xref: /dpdk/lib/security/rte_security.h (revision b225783dda7a254fc49bc4d43b8b58f67e03be1d) 
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
9 /**
10  * @file rte_security.h
11  *
12  * RTE Security Common Definitions
13  *
14  */
15 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #include <sys/types.h>
21 
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
25 #include <rte_ip.h>
26 #include <rte_mbuf.h>
27 #include <rte_mbuf_dyn.h>
28 #include <rte_memory.h>
29 #include <rte_mempool.h>
30 
31 /** IPSec protocol mode */
32 enum rte_security_ipsec_sa_mode {
33 	RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
34 	/**< IPSec Transport mode */
35 	RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
36 	/**< IPSec Tunnel mode */
37 };
38 
39 /** IPSec Protocol */
40 enum rte_security_ipsec_sa_protocol {
41 	RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
42 	/**< AH protocol */
43 	RTE_SECURITY_IPSEC_SA_PROTO_ESP,
44 	/**< ESP protocol */
45 };
46 
47 /** IPSEC tunnel type */
48 enum rte_security_ipsec_tunnel_type {
49 	RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
50 	/**< Outer header is IPv4 */
51 	RTE_SECURITY_IPSEC_TUNNEL_IPV6,
52 	/**< Outer header is IPv6 */
53 };
54 
55 /**
56  * IPSEC tunnel header verification mode
57  *
58  * Controls how outer IP header is verified in inbound.
59  */
60 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
61 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
62 
63 /**
64  * Security context for crypto/eth devices
65  *
66  * Security instance for each driver to register security operations.
67  * The application can get the security context from the crypto/eth device id
68  * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
69  * This structure is used to identify the device(crypto/eth) for which the
70  * security operations need to be performed.
71  */
72 struct rte_security_ctx {
73 	void *device;
74 	/**< Crypto/ethernet device attached */
75 	const struct rte_security_ops *ops;
76 	/**< Pointer to security ops for the device */
77 	uint16_t sess_cnt;
78 	/**< Number of sessions attached to this context */
79 	uint32_t flags;
80 	/**< Flags for security context */
81 };
82 
83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
84 /**< Driver uses fast metadata update without using driver specific callback */
85 
86 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
87 /**< Driver provides udata using fast method without using driver specific
88  * callback. For fast mdata and udata, mbuf dynamic field would be registered
89  * by driver via rte_security_dynfield_register().
90  */
91 
92 /**
93  * IPSEC tunnel parameters
94  *
95  * These parameters are used to build outbound tunnel headers.
96  */
97 struct rte_security_ipsec_tunnel_param {
98 	enum rte_security_ipsec_tunnel_type type;
99 	/**< Tunnel type: IPv4 or IPv6 */
100 	RTE_STD_C11
101 	union {
102 		struct {
103 			struct in_addr src_ip;
104 			/**< IPv4 source address */
105 			struct in_addr dst_ip;
106 			/**< IPv4 destination address */
107 			uint8_t dscp;
108 			/**< IPv4 Differentiated Services Code Point */
109 			uint8_t df;
110 			/**< IPv4 Don't Fragment bit */
111 			uint8_t ttl;
112 			/**< IPv4 Time To Live */
113 		} ipv4;
114 		/**< IPv4 header parameters */
115 		struct {
116 			struct in6_addr src_addr;
117 			/**< IPv6 source address */
118 			struct in6_addr dst_addr;
119 			/**< IPv6 destination address */
120 			uint8_t dscp;
121 			/**< IPv6 Differentiated Services Code Point */
122 			uint32_t flabel;
123 			/**< IPv6 flow label */
124 			uint8_t hlimit;
125 			/**< IPv6 hop limit */
126 		} ipv6;
127 		/**< IPv6 header parameters */
128 	};
129 };
130 
131 /**
132  * IPsec Security Association option flags
133  */
134 struct rte_security_ipsec_sa_options {
135 	/** Extended Sequence Numbers (ESN)
136 	 *
137 	 * * 1: Use extended (64 bit) sequence numbers
138 	 * * 0: Use normal sequence numbers
139 	 */
140 	uint32_t esn : 1;
141 
142 	/** UDP encapsulation
143 	 *
144 	 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
145 	 *      traverse through NAT boxes.
