation) 260 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 261 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 262 */ 263 uint32_t l4_csum_enable : 1; 264 265 /** Enable IP reassembly on inline inbound packets. 266 * 267 * * 1: Enable driver to try reassembly of encrypted IP packets for 268 * this SA, if supported by the driver. This feature will work 269 * only if user has successfully set IP reassembly config params 270 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 271 * device. PMD need to register mbuf dynamic fields using 272 * rte_eth_ip_reassembly_dynfield_register() and security session 273 * creation would fail if dynfield is not registered successfully. 274 * * 0: Disable IP reassembly of packets (default). 275 */ 276 uint32_t ip_reassembly_en : 1; 277 278 /** Reserved bit fields for future extension 279 * 280 * User should ensure reserved_opts is cleared as it may change in 281 * subsequent releases to support new options. 282 * 283 * Note: Reduce number of bits in reserved_opts for every new option. 284 */ 285 uint32_t reserved_opts : 17; 286 }; 287 288 /** IPSec security association direction */ 289 enum rte_security_ipsec_sa_direction { 290 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 291 /**< Encrypt and generate digest */ 292 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 293 /**< Verify digest and decrypt */ 294 }; 295 296 /** 297 * Configure soft and hard lifetime of an IPsec SA 298 * 299 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 300 * that can be processed. IPsec operations would start failing once any hard 301 * limit is reached. 302 * 303 * Soft limits can be specified to generate notification when the SA is 304 * approaching hard limits for lifetime. For inline operations, reaching soft 305 * expiry limit would result in raising an eth event for the same. For lookaside 306 * operations, this would result in a warning returned in 307 * ``rte_crypto_op.aux_flags``. 308 */ 309 struct rte_security_ipsec_lifetime { 310 uint64_t packets_soft_limit; 311 /**< Soft expiry limit in number of packets */ 312 uint64_t bytes_soft_limit; 313 /**< Soft expiry limit in bytes */ 314 uint64_t packets_hard_limit; 315 /**< Hard expiry limit in number of packets */ 316 uint64_t bytes_hard_limit; 317 /**< Hard expiry limit in bytes */ 318 }; 319 320 /** 321 * IPsec security association configuration data. 322 * 323 * This structure contains data required to create an IPsec SA security session. 324 */ 325 struct rte_security_ipsec_xform { 326 uint32_t spi; 327 /**< SA security parameter index */ 328 uint32_t salt; 329 /**< SA salt */ 330 struct rte_security_ipsec_sa_options options; 331 /**< various SA options */ 332 enum rte_security_ipsec_sa_direction direction; 333 /**< IPSec SA Direction - Egress/Ingress */ 334 enum rte_security_ipsec_sa_protocol proto; 335 /**< IPsec SA Protocol - AH/ESP */ 336 enum rte_security_ipsec_sa_mode mode; 337 /**< IPsec SA Mode - transport/tunnel */ 338 struct rte_security_ipsec_tunnel_param tunnel; 339 /**< Tunnel parameters, NULL for transport mode */ 340 struct rte_security_ipsec_lifetime life; 341 /**< IPsec SA lifetime */ 342 uint32_t replay_win_sz; 343 /**< Anti replay window size to enable sequence replay attack handling. 344 * replay checking is disabled if the window size is 0. 345 */ 346 union { 347 uint64_t value; 348 struct { 349 uint32_t low; 350 uint32_t hi; 351 }; 352 } esn; 353 /**< Extended Sequence Number */ 354 struct rte_security_ipsec_udp_param udp; 355 /**< UDP parameters, ignored when udp_encap option not specified */ 356 }; 357 358 /** 359 * MACSec packet flow direction 360 */ 361 enum rte_security_macsec_direction { 362 /** Generate SecTag and encrypt/authenticate */ 363 RTE_SECURITY_MACSEC_DIR_TX, 364 /** Remove SecTag and decrypt/verify */ 365 RTE_SECURITY_MACSEC_DIR_RX, 366 }; 367 368 /** Maximum number of association numbers for a secure channel. */ 369 #define RTE_SECURITY_MACSEC_NUM_AN 4 370 /** Salt length for MACsec SA. */ 371 #define RTE_SECURITY_MACSEC_SALT_LEN 12 372 373 /** 374 * MACsec secure association (SA) configuration structure. 