1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
10 * @file rte_security.h
12 * RTE Security Common Definitions
20 #include <sys/types.h>
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
27 #include <rte_mbuf_dyn.h>
28 #include <rte_memory.h>
29 #include <rte_mempool.h>
31 /** IPSec protocol mode */
32 enum rte_security_ipsec_sa_mode {
33 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
34 /**< IPSec Transport mode */
35 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
36 /**< IPSec Tunnel mode */
40 enum rte_security_ipsec_sa_protocol {
41 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
43 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
47 /** IPSEC tunnel type */
48 enum rte_security_ipsec_tunnel_type {
49 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
50 /**< Outer header is IPv4 */
51 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
52 /**< Outer header is IPv6 */
56 * IPSEC tunnel header verification mode
58 * Controls how outer IP header is verified in inbound.
60 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
61 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
64 * Security context for crypto/eth devices
66 * Security instance for each driver to register security operations.
67 * The application can get the security context from the crypto/eth device id
68 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
69 * This structure is used to identify the device(crypto/eth) for which the
70 * security operations need to be performed.
72 struct rte_security_ctx {
74 /**< Crypto/ethernet device attached */
75 const struct rte_security_ops *ops;
76 /**< Pointer to security ops for the device */
78 /**< Number of sessions attached to this context */
80 /**< Flags for security context */
83 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
84 /**< Driver uses fast metadata update without using driver specific callback */
86 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
87 /**< Driver provides udata using fast method without using driver specific
88 * callback. For fast mdata and udata, mbuf dynamic field would be registered
89 * by driver via rte_security_dynfield_register().
93 * IPSEC tunnel parameters
95 * These parameters are used to build outbound tunnel headers.
97 struct rte_security_ipsec_tunnel_param {
98 enum rte_security_ipsec_tunnel_type type;
99 /**< Tunnel type: IPv4 or IPv6 */
103 struct in_addr src_ip;
104 /**< IPv4 source address */
105 struct in_addr dst_ip;
106 /**< IPv4 destination address */
108 /**< IPv4 Differentiated Services Code Point */
110 /**< IPv4 Don't Fragment bit */
112 /**< IPv4 Time To Live */
114 /**< IPv4 header parameters */
116 struct in6_addr src_addr;
117 /**< IPv6 source address */
118 struct in6_addr dst_addr;
119 /**< IPv6 destination address */
121 /**< IPv6 Differentiated Services Code Point */
123 /**< IPv6 flow label */
125 /**< IPv6 hop limit */
127 /**< IPv6 header parameters */
131 struct rte_security_ipsec_udp_param {
137 * IPsec Security Association option flags
139 struct rte_security_ipsec_sa_options {
140 /** Extended Sequence Numbers (ESN)
142 * * 1: Use extended (64 bit) sequence numbers
143 * * 0: Use normal sequence numbers
147 /** UDP encapsulation
149 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
150 * traverse through NAT boxes.
151 * * 0: No UDP encapsulation
153 uint32_t udp_encap : 1;
157 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
158 * the outer IP header in encapsulation, and vice versa in
160 * * 0: Do not change DSCP field.
162 uint32_t copy_dscp : 1;
164 /** Copy IPv6 Flow Label
166 * * 1: Copy IPv6 flow label from inner IPv6 header to the
168 * * 0: Outer header is not modified.
170 uint32_t copy_flabel : 1;
172 /** Copy IPv4 Don't Fragment bit
174 * * 1: Copy the DF bit from the inner IPv4 header to the outer
176 * * 0: Outer header is not modified.
178 uint32_t copy_df : 1;
180 /** Decrement inner packet Time To Live (TTL) field
182 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
183 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
185 * * 0: Inner packet is not modified.
187 uint32_t dec_ttl : 1;
189 /** Explicit Congestion Notification (ECN)
191 * * 1: In tunnel mode, enable outer header ECN Field copied from
192 * inner header in tunnel encapsulation, or inner header ECN
193 * field construction in decapsulation.
194 * * 0: Inner/outer header are not modified.
198 /** Security statistics
200 * * 1: Enable per session security statistics collection for
201 * this SA, if supported by the driver.
202 * * 0: Disable per session security statistics collection for this SA.
206 /** Disable IV generation in PMD
208 * * 1: Disable IV generation in PMD. When disabled, IV provided in
209 * rte_crypto_op will be used by the PMD.
211 * * 0: Enable IV generation in PMD. When enabled, PMD generated random
212 * value would be used and application is not required to provide
215 * Note: For inline cases, IV generation would always need to be handled
218 uint32_t iv_gen_disable : 1;
220 /** Verify tunnel header in inbound
221 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
224 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
225 * source and destination IP addresses.
