5 * Copyright(c) 2017 Intel Corporation. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * * Neither the name of NXP nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 #ifndef _RTE_SECURITY_H_
35 #define _RTE_SECURITY_H_
38 * @file rte_security.h
39 * @b EXPERIMENTAL: this API may change without prior notice
41 * RTE Security Common Definitions
49 #include <sys/types.h>
51 #include <netinet/in.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip6.h>
55 #include <rte_common.h>
56 #include <rte_crypto.h>
58 #include <rte_memory.h>
59 #include <rte_mempool.h>
61 /** IPSec protocol mode */
62 enum rte_security_ipsec_sa_mode {
63 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT,
64 /**< IPSec Transport mode */
65 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
66 /**< IPSec Tunnel mode */
70 enum rte_security_ipsec_sa_protocol {
71 RTE_SECURITY_IPSEC_SA_PROTO_AH,
73 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
77 /** IPSEC tunnel type */
78 enum rte_security_ipsec_tunnel_type {
79 RTE_SECURITY_IPSEC_TUNNEL_IPV4,
80 /**< Outer header is IPv4 */
81 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
82 /**< Outer header is IPv6 */
86 * Security context for crypto/eth devices
88 * Security instance for each driver to register security operations.
89 * The application can get the security context from the crypto/eth device id
90 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
91 * This structure is used to identify the device(crypto/eth) for which the
92 * security operations need to be performed.
94 struct rte_security_ctx {
96 /**< Crypto/ethernet device attached */
97 struct rte_security_ops *ops;
98 /**< Pointer to security ops for the device */
100 /**< Number of sessions attached to this context */
104 * IPSEC tunnel parameters
106 * These parameters are used to build outbound tunnel headers.
108 struct rte_security_ipsec_tunnel_param {
109 enum rte_security_ipsec_tunnel_type type;
110 /**< Tunnel type: IPv4 or IPv6 */
114 struct in_addr src_ip;
115 /**< IPv4 source address */
116 struct in_addr dst_ip;
117 /**< IPv4 destination address */
119 /**< IPv4 Differentiated Services Code Point */
121 /**< IPv4 Don't Fragment bit */
123 /**< IPv4 Time To Live */
125 /**< IPv4 header parameters */
127 struct in6_addr src_addr;
128 /**< IPv6 source address */
129 struct in6_addr dst_addr;
130 /**< IPv6 destination address */
132 /**< IPv6 Differentiated Services Code Point */
134 /**< IPv6 flow label */
136 /**< IPv6 hop limit */
138 /**< IPv6 header parameters */
143 * IPsec Security Association option flags
145 struct rte_security_ipsec_sa_options {
146 /**< Extended Sequence Numbers (ESN)
148 * * 1: Use extended (64 bit) sequence numbers
149 * * 0: Use normal sequence numbers
153 /**< UDP encapsulation
155 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
156 * traverse through NAT boxes.
157 * * 0: No UDP encapsulation
159 uint32_t udp_encap : 1;
163 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
164 * the outer IP header in encapsulation, and vice versa in
166 * * 0: Do not change DSCP field.
168 uint32_t copy_dscp : 1;
170 /**< Copy IPv6 Flow Label
172 * * 1: Copy IPv6 flow label from inner IPv6 header to the
174 * * 0: Outer header is not modified.
176 uint32_t copy_flabel : 1;
178 /**< Copy IPv4 Don't Fragment bit
180 * * 1: Copy the DF bit from the inner IPv4 header to the outer
182 * * 0: Outer header is not modified.
184 uint32_t copy_df : 1;
186 /**< Decrement inner packet Time To Live (TTL) field
188 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
189 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
191 * * 0: Inner packet is not modified.
193 uint32_t dec_ttl : 1;
196 /** IPSec security association direction */
197 enum rte_security_ipsec_sa_direction {
198 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
199 /**< Encrypt and generate digest */
200 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
201 /**< Verify digest and decrypt */
205 * IPsec security association configuration data.
207 * This structure contains data required to create an IPsec SA security session.
209 struct rte_security_ipsec_xform {
211 /**< SA security parameter index */
214 struct rte_security_ipsec_sa_options options;
215 /**< various SA options */
216 enum rte_security_ipsec_sa_direction direction;
217 /**< IPSec SA Direction - Egress/Ingress */
218 enum rte_security_ipsec_sa_protocol proto;
219 /**< IPsec SA Protocol - AH/ESP */
220 enum rte_security_ipsec_sa_mode mode;
221 /**< IPsec SA Mode - transport/tunnel */
222 struct rte_security_ipsec_tunnel_param tunnel;
223 /**< Tunnel parameters, NULL for transport mode */
227 * MACsec security session configuration
229 struct rte_security_macsec_xform {
234 * Security session action type.
