1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <netinet/in.h> 23 #include <netinet/ip.h> 24 #include <netinet/ip6.h> 25 26 #include <rte_compat.h> 27 #include <rte_common.h> 28 #include <rte_crypto.h> 29 #include <rte_mbuf.h> 30 #include <rte_mbuf_dyn.h> 31 #include <rte_memory.h> 32 #include <rte_mempool.h> 33 34 /** IPSec protocol mode */ 35 enum rte_security_ipsec_sa_mode { 36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 37 /**< IPSec Transport mode */ 38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 39 /**< IPSec Tunnel mode */ 40 }; 41 42 /** IPSec Protocol */ 43 enum rte_security_ipsec_sa_protocol { 44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 45 /**< AH protocol */ 46 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 47 /**< ESP protocol */ 48 }; 49 50 /** IPSEC tunnel type */ 51 enum rte_security_ipsec_tunnel_type { 52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 53 /**< Outer header is IPv4 */ 54 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 55 /**< Outer header is IPv6 */ 56 }; 57 58 /** 59 * Security context for crypto/eth devices 60 * 61 * Security instance for each driver to register security operations. 62 * The application can get the security context from the crypto/eth device id 63 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 64 * This structure is used to identify the device(crypto/eth) for which the 65 * security operations need to be performed. 66 */ 67 struct rte_security_ctx { 68 void *device; 69 /**< Crypto/ethernet device attached */ 70 const struct rte_security_ops *ops; 71 /**< Pointer to security ops for the device */ 72 uint16_t sess_cnt; 73 /**< Number of sessions attached to this context */ 74 }; 75 76 /** 77 * IPSEC tunnel parameters 78 * 79 * These parameters are used to build outbound tunnel headers. 80 */ 81 struct rte_security_ipsec_tunnel_param { 82 enum rte_security_ipsec_tunnel_type type; 83 /**< Tunnel type: IPv4 or IPv6 */ 84 RTE_STD_C11 85 union { 86 struct { 87 struct in_addr src_ip; 88 /**< IPv4 source address */ 89 struct in_addr dst_ip; 90 /**< IPv4 destination address */ 91 uint8_t dscp; 92 /**< IPv4 Differentiated Services Code Point */ 93 uint8_t df; 94 /**< IPv4 Don't Fragment bit */ 95 uint8_t ttl; 96 /**< IPv4 Time To Live */ 97 } ipv4; 98 /**< IPv4 header parameters */ 99 struct { 100 struct in6_addr src_addr; 101 /**< IPv6 source address */ 102 struct in6_addr dst_addr; 103 /**< IPv6 destination address */ 104 uint8_t dscp; 105 /**< IPv6 Differentiated Services Code Point */ 106 uint32_t flabel; 107 /**< IPv6 flow label */ 108 uint8_t hlimit; 109 /**< IPv6 hop limit */ 110 } ipv6; 111 /**< IPv6 header parameters */ 112 }; 113 }; 114 115 /** 116 * IPsec Security Association option flags 117 */ 118 struct rte_security_ipsec_sa_options { 119 /** Extended Sequence Numbers (ESN) 120 * 121 * * 1: Use extended (64 bit) sequence numbers 122 * * 0: Use normal sequence numbers 123 */ 124 uint32_t esn : 1; 125 126 /** UDP encapsulation 127 * 128 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 129 * traverse through NAT boxes. 130 * * 0: No UDP encapsulation 131 */ 132 uint32_t udp_encap : 1; 133 134 /** Copy DSCP bits 135 * 136 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 137 * the outer IP header in encapsulation, and vice versa in 138 * decapsulation. 139 * * 0: Do not change DSCP field. 140 */ 141 uint32_t copy_dscp : 1; 142 143 /** Copy IPv6 Flow Label 144 * 145 * * 1: Copy IPv6 flow label from inner IPv6 header to the 146 * outer IPv6 header. 147 * * 0: Outer header is not modified. 148 */ 149 uint32_t copy_flabel : 1; 150 151 /** Copy IPv4 Don't Fragment bit 152 * 153 * * 1: Copy the DF bit from the inner IPv4 header to the outer 154 * IPv4 header. 155 * * 0: Outer header is not modified. 156 */ 157 uint32_t copy_df : 1; 158 159 /** Decrement inner packet Time To Live (TTL) field 160 * 161 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 162 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 163 * encapsulation. 