1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
10 * @file rte_security.h
12 * RTE Security Common Definitions
20 #include <sys/types.h>
22 #include <netinet/in.h>
23 #include <netinet/ip.h>
24 #include <netinet/ip6.h>
26 #include <rte_compat.h>
27 #include <rte_common.h>
28 #include <rte_crypto.h>
30 #include <rte_mbuf_dyn.h>
31 #include <rte_memory.h>
32 #include <rte_mempool.h>
34 /** IPSec protocol mode */
35 enum rte_security_ipsec_sa_mode {
36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
37 /**< IPSec Transport mode */
38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
39 /**< IPSec Tunnel mode */
43 enum rte_security_ipsec_sa_protocol {
44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
46 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
50 /** IPSEC tunnel type */
51 enum rte_security_ipsec_tunnel_type {
52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
53 /**< Outer header is IPv4 */
54 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
55 /**< Outer header is IPv6 */
59 * Security context for crypto/eth devices
61 * Security instance for each driver to register security operations.
62 * The application can get the security context from the crypto/eth device id
63 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
64 * This structure is used to identify the device(crypto/eth) for which the
65 * security operations need to be performed.
67 struct rte_security_ctx {
69 /**< Crypto/ethernet device attached */
70 const struct rte_security_ops *ops;
71 /**< Pointer to security ops for the device */
73 /**< Number of sessions attached to this context */
75 /**< Flags for security context */
78 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
79 /**< Driver uses fast metadata update without using driver specific callback */
81 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
82 /**< Driver provides udata using fast method without using driver specific
83 * callback. For fast mdata and udata, mbuf dynamic field would be registered
84 * by driver via rte_security_dynfield_register().
88 * IPSEC tunnel parameters
90 * These parameters are used to build outbound tunnel headers.
92 struct rte_security_ipsec_tunnel_param {
93 enum rte_security_ipsec_tunnel_type type;
94 /**< Tunnel type: IPv4 or IPv6 */
98 struct in_addr src_ip;
99 /**< IPv4 source address */
100 struct in_addr dst_ip;
101 /**< IPv4 destination address */
103 /**< IPv4 Differentiated Services Code Point */
105 /**< IPv4 Don't Fragment bit */
107 /**< IPv4 Time To Live */
109 /**< IPv4 header parameters */
111 struct in6_addr src_addr;
112 /**< IPv6 source address */
113 struct in6_addr dst_addr;
114 /**< IPv6 destination address */
116 /**< IPv6 Differentiated Services Code Point */
118 /**< IPv6 flow label */
120 /**< IPv6 hop limit */
122 /**< IPv6 header parameters */
127 * IPsec Security Association option flags
129 struct rte_security_ipsec_sa_options {
130 /** Extended Sequence Numbers (ESN)
132 * * 1: Use extended (64 bit) sequence numbers
133 * * 0: Use normal sequence numbers
137 /** UDP encapsulation
139 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
140 * traverse through NAT boxes.
141 * * 0: No UDP encapsulation
143 uint32_t udp_encap : 1;
147 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
148 * the outer IP header in encapsulation, and vice versa in
150 * * 0: Do not change DSCP field.
152 uint32_t copy_dscp : 1;
154 /** Copy IPv6 Flow Label
156 * * 1: Copy IPv6 flow label from inner IPv6 header to the
158 * * 0: Outer header is not modified.
160 uint32_t copy_flabel : 1;
162 /** Copy IPv4 Don't Fragment bit
164 * * 1: Copy the DF bit from the inner IPv4 header to the outer
166 * * 0: Outer header is not modified.
168 uint32_t copy_df : 1;
170 /** Decrement inner packet Time To Live (TTL) field
172 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
173 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
175 * * 0: Inner packet is not modified.
177 uint32_t dec_ttl : 1;
179 /** Explicit Congestion Notification (ECN)
181 * * 1: In tunnel mode, enable outer header ECN Field copied from
182 * inner header in tunnel encapsulation, or inner header ECN
183 * field construction in decapsulation.
