1 /* SPDX-License-Identifier: BSD-3-Clause 2 * Copyright 2017,2019-2020 NXP 3 * Copyright(c) 2017-2020 Intel Corporation. 4 */ 5 6 #ifndef _RTE_SECURITY_H_ 7 #define _RTE_SECURITY_H_ 8 9 /** 10 * @file rte_security.h 11 * 12 * RTE Security Common Definitions 13 * 14 */ 15 16 #ifdef __cplusplus 17 extern "C" { 18 #endif 19 20 #include <sys/types.h> 21 22 #include <rte_compat.h> 23 #include <rte_common.h> 24 #include <rte_crypto.h> 25 #include <rte_ip.h> 26 #include <rte_mbuf.h> 27 #include <rte_mbuf_dyn.h> 28 #include <rte_memory.h> 29 #include <rte_mempool.h> 30 31 /** IPSec protocol mode */ 32 enum rte_security_ipsec_sa_mode { 33 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, 34 /**< IPSec Transport mode */ 35 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL, 36 /**< IPSec Tunnel mode */ 37 }; 38 39 /** IPSec Protocol */ 40 enum rte_security_ipsec_sa_protocol { 41 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, 42 /**< AH protocol */ 43 RTE_SECURITY_IPSEC_SA_PROTO_ESP, 44 /**< ESP protocol */ 45 }; 46 47 /** IPSEC tunnel type */ 48 enum rte_security_ipsec_tunnel_type { 49 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, 50 /**< Outer header is IPv4 */ 51 RTE_SECURITY_IPSEC_TUNNEL_IPV6, 52 /**< Outer header is IPv6 */ 53 }; 54 55 /** 56 * IPSEC tunnel header verification mode 57 * 58 * Controls how outer IP header is verified in inbound. 59 */ 60 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 61 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 62 63 /** 64 * Security context for crypto/eth devices 65 * 66 * Security instance for each driver to register security operations. 67 * The application can get the security context from the crypto/eth device id 68 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx() 69 * This structure is used to identify the device(crypto/eth) for which the 70 * security operations need to be performed. 71 */ 72 struct rte_security_ctx { 73 void *device; 74 /**< Crypto/ethernet device attached */ 75 const struct rte_security_ops *ops; 76 /**< Pointer to security ops for the device */ 77 uint16_t sess_cnt; 78 /**< Number of sessions attached to this context */ 79 uint32_t flags; 80 /**< Flags for security context */ 81 }; 82 83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001 84 /**< Driver uses fast metadata update without using driver specific callback */ 85 86 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002 87 /**< Driver provides udata using fast method without using driver specific 88 * callback. For fast mdata and udata, mbuf dynamic field would be registered 89 * by driver via rte_security_dynfield_register(). 90 */ 91 92 /** 93 * IPSEC tunnel parameters 94 * 95 * These parameters are used to build outbound tunnel headers. 96 */ 97 struct rte_security_ipsec_tunnel_param { 98 enum rte_security_ipsec_tunnel_type type; 99 /**< Tunnel type: IPv4 or IPv6 */ 100 RTE_STD_C11 101 union { 102 struct { 103 struct in_addr src_ip; 104 /**< IPv4 source address */ 105 struct in_addr dst_ip; 106 /**< IPv4 destination address */ 107 uint8_t dscp; 108 /**< IPv4 Differentiated Services Code Point */ 109 uint8_t df; 110 /**< IPv4 Don't Fragment bit */ 111 uint8_t ttl; 112 /**< IPv4 Time To Live */ 113 } ipv4; 114 /**< IPv4 header parameters */ 115 struct { 116 struct in6_addr src_addr; 117 /**< IPv6 source address */ 118 struct in6_addr dst_addr; 119 /**< IPv6 destination address */ 120 uint8_t dscp; 121 /**< IPv6 Differentiated Services Code Point */ 122 uint32_t flabel; 123 /**< IPv6 flow label */ 124 uint8_t hlimit; 125 /**< IPv6 hop limit */ 126 } ipv6; 127 /**< IPv6 header parameters */ 128 }; 129 }; 130 131 struct rte_security_ipsec_udp_param { 132 uint16_t sport; 133 uint16_t dport; 134 }; 135 136 /** 137 * IPsec Security Association option flags 138 */ 139 struct rte_security_ipsec_sa_options { 140 /** Extended Sequence Numbers (ESN) 141 * 142 * * 1: Use extended (64 bit) sequence numbers 143 * * 0: Use normal sequence numbers 144 */ 145 uint32_t esn : 1; 146 147 /** UDP encapsulation 148 * 149 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can 150 * traverse through NAT boxes. 151 * * 0: No UDP encapsulation 152 */ 153 uint32_t udp_encap : 1; 154 155 /** Copy DSCP bits 156 * 157 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to 158 * the outer IP header in encapsulation, and vice versa in 159 * decapsulation. 