227 uint32_t tunnel_hdr_verify : 2;
229 /** Verify UDP encapsulation ports in inbound
231 * * 1: Match UDP source and destination ports
232 * * 0: Do not match UDP ports
234 uint32_t udp_ports_verify : 1;
236 /** Compute/verify inner packet IPv4 header checksum in tunnel mode
238 * * 1: For outbound, compute inner packet IPv4 header checksum
239 * before tunnel encapsulation and for inbound, verify after
240 * tunnel decapsulation.
241 * * 0: Inner packet IP header checksum is not computed/verified.
243 * The checksum verification status would be set in mbuf using
244 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags.
246 * Inner IP checksum computation can also be enabled(per operation)
247 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf.
249 uint32_t ip_csum_enable : 1;
251 /** Compute/verify inner packet L4 checksum in tunnel mode
253 * * 1: For outbound, compute inner packet L4 checksum before
254 * tunnel encapsulation and for inbound, verify after
255 * tunnel decapsulation.
256 * * 0: Inner packet L4 checksum is not computed/verified.
258 * The checksum verification status would be set in mbuf using
259 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags.
261 * Inner L4 checksum computation can also be enabled(per operation)
262 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or
263 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf.
265 uint32_t l4_csum_enable : 1;
267 /** Reserved bit fields for future extension
269 * User should ensure reserved_opts is cleared as it may change in
270 * subsequent releases to support new options.
272 * Note: Reduce number of bits in reserved_opts for every new option.
274 uint32_t reserved_opts : 18;
277 /** IPSec security association direction */
278 enum rte_security_ipsec_sa_direction {
279 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
280 /**< Encrypt and generate digest */
281 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
282 /**< Verify digest and decrypt */
286 * Configure soft and hard lifetime of an IPsec SA
288 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
289 * that can be processed. IPsec operations would start failing once any hard
292 * Soft limits can be specified to generate notification when the SA is
293 * approaching hard limits for lifetime. For inline operations, reaching soft
294 * expiry limit would result in raising an eth event for the same. For lookaside
295 * operations, this would result in a warning returned in
296 * ``rte_crypto_op.aux_flags``.
298 struct rte_security_ipsec_lifetime {
299 uint64_t packets_soft_limit;
300 /**< Soft expiry limit in number of packets */
301 uint64_t bytes_soft_limit;
302 /**< Soft expiry limit in bytes */
303 uint64_t packets_hard_limit;
304 /**< Soft expiry limit in number of packets */
305 uint64_t bytes_hard_limit;
306 /**< Soft expiry limit in bytes */
310 * IPsec security association configuration data.
312 * This structure contains data required to create an IPsec SA security session.
314 struct rte_security_ipsec_xform {
316 /**< SA security parameter index */
319 struct rte_security_ipsec_sa_options options;
320 /**< various SA options */
321 enum rte_security_ipsec_sa_direction direction;
322 /**< IPSec SA Direction - Egress/Ingress */
323 enum rte_security_ipsec_sa_protocol proto;
324 /**< IPsec SA Protocol - AH/ESP */
325 enum rte_security_ipsec_sa_mode mode;
326 /**< IPsec SA Mode - transport/tunnel */
327 struct rte_security_ipsec_tunnel_param tunnel;
328 /**< Tunnel parameters, NULL for transport mode */
329 struct rte_security_ipsec_lifetime life;
330 /**< IPsec SA lifetime */
331 uint32_t replay_win_sz;
332 /**< Anti replay window size to enable sequence replay attack handling.
333 * replay checking is disabled if the window size is 0.
342 /**< Extended Sequence Number */
343 struct rte_security_ipsec_udp_param udp;
344 /**< UDP parameters, ignored when udp_encap option not specified */
348 * MACsec security session configuration
350 struct rte_security_macsec_xform {
356 * PDCP Mode of session
358 enum rte_security_pdcp_domain {
359 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
360 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
361 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */
364 /** PDCP Frame direction */
365 enum rte_security_pdcp_direction {
366 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
367 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
370 /** PDCP Sequence Number Size selectors */
371 enum rte_security_pdcp_sn_size {
372 /** PDCP_SN_SIZE_5: 5bit sequence number */
373 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
374 /** PDCP_SN_SIZE_7: 7bit sequence number */
375 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
376 /** PDCP_SN_SIZE_12: 12bit sequence number */
377 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
378 /** PDCP_SN_SIZE_15: 15bit sequence number */
379 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
380 /** PDCP_SN_SIZE_18: 18bit sequence number */
381 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
385 * PDCP security association configuration data.
