1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
10 * @file rte_security.h
12 * RTE Security Common Definitions
20 #include <sys/types.h>
22 #include <netinet/in.h>
23 #include <netinet/ip.h>
24 #include <netinet/ip6.h>
26 #include <rte_compat.h>
27 #include <rte_common.h>
28 #include <rte_crypto.h>
30 #include <rte_memory.h>
31 #include <rte_mempool.h>
33 /** IPSec protocol mode */
34 enum rte_security_ipsec_sa_mode {
35 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
36 /**< IPSec Transport mode */
37 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
38 /**< IPSec Tunnel mode */
42 enum rte_security_ipsec_sa_protocol {
43 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
45 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
49 /** IPSEC tunnel type */
50 enum rte_security_ipsec_tunnel_type {
51 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
52 /**< Outer header is IPv4 */
53 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
54 /**< Outer header is IPv6 */
58 * Security context for crypto/eth devices
60 * Security instance for each driver to register security operations.
61 * The application can get the security context from the crypto/eth device id
62 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
63 * This structure is used to identify the device(crypto/eth) for which the
64 * security operations need to be performed.
66 struct rte_security_ctx {
68 /**< Crypto/ethernet device attached */
69 const struct rte_security_ops *ops;
70 /**< Pointer to security ops for the device */
72 /**< Number of sessions attached to this context */
76 * IPSEC tunnel parameters
78 * These parameters are used to build outbound tunnel headers.
80 struct rte_security_ipsec_tunnel_param {
81 enum rte_security_ipsec_tunnel_type type;
82 /**< Tunnel type: IPv4 or IPv6 */
86 struct in_addr src_ip;
87 /**< IPv4 source address */
88 struct in_addr dst_ip;
89 /**< IPv4 destination address */
91 /**< IPv4 Differentiated Services Code Point */
93 /**< IPv4 Don't Fragment bit */
95 /**< IPv4 Time To Live */
97 /**< IPv4 header parameters */
99 struct in6_addr src_addr;
100 /**< IPv6 source address */
101 struct in6_addr dst_addr;
102 /**< IPv6 destination address */
104 /**< IPv6 Differentiated Services Code Point */
106 /**< IPv6 flow label */
108 /**< IPv6 hop limit */
110 /**< IPv6 header parameters */
115 * IPsec Security Association option flags
117 struct rte_security_ipsec_sa_options {
118 /** Extended Sequence Numbers (ESN)
120 * * 1: Use extended (64 bit) sequence numbers
121 * * 0: Use normal sequence numbers
125 /** UDP encapsulation
127 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
128 * traverse through NAT boxes.
129 * * 0: No UDP encapsulation
131 uint32_t udp_encap : 1;
135 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
136 * the outer IP header in encapsulation, and vice versa in
138 * * 0: Do not change DSCP field.
140 uint32_t copy_dscp : 1;
142 /** Copy IPv6 Flow Label
144 * * 1: Copy IPv6 flow label from inner IPv6 header to the
146 * * 0: Outer header is not modified.
148 uint32_t copy_flabel : 1;
150 /** Copy IPv4 Don't Fragment bit
152 * * 1: Copy the DF bit from the inner IPv4 header to the outer
154 * * 0: Outer header is not modified.
156 uint32_t copy_df : 1;
158 /** Decrement inner packet Time To Live (TTL) field
160 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
161 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
163 * * 0: Inner packet is not modified.
165 uint32_t dec_ttl : 1;
167 /** Explicit Congestion Notification (ECN)
169 * * 1: In tunnel mode, enable outer header ECN Field copied from
170 * inner header in tunnel encapsulation, or inner header ECN
171 * field construction in decapsulation.
172 * * 0: Inner/outer header are not modified.
176 /** Security statistics
178 * * 1: Enable per session security statistics collection for
179 * this SA, if supported by the driver.
180 * * 0: Disable per session security statistics collection for this SA.
185 /** IPSec security association direction */
186 enum rte_security_ipsec_sa_direction {
187 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
188 /**< Encrypt and generate digest */
189 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
190 /**< Verify digest and decrypt */
194 * IPsec security association configuration data.
196 * This structure contains data required to create an IPsec SA security session.