375 */ 376 struct rte_security_macsec_sa { 377 /** Direction of SA */ 378 enum rte_security_macsec_direction dir; 379 /** MACsec SA key for AES-GCM 128/256 */ 380 struct { 381 const uint8_t *data; /**< pointer to key data */ 382 uint16_t length; /**< key length in bytes */ 383 } key; 384 /** 96-bit value distributed by key agreement protocol */ 385 uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN]; 386 /** Association number to be used */ 387 uint8_t an : 2; 388 /** Short Secure Channel Identifier, to be used for XPN cases */ 389 uint32_t ssci; 390 /** Extended packet number */ 391 uint32_t xpn; 392 /** Packet number expected/ to be used for next packet of this SA */ 393 uint32_t next_pn; 394 }; 395 396 /** 397 * MACsec Secure Channel configuration parameters. 398 */ 399 struct rte_security_macsec_sc { 400 /** Direction of SC */ 401 enum rte_security_macsec_direction dir; 402 /** Packet number threshold */ 403 uint64_t pn_threshold; 404 union { 405 struct { 406 /** SAs for each association number */ 407 uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN]; 408 /** flag to denote which all SAs are in use for each association number */ 409 uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN]; 410 /** Channel is active */ 411 uint8_t active : 1; 412 /** Extended packet number is enabled for SAs */ 413 uint8_t is_xpn : 1; 414 /** Reserved bitfields for future */ 415 uint8_t reserved : 6; 416 } sc_rx; 417 struct { 418 uint16_t sa_id; /**< SA ID to be used for encryption */ 419 uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */ 420 uint64_t sci; /**< SCI value to be used if send_sci is set */ 421 uint8_t active : 1; /**< Channel is active */ 422 uint8_t re_key_en : 1; /**< Enable Rekeying */ 423 /** Extended packet number is enabled for SAs */ 424 uint8_t is_xpn : 1; 425 /** Reserved bitfields for future */ 426 uint8_t reserved : 5; 427 } sc_tx; 428 }; 429 }; 430 431 /** 432 * MACsec Supported Algorithm list as per IEEE Std 802.1AE. 433 */ 434 enum rte_security_macsec_alg { 435 RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */ 436 RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */ 437 RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */ 438 RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */ 439 }; 440 441 /** Disable Validation of MACsec frame. */ 442 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0 443 /** Validate MACsec frame but do not discard invalid frame. */ 444 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1 445 /** Validate MACsec frame and discart invalid frame. */ 446 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2 447 /** Do not perform any MACsec operation. */ 448 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3 449 450 /** 451 * MACsec security session configuration 452 */ 453 struct rte_security_macsec_xform { 454 /** Direction of flow/secure channel */ 455 enum rte_security_macsec_direction dir; 456 /** MACsec algorithm to be used */ 457 enum rte_security_macsec_alg alg; 458 /** Cipher offset from start of Ethernet header */ 459 uint8_t cipher_off; 460 /** 461 * SCI to be used for RX flow identification or 462 * to set SCI in packet for TX when send_sci is set 463 */ 464 uint64_t sci; 465 /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */ 466 uint16_t sc_id; 467 union { 468 struct { 469 /** MTU for transmit frame (valid for inline processing) */ 470 uint16_t mtu; 471 /** 472 * Offset to insert sectag from start of ethernet header or 473 * from a matching VLAN tag 474 */ 475 uint8_t sectag_off; 476 /** Enable MACsec protection of frames */ 477 uint16_t protect_frames : 1; 478 /** 479 * Sectag insertion mode 480 * If 1, Sectag is inserted at fixed sectag_off set above. 