xref: /dpdk/lib/security/rte_security.h (revision c9902a15bd005b6d4fe072cf7b60fe4ee679155f) 
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
9 /**
10  * @file rte_security.h
11  *
12  * RTE Security Common Definitions
13  *
14  */
15 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #include <sys/types.h>
21 
22 #include <netinet/in.h>
23 #include <netinet/ip.h>
24 #include <netinet/ip6.h>
25 
26 #include <rte_compat.h>
27 #include <rte_common.h>
28 #include <rte_crypto.h>
29 #include <rte_mbuf.h>
30 #include <rte_mbuf_dyn.h>
31 #include <rte_memory.h>
32 #include <rte_mempool.h>
33 
34 /** IPSec protocol mode */
35 enum rte_security_ipsec_sa_mode {
36 	RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
37 	/**< IPSec Transport mode */
38 	RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
39 	/**< IPSec Tunnel mode */
40 };
41 
42 /** IPSec Protocol */
43 enum rte_security_ipsec_sa_protocol {
44 	RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
45 	/**< AH protocol */
46 	RTE_SECURITY_IPSEC_SA_PROTO_ESP,
47 	/**< ESP protocol */
48 };
49 
50 /** IPSEC tunnel type */
51 enum rte_security_ipsec_tunnel_type {
52 	RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
53 	/**< Outer header is IPv4 */
54 	RTE_SECURITY_IPSEC_TUNNEL_IPV6,
55 	/**< Outer header is IPv6 */
56 };
57 
58 /**
59  * Security context for crypto/eth devices
60  *
61  * Security instance for each driver to register security operations.
62  * The application can get the security context from the crypto/eth device id
63  * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
64  * This structure is used to identify the device(crypto/eth) for which the
65  * security operations need to be performed.
66  */
67 struct rte_security_ctx {
68 	void *device;
69 	/**< Crypto/ethernet device attached */
70 	const struct rte_security_ops *ops;
71 	/**< Pointer to security ops for the device */
72 	uint16_t sess_cnt;
73 	/**< Number of sessions attached to this context */
74 	uint32_t flags;
75 	/**< Flags for security context */
76 };
77 
78 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
79 /**< Driver uses fast metadata update without using driver specific callback */
80 
81 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
82 /**< Driver provides udata using fast method without using driver specific
83  * callback. For fast mdata and udata, mbuf dynamic field would be registered
84  * by driver via rte_security_dynfield_register().
85  */
86 
87 /**
88  * IPSEC tunnel parameters
89  *
90  * These parameters are used to build outbound tunnel headers.
91  */
92 struct rte_security_ipsec_tunnel_param {
93 	enum rte_security_ipsec_tunnel_type type;
94 	/**< Tunnel type: IPv4 or IPv6 */
95 	RTE_STD_C11
96 	union {
97 		struct {
98 			struct in_addr src_ip;
99 			/**< IPv4 source address */
100 			struct in_addr dst_ip;
101 			/**< IPv4 destination address */
102 			uint8_t dscp;
103 			/**< IPv4 Differentiated Services Code Point */
104 			uint8_t df;
105 			/**< IPv4 Don't Fragment bit */
106 			uint8_t ttl;
107 			/**< IPv4 Time To Live */
108 		} ipv4;
109 		/**< IPv4 header parameters */
110 		struct {
111 			struct in6_addr src_addr;
112 			/**< IPv6 source address */
113 			struct in6_addr dst_addr;
114 			/**< IPv6 destination address */
115 			uint8_t dscp;
116 			/**< IPv6 Differentiated Services Code Point */
117 			uint32_t flabel;
118 			/**< IPv6 flow label */
119 			uint8_t hlimit;
120 			/**< IPv6 hop limit */
121 		} ipv6;
122 		/**< IPv6 header parameters */
123 	};
124 };
125 
126 /**
127  * IPsec Security Association option flags
128  */
129 struct rte_security_ipsec_sa_options {
130 	/** Extended Sequence Numbers (ESN)
131 	 *
132 	 * * 1: Use extended (64 bit) sequence numbers
133 	 * * 0: Use normal sequence numbers
134 	 */
135 	uint32_t esn : 1;
136 
137 	/** UDP encapsulation
138 	 *
139 	 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
140 	 *      traverse through NAT boxes.