146 	 * * 0: No UDP encapsulation
147 	 */
148 	uint32_t udp_encap : 1;
149 
150 	/** Copy DSCP bits
151 	 *
152 	 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
153 	 *      the outer IP header in encapsulation, and vice versa in
154 	 *      decapsulation.
155 	 * * 0: Do not change DSCP field.
156 	 */
157 	uint32_t copy_dscp : 1;
158 
159 	/** Copy IPv6 Flow Label
160 	 *
161 	 * * 1: Copy IPv6 flow label from inner IPv6 header to the
162 	 *      outer IPv6 header.
163 	 * * 0: Outer header is not modified.
164 	 */
165 	uint32_t copy_flabel : 1;
166 
167 	/** Copy IPv4 Don't Fragment bit
168 	 *
169 	 * * 1: Copy the DF bit from the inner IPv4 header to the outer
170 	 *      IPv4 header.
171 	 * * 0: Outer header is not modified.
172 	 */
173 	uint32_t copy_df : 1;
174 
175 	/** Decrement inner packet Time To Live (TTL) field
176 	 *
177 	 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
178 	 *      IPv6 Hop Limit after tunnel decapsulation, or before tunnel
179 	 *      encapsulation.
180 	 * * 0: Inner packet is not modified.
181 	 */
182 	uint32_t dec_ttl : 1;
183 
184 	/** Explicit Congestion Notification (ECN)
185 	 *
186 	 * * 1: In tunnel mode, enable outer header ECN Field copied from
187 	 *      inner header in tunnel encapsulation, or inner header ECN
188 	 *      field construction in decapsulation.
189 	 * * 0: Inner/outer header are not modified.
190 	 */
191 	uint32_t ecn : 1;
192 
193 	/** Security statistics
194 	 *
195 	 * * 1: Enable per session security statistics collection for
196 	 *      this SA, if supported by the driver.
197 	 * * 0: Disable per session security statistics collection for this SA.
198 	 */
199 	uint32_t stats : 1;
200 
201 	/** Disable IV generation in PMD
202 	 *
203 	 * * 1: Disable IV generation in PMD. When disabled, IV provided in
204 	 *      rte_crypto_op will be used by the PMD.
205 	 *
206 	 * * 0: Enable IV generation in PMD. When enabled, PMD generated random
207 	 *      value would be used and application is not required to provide
208 	 *      IV.
209 	 *
210 	 * Note: For inline cases, IV generation would always need to be handled
211 	 * by the PMD.
212 	 */
213 	uint32_t iv_gen_disable : 1;
214 
215 	/** Verify tunnel header in inbound
216 	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
217 	 *   IP address.
218 	 *
219 	 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
220 	 *   source and destination IP addresses.
221 	 */
222 	uint32_t tunnel_hdr_verify : 2;
223 };
224 
225 /** IPSec security association direction */
226 enum rte_security_ipsec_sa_direction {
227 	RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
228 	/**< Encrypt and generate digest */
229 	RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
230 	/**< Verify digest and decrypt */
231 };
232 
233 /**
234  * Configure soft and hard lifetime of an IPsec SA
235  *
236  * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
237  * that can be processed. IPsec operations would start failing once any hard
238  * limit is reached.
239  *
240  * Soft limits can be specified to generate notification when the SA is
241  * approaching hard limits for lifetime. For inline operations, reaching soft
242  * expiry limit would result in raising an eth event for the same. For lookaside
243  * operations, this would result in a warning returned in
244  * ``rte_crypto_op.aux_flags``.
245  */
246 struct rte_security_ipsec_lifetime {
247 	uint64_t packets_soft_limit;
248 	/**< Soft expiry limit in number of packets */
249 	uint64_t bytes_soft_limit;
250 	/**< Soft expiry limit in bytes */
251 	uint64_t packets_hard_limit;
252 	/**< Soft expiry limit in number of packets */
253 	uint64_t bytes_hard_limit;
254 	/**< Soft expiry limit in bytes */
255 };
256 
257 /**
258  * IPsec security association configuration data.