160 * * 0: Do not change DSCP field. 161 */ 162 uint32_t copy_dscp : 1; 163 164 /** Copy IPv6 Flow Label 165 * 166 * * 1: Copy IPv6 flow label from inner IPv6 header to the 167 * outer IPv6 header. 168 * * 0: Outer header is not modified. 169 */ 170 uint32_t copy_flabel : 1; 171 172 /** Copy IPv4 Don't Fragment bit 173 * 174 * * 1: Copy the DF bit from the inner IPv4 header to the outer 175 * IPv4 header. 176 * * 0: Outer header is not modified. 177 */ 178 uint32_t copy_df : 1; 179 180 /** Decrement inner packet Time To Live (TTL) field 181 * 182 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or 183 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel 184 * encapsulation. 185 * * 0: Inner packet is not modified. 186 */ 187 uint32_t dec_ttl : 1; 188 189 /** Explicit Congestion Notification (ECN) 190 * 191 * * 1: In tunnel mode, enable outer header ECN Field copied from 192 * inner header in tunnel encapsulation, or inner header ECN 193 * field construction in decapsulation. 194 * * 0: Inner/outer header are not modified. 195 */ 196 uint32_t ecn : 1; 197 198 /** Security statistics 199 * 200 * * 1: Enable per session security statistics collection for 201 * this SA, if supported by the driver. 202 * * 0: Disable per session security statistics collection for this SA. 203 */ 204 uint32_t stats : 1; 205 206 /** Disable IV generation in PMD 207 * 208 * * 1: Disable IV generation in PMD. When disabled, IV provided in 209 * rte_crypto_op will be used by the PMD. 210 * 211 * * 0: Enable IV generation in PMD. When enabled, PMD generated random 212 * value would be used and application is not required to provide 213 * IV. 214 * 215 * Note: For inline cases, IV generation would always need to be handled 216 * by the PMD. 217 */ 218 uint32_t iv_gen_disable : 1; 219 220 /** Verify tunnel header in inbound 221 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination 222 * IP address. 223 * 224 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both 225 * source and destination IP addresses. 226 */ 227 uint32_t tunnel_hdr_verify : 2; 228 229 /** Verify UDP encapsulation ports in inbound 230 * 231 * * 1: Match UDP source and destination ports 232 * * 0: Do not match UDP ports 233 */ 234 uint32_t udp_ports_verify : 1; 235 236 /** Compute/verify inner packet IPv4 header checksum in tunnel mode 237 * 238 * * 1: For outbound, compute inner packet IPv4 header checksum 239 * before tunnel encapsulation and for inbound, verify after 240 * tunnel decapsulation. 241 * * 0: Inner packet IP header checksum is not computed/verified. 242 * 243 * The checksum verification status would be set in mbuf using 244 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags. 245 * 246 * Inner IP checksum computation can also be enabled(per operation) 247 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf. 248 */ 249 uint32_t ip_csum_enable : 1; 250 251 /** Compute/verify inner packet L4 checksum in tunnel mode 252 * 253 * * 1: For outbound, compute inner packet L4 checksum before 254 * tunnel encapsulation and for inbound, verify after 255 * tunnel decapsulation. 256 * * 0: Inner packet L4 checksum is not computed/verified. 257 * 258 * The checksum verification status would be set in mbuf using 259 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags. 260 * 261 * Inner L4 checksum computation can also be enabled(per operation) 262 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or 263 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf. 264 */ 265 uint32_t l4_csum_enable : 1; 266 267 /** Enable IP reassembly on inline inbound packets. 268 * 269 * * 1: Enable driver to try reassembly of encrypted IP packets for 270 * this SA, if supported by the driver. This feature will work 271 * only if user has successfully set IP reassembly config params 272 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet 273 * device. PMD need to register mbuf dynamic fields using 274 * rte_eth_ip_reassembly_dynfield_register() and security session 275 * creation would fail if dynfield is not registered successfully. 276 * * 0: Disable IP reassembly of packets (default). 