198 struct rte_security_ipsec_xform {
200 /**< SA security parameter index */
203 struct rte_security_ipsec_sa_options options;
204 /**< various SA options */
205 enum rte_security_ipsec_sa_direction direction;
206 /**< IPSec SA Direction - Egress/Ingress */
207 enum rte_security_ipsec_sa_protocol proto;
208 /**< IPsec SA Protocol - AH/ESP */
209 enum rte_security_ipsec_sa_mode mode;
210 /**< IPsec SA Mode - transport/tunnel */
211 struct rte_security_ipsec_tunnel_param tunnel;
212 /**< Tunnel parameters, NULL for transport mode */
213 uint64_t esn_soft_limit;
214 /**< ESN for which the overflow event need to be raised */
215 uint32_t replay_win_sz;
216 /**< Anti replay window size to enable sequence replay attack handling.
217 * replay checking is disabled if the window size is 0.
222 * MACsec security session configuration
224 struct rte_security_macsec_xform {
230 * PDCP Mode of session
232 enum rte_security_pdcp_domain {
233 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
234 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
237 /** PDCP Frame direction */
238 enum rte_security_pdcp_direction {
239 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
240 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
243 /** PDCP Sequence Number Size selectors */
244 enum rte_security_pdcp_sn_size {
245 /** PDCP_SN_SIZE_5: 5bit sequence number */
246 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
247 /** PDCP_SN_SIZE_7: 7bit sequence number */
248 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
249 /** PDCP_SN_SIZE_12: 12bit sequence number */
250 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
251 /** PDCP_SN_SIZE_15: 15bit sequence number */
252 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
253 /** PDCP_SN_SIZE_18: 18bit sequence number */
254 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
258 * PDCP security association configuration data.
260 * This structure contains data required to create a PDCP security session.
262 struct rte_security_pdcp_xform {
263 int8_t bearer; /**< PDCP bearer ID */
264 /** Enable in order delivery, this field shall be set only if
265 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
268 /** Notify driver/HW to detect and remove duplicate packets.
269 * This field should be set only when driver/hw is capable.
270 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
272 uint8_t remove_duplicates;
273 /** PDCP mode of operation: Control or data */
274 enum rte_security_pdcp_domain domain;
275 /** PDCP Frame Direction 0:UL 1:DL */
276 enum rte_security_pdcp_direction pkt_dir;
277 /** Sequence number size, 5/7/12/15/18 */
278 enum rte_security_pdcp_sn_size sn_size;
279 /** Starting Hyper Frame Number to be used together with the SN
280 * from the PDCP frames
283 /** HFN Threshold for key renegotiation */
284 uint32_t hfn_threshold;
285 /** HFN can be given as a per packet value also.
286 * As we do not have IV in case of PDCP, and HFN is
287 * used to generate IV. IV field can be used to get the
288 * per packet HFN while enq/deq.
289 * If hfn_ovrd field is set, user is expected to set the
290 * per packet HFN in place of IV. PMDs will extract the HFN
291 * and perform operations accordingly.
294 /** In case of 5G NR, a new protocol (SDAP) header may be set
295 * inside PDCP payload which should be authenticated but not
296 * encrypted. Hence, driver should be notified if SDAP is
297 * enabled or not, so that SDAP header is not encrypted.
299 uint8_t sdap_enabled;
300 /** Reserved for future */
304 /** DOCSIS direction */
305 enum rte_security_docsis_direction {
306 RTE_SECURITY_DOCSIS_UPLINK,
308 * - Decryption, followed by CRC Verification
310 RTE_SECURITY_DOCSIS_DOWNLINK,
312 * - CRC Generation, followed by Encryption
317 * DOCSIS security session configuration.
319 * This structure contains data required to create a DOCSIS security session.
321 struct rte_security_docsis_xform {
322 enum rte_security_docsis_direction direction;
323 /**< DOCSIS direction */
327 * Security session action type.
329 enum rte_security_session_action_type {
330 RTE_SECURITY_ACTION_TYPE_NONE,
331 /**< No security actions */
332 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
333 /**< Crypto processing for security protocol is processed inline
334 * during transmission
336 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
337 /**< All security protocol processing is performed inline during
340 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
341 /**< All security protocol processing including crypto is performed
342 * on a lookaside accelerator
344 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
345 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
346 * protocol is processed synchronously by a CPU.