184 * * 0: Inner/outer header are not modified.
188 /** Security statistics
190 * * 1: Enable per session security statistics collection for
191 * this SA, if supported by the driver.
192 * * 0: Disable per session security statistics collection for this SA.
196 /** Disable IV generation in PMD
198 * * 1: Disable IV generation in PMD. When disabled, IV provided in
199 * rte_crypto_op will be used by the PMD.
201 * * 0: Enable IV generation in PMD. When enabled, PMD generated random
202 * value would be used and application is not required to provide
205 * Note: For inline cases, IV generation would always need to be handled
208 uint32_t iv_gen_disable : 1;
211 /** IPSec security association direction */
212 enum rte_security_ipsec_sa_direction {
213 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
214 /**< Encrypt and generate digest */
215 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
216 /**< Verify digest and decrypt */
220 * IPsec security association configuration data.
222 * This structure contains data required to create an IPsec SA security session.
224 struct rte_security_ipsec_xform {
226 /**< SA security parameter index */
229 struct rte_security_ipsec_sa_options options;
230 /**< various SA options */
231 enum rte_security_ipsec_sa_direction direction;
232 /**< IPSec SA Direction - Egress/Ingress */
233 enum rte_security_ipsec_sa_protocol proto;
234 /**< IPsec SA Protocol - AH/ESP */
235 enum rte_security_ipsec_sa_mode mode;
236 /**< IPsec SA Mode - transport/tunnel */
237 struct rte_security_ipsec_tunnel_param tunnel;
238 /**< Tunnel parameters, NULL for transport mode */
239 uint64_t esn_soft_limit;
240 /**< ESN for which the overflow event need to be raised */
241 uint32_t replay_win_sz;
242 /**< Anti replay window size to enable sequence replay attack handling.
243 * replay checking is disabled if the window size is 0.
248 * MACsec security session configuration
250 struct rte_security_macsec_xform {
256 * PDCP Mode of session
258 enum rte_security_pdcp_domain {
259 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
260 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
261 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */
264 /** PDCP Frame direction */
265 enum rte_security_pdcp_direction {
266 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
267 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
270 /** PDCP Sequence Number Size selectors */
271 enum rte_security_pdcp_sn_size {
272 /** PDCP_SN_SIZE_5: 5bit sequence number */
273 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
274 /** PDCP_SN_SIZE_7: 7bit sequence number */
275 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
276 /** PDCP_SN_SIZE_12: 12bit sequence number */
277 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
278 /** PDCP_SN_SIZE_15: 15bit sequence number */
279 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
280 /** PDCP_SN_SIZE_18: 18bit sequence number */
281 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
285 * PDCP security association configuration data.
287 * This structure contains data required to create a PDCP security session.
289 struct rte_security_pdcp_xform {
290 int8_t bearer; /**< PDCP bearer ID */
291 /** Enable in order delivery, this field shall be set only if
292 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
295 /** Notify driver/HW to detect and remove duplicate packets.
296 * This field should be set only when driver/hw is capable.
297 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
299 uint8_t remove_duplicates;
300 /** PDCP mode of operation: Control or data */
301 enum rte_security_pdcp_domain domain;
302 /** PDCP Frame Direction 0:UL 1:DL */
303 enum rte_security_pdcp_direction pkt_dir;
304 /** Sequence number size, 5/7/12/15/18 */
305 enum rte_security_pdcp_sn_size sn_size;
306 /** Starting Hyper Frame Number to be used together with the SN
307 * from the PDCP frames
310 /** HFN Threshold for key renegotiation */
311 uint32_t hfn_threshold;
312 /** HFN can be given as a per packet value also.
313 * As we do not have IV in case of PDCP, and HFN is
314 * used to generate IV. IV field can be used to get the
315 * per packet HFN while enq/deq.
316 * If hfn_ovrd field is set, user is expected to set the
317 * per packet HFN in place of IV. PMDs will extract the HFN
318 * and perform operations accordingly.
