5 * Copyright(c) 2017 Intel Corporation. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * * Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
17 * * Neither the name of NXP nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
24 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
25 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
26 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
27 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
31 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 #ifndef _RTE_SECURITY_H_
35 #define _RTE_SECURITY_H_
38 * @file rte_security.h
39 * @b EXPERIMENTAL: this API may change without prior notice
41 * RTE Security Common Definitions
49 #include <sys/types.h>
51 #include <netinet/in.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip6.h>
55 #include <rte_compat.h>
56 #include <rte_common.h>
57 #include <rte_crypto.h>
59 #include <rte_memory.h>
60 #include <rte_mempool.h>
62 /** IPSec protocol mode */
63 enum rte_security_ipsec_sa_mode {
64 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
65 /**< IPSec Transport mode */
66 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
67 /**< IPSec Tunnel mode */
71 enum rte_security_ipsec_sa_protocol {
72 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
74 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
78 /** IPSEC tunnel type */
79 enum rte_security_ipsec_tunnel_type {
80 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
81 /**< Outer header is IPv4 */
82 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
83 /**< Outer header is IPv6 */
87 * Security context for crypto/eth devices
89 * Security instance for each driver to register security operations.
90 * The application can get the security context from the crypto/eth device id
91 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
92 * This structure is used to identify the device(crypto/eth) for which the
93 * security operations need to be performed.
95 struct rte_security_ctx {
97 /**< Crypto/ethernet device attached */
98 const struct rte_security_ops *ops;
99 /**< Pointer to security ops for the device */
101 /**< Number of sessions attached to this context */
105 * IPSEC tunnel parameters
107 * These parameters are used to build outbound tunnel headers.
109 struct rte_security_ipsec_tunnel_param {
110 enum rte_security_ipsec_tunnel_type type;
111 /**< Tunnel type: IPv4 or IPv6 */
115 struct in_addr src_ip;
116 /**< IPv4 source address */
117 struct in_addr dst_ip;
118 /**< IPv4 destination address */
120 /**< IPv4 Differentiated Services Code Point */
122 /**< IPv4 Don't Fragment bit */
124 /**< IPv4 Time To Live */
126 /**< IPv4 header parameters */
128 struct in6_addr src_addr;
129 /**< IPv6 source address */
130 struct in6_addr dst_addr;
131 /**< IPv6 destination address */
133 /**< IPv6 Differentiated Services Code Point */
135 /**< IPv6 flow label */
137 /**< IPv6 hop limit */
139 /**< IPv6 header parameters */
144 * IPsec Security Association option flags
146 struct rte_security_ipsec_sa_options {
147 /**< Extended Sequence Numbers (ESN)
149 * * 1: Use extended (64 bit) sequence numbers
150 * * 0: Use normal sequence numbers
154 /**< UDP encapsulation
156 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
157 * traverse through NAT boxes.
158 * * 0: No UDP encapsulation
160 uint32_t udp_encap : 1;
164 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
165 * the outer IP header in encapsulation, and vice versa in
167 * * 0: Do not change DSCP field.
169 uint32_t copy_dscp : 1;
171 /**< Copy IPv6 Flow Label
173 * * 1: Copy IPv6 flow label from inner IPv6 header to the
175 * * 0: Outer header is not modified.
177 uint32_t copy_flabel : 1;
179 /**< Copy IPv4 Don't Fragment bit
181 * * 1: Copy the DF bit from the inner IPv4 header to the outer
183 * * 0: Outer header is not modified.
185 uint32_t copy_df : 1;
187 /**< Decrement inner packet Time To Live (TTL) field
189 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
190 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
192 * * 0: Inner packet is not modified.
194 uint32_t dec_ttl : 1;
197 /** IPSec security association direction */
198 enum rte_security_ipsec_sa_direction {
199 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
200 /**< Encrypt and generate digest */
201 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
202 /**< Verify digest and decrypt */
206 * IPsec security association configuration data.
208 * This structure contains data required to create an IPsec SA security session.