164 * * 0: Inner packet is not modified. 165 */ 166 uint32_t dec_ttl : 1; 167 168 /** Explicit Congestion Notification (ECN) 169 * 170 * * 1: In tunnel mode, enable outer header ECN Field copied from 171 * inner header in tunnel encapsulation, or inner header ECN 172 * field construction in decapsulation. 173 * * 0: Inner/outer header are not modified. 174 */ 175 uint32_t ecn : 1; 176 177 /** Security statistics 178 * 179 * * 1: Enable per session security statistics collection for 180 * this SA, if supported by the driver. 181 * * 0: Disable per session security statistics collection for this SA. 182 */ 183 uint32_t stats : 1; 184 }; 185 186 /** IPSec security association direction */ 187 enum rte_security_ipsec_sa_direction { 188 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 189 /**< Encrypt and generate digest */ 190 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 191 /**< Verify digest and decrypt */ 192 }; 193 194 /** 195 * IPsec security association configuration data. 196 * 197 * This structure contains data required to create an IPsec SA security session. 198 */ 199 struct rte_security_ipsec_xform { 200 uint32_t spi; 201 /**< SA security parameter index */ 202 uint32_t salt; 203 /**< SA salt */ 204 struct rte_security_ipsec_sa_options options; 205 /**< various SA options */ 206 enum rte_security_ipsec_sa_direction direction; 207 /**< IPSec SA Direction - Egress/Ingress */ 208 enum rte_security_ipsec_sa_protocol proto; 209 /**< IPsec SA Protocol - AH/ESP */ 210 enum rte_security_ipsec_sa_mode mode; 211 /**< IPsec SA Mode - transport/tunnel */ 212 struct rte_security_ipsec_tunnel_param tunnel; 213 /**< Tunnel parameters, NULL for transport mode */ 214 uint64_t esn_soft_limit; 215 /**< ESN for which the overflow event need to be raised */ 216 uint32_t replay_win_sz; 217 /**< Anti replay window size to enable sequence replay attack handling. 218 * replay checking is disabled if the window size is 0. 219 */ 220 }; 221 222 /** 223 * MACsec security session configuration 224 */ 225 struct rte_security_macsec_xform { 226 /** To be Filled */ 227 int dummy; 228 }; 229 230 /** 231 * PDCP Mode of session 232 */ 233 enum rte_security_pdcp_domain { 234 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 235 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 236 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 237 }; 238 239 /** PDCP Frame direction */ 240 enum rte_security_pdcp_direction { 241 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 242 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 243 }; 244 245 /** PDCP Sequence Number Size selectors */ 246 enum rte_security_pdcp_sn_size { 247 /** PDCP_SN_SIZE_5: 5bit sequence number */ 248 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 249 /** PDCP_SN_SIZE_7: 7bit sequence number */ 250 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 251 /** PDCP_SN_SIZE_12: 12bit sequence number */ 252 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 253 /** PDCP_SN_SIZE_15: 15bit sequence number */ 254 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 255 /** PDCP_SN_SIZE_18: 18bit sequence number */ 256 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 257 }; 258 259 /** 260 * PDCP security association configuration data. 261 * 262 * This structure contains data required to create a PDCP security session. 263 */ 264 struct rte_security_pdcp_xform { 265 int8_t bearer; /**< PDCP bearer ID */ 266 /** Enable in order delivery, this field shall be set only if 267 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 268 */ 269 uint8_t en_ordering; 270 /** Notify driver/HW to detect and remove duplicate packets. 271 * This field should be set only when driver/hw is capable. 