277 */ 278 uint32_t ip_reassembly_en : 1; 279 280 /** Reserved bit fields for future extension 281 * 282 * User should ensure reserved_opts is cleared as it may change in 283 * subsequent releases to support new options. 284 * 285 * Note: Reduce number of bits in reserved_opts for every new option. 286 */ 287 uint32_t reserved_opts : 17; 288 }; 289 290 /** IPSec security association direction */ 291 enum rte_security_ipsec_sa_direction { 292 RTE_SECURITY_IPSEC_SA_DIR_EGRESS, 293 /**< Encrypt and generate digest */ 294 RTE_SECURITY_IPSEC_SA_DIR_INGRESS, 295 /**< Verify digest and decrypt */ 296 }; 297 298 /** 299 * Configure soft and hard lifetime of an IPsec SA 300 * 301 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes 302 * that can be processed. IPsec operations would start failing once any hard 303 * limit is reached. 304 * 305 * Soft limits can be specified to generate notification when the SA is 306 * approaching hard limits for lifetime. For inline operations, reaching soft 307 * expiry limit would result in raising an eth event for the same. For lookaside 308 * operations, this would result in a warning returned in 309 * ``rte_crypto_op.aux_flags``. 310 */ 311 struct rte_security_ipsec_lifetime { 312 uint64_t packets_soft_limit; 313 /**< Soft expiry limit in number of packets */ 314 uint64_t bytes_soft_limit; 315 /**< Soft expiry limit in bytes */ 316 uint64_t packets_hard_limit; 317 /**< Soft expiry limit in number of packets */ 318 uint64_t bytes_hard_limit; 319 /**< Soft expiry limit in bytes */ 320 }; 321 322 /** 323 * IPsec security association configuration data. 324 * 325 * This structure contains data required to create an IPsec SA security session. 326 */ 327 struct rte_security_ipsec_xform { 328 uint32_t spi; 329 /**< SA security parameter index */ 330 uint32_t salt; 331 /**< SA salt */ 332 struct rte_security_ipsec_sa_options options; 333 /**< various SA options */ 334 enum rte_security_ipsec_sa_direction direction; 335 /**< IPSec SA Direction - Egress/Ingress */ 336 enum rte_security_ipsec_sa_protocol proto; 337 /**< IPsec SA Protocol - AH/ESP */ 338 enum rte_security_ipsec_sa_mode mode; 339 /**< IPsec SA Mode - transport/tunnel */ 340 struct rte_security_ipsec_tunnel_param tunnel; 341 /**< Tunnel parameters, NULL for transport mode */ 342 struct rte_security_ipsec_lifetime life; 343 /**< IPsec SA lifetime */ 344 uint32_t replay_win_sz; 345 /**< Anti replay window size to enable sequence replay attack handling. 346 * replay checking is disabled if the window size is 0. 347 */ 348 union { 349 uint64_t value; 350 struct { 351 uint32_t low; 352 uint32_t hi; 353 }; 354 } esn; 355 /**< Extended Sequence Number */ 356 struct rte_security_ipsec_udp_param udp; 357 /**< UDP parameters, ignored when udp_encap option not specified */ 358 }; 359 360 /** 361 * MACsec security session configuration 362 */ 363 struct rte_security_macsec_xform { 364 /** To be Filled */ 365 int dummy; 366 }; 367 368 /** 369 * PDCP Mode of session 370 */ 371 enum rte_security_pdcp_domain { 372 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ 373 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ 374 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */ 375 }; 376 377 /** PDCP Frame direction */ 378 enum rte_security_pdcp_direction { 379 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ 380 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ 381 }; 382 383 /** PDCP Sequence Number Size selectors */ 384 enum rte_security_pdcp_sn_size { 385 /** PDCP_SN_SIZE_5: 5bit sequence number */ 386 RTE_SECURITY_PDCP_SN_SIZE_5 = 5, 387 /** PDCP_SN_SIZE_7: 7bit sequence number */ 388 RTE_SECURITY_PDCP_SN_SIZE_7 = 7, 389 /** PDCP_SN_SIZE_12: 12bit sequence number */ 390 RTE_SECURITY_PDCP_SN_SIZE_12 = 12, 391 /** PDCP_SN_SIZE_15: 15bit sequence number */ 392 RTE_SECURITY_PDCP_SN_SIZE_15 = 15, 393 /** PDCP_SN_SIZE_18: 18bit sequence number */ 394 RTE_SECURITY_PDCP_SN_SIZE_18 = 18 395 }; 396 397 /** 398 * PDCP security association configuration data. 399 * 400 * This structure contains data required to create a PDCP security session. 401 */ 402 struct rte_security_pdcp_xform { 403 int8_t bearer; /**< PDCP bearer ID */ 404 /** Enable in order delivery, this field shall be set only if 405 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. 406 */ 407 uint8_t en_ordering; 408 /** Notify driver/HW to detect and remove duplicate packets. 