210 struct rte_security_ipsec_xform {
212 /**< SA security parameter index */
215 struct rte_security_ipsec_sa_options options;
216 /**< various SA options */
217 enum rte_security_ipsec_sa_direction direction;
218 /**< IPSec SA Direction - Egress/Ingress */
219 enum rte_security_ipsec_sa_protocol proto;
220 /**< IPsec SA Protocol - AH/ESP */
221 enum rte_security_ipsec_sa_mode mode;
222 /**< IPsec SA Mode - transport/tunnel */
223 struct rte_security_ipsec_tunnel_param tunnel;
224 /**< Tunnel parameters, NULL for transport mode */
225 uint64_t esn_soft_limit;
226 /**< ESN for which the overflow event need to be raised */
230 * MACsec security session configuration
232 struct rte_security_macsec_xform {
238 * Security session action type.
240 enum rte_security_session_action_type {
241 RTE_SECURITY_ACTION_TYPE_NONE,
242 /**< No security actions */
243 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
244 /**< Crypto processing for security protocol is processed inline
245 * during transmission
247 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
248 /**< All security protocol processing is performed inline during
251 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
252 /**< All security protocol processing including crypto is performed
253 * on a lookaside accelerator
257 /** Security session protocol definition */
258 enum rte_security_session_protocol {
259 RTE_SECURITY_PROTOCOL_IPSEC = 1,
260 /**< IPsec Protocol */
261 RTE_SECURITY_PROTOCOL_MACSEC,
262 /**< MACSec Protocol */
266 * Security session configuration
268 struct rte_security_session_conf {
269 enum rte_security_session_action_type action_type;
270 /**< Type of action to be performed on the session */
271 enum rte_security_session_protocol protocol;
272 /**< Security protocol to be configured */
275 struct rte_security_ipsec_xform ipsec;
276 struct rte_security_macsec_xform macsec;
278 /**< Configuration parameters for security session */
279 struct rte_crypto_sym_xform *crypto_xform;
280 /**< Security Session Crypto Transformations */
282 /**< Application specific userdata to be saved with session */
285 struct rte_security_session {
286 void *sess_private_data;
287 /**< Private session material */
291 * Create security session as specified by the session configuration
293 * @param instance security instance
294 * @param conf session configuration parameters
295 * @param mp mempool to allocate session objects from
297 * - On success, pointer to session
300 struct rte_security_session * __rte_experimental
301 rte_security_session_create(struct rte_security_ctx *instance,
302 struct rte_security_session_conf *conf,
303 struct rte_mempool *mp);
306 * Update security session as specified by the session configuration
308 * @param instance security instance
309 * @param sess session to update parameters
310 * @param conf update configuration parameters
312 * - On success returns 0
313 * - On failure return errno
315 int __rte_experimental
316 rte_security_session_update(struct rte_security_ctx *instance,
317 struct rte_security_session *sess,
318 struct rte_security_session_conf *conf);
321 * Get the size of the security session data for a device.
323 * @param instance security instance.
326 * - Size of the private data, if successful
327 * - 0 if device is invalid or does not support the operation.
329 unsigned int __rte_experimental
330 rte_security_session_get_size(struct rte_security_ctx *instance);
333 * Free security session header and the session private data and
334 * return it to its original mempool.
336 * @param instance security instance
337 * @param sess security session to freed
341 * - -EINVAL if session is NULL.
342 * - -EBUSY if not all device private data has been freed.
344 int __rte_experimental
345 rte_security_session_destroy(struct rte_security_ctx *instance,
346 struct rte_security_session *sess);
349 * Updates the buffer with device-specific defined metadata
351 * @param instance security instance
352 * @param sess security session
353 * @param mb packet mbuf to set metadata on.
354 * @param params device-specific defined parameters
355 * required for metadata
358 * - On success, zero.
359 * - On failure, a negative value.
361 int __rte_experimental
362 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
363 struct rte_security_session *sess,
364 struct rte_mbuf *mb, void *params);
367 * Get userdata associated with the security session which processed the
368 * packet. This userdata would be registered while creating the session, and
369 * application can use this to identify the SA etc. Device-specific metadata
370 * in the mbuf would be used for this.