387 * This structure contains data required to create a PDCP security session.
389 struct rte_security_pdcp_xform {
390 int8_t bearer; /**< PDCP bearer ID */
391 /** Enable in order delivery, this field shall be set only if
392 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
395 /** Notify driver/HW to detect and remove duplicate packets.
396 * This field should be set only when driver/hw is capable.
397 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
399 uint8_t remove_duplicates;
400 /** PDCP mode of operation: Control or data */
401 enum rte_security_pdcp_domain domain;
402 /** PDCP Frame Direction 0:UL 1:DL */
403 enum rte_security_pdcp_direction pkt_dir;
404 /** Sequence number size, 5/7/12/15/18 */
405 enum rte_security_pdcp_sn_size sn_size;
406 /** Starting Hyper Frame Number to be used together with the SN
407 * from the PDCP frames
410 /** HFN Threshold for key renegotiation */
411 uint32_t hfn_threshold;
412 /** HFN can be given as a per packet value also.
413 * As we do not have IV in case of PDCP, and HFN is
414 * used to generate IV. IV field can be used to get the
415 * per packet HFN while enq/deq.
416 * If hfn_ovrd field is set, user is expected to set the
417 * per packet HFN in place of IV. PMDs will extract the HFN
418 * and perform operations accordingly.
421 /** In case of 5G NR, a new protocol (SDAP) header may be set
422 * inside PDCP payload which should be authenticated but not
423 * encrypted. Hence, driver should be notified if SDAP is
424 * enabled or not, so that SDAP header is not encrypted.
426 uint8_t sdap_enabled;
427 /** Reserved for future */
431 /** DOCSIS direction */
432 enum rte_security_docsis_direction {
433 RTE_SECURITY_DOCSIS_UPLINK,
435 * - Decryption, followed by CRC Verification
437 RTE_SECURITY_DOCSIS_DOWNLINK,
439 * - CRC Generation, followed by Encryption
444 * DOCSIS security session configuration.
446 * This structure contains data required to create a DOCSIS security session.
448 struct rte_security_docsis_xform {
449 enum rte_security_docsis_direction direction;
450 /**< DOCSIS direction */
454 * Security session action type.
456 enum rte_security_session_action_type {
457 RTE_SECURITY_ACTION_TYPE_NONE,
458 /**< No security actions */
459 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
460 /**< Crypto processing for security protocol is processed inline
461 * during transmission
463 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
464 /**< All security protocol processing is performed inline during
467 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
468 /**< All security protocol processing including crypto is performed
469 * on a lookaside accelerator
471 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
472 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
473 * protocol is processed synchronously by a CPU.
477 /** Security session protocol definition */
478 enum rte_security_session_protocol {
479 RTE_SECURITY_PROTOCOL_IPSEC = 1,
480 /**< IPsec Protocol */
481 RTE_SECURITY_PROTOCOL_MACSEC,
482 /**< MACSec Protocol */
483 RTE_SECURITY_PROTOCOL_PDCP,
484 /**< PDCP Protocol */
485 RTE_SECURITY_PROTOCOL_DOCSIS,
486 /**< DOCSIS Protocol */
490 * Security session configuration
492 struct rte_security_session_conf {
493 enum rte_security_session_action_type action_type;
494 /**< Type of action to be performed on the session */
495 enum rte_security_session_protocol protocol;
496 /**< Security protocol to be configured */
499 struct rte_security_ipsec_xform ipsec;
500 struct rte_security_macsec_xform macsec;
501 struct rte_security_pdcp_xform pdcp;
502 struct rte_security_docsis_xform docsis;
504 /**< Configuration parameters for security session */
505 struct rte_crypto_sym_xform *crypto_xform;
506 /**< Security Session Crypto Transformations */
508 /**< Application specific userdata to be saved with session */
511 struct rte_security_session {
512 void *sess_private_data;
513 /**< Private session material */
514 uint64_t opaque_data;
515 /**< Opaque user defined data */
519 * Create security session as specified by the session configuration
521 * @param instance security instance
522 * @param conf session configuration parameters
523 * @param mp mempool to allocate session objects from
524 * @param priv_mp mempool to allocate session private data objects from
526 * - On success, pointer to session
529 struct rte_security_session *
530 rte_security_session_create(struct rte_security_ctx *instance,
531 struct rte_security_session_conf *conf,
532 struct rte_mempool *mp,
533 struct rte_mempool *priv_mp);
536 * Update security session as specified by the session configuration
538 * @param instance security instance
539 * @param sess session to update parameters
540 * @param conf update configuration parameters
542 * - On success returns 0
543 * - On failure returns a negative errno value.