321 /** In case of 5G NR, a new protocol (SDAP) header may be set
322 * inside PDCP payload which should be authenticated but not
323 * encrypted. Hence, driver should be notified if SDAP is
324 * enabled or not, so that SDAP header is not encrypted.
326 uint8_t sdap_enabled;
327 /** Reserved for future */
331 /** DOCSIS direction */
332 enum rte_security_docsis_direction {
333 RTE_SECURITY_DOCSIS_UPLINK,
335 * - Decryption, followed by CRC Verification
337 RTE_SECURITY_DOCSIS_DOWNLINK,
339 * - CRC Generation, followed by Encryption
344 * DOCSIS security session configuration.
346 * This structure contains data required to create a DOCSIS security session.
348 struct rte_security_docsis_xform {
349 enum rte_security_docsis_direction direction;
350 /**< DOCSIS direction */
354 * Security session action type.
356 enum rte_security_session_action_type {
357 RTE_SECURITY_ACTION_TYPE_NONE,
358 /**< No security actions */
359 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
360 /**< Crypto processing for security protocol is processed inline
361 * during transmission
363 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
364 /**< All security protocol processing is performed inline during
367 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
368 /**< All security protocol processing including crypto is performed
369 * on a lookaside accelerator
371 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
372 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
373 * protocol is processed synchronously by a CPU.
377 /** Security session protocol definition */
378 enum rte_security_session_protocol {
379 RTE_SECURITY_PROTOCOL_IPSEC = 1,
380 /**< IPsec Protocol */
381 RTE_SECURITY_PROTOCOL_MACSEC,
382 /**< MACSec Protocol */
383 RTE_SECURITY_PROTOCOL_PDCP,
384 /**< PDCP Protocol */
385 RTE_SECURITY_PROTOCOL_DOCSIS,
386 /**< DOCSIS Protocol */
390 * Security session configuration
392 struct rte_security_session_conf {
393 enum rte_security_session_action_type action_type;
394 /**< Type of action to be performed on the session */
395 enum rte_security_session_protocol protocol;
396 /**< Security protocol to be configured */
399 struct rte_security_ipsec_xform ipsec;
400 struct rte_security_macsec_xform macsec;
401 struct rte_security_pdcp_xform pdcp;
402 struct rte_security_docsis_xform docsis;
404 /**< Configuration parameters for security session */
405 struct rte_crypto_sym_xform *crypto_xform;
406 /**< Security Session Crypto Transformations */
408 /**< Application specific userdata to be saved with session */
411 struct rte_security_session {
412 void *sess_private_data;
413 /**< Private session material */
414 uint64_t opaque_data;
415 /**< Opaque user defined data */
419 * Create security session as specified by the session configuration
421 * @param instance security instance
422 * @param conf session configuration parameters
423 * @param mp mempool to allocate session objects from
424 * @param priv_mp mempool to allocate session private data objects from
426 * - On success, pointer to session
429 struct rte_security_session *
430 rte_security_session_create(struct rte_security_ctx *instance,
431 struct rte_security_session_conf *conf,
432 struct rte_mempool *mp,
433 struct rte_mempool *priv_mp);
436 * Update security session as specified by the session configuration
438 * @param instance security instance
439 * @param sess session to update parameters
440 * @param conf update configuration parameters
442 * - On success returns 0
443 * - On failure returns a negative errno value.
447 rte_security_session_update(struct rte_security_ctx *instance,
448 struct rte_security_session *sess,
449 struct rte_security_session_conf *conf);
452 * Get the size of the security session data for a device.
454 * @param instance security instance.
457 * - Size of the private data, if successful
458 * - 0 if device is invalid or does not support the operation.
461 rte_security_session_get_size(struct rte_security_ctx *instance);
464 * Free security session header and the session private data and
465 * return it to its original mempool.
467 * @param instance security instance
468 * @param sess security session to be freed
472 * - -EINVAL if session or context instance is NULL.
473 * - -EBUSY if not all device private data has been freed.
474 * - -ENOTSUP if destroying private data is not supported.
475 * - other negative values in case of freeing private data errors.