481 * If 0, Sectag is inserted at relative sectag_off from a matching 482 * VLAN tag set. 483 */ 484 uint16_t sectag_insert_mode : 1; 485 /** ICV includes source and destination MAC addresses */ 486 uint16_t icv_include_da_sa : 1; 487 /** Control port is enabled */ 488 uint16_t ctrl_port_enable : 1; 489 /** Version of MACsec header. Should be 0 */ 490 uint16_t sectag_version : 1; 491 /** Enable end station. SCI is not valid */ 492 uint16_t end_station : 1; 493 /** Send SCI along with sectag */ 494 uint16_t send_sci : 1; 495 /** enable secure channel support EPON - single copy broadcast */ 496 uint16_t scb : 1; 497 /** 498 * Enable packet encryption and set RTE_MACSEC_TCI_C and 499 * RTE_MACSEC_TCI_E in sectag 500 */ 501 uint16_t encrypt : 1; 502 /** Reserved bitfields for future */ 503 uint16_t reserved : 7; 504 } tx_secy; 505 struct { 506 /** Replay Window size to be supported */ 507 uint32_t replay_win_sz; 508 /** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */ 509 uint16_t validate_frames : 2; 510 /** ICV includes source and destination MAC addresses */ 511 uint16_t icv_include_da_sa : 1; 512 /** Control port is enabled */ 513 uint16_t ctrl_port_enable : 1; 514 /** Do not strip SecTAG after processing */ 515 uint16_t preserve_sectag : 1; 516 /** Do not strip ICV from the packet after processing */ 517 uint16_t preserve_icv : 1; 518 /** Enable anti-replay protection */ 519 uint16_t replay_protect : 1; 520 /** Reserved bitfields for future */ 521 uint16_t reserved : 9; 522 } rx_secy; 523 }; 524 }; 525 526 /** 527 * PDCP Mode of session 528 */ 529 enum rte_security_pdcp_domain { 530 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 531 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 532 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 533 }; 534 535 /** PDCP Frame direction */ 536 enum rte_security_pdcp_direction { 537 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 538 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 539 }; 540 541 /** PDCP Sequence Number Size selectors */ 542 enum rte_security_pdcp_sn_size { 543 /** PDCP_SN_SIZE_5: 5bit sequence number */ 544 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 545 /** PDCP_SN_SIZE_7: 7bit sequence number */ 546 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 547 /** PDCP_SN_SIZE_12: 12bit sequence number */ 548 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 549 /** PDCP_SN_SIZE_15: 15bit sequence number */ 550 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 551 /** PDCP_SN_SIZE_18: 18bit sequence number */ 552 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 553 }; 554 555 /** 556 * PDCP security association configuration data. 557 * 558 * This structure contains data required to create a PDCP security session. 559 */ 560 struct rte_security_pdcp_xform { 561 int8_t bearer; /**< PDCP bearer ID */ 562 /** Enable in order delivery, this field shall be set only if 563 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 564 */ 565 uint8_t en_ordering; 566 /** Notify driver/HW to detect and remove duplicate packets. 567 * This field should be set only when driver/hw is capable. 568 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 569 */ 570 uint8_t remove_duplicates; 571 /** PDCP mode of operation: Control or data */ 572 enum rte_security_pdcp_domain domain; 573 /** PDCP Frame Direction 0:UL 1:DL */ 574 enum rte_security_pdcp_direction pkt_dir; 575 /** Sequence number size, 5/7/12/15/18 */ 576 enum rte_security_pdcp_sn_size sn_size; 577 /** Starting Hyper Frame Number to be used together with the SN 578 * from the PDCP frames 579 */ 580 uint32_t hfn; 581 /** HFN Threshold for key renegotiation */ 582 uint32_t hfn_threshold; 583 /** HFN can be given as a per packet value also. 584 * As we do not have IV in case of PDCP, and HFN is 585 * used to generate IV. IV field can be used to get the 586 * per packet HFN while enq/deq. 587 * If hfn_ovrd field is set, user is expected to set the 588 * per packet HFN in place of IV. PMDs will extract the HFN 589 * and perform operations accordingly. 590 */ 591 uint8_t hfn_ovrd; 592 /** In case of 5G NR, a new protocol (SDAP) header may be set 593 * inside PDCP payload which should be authenticated but not 594 * encrypted. Hence, driver should be notified if SDAP is 595 * enabled or not, so that SDAP header is not encrypted. 596 */ 597 uint8_t sdap_enabled; 598 /** Reserved for future */ 599 uint16_t reserved; 600 }; 601 602 /** DOCSIS direction */ 603 enum rte_security_docsis_direction { 604 RTE_SECURITY_DOCSIS_UPLINK, 605 /**< Uplink 606 * - Decryption, followed by CRC Verification 607 */ 608 RTE_SECURITY_DOCSIS_DOWNLINK, 609 /**< Downlink 610 * - CRC Generation, followed by Encryption 611 */ 612 }; 613 614 /** 615 * DOCSIS security session configuration. 