141 	 * * 0: No UDP encapsulation
142 	 */
143 	uint32_t udp_encap : 1;
144 
145 	/** Copy DSCP bits
146 	 *
147 	 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
148 	 *      the outer IP header in encapsulation, and vice versa in
149 	 *      decapsulation.
150 	 * * 0: Do not change DSCP field.
151 	 */
152 	uint32_t copy_dscp : 1;
153 
154 	/** Copy IPv6 Flow Label
155 	 *
156 	 * * 1: Copy IPv6 flow label from inner IPv6 header to the
157 	 *      outer IPv6 header.
158 	 * * 0: Outer header is not modified.
159 	 */
160 	uint32_t copy_flabel : 1;
161 
162 	/** Copy IPv4 Don't Fragment bit
163 	 *
164 	 * * 1: Copy the DF bit from the inner IPv4 header to the outer
165 	 *      IPv4 header.
166 	 * * 0: Outer header is not modified.
167 	 */
168 	uint32_t copy_df : 1;
169 
170 	/** Decrement inner packet Time To Live (TTL) field
171 	 *
172 	 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
173 	 *      IPv6 Hop Limit after tunnel decapsulation, or before tunnel
174 	 *      encapsulation.
175 	 * * 0: Inner packet is not modified.
176 	 */
177 	uint32_t dec_ttl : 1;
178 
179 	/** Explicit Congestion Notification (ECN)
180 	 *
181 	 * * 1: In tunnel mode, enable outer header ECN Field copied from
182 	 *      inner header in tunnel encapsulation, or inner header ECN
183 	 *      field construction in decapsulation.
184 	 * * 0: Inner/outer header are not modified.
185 	 */
186 	uint32_t ecn : 1;
187 
188 	/** Security statistics
189 	 *
190 	 * * 1: Enable per session security statistics collection for
191 	 *      this SA, if supported by the driver.
192 	 * * 0: Disable per session security statistics collection for this SA.
193 	 */
194 	uint32_t stats : 1;
195 };
196 
197 /** IPSec security association direction */
198 enum rte_security_ipsec_sa_direction {
199 	RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
200 	/**< Encrypt and generate digest */
201 	RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
202 	/**< Verify digest and decrypt */
203 };
204 
205 /**
206  * IPsec security association configuration data.
207  *
208  * This structure contains data required to create an IPsec SA security session.
209  */
210 struct rte_security_ipsec_xform {
211 	uint32_t spi;
212 	/**< SA security parameter index */
213 	uint32_t salt;
214 	/**< SA salt */
215 	struct rte_security_ipsec_sa_options options;
216 	/**< various SA options */
217 	enum rte_security_ipsec_sa_direction direction;
218 	/**< IPSec SA Direction - Egress/Ingress */
219 	enum rte_security_ipsec_sa_protocol proto;
220 	/**< IPsec SA Protocol - AH/ESP */
221 	enum rte_security_ipsec_sa_mode mode;
222 	/**< IPsec SA Mode - transport/tunnel */
223 	struct rte_security_ipsec_tunnel_param tunnel;
224 	/**< Tunnel parameters, NULL for transport mode */
225 	uint64_t esn_soft_limit;
226 	/**< ESN for which the overflow event need to be raised */
227 	uint32_t replay_win_sz;
228 	/**< Anti replay window size to enable sequence replay attack handling.
229 	 * replay checking is disabled if the window size is 0.