259  *
260  * This structure contains data required to create an IPsec SA security session.
261  */
262 struct rte_security_ipsec_xform {
263 	uint32_t spi;
264 	/**< SA security parameter index */
265 	uint32_t salt;
266 	/**< SA salt */
267 	struct rte_security_ipsec_sa_options options;
268 	/**< various SA options */
269 	enum rte_security_ipsec_sa_direction direction;
270 	/**< IPSec SA Direction - Egress/Ingress */
271 	enum rte_security_ipsec_sa_protocol proto;
272 	/**< IPsec SA Protocol - AH/ESP */
273 	enum rte_security_ipsec_sa_mode mode;
274 	/**< IPsec SA Mode - transport/tunnel */
275 	struct rte_security_ipsec_tunnel_param tunnel;
276 	/**< Tunnel parameters, NULL for transport mode */
277 	struct rte_security_ipsec_lifetime life;
278 	/**< IPsec SA lifetime */
279 	uint32_t replay_win_sz;
280 	/**< Anti replay window size to enable sequence replay attack handling.
281 	 * replay checking is disabled if the window size is 0.
282 	 */
283 };
284 
285 /**
286  * MACsec security session configuration
287  */
288 struct rte_security_macsec_xform {
289 	/** To be Filled */
290 	int dummy;
291 };
292 
293 /**
294  * PDCP Mode of session
295  */
296 enum rte_security_pdcp_domain {
297 	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control plane */
298 	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */
299 	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac */
300 };
301 
302 /** PDCP Frame direction */
303 enum rte_security_pdcp_direction {
304 	RTE_SECURITY_PDCP_UPLINK,	/**< Uplink */
305 	RTE_SECURITY_PDCP_DOWNLINK,	/**< Downlink */
306 };
307 
308 /** PDCP Sequence Number Size selectors */
309 enum rte_security_pdcp_sn_size {
310 	/** PDCP_SN_SIZE_5: 5bit sequence number */
311 	RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
312 	/** PDCP_SN_SIZE_7: 7bit sequence number */
313 	RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
314 	/** PDCP_SN_SIZE_12: 12bit sequence number */
315 	RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
316 	/** PDCP_SN_SIZE_15: 15bit sequence number */
317 	RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
318 	/** PDCP_SN_SIZE_18: 18bit sequence number */
319 	RTE_SECURITY_PDCP_SN_SIZE_18 = 18
320 };
321 
322 /**
323  * PDCP security association configuration data.
324  *
325  * This structure contains data required to create a PDCP security session.
326  */
327 struct rte_security_pdcp_xform {
328 	int8_t bearer;	/**< PDCP bearer ID */
329 	/** Enable in order delivery, this field shall be set only if
330 	 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
331 	 */
332 	uint8_t en_ordering;
333 	/** Notify driver/HW to detect and remove duplicate packets.
334 	 * This field should be set only when driver/hw is capable.
335 	 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
336 	 */
337 	uint8_t remove_duplicates;
338 	/** PDCP mode of operation: Control or data */
339 	enum rte_security_pdcp_domain domain;
340 	/** PDCP Frame Direction 0:UL 1:DL */
341 	enum rte_security_pdcp_direction pkt_dir;
342 	/** Sequence number size, 5/7/12/15/18 */
343 	enum rte_security_pdcp_sn_size sn_size;
344 	/** Starting Hyper Frame Number to be used together with the SN
345 	 * from the PDCP frames
346 	 */
347 	uint32_t hfn;
348 	/** HFN Threshold for key renegotiation */
349 	uint32_t hfn_threshold;
350 	/** HFN can be given as a per packet value also.
351 	 * As we do not have IV in case of PDCP, and HFN is
352 	 * used to generate IV. IV field can be used to get the
353 	 * per packet HFN while enq/deq.
354 	 * If hfn_ovrd field is set, user is expected to set the
355 	 * per packet HFN in place of IV. PMDs will extract the HFN
356 	 * and perform operations accordingly.
