1 /* SPDX-License-Identifier: BSD-3-Clause
3 * Copyright(c) 2017 Intel Corporation.
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
10 * @file rte_security.h
11 * @b EXPERIMENTAL: this API may change without prior notice
13 * RTE Security Common Definitions
21 #include <sys/types.h>
23 #include <netinet/in.h>
24 #include <netinet/ip.h>
25 #include <netinet/ip6.h>
27 #include <rte_compat.h>
28 #include <rte_common.h>
29 #include <rte_crypto.h>
31 #include <rte_memory.h>
32 #include <rte_mempool.h>
34 /** IPSec protocol mode */
35 enum rte_security_ipsec_sa_mode {
36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
37 /**< IPSec Transport mode */
38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
39 /**< IPSec Tunnel mode */
43 enum rte_security_ipsec_sa_protocol {
44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
46 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
50 /** IPSEC tunnel type */
51 enum rte_security_ipsec_tunnel_type {
52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
53 /**< Outer header is IPv4 */
54 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
55 /**< Outer header is IPv6 */
59 * Security context for crypto/eth devices
61 * Security instance for each driver to register security operations.
62 * The application can get the security context from the crypto/eth device id
63 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
64 * This structure is used to identify the device(crypto/eth) for which the
65 * security operations need to be performed.
67 struct rte_security_ctx {
69 /**< Crypto/ethernet device attached */
70 const struct rte_security_ops *ops;
71 /**< Pointer to security ops for the device */
73 /**< Number of sessions attached to this context */
77 * IPSEC tunnel parameters
79 * These parameters are used to build outbound tunnel headers.
81 struct rte_security_ipsec_tunnel_param {
82 enum rte_security_ipsec_tunnel_type type;
83 /**< Tunnel type: IPv4 or IPv6 */
87 struct in_addr src_ip;
88 /**< IPv4 source address */
89 struct in_addr dst_ip;
90 /**< IPv4 destination address */
92 /**< IPv4 Differentiated Services Code Point */
94 /**< IPv4 Don't Fragment bit */
96 /**< IPv4 Time To Live */
98 /**< IPv4 header parameters */
100 struct in6_addr src_addr;
101 /**< IPv6 source address */
102 struct in6_addr dst_addr;
103 /**< IPv6 destination address */
105 /**< IPv6 Differentiated Services Code Point */
107 /**< IPv6 flow label */
109 /**< IPv6 hop limit */
111 /**< IPv6 header parameters */
116 * IPsec Security Association option flags
118 struct rte_security_ipsec_sa_options {
119 /**< Extended Sequence Numbers (ESN)
121 * * 1: Use extended (64 bit) sequence numbers
122 * * 0: Use normal sequence numbers
126 /**< UDP encapsulation
128 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
129 * traverse through NAT boxes.
130 * * 0: No UDP encapsulation
132 uint32_t udp_encap : 1;
136 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
137 * the outer IP header in encapsulation, and vice versa in
139 * * 0: Do not change DSCP field.
141 uint32_t copy_dscp : 1;
143 /**< Copy IPv6 Flow Label
145 * * 1: Copy IPv6 flow label from inner IPv6 header to the
147 * * 0: Outer header is not modified.
149 uint32_t copy_flabel : 1;
151 /**< Copy IPv4 Don't Fragment bit
153 * * 1: Copy the DF bit from the inner IPv4 header to the outer
155 * * 0: Outer header is not modified.
157 uint32_t copy_df : 1;
159 /**< Decrement inner packet Time To Live (TTL) field
161 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
162 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
164 * * 0: Inner packet is not modified.
166 uint32_t dec_ttl : 1;
169 /** IPSec security association direction */
170 enum rte_security_ipsec_sa_direction {
171 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
172 /**< Encrypt and generate digest */
173 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
174 /**< Verify digest and decrypt */
178 * IPsec security association configuration data.
180 * This structure contains data required to create an IPsec SA security session.
182 struct rte_security_ipsec_xform {
184 /**< SA security parameter index */
187 struct rte_security_ipsec_sa_options options;
188 /**< various SA options */
189 enum rte_security_ipsec_sa_direction direction;
190 /**< IPSec SA Direction - Egress/Ingress */
191 enum rte_security_ipsec_sa_protocol proto;
192 /**< IPsec SA Protocol - AH/ESP */
193 enum rte_security_ipsec_sa_mode mode;
194 /**< IPsec SA Mode - transport/tunnel */
195 struct rte_security_ipsec_tunnel_param tunnel;
196 /**< Tunnel parameters, NULL for transport mode */
197 uint64_t esn_soft_limit;
198 /**< ESN for which the overflow event need to be raised */
202 * MACsec security session configuration
204 struct rte_security_macsec_xform {
210 * PDCP Mode of session
212 enum rte_security_pdcp_domain {
213 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
214 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
217 /** PDCP Frame direction */
218 enum rte_security_pdcp_direction {
219 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
220 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
223 /** PDCP Sequence Number Size selectors */
224 enum rte_security_pdcp_sn_size {
225 /** PDCP_SN_SIZE_5: 5bit sequence number */
226 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
227 /** PDCP_SN_SIZE_7: 7bit sequence number */
228 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
229 /** PDCP_SN_SIZE_12: 12bit sequence number */
230 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
231 /** PDCP_SN_SIZE_15: 15bit sequence number */
232 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
233 /** PDCP_SN_SIZE_18: 18bit sequence number */
234 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
238 * PDCP security association configuration data.