409 * This field should be set only when driver/hw is capable. 410 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. 411 */ 412 uint8_t remove_duplicates; 413 /** PDCP mode of operation: Control or data */ 414 enum rte_security_pdcp_domain domain; 415 /** PDCP Frame Direction 0:UL 1:DL */ 416 enum rte_security_pdcp_direction pkt_dir; 417 /** Sequence number size, 5/7/12/15/18 */ 418 enum rte_security_pdcp_sn_size sn_size; 419 /** Starting Hyper Frame Number to be used together with the SN 420 * from the PDCP frames 421 */ 422 uint32_t hfn; 423 /** HFN Threshold for key renegotiation */ 424 uint32_t hfn_threshold; 425 /** HFN can be given as a per packet value also. 426 * As we do not have IV in case of PDCP, and HFN is 427 * used to generate IV. IV field can be used to get the 428 * per packet HFN while enq/deq. 429 * If hfn_ovrd field is set, user is expected to set the 430 * per packet HFN in place of IV. PMDs will extract the HFN 431 * and perform operations accordingly. 432 */ 433 uint8_t hfn_ovrd; 434 /** In case of 5G NR, a new protocol (SDAP) header may be set 435 * inside PDCP payload which should be authenticated but not 436 * encrypted. Hence, driver should be notified if SDAP is 437 * enabled or not, so that SDAP header is not encrypted. 438 */ 439 uint8_t sdap_enabled; 440 /** Reserved for future */ 441 uint16_t reserved; 442 }; 443 444 /** DOCSIS direction */ 445 enum rte_security_docsis_direction { 446 RTE_SECURITY_DOCSIS_UPLINK, 447 /**< Uplink 448 * - Decryption, followed by CRC Verification 449 */ 450 RTE_SECURITY_DOCSIS_DOWNLINK, 451 /**< Downlink 452 * - CRC Generation, followed by Encryption 453 */ 454 }; 455 456 /** 457 * DOCSIS security session configuration. 458 * 459 * This structure contains data required to create a DOCSIS security session. 460 */ 461 struct rte_security_docsis_xform { 462 enum rte_security_docsis_direction direction; 463 /**< DOCSIS direction */ 464 }; 465 466 /** 467 * Security session action type. 468 */ 469 enum rte_security_session_action_type { 470 RTE_SECURITY_ACTION_TYPE_NONE, 471 /**< No security actions */ 472 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, 473 /**< Crypto processing for security protocol is processed inline 474 * during transmission 475 */ 476 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, 477 /**< All security protocol processing is performed inline during 478 * transmission 479 */ 480 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, 481 /**< All security protocol processing including crypto is performed 482 * on a lookaside accelerator 483 */ 484 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 485 /**< Similar to ACTION_TYPE_NONE but crypto processing for security 486 * protocol is processed synchronously by a CPU. 487 */ 488 }; 489 490 /** Security session protocol definition */ 491 enum rte_security_session_protocol { 492 RTE_SECURITY_PROTOCOL_IPSEC = 1, 493 /**< IPsec Protocol */ 494 RTE_SECURITY_PROTOCOL_MACSEC, 495 /**< MACSec Protocol */ 496 RTE_SECURITY_PROTOCOL_PDCP, 497 /**< PDCP Protocol */ 498 RTE_SECURITY_PROTOCOL_DOCSIS, 499 /**< DOCSIS Protocol */ 500 }; 501 502 /** 503 * Security session configuration 504 */ 505 struct rte_security_session_conf { 506 enum rte_security_session_action_type action_type; 507 /**< Type of action to be performed on the session */ 508 enum rte_security_session_protocol protocol; 509 /**< Security protocol to be configured */ 510 RTE_STD_C11 511 union { 512 struct rte_security_ipsec_xform ipsec; 513 struct rte_security_macsec_xform macsec; 514 struct rte_security_pdcp_xform pdcp; 515 struct rte_security_docsis_xform docsis; 516 }; 517 /**< Configuration parameters for security session */ 518 struct rte_crypto_sym_xform *crypto_xform; 519 /**< Security Session Crypto Transformations */ 520 void *userdata; 521 /**< Application specific userdata to be saved with session */ 522 }; 523 524 struct rte_security_session { 525 void *sess_private_data; 526 /**< Private session material */ 527 uint64_t opaque_data; 528 /**< Opaque user defined data */ 529 }; 530 531 /** 532 * Create security session as specified by the session configuration 533 * 534 * @param instance security instance 535 * @param conf session configuration parameters 536 * @param mp mempool to allocate session objects from 537 * @param priv_mp mempool to allocate session private data objects from 538 * @return 539 * - On success, pointer to session 540 * - On failure, NULL 541 */ 542 struct rte_security_session * 543 rte_security_session_create(struct rte_security_ctx *instance, 544 struct rte_security_session_conf *conf, 545 struct rte_mempool *mp, 546 struct rte_mempool *priv_mp); 547 548 /** 549 * Update security session as specified by the session configuration 550 * 551 * @param instance security instance 552 * @param sess session to update parameters 553 * @param conf update configuration parameters 554 * @return 555 * - On success returns 0 556 * - On failure returns a negative errno value. 557 */ 558 __rte_experimental 559 int 560 rte_security_session_update(struct rte_security_ctx *instance, 561 struct rte_security_session *sess, 562 struct rte_security_session_conf *conf); 563 564 /** 565 * Get the size of the security session data for a device. 566 * 567 * @param instance security instance. 568 * 569 * @return 570 * - Size of the private data, if successful 571 * - 0 if device is invalid or does not support the operation. 572 */ 573 unsigned int 574 rte_security_session_get_size(struct rte_security_ctx *instance); 575 576 /** 577 * Free security session header and the session private data and 578 * return it to its original mempool. 579 * 580 * @param instance security instance 581 * @param sess security session to be freed 582 * 583 * @return 584 * - 0 if successful. 585 * - -EINVAL if session or context instance is NULL. 586 * - -EBUSY if not all device private data has been freed. 587 * - -ENOTSUP if destroying private data is not supported. 588 * - other negative values in case of freeing private data errors. 589 */ 590 int 591 rte_security_session_destroy(struct rte_security_ctx *instance, 592 struct rte_security_session *sess); 593 594 /** Device-specific metadata field type */ 595 typedef uint64_t rte_security_dynfield_t; 596 /** Dynamic mbuf field for device-specific metadata */ 597 extern int rte_security_dynfield_offset; 598 599 /** 600 * @warning 601 * @b EXPERIMENTAL: this API may change without prior notice 602 * 603 * Get pointer to mbuf field for device-specific metadata. 604 * 605 * For performance reason, no check is done, 606 * the dynamic field may not be registered. 607 * @see rte_security_dynfield_is_registered 608 * 609 * @param mbuf packet to access 610 * @return pointer to mbuf field 611 */ 612 __rte_experimental 613 static inline rte_security_dynfield_t * 614 rte_security_dynfield(struct rte_mbuf *mbuf) 615 { 616 return RTE_MBUF_DYNFIELD(mbuf, 617 rte_security_dynfield_offset, 618 rte_security_dynfield_t *); 619 } 620 621 /** 622 * @warning 623 * @b EXPERIMENTAL: this API may change without prior notice 624 * 625 * Check whether the dynamic field is registered. 626 * 627 * @return true if rte_security_dynfield_register() has been called. 628 */ 629 __rte_experimental 630 static inline bool rte_security_dynfield_is_registered(void) 631 { 632 return rte_security_dynfield_offset >= 0; 633 } 634 635 /** Function to call PMD specific function pointer set_pkt_metadata() */ 636 __rte_experimental 637 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 638 struct rte_security_session *sess, 639 struct rte_mbuf *m, void *params); 640 641 /** 642 * Updates the buffer with device-specific defined metadata 643 * 644 * @param instance security instance 645 * @param sess security session 646 * @param mb packet mbuf to set metadata on. 647 * @param params device-specific defined parameters 648 * required for metadata 649 * 650 * @return 651 * - On success, zero. 652 * - On failure, a negative value. 