272 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 273 */ 274 uint8_t remove_duplicates; 275 /** PDCP mode of operation: Control or data */ 276 enum rte_security_pdcp_domain domain; 277 /** PDCP Frame Direction 0:UL 1:DL */ 278 enum rte_security_pdcp_direction pkt_dir; 279 /** Sequence number size, 5/7/12/15/18 */ 280 enum rte_security_pdcp_sn_size sn_size; 281 /** Starting Hyper Frame Number to be used together with the SN 282 * from the PDCP frames 283 */ 284 uint32_t hfn; 285 /** HFN Threshold for key renegotiation */ 286 uint32_t hfn_threshold; 287 /** HFN can be given as a per packet value also. 288 * As we do not have IV in case of PDCP, and HFN is 289 * used to generate IV. IV field can be used to get the 290 * per packet HFN while enq/deq. 291 * If hfn_ovrd field is set, user is expected to set the 292 * per packet HFN in place of IV. PMDs will extract the HFN 293 * and perform operations accordingly. 294 */ 295 uint8_t hfn_ovrd; 296 /** In case of 5G NR, a new protocol (SDAP) header may be set 297 * inside PDCP payload which should be authenticated but not 298 * encrypted. Hence, driver should be notified if SDAP is 299 * enabled or not, so that SDAP header is not encrypted. 300 */ 301 uint8_t sdap_enabled; 302 /** Reserved for future */ 303 uint16_t reserved; 304 }; 305 306 /** DOCSIS direction */ 307 enum rte_security_docsis_direction { 308 RTE_SECURITY_DOCSIS_UPLINK, 309 /**< Uplink 310 * - Decryption, followed by CRC Verification 311 */ 312 RTE_SECURITY_DOCSIS_DOWNLINK, 313 /**< Downlink 314 * - CRC Generation, followed by Encryption 315 */ 316 }; 317 318 /** 319 * DOCSIS security session configuration. 320 * 321 * This structure contains data required to create a DOCSIS security session. 322 */ 323 struct rte_security_docsis_xform { 324 enum rte_security_docsis_direction direction; 325 /**< DOCSIS direction */ 326 }; 327 328 /** 329 * Security session action type. 330 */ 331 enum rte_security_session_action_type { 332 RTE_SECURITY_ACTION_TYPE_NONE, 333 /**< No security actions */ 334 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 335 /**< Crypto processing for security protocol is processed inline 336 * during transmission 337 */ 338 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 339 /**< All security protocol processing is performed inline during 340 * transmission 341 */ 342 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 343 /**< All security protocol processing including crypto is performed 344 * on a lookaside accelerator 345 */ 346 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 347 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 348 * protocol is processed synchronously by a CPU. 349 */ 350 }; 351 352 /** Security session protocol definition */ 353 enum rte_security_session_protocol { 354 RTE_SECURITY_PROTOCOL_IPSEC = 1, 355 /**< IPsec Protocol */ 356 RTE_SECURITY_PROTOCOL_MACSEC, 357 /**< MACSec Protocol */ 358 RTE_SECURITY_PROTOCOL_PDCP, 359 /**< PDCP Protocol */ 360 RTE_SECURITY_PROTOCOL_DOCSIS, 361 /**< DOCSIS Protocol */ 362 }; 363 364 /** 365 * Security session configuration 366 */ 367 struct rte_security_session_conf { 368 enum rte_security_session_action_type action_type; 369 /**< Type of action to be performed on the session */ 370 enum rte_security_session_protocol protocol; 371 /**< Security protocol to be configured */ 372 RTE_STD_C11 373 union { 374 struct rte_security_ipsec_xform ipsec; 375 struct rte_security_macsec_xform macsec; 376 struct rte_security_pdcp_xform pdcp; 377 struct rte_security_docsis_xform docsis; 378 }; 379 /**< Configuration parameters for security session */ 380 struct rte_crypto_sym_xform *crypto_xform; 381 /**< Security Session Crypto Transformations */ 382 void *userdata; 383 /**< Application specific userdata to be saved with session */ 384 }; 385 386 struct rte_security_session { 387 void *sess_private_data; 388 /**< Private session material */ 389 uint64_t opaque_data; 390 /**< Opaque user defined data */ 391 }; 392 393 /** 394 * Create security session as specified by the session configuration 395 * 396 * @param instance security instance 397 * @param