350 /** Security session protocol definition */
351 enum rte_security_session_protocol {
352 RTE_SECURITY_PROTOCOL_IPSEC = 1,
353 /**< IPsec Protocol */
354 RTE_SECURITY_PROTOCOL_MACSEC,
355 /**< MACSec Protocol */
356 RTE_SECURITY_PROTOCOL_PDCP,
357 /**< PDCP Protocol */
358 RTE_SECURITY_PROTOCOL_DOCSIS,
359 /**< DOCSIS Protocol */
363 * Security session configuration
365 struct rte_security_session_conf {
366 enum rte_security_session_action_type action_type;
367 /**< Type of action to be performed on the session */
368 enum rte_security_session_protocol protocol;
369 /**< Security protocol to be configured */
372 struct rte_security_ipsec_xform ipsec;
373 struct rte_security_macsec_xform macsec;
374 struct rte_security_pdcp_xform pdcp;
375 struct rte_security_docsis_xform docsis;
377 /**< Configuration parameters for security session */
378 struct rte_crypto_sym_xform *crypto_xform;
379 /**< Security Session Crypto Transformations */
381 /**< Application specific userdata to be saved with session */
384 struct rte_security_session {
385 void *sess_private_data;
386 /**< Private session material */
387 uint64_t opaque_data;
388 /**< Opaque user defined data */
392 * Create security session as specified by the session configuration
394 * @param instance security instance
395 * @param conf session configuration parameters
396 * @param mp mempool to allocate session objects from
397 * @param priv_mp mempool to allocate session private data objects from
399 * - On success, pointer to session
402 struct rte_security_session *
403 rte_security_session_create(struct rte_security_ctx *instance,
404 struct rte_security_session_conf *conf,
405 struct rte_mempool *mp,
406 struct rte_mempool *priv_mp);
409 * Update security session as specified by the session configuration
411 * @param instance security instance
412 * @param sess session to update parameters
413 * @param conf update configuration parameters
415 * - On success returns 0
416 * - On failure returns a negative errno value.
420 rte_security_session_update(struct rte_security_ctx *instance,
421 struct rte_security_session *sess,
422 struct rte_security_session_conf *conf);
425 * Get the size of the security session data for a device.
427 * @param instance security instance.
430 * - Size of the private data, if successful
431 * - 0 if device is invalid or does not support the operation.
434 rte_security_session_get_size(struct rte_security_ctx *instance);
437 * Free security session header and the session private data and
438 * return it to its original mempool.
440 * @param instance security instance
441 * @param sess security session to be freed
445 * - -EINVAL if session or context instance is NULL.
446 * - -EBUSY if not all device private data has been freed.
447 * - -ENOTSUP if destroying private data is not supported.
448 * - other negative values in case of freeing private data errors.
451 rte_security_session_destroy(struct rte_security_ctx *instance,
452 struct rte_security_session *sess);
455 * Updates the buffer with device-specific defined metadata
457 * @param instance security instance
458 * @param sess security session
459 * @param mb packet mbuf to set metadata on.
460 * @param params device-specific defined parameters
461 * required for metadata
464 * - On success, zero.
465 * - On failure, a negative value.
468 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
469 struct rte_security_session *sess,
470 struct rte_mbuf *mb, void *params);
473 * Get userdata associated with the security session. Device specific metadata
474 * provided would be used to uniquely identify the security session being
475 * referred to. This userdata would be registered while creating the session,
476 * and application can use this to identify the SA etc.
478 * Device specific metadata would be set in mbuf for inline processed inbound
479 * packets. In addition, the same metadata would be set for IPsec events
480 * reported by rte_eth_event framework.
482 * @param instance security instance
483 * @param md device-specific metadata
486 * - On success, userdata
491 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
494 * Attach a session to a symmetric crypto operation
496 * @param sym_op crypto operation
497 * @param sess security session
500 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
501 struct rte_security_session *sess)
503 sym_op->sec_session = sess;
509 get_sec_session_private_data(const struct rte_security_session *sess)
511 return sess->sess_private_data;
515 set_sec_session_private_data(struct rte_security_session *sess,
518 sess->sess_private_data = private_data;
522 * Attach a session to a crypto operation.
523 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
524 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
525 * defined to perform security operations.