357 	 */
358 	uint8_t hfn_ovrd;
359 	/** In case of 5G NR, a new protocol (SDAP) header may be set
360 	 * inside PDCP payload which should be authenticated but not
361 	 * encrypted. Hence, driver should be notified if SDAP is
362 	 * enabled or not, so that SDAP header is not encrypted.
363 	 */
364 	uint8_t sdap_enabled;
365 	/** Reserved for future */
366 	uint16_t reserved;
367 };
368 
369 /** DOCSIS direction */
370 enum rte_security_docsis_direction {
371 	RTE_SECURITY_DOCSIS_UPLINK,
372 	/**< Uplink
373 	 * - Decryption, followed by CRC Verification
374 	 */
375 	RTE_SECURITY_DOCSIS_DOWNLINK,
376 	/**< Downlink
377 	 * - CRC Generation, followed by Encryption
378 	 */
379 };
380 
381 /**
382  * DOCSIS security session configuration.
383  *
384  * This structure contains data required to create a DOCSIS security session.
385  */
386 struct rte_security_docsis_xform {
387 	enum rte_security_docsis_direction direction;
388 	/**< DOCSIS direction */
389 };
390 
391 /**
392  * Security session action type.
393  */
394 enum rte_security_session_action_type {
395 	RTE_SECURITY_ACTION_TYPE_NONE,
396 	/**< No security actions */
397 	RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
398 	/**< Crypto processing for security protocol is processed inline
399 	 * during transmission
400 	 */
401 	RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
402 	/**< All security protocol processing is performed inline during
403 	 * transmission
404 	 */
405 	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
406 	/**< All security protocol processing including crypto is performed
407 	 * on a lookaside accelerator
408 	 */
409 	RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
410 	/**< Similar to ACTION_TYPE_NONE but crypto processing for security
411 	 * protocol is processed synchronously by a CPU.
412 	 */
413 };
414 
415 /** Security session protocol definition */
416 enum rte_security_session_protocol {
417 	RTE_SECURITY_PROTOCOL_IPSEC = 1,
418 	/**< IPsec Protocol */
419 	RTE_SECURITY_PROTOCOL_MACSEC,
420 	/**< MACSec Protocol */
421 	RTE_SECURITY_PROTOCOL_PDCP,
422 	/**< PDCP Protocol */
423 	RTE_SECURITY_PROTOCOL_DOCSIS,
424 	/**< DOCSIS Protocol */
425 };
426 
427 /**
428  * Security session configuration
429  */
430 struct rte_security_session_conf {
431 	enum rte_security_session_action_type action_type;
432 	/**< Type of action to be performed on the session */
433 	enum rte_security_session_protocol protocol;
434 	/**< Security protocol to be configured */
435 	RTE_STD_C11
436 	union {
437 		struct rte_security_ipsec_xform ipsec;
438 		struct rte_security_macsec_xform macsec;
439 		struct rte_security_pdcp_xform pdcp;
440 		struct rte_security_docsis_xform docsis;
441 	};
442 	/**< Configuration parameters for security session */
443 	struct rte_crypto_sym_xform *crypto_xform;
444 	/**< Security Session Crypto Transformations */
445 	void *userdata;
446 	/**< Application specific userdata to be saved with session */
447 };
448 
449 struct rte_security_session {
450 	void *sess_private_data;
451 	/**< Private session material */
452 	uint64_t opaque_data;
453 	/**< Opaque user defined data */
454 };
455 
456 /**
457  * Create security session as specified by the session configuration
458  *
459  * @param   instance	security instance
460  * @param   conf	session configuration parameters
461  * @param   mp		mempool to allocate session objects from
462  * @param   priv_mp	mempool to allocate session private data objects from
463  * @return
464  *  - On success, pointer to session
465  *  - On failure, NULL
466  */
467 struct rte_security_session *
468 rte_security_session_create(struct rte_security_ctx *instance,
469 			    struct rte_security_session_conf *conf,
470 			    struct rte_mempool *mp,
471 			    struct rte_mempool *priv_mp);
472 
473 /**
474  * Update security session as specified by the session configuration
475  *
476  * @param   instance	security instance
477  * @param   sess	session to update parameters
478  * @param   conf	update configuration parameters
479  * @return
480  *  - On success returns 0
481  *  - On failure returns a negative errno value.