240 * This structure contains data required to create a PDCP security session.
242 struct rte_security_pdcp_xform {
243 int8_t bearer; /**< PDCP bearer ID */
244 /** Enable in order delivery, this field shall be set only if
245 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
248 /** Notify driver/HW to detect and remove duplicate packets.
249 * This field should be set only when driver/hw is capable.
250 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
252 uint8_t remove_duplicates;
253 /** PDCP mode of operation: Control or data */
254 enum rte_security_pdcp_domain domain;
255 /** PDCP Frame Direction 0:UL 1:DL */
256 enum rte_security_pdcp_direction pkt_dir;
257 /** Sequence number size, 5/7/12/15/18 */
258 enum rte_security_pdcp_sn_size sn_size;
259 /** Starting Hyper Frame Number to be used together with the SN
260 * from the PDCP frames
263 /** HFN Threshold for key renegotiation */
264 uint32_t hfn_threshold;
268 * Security session action type.
270 enum rte_security_session_action_type {
271 RTE_SECURITY_ACTION_TYPE_NONE,
272 /**< No security actions */
273 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
274 /**< Crypto processing for security protocol is processed inline
275 * during transmission
277 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
278 /**< All security protocol processing is performed inline during
281 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
282 /**< All security protocol processing including crypto is performed
283 * on a lookaside accelerator
287 /** Security session protocol definition */
288 enum rte_security_session_protocol {
289 RTE_SECURITY_PROTOCOL_IPSEC = 1,
290 /**< IPsec Protocol */
291 RTE_SECURITY_PROTOCOL_MACSEC,
292 /**< MACSec Protocol */
293 RTE_SECURITY_PROTOCOL_PDCP,
294 /**< PDCP Protocol */
298 * Security session configuration
300 struct rte_security_session_conf {
301 enum rte_security_session_action_type action_type;
302 /**< Type of action to be performed on the session */
303 enum rte_security_session_protocol protocol;
304 /**< Security protocol to be configured */
307 struct rte_security_ipsec_xform ipsec;
308 struct rte_security_macsec_xform macsec;
309 struct rte_security_pdcp_xform pdcp;
311 /**< Configuration parameters for security session */
312 struct rte_crypto_sym_xform *crypto_xform;
313 /**< Security Session Crypto Transformations */
315 /**< Application specific userdata to be saved with session */
318 struct rte_security_session {
319 void *sess_private_data;
320 /**< Private session material */
324 * Create security session as specified by the session configuration
326 * @param instance security instance
327 * @param conf session configuration parameters
328 * @param mp mempool to allocate session objects from
330 * - On success, pointer to session
333 struct rte_security_session * __rte_experimental
334 rte_security_session_create(struct rte_security_ctx *instance,
335 struct rte_security_session_conf *conf,
336 struct rte_mempool *mp);
339 * Update security session as specified by the session configuration
341 * @param instance security instance
342 * @param sess session to update parameters
343 * @param conf update configuration parameters
345 * - On success returns 0
346 * - On failure return errno
348 int __rte_experimental
349 rte_security_session_update(struct rte_security_ctx *instance,
350 struct rte_security_session *sess,
351 struct rte_security_session_conf *conf);
354 * Get the size of the security session data for a device.
356 * @param instance security instance.
359 * - Size of the private data, if successful
360 * - 0 if device is invalid or does not support the operation.
362 unsigned int __rte_experimental
363 rte_security_session_get_size(struct rte_security_ctx *instance);
366 * Free security session header and the session private data and
367 * return it to its original mempool.
369 * @param instance security instance
370 * @param sess security session to freed
374 * - -EINVAL if session is NULL.
375 * - -EBUSY if not all device private data has been freed.
377 int __rte_experimental
378 rte_security_session_destroy(struct rte_security_ctx *instance,
379 struct rte_security_session *sess);
382 * Updates the buffer with device-specific defined metadata
384 * @param instance security instance
385 * @param sess security session
386 * @param mb packet mbuf to set metadata on.
387 * @param params device-specific defined parameters
388 * required for metadata
391 * - On success, zero.
392 * - On failure, a negative value.
394 int __rte_experimental
395 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
396 struct rte_security_session *sess,
397 struct rte_mbuf *mb, void *params);
400 * Get userdata associated with the security session. Device specific metadata
401 * provided would be used to uniquely identify the security session being
402 * referred to. This userdata would be registered while creating the session,
403 * and application can use this to identify the SA etc.