478 rte_security_session_destroy(struct rte_security_ctx *instance,
479 struct rte_security_session *sess);
481 /** Device-specific metadata field type */
482 typedef uint64_t rte_security_dynfield_t;
483 /** Dynamic mbuf field for device-specific metadata */
484 extern int rte_security_dynfield_offset;
488 * @b EXPERIMENTAL: this API may change without prior notice
490 * Get pointer to mbuf field for device-specific metadata.
492 * For performance reason, no check is done,
493 * the dynamic field may not be registered.
494 * @see rte_security_dynfield_is_registered
496 * @param mbuf packet to access
497 * @return pointer to mbuf field
500 static inline rte_security_dynfield_t *
501 rte_security_dynfield(struct rte_mbuf *mbuf)
503 return RTE_MBUF_DYNFIELD(mbuf,
504 rte_security_dynfield_offset,
505 rte_security_dynfield_t *);
510 * @b EXPERIMENTAL: this API may change without prior notice
512 * Check whether the dynamic field is registered.
514 * @return true if rte_security_dynfield_register() has been called.
517 static inline bool rte_security_dynfield_is_registered(void)
519 return rte_security_dynfield_offset >= 0;
522 /** Function to call PMD specific function pointer set_pkt_metadata() */
524 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
525 struct rte_security_session *sess,
526 struct rte_mbuf *m, void *params);
529 * Updates the buffer with device-specific defined metadata
531 * @param instance security instance
532 * @param sess security session
533 * @param mb packet mbuf to set metadata on.
534 * @param params device-specific defined parameters
535 * required for metadata
538 * - On success, zero.
539 * - On failure, a negative value.
542 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
543 struct rte_security_session *sess,
544 struct rte_mbuf *mb, void *params)
547 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
548 *rte_security_dynfield(mb) =
549 (rte_security_dynfield_t)(sess->sess_private_data);
553 /* Jump to PMD specific function pointer */
554 return __rte_security_set_pkt_metadata(instance, sess, mb, params);
557 /** Function to call PMD specific function pointer get_userdata() */
559 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
563 * Get userdata associated with the security session. Device specific metadata
564 * provided would be used to uniquely identify the security session being
565 * referred to. This userdata would be registered while creating the session,
566 * and application can use this to identify the SA etc.
568 * Device specific metadata would be set in mbuf for inline processed inbound
569 * packets. In addition, the same metadata would be set for IPsec events
570 * reported by rte_eth_event framework.
572 * @param instance security instance
573 * @param md device-specific metadata
576 * - On success, userdata
581 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
584 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
585 return (void *)(uintptr_t)md;
587 /* Jump to PMD specific function pointer */
588 return __rte_security_get_userdata(instance, md);
592 * Attach a session to a symmetric crypto operation
594 * @param sym_op crypto operation
595 * @param sess security session
598 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
599 struct rte_security_session *sess)
601 sym_op->sec_session = sess;
607 get_sec_session_private_data(const struct rte_security_session *sess)
609 return sess->sess_private_data;
613 set_sec_session_private_data(struct rte_security_session *sess,
616 sess->sess_private_data = private_data;
620 * Attach a session to a crypto operation.
621 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
622 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
623 * defined to perform security operations.
625 * @param op crypto operation
626 * @param sess security session
629 rte_security_attach_session(struct rte_crypto_op *op,
630 struct rte_security_session *sess)
632 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
635 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
637 return __rte_security_attach_session(op->sym, sess);
640 struct rte_security_macsec_stats {
644 struct rte_security_ipsec_stats {
645 uint64_t ipackets; /**< Successfully received IPsec packets. */
646 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
647 uint64_t ibytes; /**< Successfully received IPsec bytes. */
648 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
649 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
650 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
651 uint64_t reserved1; /**< Reserved for future use. */
652 uint64_t reserved2; /**< Reserved for future use. */
655 struct rte_security_pdcp_stats {
659 struct rte_security_docsis_stats {
663 struct rte_security_stats {
664 enum rte_security_session_protocol protocol;
665 /**< Security protocol to be configured */
669 struct rte_security_macsec_stats macsec;
670 struct rte_security_ipsec_stats ipsec;
671 struct rte_security_pdcp_stats pdcp;
672 struct rte_security_docsis_stats docsis;
677 * Get security session statistics
679 * @param instance security instance
680 * @param sess security session
681 * If security session is NULL then global (per security instance) statistics
682 * will be retrieved, if supported. Global statistics collection is not
683 * dependent on the per session statistics configuration.