236 enum rte_security_session_action_type {
237 RTE_SECURITY_ACTION_TYPE_NONE,
238 /**< No security actions */
239 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
240 /**< Crypto processing for security protocol is processed inline
241 * during transmission
243 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
244 /**< All security protocol processing is performed inline during
247 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
248 /**< All security protocol processing including crypto is performed
249 * on a lookaside accelerator
253 /** Security session protocol definition */
254 enum rte_security_session_protocol {
255 RTE_SECURITY_PROTOCOL_IPSEC,
256 /**< IPsec Protocol */
257 RTE_SECURITY_PROTOCOL_MACSEC,
258 /**< MACSec Protocol */
262 * Security session configuration
264 struct rte_security_session_conf {
265 enum rte_security_session_action_type action_type;
266 /**< Type of action to be performed on the session */
267 enum rte_security_session_protocol protocol;
268 /**< Security protocol to be configured */
271 struct rte_security_ipsec_xform ipsec;
272 struct rte_security_macsec_xform macsec;
274 /**< Configuration parameters for security session */
275 struct rte_crypto_sym_xform *crypto_xform;
276 /**< Security Session Crypto Transformations */
279 struct rte_security_session {
280 void *sess_private_data;
281 /**< Private session material */
285 * Create security session as specified by the session configuration
287 * @param instance security instance
288 * @param conf session configuration parameters
289 * @param mp mempool to allocate session objects from
291 * - On success, pointer to session
294 struct rte_security_session *
295 rte_security_session_create(struct rte_security_ctx *instance,
296 struct rte_security_session_conf *conf,
297 struct rte_mempool *mp);
300 * Update security session as specified by the session configuration
302 * @param instance security instance
303 * @param sess session to update parameters
304 * @param conf update configuration parameters
306 * - On success returns 0
307 * - On failure return errno
310 rte_security_session_update(struct rte_security_ctx *instance,
311 struct rte_security_session *sess,
312 struct rte_security_session_conf *conf);
315 * Free security session header and the session private data and
316 * return it to its original mempool.
318 * @param instance security instance
319 * @param sess security session to freed
323 * - -EINVAL if session is NULL.
324 * - -EBUSY if not all device private data has been freed.
327 rte_security_session_destroy(struct rte_security_ctx *instance,
328 struct rte_security_session *sess);
331 * Updates the buffer with device-specific defined metadata
333 * @param instance security instance
334 * @param sess security session
335 * @param mb packet mbuf to set metadata on.
336 * @param params device-specific defined parameters
337 * required for metadata
340 * - On success, zero.
341 * - On failure, a negative value.
344 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
345 struct rte_security_session *sess,
346 struct rte_mbuf *mb, void *params);
349 * Attach a session to a symmetric crypto operation
351 * @param sym_op crypto operation
352 * @param sess security session
355 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
356 struct rte_security_session *sess)
358 sym_op->sec_session = sess;
364 get_sec_session_private_data(const struct rte_security_session *sess)
366 return sess->sess_private_data;
370 set_sec_session_private_data(struct rte_security_session *sess,
373 sess->sess_private_data = private_data;
377 * Attach a session to a crypto operation.
378 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
379 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
380 * defined to perform security operations.
382 * @param op crypto operation
383 * @param sess security session
386 rte_security_attach_session(struct rte_crypto_op *op,
387 struct rte_security_session *sess)
389 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
392 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
394 return __rte_security_attach_session(op->sym, sess);
397 struct rte_security_macsec_stats {
401 struct rte_security_ipsec_stats {
406 struct rte_security_stats {
407 enum rte_security_session_protocol protocol;
408 /**< Security protocol to be configured */
412 struct rte_security_macsec_stats macsec;
413 struct rte_security_ipsec_stats ipsec;
418 * Get security session statistics
420 * @param instance security instance
421 * @param sess security session
422 * @param stats statistics
424 * - On success return 0
428 rte_security_session_stats_get(struct rte_security_ctx *instance,
429 struct rte_security_session *sess,
430 struct rte_security_stats *stats);
433 * Security capability definition
435 struct rte_security_capability {
436 enum rte_security_session_action_type action;
437 /**< Security action type*/
438 enum rte_security_session_protocol protocol;
439 /**< Security protocol */
443 enum rte_security_ipsec_sa_protocol proto;
444 /**< IPsec SA protocol */
445 enum rte_security_ipsec_sa_mode mode;
446 /**< IPsec SA mode */
447 enum rte_security_ipsec_sa_direction direction;
448 /**< IPsec SA direction */
449 struct rte_security_ipsec_sa_options options;
450 /**< IPsec SA supported options */
452 /**< IPsec capability */
456 /**< MACsec capability */
459 const struct rte_cryptodev_capabilities *crypto_capabilities;
460 /**< Corresponding crypto capabilities for security capability */
463 /**< Device offload flags */
466 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
467 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
470 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
471 /**< HW constructs trailer of packets
472 * Transmitted packets will have the trailer added to them
473 * by hardawre. The next protocol field will be based on
474 * the mbuf->inner_esp_next_proto field.
476 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
477 /**< HW removes trailer of packets
478 * Received packets have no trailer, the next protocol field
479 * is supplied in the mbuf->inner_esp_next_proto field.
480 * Inner packet is not modified.
484 * Security capability index used to query a security instance for a specific
485 * security capability
487 struct rte_security_capability_idx {
488 enum rte_security_session_action_type action;
489 enum rte_security_session_protocol protocol;
494 enum rte_security_ipsec_sa_protocol proto;
495 enum rte_security_ipsec_sa_mode mode;
496 enum rte_security_ipsec_sa_direction direction;
502 * Returns array of security instance capabilities
504 * @param instance Security instance.
507 * - Returns array of security capabilities.
508 * - Return NULL if no capabilities available.
510 const struct rte_security_capability *
511 rte_security_capabilities_get(struct rte_security_ctx *instance);
514 * Query if a specific capability is available on security instance
516 * @param instance security instance.
517 * @param idx security capability index to match against
520 * - Returns pointer to security capability on match of capability
522 * - Return NULL if the capability not matched on security instance.
524 const struct rte_security_capability *
525 rte_security_capability_get(struct rte_security_ctx *instance,
526 struct rte_security_capability_idx *idx);
532 #endif /* _RTE_SECURITY_H_ */