405 * Device specific metadata would be set in mbuf for inline processed inbound
406 * packets. In addition, the same metadata would be set for IPsec events
407 * reported by rte_eth_event framework.
409 * @param instance security instance
410 * @param md device-specific metadata
413 * - On success, userdata
416 void * __rte_experimental
417 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
420 * Attach a session to a symmetric crypto operation
422 * @param sym_op crypto operation
423 * @param sess security session
425 static inline int __rte_experimental
426 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
427 struct rte_security_session *sess)
429 sym_op->sec_session = sess;
434 static inline void * __rte_experimental
435 get_sec_session_private_data(const struct rte_security_session *sess)
437 return sess->sess_private_data;
440 static inline void __rte_experimental
441 set_sec_session_private_data(struct rte_security_session *sess,
444 sess->sess_private_data = private_data;
448 * Attach a session to a crypto operation.
449 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
450 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
451 * defined to perform security operations.
453 * @param op crypto operation
454 * @param sess security session
456 static inline int __rte_experimental
457 rte_security_attach_session(struct rte_crypto_op *op,
458 struct rte_security_session *sess)
460 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
463 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
465 return __rte_security_attach_session(op->sym, sess);
468 struct rte_security_macsec_stats {
472 struct rte_security_ipsec_stats {
477 struct rte_security_pdcp_stats {
481 struct rte_security_stats {
482 enum rte_security_session_protocol protocol;
483 /**< Security protocol to be configured */
487 struct rte_security_macsec_stats macsec;
488 struct rte_security_ipsec_stats ipsec;
489 struct rte_security_pdcp_stats pdcp;
494 * Get security session statistics
496 * @param instance security instance
497 * @param sess security session
498 * @param stats statistics
500 * - On success return 0
503 int __rte_experimental
504 rte_security_session_stats_get(struct rte_security_ctx *instance,
505 struct rte_security_session *sess,
506 struct rte_security_stats *stats);
509 * Security capability definition
511 struct rte_security_capability {
512 enum rte_security_session_action_type action;
513 /**< Security action type*/
514 enum rte_security_session_protocol protocol;
515 /**< Security protocol */
519 enum rte_security_ipsec_sa_protocol proto;
520 /**< IPsec SA protocol */
521 enum rte_security_ipsec_sa_mode mode;
522 /**< IPsec SA mode */
523 enum rte_security_ipsec_sa_direction direction;
524 /**< IPsec SA direction */
525 struct rte_security_ipsec_sa_options options;
526 /**< IPsec SA supported options */
528 /**< IPsec capability */
533 /**< MACsec capability */
535 enum rte_security_pdcp_domain domain;
536 /**< PDCP mode of operation: Control or data */
538 /**< Capabilitity flags, see RTE_SECURITY_PDCP_* */
540 /**< PDCP capability */
543 const struct rte_cryptodev_capabilities *crypto_capabilities;
544 /**< Corresponding crypto capabilities for security capability */
547 /**< Device offload flags */
550 /** Underlying Hardware/driver which support PDCP may or may not support
551 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
552 * If it is not set, driver/HW assumes packets received are in order
553 * and it will be application's responsibility to maintain ordering.
555 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
557 /** Underlying Hardware/driver which support PDCP may or may not detect
558 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
559 * If it is not set, driver/HW assumes there is no duplicate packet received.
561 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
563 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
564 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
567 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
568 /**< HW constructs trailer of packets
569 * Transmitted packets will have the trailer added to them
570 * by hardawre. The next protocol field will be based on
571 * the mbuf->inner_esp_next_proto field.
573 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
574 /**< HW removes trailer of packets
575 * Received packets have no trailer, the next protocol field
576 * is supplied in the mbuf->inner_esp_next_proto field.
577 * Inner packet is not modified.
581 * Security capability index used to query a security instance for a specific
582 * security capability
584 struct rte_security_capability_idx {
585 enum rte_security_session_action_type action;
586 enum rte_security_session_protocol protocol;
591 enum rte_security_ipsec_sa_protocol proto;
592 enum rte_security_ipsec_sa_mode mode;
593 enum rte_security_ipsec_sa_direction direction;
596 enum rte_security_pdcp_domain domain;
603 * Returns array of security instance capabilities
605 * @param instance Security instance.
608 * - Returns array of security capabilities.
609 * - Return NULL if no capabilities available.
611 const struct rte_security_capability * __rte_experimental
612 rte_security_capabilities_get(struct rte_security_ctx *instance);
615 * Query if a specific capability is available on security instance
617 * @param instance security instance.
618 * @param idx security capability index to match against
621 * - Returns pointer to security capability on match of capability
623 * - Return NULL if the capability not matched on security instance.
625 const struct rte_security_capability * __rte_experimental
626 rte_security_capability_get(struct rte_security_ctx *instance,
627 struct rte_security_capability_idx *idx);
633 #endif /* _RTE_SECURITY_H_ */