230 	 */
231 };
232 
233 /**
234  * MACsec security session configuration
235  */
236 struct rte_security_macsec_xform {
237 	/** To be Filled */
238 	int dummy;
239 };
240 
241 /**
242  * PDCP Mode of session
243  */
244 enum rte_security_pdcp_domain {
245 	RTE_SECURITY_PDCP_MODE_CONTROL,	/**< PDCP control plane */
246 	RTE_SECURITY_PDCP_MODE_DATA,	/**< PDCP data plane */
247 	RTE_SECURITY_PDCP_MODE_SHORT_MAC,	/**< PDCP short mac */
248 };
249 
250 /** PDCP Frame direction */
251 enum rte_security_pdcp_direction {
252 	RTE_SECURITY_PDCP_UPLINK,	/**< Uplink */
253 	RTE_SECURITY_PDCP_DOWNLINK,	/**< Downlink */
254 };
255 
256 /** PDCP Sequence Number Size selectors */
257 enum rte_security_pdcp_sn_size {
258 	/** PDCP_SN_SIZE_5: 5bit sequence number */
259 	RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
260 	/** PDCP_SN_SIZE_7: 7bit sequence number */
261 	RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
262 	/** PDCP_SN_SIZE_12: 12bit sequence number */
263 	RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
264 	/** PDCP_SN_SIZE_15: 15bit sequence number */
265 	RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
266 	/** PDCP_SN_SIZE_18: 18bit sequence number */
267 	RTE_SECURITY_PDCP_SN_SIZE_18 = 18
268 };
269 
270 /**
271  * PDCP security association configuration data.
272  *
273  * This structure contains data required to create a PDCP security session.
274  */
275 struct rte_security_pdcp_xform {
276 	int8_t bearer;	/**< PDCP bearer ID */
277 	/** Enable in order delivery, this field shall be set only if
278 	 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
279 	 */
280 	uint8_t en_ordering;
281 	/** Notify driver/HW to detect and remove duplicate packets.
282 	 * This field should be set only when driver/hw is capable.
283 	 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
284 	 */
285 	uint8_t remove_duplicates;
286 	/** PDCP mode of operation: Control or data */
287 	enum rte_security_pdcp_domain domain;
288 	/** PDCP Frame Direction 0:UL 1:DL */
289 	enum rte_security_pdcp_direction pkt_dir;
290 	/** Sequence number size, 5/7/12/15/18 */
291 	enum rte_security_pdcp_sn_size sn_size;
292 	/** Starting Hyper Frame Number to be used together with the SN
293 	 * from the PDCP frames
294 	 */
295 	uint32_t hfn;
296 	/** HFN Threshold for key renegotiation */
297 	uint32_t hfn_threshold;
298 	/** HFN can be given as a per packet value also.
299 	 * As we do not have IV in case of PDCP, and HFN is
300 	 * used to generate IV. IV field can be used to get the
301 	 * per packet HFN while enq/deq.
302 	 * If hfn_ovrd field is set, user is expected to set the
303 	 * per packet HFN in place of IV. PMDs will extract the HFN
304 	 * and perform operations accordingly.
305 	 */
306 	uint8_t hfn_ovrd;
307 	/** In case of 5G NR, a new protocol (SDAP) header may be set
308 	 * inside PDCP payload which should be authenticated but not
309 	 * encrypted. Hence, driver should be notified if SDAP is
310 	 * enabled or not, so that SDAP header is not encrypted.
311 	 */
312 	uint8_t sdap_enabled;
313 	/** Reserved for future */
314 	uint16_t reserved;
315 };
316 
317 /** DOCSIS direction */
318 enum rte_security_docsis_direction {
319 	RTE_SECURITY_DOCSIS_UPLINK,
320 	/**< Uplink
321 	 * - Decryption, followed by CRC Verification
322 	 */
323 	RTE_SECURITY_DOCSIS_DOWNLINK,
324 	/**< Downlink
325 	 * - CRC Generation, followed by Encryption
326 	 */
327 };
328 
329 /**
330  * DOCSIS security session configuration.