547 rte_security_session_update(struct rte_security_ctx *instance,
548 struct rte_security_session *sess,
549 struct rte_security_session_conf *conf);
552 * Get the size of the security session data for a device.
554 * @param instance security instance.
557 * - Size of the private data, if successful
558 * - 0 if device is invalid or does not support the operation.
561 rte_security_session_get_size(struct rte_security_ctx *instance);
564 * Free security session header and the session private data and
565 * return it to its original mempool.
567 * @param instance security instance
568 * @param sess security session to be freed
572 * - -EINVAL if session or context instance is NULL.
573 * - -EBUSY if not all device private data has been freed.
574 * - -ENOTSUP if destroying private data is not supported.
575 * - other negative values in case of freeing private data errors.
578 rte_security_session_destroy(struct rte_security_ctx *instance,
579 struct rte_security_session *sess);
581 /** Device-specific metadata field type */
582 typedef uint64_t rte_security_dynfield_t;
583 /** Dynamic mbuf field for device-specific metadata */
584 extern int rte_security_dynfield_offset;
588 * @b EXPERIMENTAL: this API may change without prior notice
590 * Get pointer to mbuf field for device-specific metadata.
592 * For performance reason, no check is done,
593 * the dynamic field may not be registered.
594 * @see rte_security_dynfield_is_registered
596 * @param mbuf packet to access
597 * @return pointer to mbuf field
600 static inline rte_security_dynfield_t *
601 rte_security_dynfield(struct rte_mbuf *mbuf)
603 return RTE_MBUF_DYNFIELD(mbuf,
604 rte_security_dynfield_offset,
605 rte_security_dynfield_t *);
610 * @b EXPERIMENTAL: this API may change without prior notice
612 * Check whether the dynamic field is registered.
614 * @return true if rte_security_dynfield_register() has been called.
617 static inline bool rte_security_dynfield_is_registered(void)
619 return rte_security_dynfield_offset >= 0;
622 /** Function to call PMD specific function pointer set_pkt_metadata() */
624 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
625 struct rte_security_session *sess,
626 struct rte_mbuf *m, void *params);
629 * Updates the buffer with device-specific defined metadata
631 * @param instance security instance
632 * @param sess security session
633 * @param mb packet mbuf to set metadata on.
634 * @param params device-specific defined parameters
635 * required for metadata
638 * - On success, zero.
639 * - On failure, a negative value.
642 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
643 struct rte_security_session *sess,
644 struct rte_mbuf *mb, void *params)
647 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
648 *rte_security_dynfield(mb) =
649 (rte_security_dynfield_t)(sess->sess_private_data);
653 /* Jump to PMD specific function pointer */
654 return __rte_security_set_pkt_metadata(instance, sess, mb, params);
657 /** Function to call PMD specific function pointer get_userdata() */
659 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
663 * Get userdata associated with the security session. Device specific metadata
664 * provided would be used to uniquely identify the security session being
665 * referred to. This userdata would be registered while creating the session,
666 * and application can use this to identify the SA etc.
668 * Device specific metadata would be set in mbuf for inline processed inbound
669 * packets. In addition, the same metadata would be set for IPsec events
670 * reported by rte_eth_event framework.
672 * @param instance security instance
673 * @param md device-specific metadata
676 * - On success, userdata
681 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
684 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
685 return (void *)(uintptr_t)md;
687 /* Jump to PMD specific function pointer */
688 return __rte_security_get_userdata(instance, md);
692 * Attach a session to a symmetric crypto operation
694 * @param sym_op crypto operation
695 * @param sess security session
698 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
699 struct rte_security_session *sess)
701 sym_op->sec_session = sess;
707 get_sec_session_private_data(const struct rte_security_session *sess)
709 return sess->sess_private_data;
713 set_sec_session_private_data(struct rte_security_session *sess,
716 sess->sess_private_data = private_data;
720 * Attach a session to a crypto operation.
721 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
722 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
723 * defined to perform security operations.