482  */
483 __rte_experimental
484 int
485 rte_security_session_update(struct rte_security_ctx *instance,
486 			    struct rte_security_session *sess,
487 			    struct rte_security_session_conf *conf);
488 
489 /**
490  * Get the size of the security session data for a device.
491  *
492  * @param   instance	security instance.
493  *
494  * @return
495  *   - Size of the private data, if successful
496  *   - 0 if device is invalid or does not support the operation.
497  */
498 unsigned int
499 rte_security_session_get_size(struct rte_security_ctx *instance);
500 
501 /**
502  * Free security session header and the session private data and
503  * return it to its original mempool.
504  *
505  * @param   instance	security instance
506  * @param   sess	security session to be freed
507  *
508  * @return
509  *  - 0 if successful.
510  *  - -EINVAL if session or context instance is NULL.
511  *  - -EBUSY if not all device private data has been freed.
512  *  - -ENOTSUP if destroying private data is not supported.
513  *  - other negative values in case of freeing private data errors.
514  */
515 int
516 rte_security_session_destroy(struct rte_security_ctx *instance,
517 			     struct rte_security_session *sess);
518 
519 /** Device-specific metadata field type */
520 typedef uint64_t rte_security_dynfield_t;
521 /** Dynamic mbuf field for device-specific metadata */
522 extern int rte_security_dynfield_offset;
523 
524 /**
525  * @warning
526  * @b EXPERIMENTAL: this API may change without prior notice
527  *
528  * Get pointer to mbuf field for device-specific metadata.
529  *
530  * For performance reason, no check is done,
531  * the dynamic field may not be registered.
532  * @see rte_security_dynfield_is_registered
533  *
534  * @param	mbuf	packet to access
535  * @return pointer to mbuf field
536  */
537 __rte_experimental
538 static inline rte_security_dynfield_t *
539 rte_security_dynfield(struct rte_mbuf *mbuf)
540 {
541 	return RTE_MBUF_DYNFIELD(mbuf,
542 		rte_security_dynfield_offset,
543 		rte_security_dynfield_t *);
544 }
545 
546 /**
547  * @warning
548  * @b EXPERIMENTAL: this API may change without prior notice
549  *
550  * Check whether the dynamic field is registered.
551  *
552  * @return true if rte_security_dynfield_register() has been called.
553  */
554 __rte_experimental
555 static inline bool rte_security_dynfield_is_registered(void)
556 {
557 	return rte_security_dynfield_offset >= 0;
558 }
559 
560 /** Function to call PMD specific function pointer set_pkt_metadata() */
561 __rte_experimental
562 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
563 					   struct rte_security_session *sess,
564 					   struct rte_mbuf *m, void *params);
565 
566 /**
567  *  Updates the buffer with device-specific defined metadata
568  *
569  * @param	instance	security instance
570  * @param	sess		security session
571  * @param	mb		packet mbuf to set metadata on.
572  * @param	params		device-specific defined parameters
573  *				required for metadata
574  *
575  * @return
576  *  - On success, zero.
577  *  - On failure, a negative value.
578  */
579 static inline int
580 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
581 			      struct rte_security_session *sess,
582 			      struct rte_mbuf *mb, void *params)
583 {
584 	/* Fast Path */
585 	if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
586 		*rte_security_dynfield(mb) =
587 			(rte_security_dynfield_t)(sess->sess_private_data);
588 		return 0;
589 	}
590 
591 	/* Jump to PMD specific function pointer */
592 	return __rte_security_set_pkt_metadata(instance, sess, mb, params);
593 }
594 
595 /** Function to call PMD specific function pointer get_userdata() */
596 __rte_experimental
597 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
598 					 uint64_t md);
599 
600 /**
601  * Get userdata associated with the security session. Device specific metadata
602  * provided would be used to uniquely identify the security session being
603  * referred to. This userdata would be registered while creating the session,
604  * and application can use this to identify the SA etc.
605  *
606  * Device specific metadata would be set in mbuf for inline processed inbound
607  * packets. In addition, the same metadata would be set for IPsec events
608  * reported by rte_eth_event framework.