conf session configuration parameters 398 * @param mp mempool to allocate session objects from 399 * @param priv_mp mempool to allocate session private data objects from 400 * @return 401 * - On success, pointer to session 402 * - On failure, NULL 403 */ 404 struct rte_security_session * 405 rte_security_session_create(struct rte_security_ctx *instance, 406 struct rte_security_session_conf *conf, 407 struct rte_mempool *mp, 408 struct rte_mempool *priv_mp); 409 410 /** 411 * Update security session as specified by the session configuration 412 * 413 * @param instance security instance 414 * @param sess session to update parameters 415 * @param conf update configuration parameters 416 * @return 417 * - On success returns 0 418 * - On failure returns a negative errno value. 419 */ 420 __rte_experimental 421 int 422 rte_security_session_update(struct rte_security_ctx *instance, 423 struct rte_security_session *sess, 424 struct rte_security_session_conf *conf); 425 426 /** 427 * Get the size of the security session data for a device. 428 * 429 * @param instance security instance. 430 * 431 * @return 432 * - Size of the private data, if successful 433 * - 0 if device is invalid or does not support the operation. 434 */ 435 unsigned int 436 rte_security_session_get_size(struct rte_security_ctx *instance); 437 438 /** 439 * Free security session header and the session private data and 440 * return it to its original mempool. 441 * 442 * @param instance security instance 443 * @param sess security session to be freed 444 * 445 * @return 446 * - 0 if successful. 447 * - -EINVAL if session or context instance is NULL. 448 * - -EBUSY if not all device private data has been freed. 449 * - -ENOTSUP if destroying private data is not supported. 450 * - other negative values in case of freeing private data errors. 451 */ 452 int 453 rte_security_session_destroy(struct rte_security_ctx *instance, 454 struct rte_security_session *sess); 455 456 /** Device-specific metadata field type */ 457 typedef uint64_t rte_security_dynfield_t; 458 /** Dynamic mbuf field for device-specific metadata */ 459 extern int rte_security_dynfield_offset; 460 461 /** 462 * @warning 463 * @b EXPERIMENTAL: this API may change without prior notice 464 * 465 * Get pointer to mbuf field for device-specific metadata. 466 * 467 * For performance reason, no check is done, 468 * the dynamic field may not be registered. 469 * @see rte_security_dynfield_is_registered 470 * 471 * @param mbuf packet to access 472 * @return pointer to mbuf field 473 */ 474 __rte_experimental 475 static inline rte_security_dynfield_t * 476 rte_security_dynfield(struct rte_mbuf *mbuf) 477 { 478 return RTE_MBUF_DYNFIELD(mbuf, 479 rte_security_dynfield_offset, 480 rte_security_dynfield_t *); 481 } 482 483 /** 484 * @warning 485 * @b EXPERIMENTAL: this API may change without prior notice 486 * 487 * Check whether the dynamic field is registered. 488 * 489 * @return true if rte_security_dynfield_register() has been called. 490 */ 491 __rte_experimental 492 static inline bool rte_security_dynfield_is_registered(void) 493 { 494 return rte_security_dynfield_offset >= 0; 495 } 496 497 /** 498 * Updates the buffer with device-specific defined metadata 499 * 500 * @param instance security instance 501 * @param sess security session 502 * @param mb packet mbuf to set metadata on. 503 * @param params device-specific defined parameters 504 * required for metadata 505 * 506 * @return 507 * - On success, zero. 508 * - On failure, a negative value. 509 */ 510 int 511 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 512 struct rte_security_session *sess, 513 struct rte_mbuf *mb, void *params); 514 515 /** 516 * Get userdata associated with the security session. Device specific metadata 517 * provided would be used to uniquely identify the security session being 518 * referred to. This userdata would be registered while creating the session, 519 * and application can use this to identify the SA etc. 520 * 521 * Device specific metadata would be set in mbuf for inline processed inbound 522 * packets. In addition, the same metadata would be set for IPsec events 523 * reported by rte_eth_event framework. 