372 * This is valid only for inline processed ingress packets.
374 * @param instance security instance
375 * @param md device-specific metadata set in mbuf
378 * - On success, userdata
381 void * __rte_experimental
382 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
385 * Attach a session to a symmetric crypto operation
387 * @param sym_op crypto operation
388 * @param sess security session
390 static inline int __rte_experimental
391 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
392 struct rte_security_session *sess)
394 sym_op->sec_session = sess;
399 static inline void * __rte_experimental
400 get_sec_session_private_data(const struct rte_security_session *sess)
402 return sess->sess_private_data;
405 static inline void __rte_experimental
406 set_sec_session_private_data(struct rte_security_session *sess,
409 sess->sess_private_data = private_data;
413 * Attach a session to a crypto operation.
414 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
415 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
416 * defined to perform security operations.
418 * @param op crypto operation
419 * @param sess security session
421 static inline int __rte_experimental
422 rte_security_attach_session(struct rte_crypto_op *op,
423 struct rte_security_session *sess)
425 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
428 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
430 return __rte_security_attach_session(op->sym, sess);
433 struct rte_security_macsec_stats {
437 struct rte_security_ipsec_stats {
442 struct rte_security_stats {
443 enum rte_security_session_protocol protocol;
444 /**< Security protocol to be configured */
448 struct rte_security_macsec_stats macsec;
449 struct rte_security_ipsec_stats ipsec;
454 * Get security session statistics
456 * @param instance security instance
457 * @param sess security session
458 * @param stats statistics
460 * - On success return 0
463 int __rte_experimental
464 rte_security_session_stats_get(struct rte_security_ctx *instance,
465 struct rte_security_session *sess,
466 struct rte_security_stats *stats);
469 * Security capability definition
471 struct rte_security_capability {
472 enum rte_security_session_action_type action;
473 /**< Security action type*/
474 enum rte_security_session_protocol protocol;
475 /**< Security protocol */
479 enum rte_security_ipsec_sa_protocol proto;
480 /**< IPsec SA protocol */
481 enum rte_security_ipsec_sa_mode mode;
482 /**< IPsec SA mode */
483 enum rte_security_ipsec_sa_direction direction;
484 /**< IPsec SA direction */
485 struct rte_security_ipsec_sa_options options;
486 /**< IPsec SA supported options */
488 /**< IPsec capability */
493 /**< MACsec capability */
496 const struct rte_cryptodev_capabilities *crypto_capabilities;
497 /**< Corresponding crypto capabilities for security capability */
500 /**< Device offload flags */
503 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
504 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
507 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
508 /**< HW constructs trailer of packets
509 * Transmitted packets will have the trailer added to them
510 * by hardawre. The next protocol field will be based on
511 * the mbuf->inner_esp_next_proto field.
513 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
514 /**< HW removes trailer of packets
515 * Received packets have no trailer, the next protocol field
516 * is supplied in the mbuf->inner_esp_next_proto field.
517 * Inner packet is not modified.
521 * Security capability index used to query a security instance for a specific
522 * security capability
524 struct rte_security_capability_idx {
525 enum rte_security_session_action_type action;
526 enum rte_security_session_protocol protocol;
531 enum rte_security_ipsec_sa_protocol proto;
532 enum rte_security_ipsec_sa_mode mode;
533 enum rte_security_ipsec_sa_direction direction;
539 * Returns array of security instance capabilities
541 * @param instance Security instance.
544 * - Returns array of security capabilities.
545 * - Return NULL if no capabilities available.
547 const struct rte_security_capability * __rte_experimental
548 rte_security_capabilities_get(struct rte_security_ctx *instance);
551 * Query if a specific capability is available on security instance
553 * @param instance security instance.
554 * @param idx security capability index to match against
557 * - Returns pointer to security capability on match of capability
559 * - Return NULL if the capability not matched on security instance.
561 const struct rte_security_capability * __rte_experimental
562 rte_security_capability_get(struct rte_security_ctx *instance,
563 struct rte_security_capability_idx *idx);
569 #endif /* _RTE_SECURITY_H_ */