616 * 617 * This structure contains data required to create a DOCSIS security session. 618 */ 619 struct rte_security_docsis_xform { 620 enum rte_security_docsis_direction direction; 621 /**< DOCSIS direction */ 622 }; 623 624 /** 625 * Security session action type. 626 */ 627 enum rte_security_session_action_type { 628 RTE_SECURITY_ACTION_TYPE_NONE, 629 /**< No security actions */ 630 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 631 /**< Crypto processing for security protocol is processed inline 632 * during transmission 633 */ 634 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 635 /**< All security protocol processing is performed inline during 636 * transmission 637 */ 638 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 639 /**< All security protocol processing including crypto is performed 640 * on a lookaside accelerator 641 */ 642 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 643 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 644 * protocol is processed synchronously by a CPU. 645 */ 646 }; 647 648 /** Security session protocol definition */ 649 enum rte_security_session_protocol { 650 RTE_SECURITY_PROTOCOL_IPSEC = 1, 651 /**< IPsec Protocol */ 652 RTE_SECURITY_PROTOCOL_MACSEC, 653 /**< MACSec Protocol */ 654 RTE_SECURITY_PROTOCOL_PDCP, 655 /**< PDCP Protocol */ 656 RTE_SECURITY_PROTOCOL_DOCSIS, 657 /**< DOCSIS Protocol */ 658 }; 659 660 /** 661 * Security session configuration 662 */ 663 struct rte_security_session_conf { 664 enum rte_security_session_action_type action_type; 665 /**< Type of action to be performed on the session */ 666 enum rte_security_session_protocol protocol; 667 /**< Security protocol to be configured */ 668 RTE_STD_C11 669 union { 670 struct rte_security_ipsec_xform ipsec; 671 struct rte_security_macsec_xform macsec; 672 struct rte_security_pdcp_xform pdcp; 673 struct rte_security_docsis_xform docsis; 674 }; 675 /**< Configuration parameters for security session */ 676 struct rte_crypto_sym_xform *crypto_xform; 677 /**< Security Session Crypto Transformations. NULL in case of MACsec. */ 678 void *userdata; 679 /**< Application specific userdata to be saved with session */ 680 }; 681 682 /** 683 * Create security session as specified by the session configuration 684 * 685 * @param instance security instance 686 * @param conf session configuration parameters 687 * @param mp mempool to allocate session objects from 688 * @return 689 * - On success, pointer to session 690 * - On failure, NULL 691 */ 692 void * 693 rte_security_session_create(struct rte_security_ctx *instance, 694 struct rte_security_session_conf *conf, 695 struct rte_mempool *mp); 696 697 /** 698 * Update security session as specified by the session configuration 699 * 700 * @param instance security instance 701 * @param sess session to update parameters 702 * @param conf update configuration parameters 703 * @return 704 * - On success returns 0 705 * - On failure returns a negative errno value. 706 */ 707 __rte_experimental 708 int 709 rte_security_session_update(struct rte_security_ctx *instance, 710 void *sess, 711 struct rte_security_session_conf *conf); 712 713 /** 714 * Get the size of the security session data for a device. 715 * 716 * @param instance security instance. 717 * 718 * @return 719 * - Size of the private data, if successful 720 * - 0 if device is invalid or does not support the operation. 721 */ 722 unsigned int 723 rte_security_session_get_size(struct rte_security_ctx *instance); 724 725 /** 726 * Free security session header and the session private data and 727 * return it to its original mempool. 728 * 729 * @param instance security instance 730 * @param sess security session to be freed 731 * 732 * @return 733 * - 0 if successful. 734 * - -EINVAL if session or context instance is NULL. 735 * - -EBUSY if not all device private data has been freed. 736 * - -ENOTSUP if destroying private data is not supported. 737 * - other negative values in case of freeing private data errors. 738 */ 739 int 740 rte_security_session_destroy(struct rte_security_ctx *instance, void *sess); 741 742 /** 743 * @warning 744 * @b EXPERIMENTAL: this API may change without prior notice 745 * 746 * Create MACsec security channel (SC). 