331  *
332  * This structure contains data required to create a DOCSIS security session.
333  */
334 struct rte_security_docsis_xform {
335 	enum rte_security_docsis_direction direction;
336 	/**< DOCSIS direction */
337 };
338 
339 /**
340  * Security session action type.
341  */
342 enum rte_security_session_action_type {
343 	RTE_SECURITY_ACTION_TYPE_NONE,
344 	/**< No security actions */
345 	RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
346 	/**< Crypto processing for security protocol is processed inline
347 	 * during transmission
348 	 */
349 	RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
350 	/**< All security protocol processing is performed inline during
351 	 * transmission
352 	 */
353 	RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
354 	/**< All security protocol processing including crypto is performed
355 	 * on a lookaside accelerator
356 	 */
357 	RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
358 	/**< Similar to ACTION_TYPE_NONE but crypto processing for security
359 	 * protocol is processed synchronously by a CPU.
360 	 */
361 };
362 
363 /** Security session protocol definition */
364 enum rte_security_session_protocol {
365 	RTE_SECURITY_PROTOCOL_IPSEC = 1,
366 	/**< IPsec Protocol */
367 	RTE_SECURITY_PROTOCOL_MACSEC,
368 	/**< MACSec Protocol */
369 	RTE_SECURITY_PROTOCOL_PDCP,
370 	/**< PDCP Protocol */
371 	RTE_SECURITY_PROTOCOL_DOCSIS,
372 	/**< DOCSIS Protocol */
373 };
374 
375 /**
376  * Security session configuration
377  */
378 struct rte_security_session_conf {
379 	enum rte_security_session_action_type action_type;
380 	/**< Type of action to be performed on the session */
381 	enum rte_security_session_protocol protocol;
382 	/**< Security protocol to be configured */
383 	RTE_STD_C11
384 	union {
385 		struct rte_security_ipsec_xform ipsec;
386 		struct rte_security_macsec_xform macsec;
387 		struct rte_security_pdcp_xform pdcp;
388 		struct rte_security_docsis_xform docsis;
389 	};
390 	/**< Configuration parameters for security session */
391 	struct rte_crypto_sym_xform *crypto_xform;
392 	/**< Security Session Crypto Transformations */
393 	void *userdata;
394 	/**< Application specific userdata to be saved with session */
395 };
396 
397 struct rte_security_session {
398 	void *sess_private_data;
399 	/**< Private session material */
400 	uint64_t opaque_data;
401 	/**< Opaque user defined data */
402 };
403 
404 /**
405  * Create security session as specified by the session configuration
406  *
407  * @param   instance	security instance
408  * @param   conf	session configuration parameters
409  * @param   mp		mempool to allocate session objects from
410  * @param   priv_mp	mempool to allocate session private data objects from
411  * @return
412  *  - On success, pointer to session
413  *  - On failure, NULL
414  */
415 struct rte_security_session *
416 rte_security_session_create(struct rte_security_ctx *instance,
417 			    struct rte_security_session_conf *conf,
418 			    struct rte_mempool *mp,
419 			    struct rte_mempool *priv_mp);
420 
421 /**
422  * Update security session as specified by the session configuration
423  *
424  * @param   instance	security instance
425  * @param   sess	session to update parameters
426  * @param   conf	update configuration parameters
427  * @return
428  *  - On success returns 0
429  *  - On failure returns a negative errno value.
430  */
431 __rte_experimental
432 int
433 rte_security_session_update(struct rte_security_ctx *instance,
434 			    struct rte_security_session *sess,
435 			    struct rte_security_session_conf *conf);
436 
437 /**
438  * Get the size of the security session data for a device.
439  *
440  * @param   instance	security instance.
441  *
442  * @return
443  *   - Size of the private data, if successful
444  *   - 0 if device is invalid or does not support the operation.
445  */
446 unsigned int
447 rte_security_session_get_size(struct rte_security_ctx *instance);
448 
449 /**
450  * Free security session header and the session private data and
451  * return it to its original mempool.