609  *
610  * @param   instance	security instance
611  * @param   md		device-specific metadata
612  *
613  * @return
614  *  - On success, userdata
615  *  - On failure, NULL
616  */
617 __rte_experimental
618 static inline void *
619 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
620 {
621 	/* Fast Path */
622 	if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
623 		return (void *)(uintptr_t)md;
624 
625 	/* Jump to PMD specific function pointer */
626 	return __rte_security_get_userdata(instance, md);
627 }
628 
629 /**
630  * Attach a session to a symmetric crypto operation
631  *
632  * @param	sym_op	crypto operation
633  * @param	sess	security session
634  */
635 static inline int
636 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
637 			      struct rte_security_session *sess)
638 {
639 	sym_op->sec_session = sess;
640 
641 	return 0;
642 }
643 
644 static inline void *
645 get_sec_session_private_data(const struct rte_security_session *sess)
646 {
647 	return sess->sess_private_data;
648 }
649 
650 static inline void
651 set_sec_session_private_data(struct rte_security_session *sess,
652 			     void *private_data)
653 {
654 	sess->sess_private_data = private_data;
655 }
656 
657 /**
658  * Attach a session to a crypto operation.
659  * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
660  * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
661  * defined to perform security operations.
662  *
663  * @param	op	crypto operation
664  * @param	sess	security session
665  */
666 static inline int
667 rte_security_attach_session(struct rte_crypto_op *op,
668 			    struct rte_security_session *sess)
669 {
670 	if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
671 		return -EINVAL;
672 
673 	op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;
674 
675 	return __rte_security_attach_session(op->sym, sess);
676 }
677 
678 struct rte_security_macsec_stats {
679 	uint64_t reserved;
680 };
681 
682 struct rte_security_ipsec_stats {
683 	uint64_t ipackets;  /**< Successfully received IPsec packets. */
684 	uint64_t opackets;  /**< Successfully transmitted IPsec packets.*/
685 	uint64_t ibytes;    /**< Successfully received IPsec bytes. */
686 	uint64_t obytes;    /**< Successfully transmitted IPsec bytes. */
687 	uint64_t ierrors;   /**< IPsec packets receive/decrypt errors. */
688 	uint64_t oerrors;   /**< IPsec packets transmit/encrypt errors. */
689 	uint64_t reserved1; /**< Reserved for future use. */
690 	uint64_t reserved2; /**< Reserved for future use. */
691 };
692 
693 struct rte_security_pdcp_stats {
694 	uint64_t reserved;
695 };
696 
697 struct rte_security_docsis_stats {
698 	uint64_t reserved;
699 };
700 
701 struct rte_security_stats {
702 	enum rte_security_session_protocol protocol;
703 	/**< Security protocol to be configured */
704 
705 	RTE_STD_C11
706 	union {
707 		struct rte_security_macsec_stats macsec;
708 		struct rte_security_ipsec_stats ipsec;
709 		struct rte_security_pdcp_stats pdcp;
710 		struct rte_security_docsis_stats docsis;
711 	};
712 };
713 
714 /**
715  * Get security session statistics
716  *
717  * @param	instance	security instance
718  * @param	sess		security session
719  * If security session is NULL then global (per security instance) statistics
720  * will be retrieved, if supported. Global statistics collection is not
721  * dependent on the per session statistics configuration.
722  * @param	stats		statistics
723  * @return
724  *  - On success, return 0
725  *  - On failure, a negative value
726  */
727 __rte_experimental
728 int
729 rte_security_session_stats_get(struct rte_security_ctx *instance,
730 			       struct rte_security_session *sess,
731 			       struct rte_security_stats *stats);
732 
733 /**
734  * Security capability definition
735  */
736 struct rte_security_capability {
737 	enum rte_security_session_action_type action;
738 	/**< Security action type*/
739 	enum rte_security_session_protocol protocol;
740 	/**< Security protocol */
741 	RTE_STD_C11
742 	union {
743 		struct {
744 			enum rte_security_ipsec_sa_protocol proto;
745 			/**< IPsec SA protocol */
746 			enum rte_security_ipsec_sa_mode mode;
747 			/**< IPsec SA mode */
748 			enum rte_security_ipsec_sa_direction direction;
749 			/**< IPsec SA direction */
750 			struct rte_security_ipsec_sa_options options;
751 			/**< IPsec SA supported options */
752 			uint32_t replay_win_sz_max;
753 			/**< IPsec Anti Replay Window Size. A '0' value
754 			 * indicates that Anti Replay is not supported.