747 * 748 * @param instance security instance 749 * @param conf MACsec SC configuration params 750 * @return 751 * - secure channel ID if successful. 752 * - -EINVAL if configuration params are invalid of instance is NULL. 753 * - -ENOTSUP if device does not support MACsec. 754 * - -ENOMEM if PMD is not capable to create more SC. 755 * - other negative value for other errors. 756 */ 757 __rte_experimental 758 int 759 rte_security_macsec_sc_create(struct rte_security_ctx *instance, 760 struct rte_security_macsec_sc *conf); 761 762 /** 763 * @warning 764 * @b EXPERIMENTAL: this API may change without prior notice 765 * 766 * Destroy MACsec security channel (SC). 767 * 768 * @param instance security instance 769 * @param sc_id SC ID to be destroyed 770 * @param dir direction of the SC 771 * @return 772 * - 0 if successful. 773 * - -EINVAL if sc_id is invalid or instance is NULL. 774 * - -EBUSY if sc is being used by some session. 775 */ 776 __rte_experimental 777 int 778 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id, 779 enum rte_security_macsec_direction dir); 780 781 /** 782 * @warning 783 * @b EXPERIMENTAL: this API may change without prior notice 784 * 785 * Create MACsec security association (SA). 786 * 787 * @param instance security instance 788 * @param conf MACsec SA configuration params 789 * @return 790 * - positive SA ID if successful. 791 * - -EINVAL if configuration params are invalid of instance is NULL. 792 * - -ENOTSUP if device does not support MACsec. 793 * - -ENOMEM if PMD is not capable to create more SAs. 794 * - other negative value for other errors. 795 */ 796 __rte_experimental 797 int 798 rte_security_macsec_sa_create(struct rte_security_ctx *instance, 799 struct rte_security_macsec_sa *conf); 800 801 /** 802 * @warning 803 * @b EXPERIMENTAL: this API may change without prior notice 804 * 805 * Destroy MACsec security association (SA). 806 * 807 * @param instance security instance 808 * @param sa_id SA ID to be destroyed 809 * @param dir direction of the SA 810 * @return 811 * - 0 if successful. 812 * - -EINVAL if sa_id is invalid or instance is NULL. 813 * - -EBUSY if sa is being used by some session. 814 */ 815 __rte_experimental 816 int 817 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id, 818 enum rte_security_macsec_direction dir); 819 820 /** Device-specific metadata field type */ 821 typedef uint64_t rte_security_dynfield_t; 822 /** Dynamic mbuf field for device-specific metadata */ 823 extern int rte_security_dynfield_offset; 824 825 /** 826 * @warning 827 * @b EXPERIMENTAL: this API may change without prior notice 828 * 829 * Get pointer to mbuf field for device-specific metadata. 830 * 831 * For performance reason, no check is done, 832 * the dynamic field may not be registered. 833 * @see rte_security_dynfield_is_registered 834 * 835 * @param mbuf packet to access 836 * @return pointer to mbuf field 837 */ 838 __rte_experimental 839 static inline rte_security_dynfield_t * 840 rte_security_dynfield(struct rte_mbuf *mbuf) 841 { 842 return RTE_MBUF_DYNFIELD(mbuf, 843 rte_security_dynfield_offset, 844 rte_security_dynfield_t *); 845 } 846 847 /** 848 * @warning 849 * @b EXPERIMENTAL: this API may change without prior notice 850 * 851 * Check whether the dynamic field is registered. 852 * 853 * @return true if rte_security_dynfield_register() has been called. 854 */ 855 __rte_experimental 856 static inline bool rte_security_dynfield_is_registered(void) 857 { 858 return rte_security_dynfield_offset >= 0; 859 } 860 861 #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 862 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 863 /** 864 * Get opaque data from session handle 865 */ 866 static inline uint64_t 867 rte_security_session_opaque_data_get(void *sess) 868 { 869 return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 870 } 871 872 /** 873 * Set opaque data in session handle 874 */ 875 static inline void 876 rte_security_session_opaque_data_set(void *sess, uint64_t opaque) 877 { 878 uint64_t *data; 879 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF); 880 *data = opaque; 881 } 882 883 /** 884 * Get fast mdata from session handle 885 */ 886 static inline uint64_t 887 