524 * 525 * @param instance security instance 526 * @param md device-specific metadata 527 * 528 * @return 529 * - On success, userdata 530 * - On failure, NULL 531 */ 532 __rte_experimental 533 void * 534 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); 535 536 /** 537 * Attach a session to a symmetric crypto operation 538 * 539 * @param sym_op crypto operation 540 * @param sess security session 541 */ 542 static inline int 543 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 544 struct rte_security_session *sess) 545 { 546 sym_op->sec_session = sess; 547 548 return 0; 549 } 550 551 static inline void * 552 get_sec_session_private_data(const struct rte_security_session *sess) 553 { 554 return sess->sess_private_data; 555 } 556 557 static inline void 558 set_sec_session_private_data(struct rte_security_session *sess, 559 void *private_data) 560 { 561 sess->sess_private_data = private_data; 562 } 563 564 /** 565 * Attach a session to a crypto operation. 566 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 567 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 568 * defined to perform security operations. 569 * 570 * @param op crypto operation 571 * @param sess security session 572 */ 573 static inline int 574 rte_security_attach_session(struct rte_crypto_op *op, 575 struct rte_security_session *sess) 576 { 577 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 578 return -EINVAL; 579 580 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 581 582 return __rte_security_attach_session(op->sym, sess); 583 } 584 585 struct rte_security_macsec_stats { 586 uint64_t reserved; 587 }; 588 589 struct rte_security_ipsec_stats { 590 uint64_t ipackets; /**< Successfully received IPsec packets. */ 591 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 592 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 593 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 594 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 595 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 596 uint64_t reserved1; /**< Reserved for future use. */ 597 uint64_t reserved2; /**< Reserved for future use. */ 598 }; 599 600 struct rte_security_pdcp_stats { 601 uint64_t reserved; 602 }; 603 604 struct rte_security_docsis_stats { 605 uint64_t reserved; 606 }; 607 608 struct rte_security_stats { 609 enum rte_security_session_protocol protocol; 610 /**< Security protocol to be configured */ 611 612 RTE_STD_C11 613 union { 614 struct rte_security_macsec_stats macsec; 615 struct rte_security_ipsec_stats ipsec; 616 struct rte_security_pdcp_stats pdcp; 617 struct rte_security_docsis_stats docsis; 618 }; 619 }; 620 621 /** 622 * Get security session statistics 623 * 624 * @param instance security instance 625 * @param sess security session 626 * If security session is NULL then global (per security instance) statistics 627 * will be retrieved, if supported. Global statistics collection is not 628 * dependent on the per session statistics configuration. 629 * @param stats statistics 630 * @return 631 * - On success, return 0 632 * - On failure, a negative value 633 */ 634 __rte_experimental 635 int 636 rte_security_session_stats_get(struct rte_security_ctx *instance, 637 struct rte_security_session *sess, 638 struct rte_security_stats *stats); 639 640 /** 641 * Security capability definition 642 */ 643 struct rte_security_capability { 644 enum rte_security_session_action_type action; 645 /**< Security action type*/ 646 enum rte_security_session_protocol protocol; 647 /**< Security protocol */ 648 RTE_STD_C11 649 union { 650 struct { 651 enum rte_security_ipsec_sa_protocol proto; 652 /**< IPsec SA protocol */ 653 enum rte_security_ipsec_sa_mode mode; 654 /**< IPsec SA mode */ 655 enum rte_security_ipsec_sa_direction direction; 656 /**< IPsec SA direction */ 657 struct rte_security_ipsec_sa_options options; 658 /**< IPsec SA supported options */ 659 uint32_t replay_win_sz_max; 660 /**< IPsec Anti Replay Window Size. A '0' value 661 * indicates that Anti Replay is not supported. 