653 */ 654 static inline int 655 rte_security_set_pkt_metadata(struct rte_security_ctx *instance, 656 struct rte_security_session *sess, 657 struct rte_mbuf *mb, void *params) 658 { 659 /* Fast Path */ 660 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) { 661 *rte_security_dynfield(mb) = 662 (rte_security_dynfield_t)(sess->sess_private_data); 663 return 0; 664 } 665 666 /* Jump to PMD specific function pointer */ 667 return __rte_security_set_pkt_metadata(instance, sess, mb, params); 668 } 669 670 /** Function to call PMD specific function pointer get_userdata() */ 671 __rte_experimental 672 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance, 673 uint64_t md); 674 675 /** 676 * Get userdata associated with the security session. Device specific metadata 677 * provided would be used to uniquely identify the security session being 678 * referred to. This userdata would be registered while creating the session, 679 * and application can use this to identify the SA etc. 680 * 681 * Device specific metadata would be set in mbuf for inline processed inbound 682 * packets. In addition, the same metadata would be set for IPsec events 683 * reported by rte_eth_event framework. 684 * 685 * @param instance security instance 686 * @param md device-specific metadata 687 * 688 * @return 689 * - On success, userdata 690 * - On failure, NULL 691 */ 692 __rte_experimental 693 static inline void * 694 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md) 695 { 696 /* Fast Path */ 697 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA) 698 return (void *)(uintptr_t)md; 699 700 /* Jump to PMD specific function pointer */ 701 return __rte_security_get_userdata(instance, md); 702 } 703 704 /** 705 * Attach a session to a symmetric crypto operation 706 * 707 * @param sym_op crypto operation 708 * @param sess security session 709 */ 710 static inline int 711 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, 712 struct rte_security_session *sess) 713 { 714 sym_op->sec_session = sess; 715 716 return 0; 717 } 718 719 static inline void * 720 get_sec_session_private_data(const struct rte_security_session *sess) 721 { 722 return sess->sess_private_data; 723 } 724 725 static inline void 726 set_sec_session_private_data(struct rte_security_session *sess, 727 void *private_data) 728 { 729 sess->sess_private_data = private_data; 730 } 731 732 /** 733 * Attach a session to a crypto operation. 734 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD 735 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be 736 * defined to perform security operations. 737 * 738 * @param op crypto operation 739 * @param sess security session 740 */ 741 static inline int 742 rte_security_attach_session(struct rte_crypto_op *op, 743 struct rte_security_session *sess) 744 { 745 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC)) 746 return -EINVAL; 747 748 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION; 749 750 return __rte_security_attach_session(op->sym, sess); 751 } 752 753 struct rte_security_macsec_stats { 754 uint64_t reserved; 755 }; 756 757 struct rte_security_ipsec_stats { 758 uint64_t ipackets; /**< Successfully received IPsec packets. */ 759 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ 760 uint64_t ibytes; /**< Successfully received IPsec bytes. */ 761 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ 762 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ 763 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ 764 uint64_t reserved1; /**< Reserved for future use. */ 765 uint64_t reserved2; /**< Reserved for future use. */ 766 }; 767 768 struct rte_security_pdcp_stats { 769 uint64_t reserved; 770 }; 771 772 struct rte_security_docsis_stats { 773 uint64_t reserved; 774 }; 775 776 struct rte_security_stats { 777 enum rte_security_session_protocol protocol; 778 /**< Security protocol to be configured */ 779 780 RTE_STD_C11 781 union { 782 struct rte_security_macsec_stats macsec; 783 struct rte_security_ipsec_stats ipsec; 784 struct rte_security_pdcp_stats pdcp; 785 struct rte_security_docsis_stats docsis; 786 }; 787 }; 788 789 /** 790 * Get security session statistics 791 * 792 * @param instance security instance 793 * @param sess security session 794 * If security session is NULL then global (per security instance) statistics 795 * will be retrieved, if supported. Global statistics collection is not 796 * dependent on the per session statistics configuration. 