rte_security_session_fast_mdata_get(void *sess) 888 { 889 return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF); 890 } 891 892 /** 893 * Set fast mdata in session handle 894 */ 895 static inline void 896 rte_security_session_fast_mdata_set(void *sess, uint64_t fdata) 897 { 898 uint64_t *data; 899 data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF); 900 *data = fdata; 901 } 902 903 /** Function to call PMD specific function pointer set_pkt_metadata() */ 904 __rte_experimental 905 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 906 void *sess, 907 struct rte_mbuf *m, void *params); 908 909 /** 910 * Updates the buffer with device-specific defined metadata 911 * 912 * @param instance security instance 913 * @param sess security session 914 * @param mb packet mbuf to set metadata on. 915 * @param params device-specific defined parameters 916 * required for metadata 917 * 918 * @return 919 * - On success, zero. 920 * - On failure, a negative value. 921 */ 922 static inline int 923 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 924 void *sess, 925 struct rte_mbuf *mb, void *params) 926 { 927 /* Fast Path */ 928 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 929 *rte_security_dynfield(mb) = (rte_security_dynfield_t) 930 rte_security_session_fast_mdata_get(sess); 931 return 0; 932 } 933 934 /* Jump to PMD specific function pointer */ 935 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 936 } 937 938 /** 939 * Attach a session to a symmetric crypto operation 940 * 941 * @param sym_op crypto operation 942 * @param sess security session 943 */ 944 static inline int 945 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess) 946 { 947 sym_op->session = sess; 948 949 return 0; 950 } 951 952 /** 953 * Attach a session to a crypto operation. 954 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 955 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 956 * defined to perform security operations. 957 * 958 * @param op crypto operation 959 * @param sess security session 960 */ 961 static inline int 962 rte_security_attach_session(struct rte_crypto_op *op, 963 void *sess) 964 { 965 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 966 return -EINVAL; 967 968 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 969 970 return __rte_security_attach_session(op->sym, sess); 971 } 972 973 struct rte_security_macsec_secy_stats { 974 uint64_t ctl_pkt_bcast_cnt; 975 uint64_t ctl_pkt_mcast_cnt; 976 uint64_t ctl_pkt_ucast_cnt; 977 uint64_t ctl_octet_cnt; 978 uint64_t unctl_pkt_bcast_cnt; 979 uint64_t unctl_pkt_mcast_cnt; 980 uint64_t unctl_pkt_ucast_cnt; 981 uint64_t unctl_octet_cnt; 982 /* Valid only for Rx */ 983 uint64_t octet_decrypted_cnt; 984 uint64_t octet_validated_cnt; 985 uint64_t pkt_port_disabled_cnt; 986 uint64_t pkt_badtag_cnt; 987 uint64_t pkt_nosa_cnt; 988 uint64_t pkt_nosaerror_cnt; 989 uint64_t pkt_tagged_ctl_cnt; 990 uint64_t pkt_untaged_cnt; 991 uint64_t pkt_ctl_cnt; 992 uint64_t pkt_notag_cnt; 993 /* Valid only for Tx */ 994 uint64_t octet_encrypted_cnt; 995 uint64_t octet_protected_cnt; 996 uint64_t pkt_noactivesa_cnt; 997 uint64_t pkt_toolong_cnt; 998 uint64_t pkt_untagged_cnt; 999 }; 1000 1001 struct rte_security_macsec_sc_stats { 1002 /* Rx */ 1003 uint64_t hit_cnt; 1004 uint64_t pkt_invalid_cnt; 1005 uint64_t pkt_late_cnt; 1006 uint64_t pkt_notvalid_cnt; 1007 uint64_t pkt_unchecked_cnt; 1008 uint64_t pkt_delay_cnt; 1009 uint64_t pkt_ok_cnt; 1010 uint64_t octet_decrypt_cnt; 1011 uint64_t octet_validate_cnt; 1012 /* Tx */ 1013 uint64_t pkt_encrypt_cnt; 1014 uint64_t pkt_protected_cnt; 1015 uint64_t octet_encrypt_cnt; 1016 uint64_t octet_protected_cnt; 1017 }; 1018 1019 struct rte_security_macsec_sa_stats { 1020 /* Rx */ 1021 uint64_t pkt_invalid_cnt; 1022 uint64_t pkt_nosaerror_cnt; 1023 uint64_t pkt_notvalid_cnt; 1024 uint64_t pkt_ok_cnt; 1025 uint64_t pkt_nosa_cnt; 1026 /* Tx */ 1027 uint64_t pkt_encrypt_cnt; 1028 uint64_t pkt_protected_cnt; 1029 }; 1030 1031 struct rte_security_ipsec_stats { 1032 uint64_t ipackets; /**< Successfully received IPsec packets. */ 1033 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 1034 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 1035 