725 * @param op crypto operation
726 * @param sess security session
729 rte_security_attach_session(struct rte_crypto_op *op,
730 struct rte_security_session *sess)
732 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
735 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
737 return __rte_security_attach_session(op->sym, sess);
740 struct rte_security_macsec_stats {
744 struct rte_security_ipsec_stats {
745 uint64_t ipackets; /**< Successfully received IPsec packets. */
746 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
747 uint64_t ibytes; /**< Successfully received IPsec bytes. */
748 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
749 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
750 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
751 uint64_t reserved1; /**< Reserved for future use. */
752 uint64_t reserved2; /**< Reserved for future use. */
755 struct rte_security_pdcp_stats {
759 struct rte_security_docsis_stats {
763 struct rte_security_stats {
764 enum rte_security_session_protocol protocol;
765 /**< Security protocol to be configured */
769 struct rte_security_macsec_stats macsec;
770 struct rte_security_ipsec_stats ipsec;
771 struct rte_security_pdcp_stats pdcp;
772 struct rte_security_docsis_stats docsis;
777 * Get security session statistics
779 * @param instance security instance
780 * @param sess security session
781 * If security session is NULL then global (per security instance) statistics
782 * will be retrieved, if supported. Global statistics collection is not
783 * dependent on the per session statistics configuration.
784 * @param stats statistics
786 * - On success, return 0
787 * - On failure, a negative value
791 rte_security_session_stats_get(struct rte_security_ctx *instance,
792 struct rte_security_session *sess,
793 struct rte_security_stats *stats);
796 * Security capability definition
798 struct rte_security_capability {
799 enum rte_security_session_action_type action;
800 /**< Security action type*/
801 enum rte_security_session_protocol protocol;
802 /**< Security protocol */
806 enum rte_security_ipsec_sa_protocol proto;
807 /**< IPsec SA protocol */
808 enum rte_security_ipsec_sa_mode mode;
809 /**< IPsec SA mode */
810 enum rte_security_ipsec_sa_direction direction;
811 /**< IPsec SA direction */
812 struct rte_security_ipsec_sa_options options;
813 /**< IPsec SA supported options */
814 uint32_t replay_win_sz_max;
815 /**< IPsec Anti Replay Window Size. A '0' value
816 * indicates that Anti Replay is not supported.
819 /**< IPsec capability */
824 /**< MACsec capability */
826 enum rte_security_pdcp_domain domain;
827 /**< PDCP mode of operation: Control or data */
829 /**< Capability flags, see RTE_SECURITY_PDCP_* */
831 /**< PDCP capability */
833 enum rte_security_docsis_direction direction;
834 /**< DOCSIS direction */
836 /**< DOCSIS capability */
839 const struct rte_cryptodev_capabilities *crypto_capabilities;
840 /**< Corresponding crypto capabilities for security capability */
843 /**< Device offload flags */
846 /** Underlying Hardware/driver which support PDCP may or may not support
847 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
848 * If it is not set, driver/HW assumes packets received are in order
849 * and it will be application's responsibility to maintain ordering.
851 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
853 /** Underlying Hardware/driver which support PDCP may or may not detect
854 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
855 * If it is not set, driver/HW assumes there is no duplicate packet received.
857 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
859 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
860 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
863 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
864 /**< HW constructs trailer of packets
865 * Transmitted packets will have the trailer added to them
866 * by hardware. The next protocol field will be based on
867 * the mbuf->inner_esp_next_proto field.
869 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
870 /**< HW removes trailer of packets
871 * Received packets have no trailer, the next protocol field
872 * is supplied in the mbuf->inner_esp_next_proto field.
873 * Inner packet is not modified.
877 * Security capability index used to query a security instance for a specific
878 * security capability
880 struct rte_security_capability_idx {
881 enum rte_security_session_action_type action;
882 enum rte_security_session_protocol protocol;
887 enum rte_security_ipsec_sa_protocol proto;
888 enum rte_security_ipsec_sa_mode mode;
889 enum rte_security_ipsec_sa_direction direction;
892 enum rte_security_pdcp_domain domain;
896 enum rte_security_docsis_direction direction;
902 * Returns array of security instance capabilities
904 * @param instance Security instance.
907 * - Returns array of security capabilities.
908 * - Return NULL if no capabilities available.
910 const struct rte_security_capability *
911 rte_security_capabilities_get(struct rte_security_ctx *instance);
914 * Query if a specific capability is available on security instance
916 * @param instance security instance.
917 * @param idx security capability index to match against
920 * - Returns pointer to security capability on match of capability
922 * - Return NULL if the capability not matched on security instance.
924 const struct rte_security_capability *
925 rte_security_capability_get(struct rte_security_ctx *instance,
926 struct rte_security_capability_idx *idx);
932 #endif /* _RTE_SECURITY_H_ */