452  *
453  * @param   instance	security instance
454  * @param   sess	security session to be freed
455  *
456  * @return
457  *  - 0 if successful.
458  *  - -EINVAL if session or context instance is NULL.
459  *  - -EBUSY if not all device private data has been freed.
460  *  - -ENOTSUP if destroying private data is not supported.
461  *  - other negative values in case of freeing private data errors.
462  */
463 int
464 rte_security_session_destroy(struct rte_security_ctx *instance,
465 			     struct rte_security_session *sess);
466 
467 /** Device-specific metadata field type */
468 typedef uint64_t rte_security_dynfield_t;
469 /** Dynamic mbuf field for device-specific metadata */
470 extern int rte_security_dynfield_offset;
471 
472 /**
473  * @warning
474  * @b EXPERIMENTAL: this API may change without prior notice
475  *
476  * Get pointer to mbuf field for device-specific metadata.
477  *
478  * For performance reason, no check is done,
479  * the dynamic field may not be registered.
480  * @see rte_security_dynfield_is_registered
481  *
482  * @param	mbuf	packet to access
483  * @return pointer to mbuf field
484  */
485 __rte_experimental
486 static inline rte_security_dynfield_t *
487 rte_security_dynfield(struct rte_mbuf *mbuf)
488 {
489 	return RTE_MBUF_DYNFIELD(mbuf,
490 		rte_security_dynfield_offset,
491 		rte_security_dynfield_t *);
492 }
493 
494 /**
495  * @warning
496  * @b EXPERIMENTAL: this API may change without prior notice
497  *
498  * Check whether the dynamic field is registered.
499  *
500  * @return true if rte_security_dynfield_register() has been called.
501  */
502 __rte_experimental
503 static inline bool rte_security_dynfield_is_registered(void)
504 {
505 	return rte_security_dynfield_offset >= 0;
506 }
507 
508 /** Function to call PMD specific function pointer set_pkt_metadata() */
509 __rte_experimental
510 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
511 					   struct rte_security_session *sess,
512 					   struct rte_mbuf *m, void *params);
513 
514 /**
515  *  Updates the buffer with device-specific defined metadata
516  *
517  * @param	instance	security instance
518  * @param	sess		security session
519  * @param	mb		packet mbuf to set metadata on.
520  * @param	params		device-specific defined parameters
521  *				required for metadata
522  *
523  * @return
524  *  - On success, zero.
525  *  - On failure, a negative value.
526  */
527 static inline int
528 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
529 			      struct rte_security_session *sess,
530 			      struct rte_mbuf *mb, void *params)
531 {
532 	/* Fast Path */
533 	if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
534 		*rte_security_dynfield(mb) =
535 			(rte_security_dynfield_t)(sess->sess_private_data);
536 		return 0;
537 	}
538 
539 	/* Jump to PMD specific function pointer */
540 	return __rte_security_set_pkt_metadata(instance, sess, mb, params);
541 }
542 
543 /** Function to call PMD specific function pointer get_userdata() */
544 __rte_experimental
545 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
546 					 uint64_t md);
547 
548 /**
549  * Get userdata associated with the security session. Device specific metadata
550  * provided would be used to uniquely identify the security session being
551  * referred to. This userdata would be registered while creating the session,
552  * and application can use this to identify the SA etc.
553  *
554  * Device specific metadata would be set in mbuf for inline processed inbound
555  * packets. In addition, the same metadata would be set for IPsec events
556  * reported by rte_eth_event framework.