797 * @param stats statistics 798 * @return 799 * - On success, return 0 800 * - On failure, a negative value 801 */ 802 __rte_experimental 803 int 804 rte_security_session_stats_get(struct rte_security_ctx *instance, 805 struct rte_security_session *sess, 806 struct rte_security_stats *stats); 807 808 /** 809 * Security capability definition 810 */ 811 struct rte_security_capability { 812 enum rte_security_session_action_type action; 813 /**< Security action type*/ 814 enum rte_security_session_protocol protocol; 815 /**< Security protocol */ 816 RTE_STD_C11 817 union { 818 struct { 819 enum rte_security_ipsec_sa_protocol proto; 820 /**< IPsec SA protocol */ 821 enum rte_security_ipsec_sa_mode mode; 822 /**< IPsec SA mode */ 823 enum rte_security_ipsec_sa_direction direction; 824 /**< IPsec SA direction */ 825 struct rte_security_ipsec_sa_options options; 826 /**< IPsec SA supported options */ 827 uint32_t replay_win_sz_max; 828 /**< IPsec Anti Replay Window Size. A '0' value 829 * indicates that Anti Replay is not supported. 830 */ 831 } ipsec; 832 /**< IPsec capability */ 833 struct { 834 /* To be Filled */ 835 int dummy; 836 } macsec; 837 /**< MACsec capability */ 838 struct { 839 enum rte_security_pdcp_domain domain; 840 /**< PDCP mode of operation: Control or data */ 841 uint32_t capa_flags; 842 /**< Capability flags, see RTE_SECURITY_PDCP_* */ 843 } pdcp; 844 /**< PDCP capability */ 845 struct { 846 enum rte_security_docsis_direction direction; 847 /**< DOCSIS direction */ 848 } docsis; 849 /**< DOCSIS capability */ 850 }; 851 852 const struct rte_cryptodev_capabilities *crypto_capabilities; 853 /**< Corresponding crypto capabilities for security capability */ 854 855 uint32_t ol_flags; 856 /**< Device offload flags */ 857 }; 858 859 /** Underlying Hardware/driver which support PDCP may or may not support 860 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. 861 * If it is not set, driver/HW assumes packets received are in order 862 * and it will be application's responsibility to maintain ordering. 863 */ 864 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 865 866 /** Underlying Hardware/driver which support PDCP may or may not detect 867 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. 868 * If it is not set, driver/HW assumes there is no duplicate packet received. 869 */ 870 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 871 872 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 873 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). 874 */ 875 876 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 877 /**< HW constructs trailer of packets 878 * Transmitted packets will have the trailer added to them 879 * by hardware. The next protocol field will be based on 880 * the mbuf->inner_esp_next_proto field. 881 */ 882 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 883 /**< HW removes trailer of packets 884 * Received packets have no trailer, the next protocol field 885 * is supplied in the mbuf->inner_esp_next_proto field. 886 * Inner packet is not modified. 887 */ 888 889 /** 890 * Security capability index used to query a security instance for a specific 891 * security capability 892 */ 893 struct rte_security_capability_idx { 894 enum rte_security_session_action_type action; 895 enum rte_security_session_protocol protocol; 896 897 RTE_STD_C11 898 union { 899 struct { 900 enum rte_security_ipsec_sa_protocol proto; 901 enum rte_security_ipsec_sa_mode mode; 902 enum rte_security_ipsec_sa_direction direction; 903 } ipsec; 904 struct { 905 enum rte_security_pdcp_domain domain; 906 uint32_t capa_flags; 907 } pdcp; 908 struct { 909 enum rte_security_docsis_direction direction; 910 } docsis; 911 }; 912 }; 913 914 /** 915 * Returns array of security instance capabilities 916 * 917 * @param instance Security instance. 918 * 919 * @return 920 * - Returns array of security capabilities. 921 * - Return NULL if no capabilities available. 922 */ 923 const struct rte_security_capability * 924 rte_security_capabilities_get(struct rte_security_ctx *instance); 925 926 /** 927 * Query if a specific capability is available on security instance 928 * 929 * @param instance security instance. 930 * @param idx security capability index to match against 931 * 932 * @return 933 * - Returns pointer to security capability on match of capability 934 * index criteria. 935 * - Return NULL if the capability not matched on security instance. 936 */ 937 const struct rte_security_capability * 938 rte_security_capability_get(struct rte_security_ctx *instance, 939 struct rte_security_capability_idx *idx); 940 941 #ifdef __cplusplus 942 } 943 #endif 944 945 #endif /* _RTE_SECURITY_H_ */ 946