527 * @param op crypto operation
528 * @param sess security session
531 rte_security_attach_session(struct rte_crypto_op *op,
532 struct rte_security_session *sess)
534 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
537 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
539 return __rte_security_attach_session(op->sym, sess);
542 struct rte_security_macsec_stats {
546 struct rte_security_ipsec_stats {
547 uint64_t ipackets; /**< Successfully received IPsec packets. */
548 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
549 uint64_t ibytes; /**< Successfully received IPsec bytes. */
550 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
551 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
552 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
553 uint64_t reserved1; /**< Reserved for future use. */
554 uint64_t reserved2; /**< Reserved for future use. */
557 struct rte_security_pdcp_stats {
561 struct rte_security_docsis_stats {
565 struct rte_security_stats {
566 enum rte_security_session_protocol protocol;
567 /**< Security protocol to be configured */
571 struct rte_security_macsec_stats macsec;
572 struct rte_security_ipsec_stats ipsec;
573 struct rte_security_pdcp_stats pdcp;
574 struct rte_security_docsis_stats docsis;
579 * Get security session statistics
581 * @param instance security instance
582 * @param sess security session
583 * If security session is NULL then global (per security instance) statistics
584 * will be retrieved, if supported. Global statistics collection is not
585 * dependent on the per session statistics configuration.
586 * @param stats statistics
588 * - On success, return 0
589 * - On failure, a negative value
593 rte_security_session_stats_get(struct rte_security_ctx *instance,
594 struct rte_security_session *sess,
595 struct rte_security_stats *stats);
598 * Security capability definition
600 struct rte_security_capability {
601 enum rte_security_session_action_type action;
602 /**< Security action type*/
603 enum rte_security_session_protocol protocol;
604 /**< Security protocol */
608 enum rte_security_ipsec_sa_protocol proto;
609 /**< IPsec SA protocol */
610 enum rte_security_ipsec_sa_mode mode;
611 /**< IPsec SA mode */
612 enum rte_security_ipsec_sa_direction direction;
613 /**< IPsec SA direction */
614 struct rte_security_ipsec_sa_options options;
615 /**< IPsec SA supported options */
616 uint32_t replay_win_sz_max;
617 /**< IPsec Anti Replay Window Size. A '0' value
618 * indicates that Anti Replay is not supported.
621 /**< IPsec capability */
626 /**< MACsec capability */
628 enum rte_security_pdcp_domain domain;
629 /**< PDCP mode of operation: Control or data */
631 /**< Capability flags, see RTE_SECURITY_PDCP_* */
633 /**< PDCP capability */
635 enum rte_security_docsis_direction direction;
636 /**< DOCSIS direction */
638 /**< DOCSIS capability */
641 const struct rte_cryptodev_capabilities *crypto_capabilities;
642 /**< Corresponding crypto capabilities for security capability */
645 /**< Device offload flags */
648 /** Underlying Hardware/driver which support PDCP may or may not support
649 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
650 * If it is not set, driver/HW assumes packets received are in order
651 * and it will be application's responsibility to maintain ordering.
653 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
655 /** Underlying Hardware/driver which support PDCP may or may not detect
656 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
657 * If it is not set, driver/HW assumes there is no duplicate packet received.
659 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
661 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
662 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
665 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
666 /**< HW constructs trailer of packets
667 * Transmitted packets will have the trailer added to them
668 * by hardware. The next protocol field will be based on
669 * the mbuf->inner_esp_next_proto field.
671 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
672 /**< HW removes trailer of packets
673 * Received packets have no trailer, the next protocol field
674 * is supplied in the mbuf->inner_esp_next_proto field.
675 * Inner packet is not modified.
679 * Security capability index used to query a security instance for a specific
680 * security capability
682 struct rte_security_capability_idx {
683 enum rte_security_session_action_type action;
684 enum rte_security_session_protocol protocol;
689 enum rte_security_ipsec_sa_protocol proto;
690 enum rte_security_ipsec_sa_mode mode;
691 enum rte_security_ipsec_sa_direction direction;
694 enum rte_security_pdcp_domain domain;
698 enum rte_security_docsis_direction direction;
704 * Returns array of security instance capabilities
706 * @param instance Security instance.
709 * - Returns array of security capabilities.
710 * - Return NULL if no capabilities available.
712 const struct rte_security_capability *
713 rte_security_capabilities_get(struct rte_security_ctx *instance);
716 * Query if a specific capability is available on security instance
718 * @param instance security instance.
719 * @param idx security capability index to match against
722 * - Returns pointer to security capability on match of capability
724 * - Return NULL if the capability not matched on security instance.
726 const struct rte_security_capability *
727 rte_security_capability_get(struct rte_security_ctx *instance,
728 struct rte_security_capability_idx *idx);
734 #endif /* _RTE_SECURITY_H_ */