557  *
558  * @param   instance	security instance
559  * @param   md		device-specific metadata
560  *
561  * @return
562  *  - On success, userdata
563  *  - On failure, NULL
564  */
565 __rte_experimental
566 static inline void *
567 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
568 {
569 	/* Fast Path */
570 	if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
571 		return (void *)(uintptr_t)md;
572 
573 	/* Jump to PMD specific function pointer */
574 	return __rte_security_get_userdata(instance, md);
575 }
576 
577 /**
578  * Attach a session to a symmetric crypto operation
579  *
580  * @param	sym_op	crypto operation
581  * @param	sess	security session
582  */
583 static inline int
584 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
585 			      struct rte_security_session *sess)
586 {
587 	sym_op->sec_session = sess;
588 
589 	return 0;
590 }
591 
592 static inline void *
593 get_sec_session_private_data(const struct rte_security_session *sess)
594 {
595 	return sess->sess_private_data;
596 }
597 
598 static inline void
599 set_sec_session_private_data(struct rte_security_session *sess,
600 			     void *private_data)
601 {
602 	sess->sess_private_data = private_data;
603 }
604 
605 /**
606  * Attach a session to a crypto operation.
607  * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
608  * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
609  * defined to perform security operations.
610  *
611  * @param	op	crypto operation
612  * @param	sess	security session
613  */
614 static inline int
615 rte_security_attach_session(struct rte_crypto_op *op,
616 			    struct rte_security_session *sess)
617 {
618 	if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
619 		return -EINVAL;
620 
621 	op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;
622 
623 	return __rte_security_attach_session(op->sym, sess);
624 }
625 
626 struct rte_security_macsec_stats {
627 	uint64_t reserved;
628 };
629 
630 struct rte_security_ipsec_stats {
631 	uint64_t ipackets;  /**< Successfully received IPsec packets. */
632 	uint64_t opackets;  /**< Successfully transmitted IPsec packets.*/
633 	uint64_t ibytes;    /**< Successfully received IPsec bytes. */
634 	uint64_t obytes;    /**< Successfully transmitted IPsec bytes. */
635 	uint64_t ierrors;   /**< IPsec packets receive/decrypt errors. */
636 	uint64_t oerrors;   /**< IPsec packets transmit/encrypt errors. */
637 	uint64_t reserved1; /**< Reserved for future use. */
638 	uint64_t reserved2; /**< Reserved for future use. */
639 };
640 
641 struct rte_security_pdcp_stats {
642 	uint64_t reserved;
643 };
644 
645 struct rte_security_docsis_stats {
646 	uint64_t reserved;
647 };
648 
649 struct rte_security_stats {
650 	enum rte_security_session_protocol protocol;
651 	/**< Security protocol to be configured */
652 
653 	RTE_STD_C11
654 	union {
655 		struct rte_security_macsec_stats macsec;
656 		struct rte_security_ipsec_stats ipsec;
657 		struct rte_security_pdcp_stats pdcp;
658 		struct rte_security_docsis_stats docsis;
659 	};
660 };
661 
662 /**
663  * Get security session statistics
664  *
665  * @param	instance	security instance
666  * @param	sess		security session
667  * If security session is NULL then global (per security instance) statistics
668  * will be retrieved, if supported. Global statistics collection is not
669  * dependent on the per session statistics configuration.
670  * @param	stats		statistics
671  * @return
672  *  - On success, return 0
673  *  - On failure, a negative value
674  */
675 __rte_experimental
676 int
677 rte_security_session_stats_get(struct rte_security_ctx *instance,
678 			       struct rte_security_session *sess,
679 			       struct rte_security_stats *stats);
680 
681 /**
682  * Security capability definition
683  */
684 struct rte_security_capability {
685 	enum rte_security_session_action_type action;
686 	/**< Security action type*/
687 	enum rte_security_session_protocol protocol;
688 	/**< Security protocol */
689 	RTE_STD_C11
690 	union {
691 		struct {
692 			enum rte_security_ipsec_sa_protocol proto;
693 			/**< IPsec SA protocol */
694 			enum rte_security_ipsec_sa_mode mode;
695 			/**< IPsec SA mode */
696 			enum rte_security_ipsec_sa_direction direction;
697 			/**< IPsec SA direction */
698 			struct rte_security_ipsec_sa_options options;
699 			/**< IPsec SA supported options */
700 			uint32_t replay_win_sz_max;
701 			/**< IPsec Anti Replay Window Size. A '0' value
702 			 * indicates that Anti Replay is not supported.