755 			 */
756 		} ipsec;
757 		/**< IPsec capability */
758 		struct {
759 			/* To be Filled */
760 			int dummy;
761 		} macsec;
762 		/**< MACsec capability */
763 		struct {
764 			enum rte_security_pdcp_domain domain;
765 			/**< PDCP mode of operation: Control or data */
766 			uint32_t capa_flags;
767 			/**< Capability flags, see RTE_SECURITY_PDCP_* */
768 		} pdcp;
769 		/**< PDCP capability */
770 		struct {
771 			enum rte_security_docsis_direction direction;
772 			/**< DOCSIS direction */
773 		} docsis;
774 		/**< DOCSIS capability */
775 	};
776 
777 	const struct rte_cryptodev_capabilities *crypto_capabilities;
778 	/**< Corresponding crypto capabilities for security capability  */
779 
780 	uint32_t ol_flags;
781 	/**< Device offload flags */
782 };
783 
784 /** Underlying Hardware/driver which support PDCP may or may not support
785  * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
786  * If it is not set, driver/HW assumes packets received are in order
787  * and it will be application's responsibility to maintain ordering.
788  */
789 #define RTE_SECURITY_PDCP_ORDERING_CAP		0x00000001
790 
791 /** Underlying Hardware/driver which support PDCP may or may not detect
792  * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
793  * If it is not set, driver/HW assumes there is no duplicate packet received.
794  */
795 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP	0x00000002
796 
797 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA	0x00000001
798 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
799  */
800 
801 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD	0x00000002
802 /**< HW constructs trailer of packets
803  * Transmitted packets will have the trailer added to them
804  * by hardware. The next protocol field will be based on
805  * the mbuf->inner_esp_next_proto field.
806  */
807 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD	0x00010000
808 /**< HW removes trailer of packets
809  * Received packets have no trailer, the next protocol field
810  * is supplied in the mbuf->inner_esp_next_proto field.
811  * Inner packet is not modified.
812  */
813 
814 /**
815  * Security capability index used to query a security instance for a specific
816  * security capability
817  */
818 struct rte_security_capability_idx {
819 	enum rte_security_session_action_type action;
820 	enum rte_security_session_protocol protocol;
821 
822 	RTE_STD_C11
823 	union {
824 		struct {
825 			enum rte_security_ipsec_sa_protocol proto;
826 			enum rte_security_ipsec_sa_mode mode;
827 			enum rte_security_ipsec_sa_direction direction;
828 		} ipsec;
829 		struct {
830 			enum rte_security_pdcp_domain domain;
831 			uint32_t capa_flags;
832 		} pdcp;
833 		struct {
834 			enum rte_security_docsis_direction direction;
835 		} docsis;
836 	};
837 };
838 
839 /**
840  *  Returns array of security instance capabilities
841  *
842  * @param	instance	Security instance.
843  *
844  * @return
845  *   - Returns array of security capabilities.
846  *   - Return NULL if no capabilities available.
847  */
848 const struct rte_security_capability *
849 rte_security_capabilities_get(struct rte_security_ctx *instance);
850 
851 /**
852  * Query if a specific capability is available on security instance
853  *
854  * @param	instance	security instance.
855  * @param	idx		security capability index to match against
856  *
857  * @return
858  *   - Returns pointer to security capability on match of capability
859  *     index criteria.
860  *   - Return NULL if the capability not matched on security instance.
861  */
862 const struct rte_security_capability *
863 rte_security_capability_get(struct rte_security_ctx *instance,
864 			    struct rte_security_capability_idx *idx);
865 
866 #ifdef __cplusplus
867 }
868 #endif
869 
870 #endif /* _RTE_SECURITY_H_ */
871