684 * @param stats statistics
686 * - On success, return 0
687 * - On failure, a negative value
691 rte_security_session_stats_get(struct rte_security_ctx *instance,
692 struct rte_security_session *sess,
693 struct rte_security_stats *stats);
696 * Security capability definition
698 struct rte_security_capability {
699 enum rte_security_session_action_type action;
700 /**< Security action type*/
701 enum rte_security_session_protocol protocol;
702 /**< Security protocol */
706 enum rte_security_ipsec_sa_protocol proto;
707 /**< IPsec SA protocol */
708 enum rte_security_ipsec_sa_mode mode;
709 /**< IPsec SA mode */
710 enum rte_security_ipsec_sa_direction direction;
711 /**< IPsec SA direction */
712 struct rte_security_ipsec_sa_options options;
713 /**< IPsec SA supported options */
714 uint32_t replay_win_sz_max;
715 /**< IPsec Anti Replay Window Size. A '0' value
716 * indicates that Anti Replay is not supported.
719 /**< IPsec capability */
724 /**< MACsec capability */
726 enum rte_security_pdcp_domain domain;
727 /**< PDCP mode of operation: Control or data */
729 /**< Capability flags, see RTE_SECURITY_PDCP_* */
731 /**< PDCP capability */
733 enum rte_security_docsis_direction direction;
734 /**< DOCSIS direction */
736 /**< DOCSIS capability */
739 const struct rte_cryptodev_capabilities *crypto_capabilities;
740 /**< Corresponding crypto capabilities for security capability */
743 /**< Device offload flags */
746 /** Underlying Hardware/driver which support PDCP may or may not support
747 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
748 * If it is not set, driver/HW assumes packets received are in order
749 * and it will be application's responsibility to maintain ordering.
751 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
753 /** Underlying Hardware/driver which support PDCP may or may not detect
754 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
755 * If it is not set, driver/HW assumes there is no duplicate packet received.
757 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
759 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
760 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
763 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
764 /**< HW constructs trailer of packets
765 * Transmitted packets will have the trailer added to them
766 * by hardware. The next protocol field will be based on
767 * the mbuf->inner_esp_next_proto field.
769 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
770 /**< HW removes trailer of packets
771 * Received packets have no trailer, the next protocol field
772 * is supplied in the mbuf->inner_esp_next_proto field.
773 * Inner packet is not modified.
777 * Security capability index used to query a security instance for a specific
778 * security capability
780 struct rte_security_capability_idx {
781 enum rte_security_session_action_type action;
782 enum rte_security_session_protocol protocol;
787 enum rte_security_ipsec_sa_protocol proto;
788 enum rte_security_ipsec_sa_mode mode;
789 enum rte_security_ipsec_sa_direction direction;
792 enum rte_security_pdcp_domain domain;
796 enum rte_security_docsis_direction direction;
802 * Returns array of security instance capabilities
804 * @param instance Security instance.
807 * - Returns array of security capabilities.
808 * - Return NULL if no capabilities available.
810 const struct rte_security_capability *
811 rte_security_capabilities_get(struct rte_security_ctx *instance);
814 * Query if a specific capability is available on security instance
816 * @param instance security instance.
817 * @param idx security capability index to match against
820 * - Returns pointer to security capability on match of capability
822 * - Return NULL if the capability not matched on security instance.
824 const struct rte_security_capability *
825 rte_security_capability_get(struct rte_security_ctx *instance,
826 struct rte_security_capability_idx *idx);
832 #endif /* _RTE_SECURITY_H_ */