703 			 */
704 		} ipsec;
705 		/**< IPsec capability */
706 		struct {
707 			/* To be Filled */
708 			int dummy;
709 		} macsec;
710 		/**< MACsec capability */
711 		struct {
712 			enum rte_security_pdcp_domain domain;
713 			/**< PDCP mode of operation: Control or data */
714 			uint32_t capa_flags;
715 			/**< Capability flags, see RTE_SECURITY_PDCP_* */
716 		} pdcp;
717 		/**< PDCP capability */
718 		struct {
719 			enum rte_security_docsis_direction direction;
720 			/**< DOCSIS direction */
721 		} docsis;
722 		/**< DOCSIS capability */
723 	};
724 
725 	const struct rte_cryptodev_capabilities *crypto_capabilities;
726 	/**< Corresponding crypto capabilities for security capability  */
727 
728 	uint32_t ol_flags;
729 	/**< Device offload flags */
730 };
731 
732 /** Underlying Hardware/driver which support PDCP may or may not support
733  * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
734  * If it is not set, driver/HW assumes packets received are in order
735  * and it will be application's responsibility to maintain ordering.
736  */
737 #define RTE_SECURITY_PDCP_ORDERING_CAP		0x00000001
738 
739 /** Underlying Hardware/driver which support PDCP may or may not detect
740  * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
741  * If it is not set, driver/HW assumes there is no duplicate packet received.
742  */
743 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP	0x00000002
744 
745 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA	0x00000001
746 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
747  */
748 
749 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD	0x00000002
750 /**< HW constructs trailer of packets
751  * Transmitted packets will have the trailer added to them
752  * by hardware. The next protocol field will be based on
753  * the mbuf->inner_esp_next_proto field.
754  */
755 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD	0x00010000
756 /**< HW removes trailer of packets
757  * Received packets have no trailer, the next protocol field
758  * is supplied in the mbuf->inner_esp_next_proto field.
759  * Inner packet is not modified.
760  */
761 
762 /**
763  * Security capability index used to query a security instance for a specific
764  * security capability
765  */
766 struct rte_security_capability_idx {
767 	enum rte_security_session_action_type action;
768 	enum rte_security_session_protocol protocol;
769 
770 	RTE_STD_C11
771 	union {
772 		struct {
773 			enum rte_security_ipsec_sa_protocol proto;
774 			enum rte_security_ipsec_sa_mode mode;
775 			enum rte_security_ipsec_sa_direction direction;
776 		} ipsec;
777 		struct {
778 			enum rte_security_pdcp_domain domain;
779 			uint32_t capa_flags;
780 		} pdcp;
781 		struct {
782 			enum rte_security_docsis_direction direction;
783 		} docsis;
784 	};
785 };
786 
787 /**
788  *  Returns array of security instance capabilities
789  *
790  * @param	instance	Security instance.
791  *
792  * @return
793  *   - Returns array of security capabilities.
794  *   - Return NULL if no capabilities available.
795  */
796 const struct rte_security_capability *
797 rte_security_capabilities_get(struct rte_security_ctx *instance);
798 
799 /**
800  * Query if a specific capability is available on security instance
801  *
802  * @param	instance	security instance.
803  * @param	idx		security capability index to match against
804  *
805  * @return
806  *   - Returns pointer to security capability on match of capability
807  *     index criteria.
808  *   - Return NULL if the capability not matched on security instance.
809  */
810 const struct rte_security_capability *
811 rte_security_capability_get(struct rte_security_ctx *instance,
812 			    struct rte_security_capability_idx *idx);
813 
814 #ifdef __cplusplus
815 }
816 #endif
817 
818 #endif /* _RTE_SECURITY_H_ */
819