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 1036 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 1037 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 1038 uint64_t reserved1; /**< Reserved for future use. */ 1039 uint64_t reserved2; /**< Reserved for future use. */ 1040 }; 1041 1042 struct rte_security_pdcp_stats { 1043 uint64_t reserved; 1044 }; 1045 1046 struct rte_security_docsis_stats { 1047 uint64_t reserved; 1048 }; 1049 1050 struct rte_security_stats { 1051 enum rte_security_session_protocol protocol; 1052 /**< Security protocol to be configured */ 1053 1054 RTE_STD_C11 1055 union { 1056 struct rte_security_macsec_secy_stats macsec; 1057 struct rte_security_ipsec_stats ipsec; 1058 struct rte_security_pdcp_stats pdcp; 1059 struct rte_security_docsis_stats docsis; 1060 }; 1061 }; 1062 1063 /** 1064 * Get security session statistics 1065 * 1066 * @param instance security instance 1067 * @param sess security session 1068 * If security session is NULL then global (per security instance) statistics 1069 * will be retrieved, if supported. Global statistics collection is not 1070 * dependent on the per session statistics configuration. 1071 * @param stats statistics 1072 * @return 1073 * - On success, return 0 1074 * - On failure, a negative value 1075 */ 1076 __rte_experimental 1077 int 1078 rte_security_session_stats_get(struct rte_security_ctx *instance, 1079 void *sess, 1080 struct rte_security_stats *stats); 1081 1082 /** 1083 * @warning 1084 * @b EXPERIMENTAL: this API may change without prior notice 1085 * 1086 * Get MACsec SA statistics. 1087 * 1088 * @param instance security instance 1089 * @param sa_id SA ID for which stats are needed 1090 * @param dir direction of the SA 1091 * @param stats statistics 1092 * @return 1093 * - On success, return 0. 1094 * - On failure, a negative value. 1095 */ 1096 __rte_experimental 1097 int 1098 rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, 1099 uint16_t sa_id, enum rte_security_macsec_direction dir, 1100 struct rte_security_macsec_sa_stats *stats); 1101 1102 /** 1103 * @warning 1104 * @b EXPERIMENTAL: this API may change without prior notice 1105 * 1106 * Get MACsec SC statistics. 1107 * 1108 * @param instance security instance 1109 * @param sc_id SC ID for which stats are needed 1110 * @param dir direction of the SC 1111 * @param stats SC statistics 1112 * @return 1113 * - On success, return 0. 1114 * - On failure, a negative value. 1115 */ 1116 __rte_experimental 1117 int 1118 rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, 1119 uint16_t sc_id, enum rte_security_macsec_direction dir, 1120 struct rte_security_macsec_sc_stats *stats); 1121 1122 /** 1123 * Security capability definition 1124 */ 1125 struct rte_security_capability { 1126 enum rte_security_session_action_type action; 1127 /**< Security action type*/ 1128 enum rte_security_session_protocol protocol; 1129 /**< Security protocol */ 1130 RTE_STD_C11 1131 union { 1132 struct { 1133 enum rte_security_ipsec_sa_protocol proto; 1134 /**< IPsec SA protocol */ 1135 enum rte_security_ipsec_sa_mode mode; 1136 /**< IPsec SA mode */ 1137 enum rte_security_ipsec_sa_direction direction; 1138 /**< IPsec SA direction */ 1139 struct rte_security_ipsec_sa_options options; 1140 /**< IPsec SA supported options */ 1141 uint32_t replay_win_sz_max; 1142 /**< IPsec Anti Replay Window Size. A '0' value 1143 * indicates that Anti Replay is not supported. 1144 */ 1145 } ipsec; 1146 /**< IPsec capability */ 1147 struct { 1148 /** MTU supported for inline TX */ 1149 uint16_t mtu; 1150 /** MACsec algorithm to be used */ 1151 enum rte_security_macsec_alg alg; 1152 /** Maximum number of secure channels supported */ 1153 uint16_t max_nb_sc; 1154 /** Maximum number of SAs supported */ 1155 uint16_t max_nb_sa; 1156 /** Maximum number of SAs supported */ 1157 uint16_t max_nb_sess; 1158 /** MACsec anti replay window size */ 1159 uint32_t replay_win_sz; 1160 /** Support Sectag insertion at relative offset */ 1161 uint16_t relative_sectag_insert : 1; 1162 /** Support Sectag insertion at fixed offset */ 1163 uint16_t fixed_sectag_insert : 1; 1164 /** ICV includes source and destination MAC addresses */ 1165 uint16_t icv_include_da_sa : 1; 1166 /** Control port traffic is supported */ 1167 uint16_t ctrl_port_enable : 1; 1168 /** Do not strip SecTAG after processing */ 1169 uint16_t preserve_sectag : 1; 1170 /** Do not strip ICV from the packet after processing */ 1171 uint16_t preserve_icv : 1; 1172 /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */ 1173 uint16_t validate_frames : 1; 1174 /** support re-keying on SA expiry */ 1175 uint16_t re_key : 1; 1176 /** support anti replay */ 1177 uint16_t anti_replay : 1; 1178 /** Reserved bitfields for future capabilities */ 1179 uint16_t reserved : 7; 1180 } macsec; 1181 /**< MACsec capability */ 1182 struct { 1183 enum rte_security_pdcp_domain domain; 1184 /**< PDCP mode of operation: Control or data */ 1185 uint32_t capa_flags; 1186 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 1187 } pdcp; 1188 /**< PDCP capability */ 1189 struct { 1190 enum rte_security_docsis_direction direction; 1191 /**< DOCSIS direction */ 1192 } docsis; 1193 /**< DOCSIS capability */ 1194 }; 1195 1196 const struct rte_cryptodev_capabilities *crypto_capabilities; 1197 /**< Corresponding crypto capabilities for security capability */ 1198 1199 uint32_t ol_flags; 1200 /**< Device offload flags */ 1201 }; 1202 1203 /** Underlying Hardware/driver which support PDCP may or may not support 1204 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 1205 * If it is not set, driver/HW assumes packets received are in order 1206 * and it will be application's responsibility to maintain ordering. 1207 */ 1208 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 1209 1210 /** Underlying Hardware/driver which support PDCP may or may not detect 1211 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 1212 * If it is not set, driver/HW assumes there is no duplicate packet received. 1213 */ 1214 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 1215 1216 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 1217 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 1218 */ 1219 1220 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 1221 /**< HW constructs trailer of packets 1222 * Transmitted packets will have the trailer added to them 1223 * by hardware. The next protocol field will be based on 1224 * the mbuf->inner_esp_next_proto field. 1225 */ 1226 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 1227 /**< HW removes trailer of packets 1228 * Received packets have no trailer, the next protocol field 1229 * is supplied in the mbuf->inner_esp_next_proto field. 1230 * Inner packet is not modified. 1231 */ 1232 1233 /** 1234 * Security capability index used to query a security instance for a specific 1235 * security capability 1236 */ 1237 struct rte_security_capability_idx { 1238 enum rte_security_session_action_type action; 1239 enum rte_security_session_protocol protocol; 1240 1241 RTE_STD_C11 1242 union { 1243 struct { 1244 enum rte_security_ipsec_sa_protocol proto; 1245 enum rte_security_ipsec_sa_mode mode; 1246 enum rte_security_ipsec_sa_direction direction; 1247 } ipsec; 1248 struct { 1249 enum rte_security_pdcp_domain domain; 1250 uint32_t capa_flags; 1251 } pdcp; 1252 struct { 1253 enum rte_security_docsis_direction direction; 1254 } docsis; 1255 }; 1256 }; 1257 1258 /** 1259 * Returns array of security instance capabilities 1260 * 1261 * @param instance Security instance. 1262 * 1263 * @return 1264 * - Returns array of security capabilities. 1265 * - Return NULL if no capabilities available. 1266 */ 1267 const struct rte_security_capability * 1268 rte_security_capabilities_get(struct rte_security_ctx *instance); 1269 1270 /** 1271 * Query if a specific capability is available on security instance 1272 * 1273 * @param instance security instance. 1274 * @param idx security capability index to match against 1275 * 1276 * @return 1277 * - Returns pointer to security capability on match of capability 1278 * index criteria. 1279 * - Return NULL if the capability not matched on security instance. 1280 */ 1281 const struct rte_security_capability * 1282 rte_security_capability_get(struct rte_security_ctx *instance, 1283 struct rte_security_capability_idx *idx); 1284 1285 #ifdef __cplusplus 1286 } 1287 #endif 1288 1289 #endif /* _RTE_SECURITY_H_ */ 1290