662 */ 663 } ipsec; 664 /**< IPsec capability */ 665 struct { 666 /* To be Filled */ 667 int dummy; 668 } macsec; 669 /**< MACsec capability */ 670 struct { 671 enum rte_security_pdcp_domain domain; 672 /**< PDCP mode of operation: Control or data */ 673 uint32_t capa_flags; 674 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 675 } pdcp; 676 /**< PDCP capability */ 677 struct { 678 enum rte_security_docsis_direction direction; 679 /**< DOCSIS direction */ 680 } docsis; 681 /**< DOCSIS capability */ 682 }; 683 684 const struct rte_cryptodev_capabilities *crypto_capabilities; 685 /**< Corresponding crypto capabilities for security capability */ 686 687 uint32_t ol_flags; 688 /**< Device offload flags */ 689 }; 690 691 /** Underlying Hardware/driver which support PDCP may or may not support 692 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 693 * If it is not set, driver/HW assumes packets received are in order 694 * and it will be application's responsibility to maintain ordering. 695 */ 696 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 697 698 /** Underlying Hardware/driver which support PDCP may or may not detect 699 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 700 * If it is not set, driver/HW assumes there is no duplicate packet received. 701 */ 702 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 703 704 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 705 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 706 */ 707 708 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 709 /**< HW constructs trailer of packets 710 * Transmitted packets will have the trailer added to them 711 * by hardware. The next protocol field will be based on 712 * the mbuf->inner_esp_next_proto field. 713 */ 714 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 715 /**< HW removes trailer of packets 716 * Received packets have no trailer, the next protocol field 717 * is supplied in the mbuf->inner_esp_next_proto field. 718 * Inner packet is not modified. 719 */ 720 721 /** 722 * Security capability index used to query a security instance for a specific 723 * security capability 724 */ 725 struct rte_security_capability_idx { 726 enum rte_security_session_action_type action; 727 enum rte_security_session_protocol protocol; 728 729 RTE_STD_C11 730 union { 731 struct { 732 enum rte_security_ipsec_sa_protocol proto; 733 enum rte_security_ipsec_sa_mode mode; 734 enum rte_security_ipsec_sa_direction direction; 735 } ipsec; 736 struct { 737 enum rte_security_pdcp_domain domain; 738 uint32_t capa_flags; 739 } pdcp; 740 struct { 741 enum rte_security_docsis_direction direction; 742 } docsis; 743 }; 744 }; 745 746 /** 747 * Returns array of security instance capabilities 748 * 749 * @param instance Security instance. 750 * 751 * @return 752 * - Returns array of security capabilities. 753 * - Return NULL if no capabilities available. 754 */ 755 const struct rte_security_capability * 756 rte_security_capabilities_get(struct rte_security_ctx *instance); 757 758 /** 759 * Query if a specific capability is available on security instance 760 * 761 * @param instance security instance. 762 * @param idx security capability index to match against 763 * 764 * @return 765 * - Returns pointer to security capability on match of capability 766 * index criteria. 767 * - Return NULL if the capability not matched on security instance. 768 */ 769 const struct rte_security_capability * 770 rte_security_capability_get(struct rte_security_ctx *instance, 771 struct rte_security_capability_idx *idx); 772 773 #ifdef __cplusplus 774 } 775 #endif 776 777 #endif /* _RTE_SECURITY_H_ */ 778