1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
10 * @file rte_security.h
12 * RTE Security Common Definitions
20 #include <sys/types.h>
22 #include <netinet/in.h>
23 #include <netinet/ip.h>
24 #include <netinet/ip6.h>
26 #include <rte_compat.h>
27 #include <rte_common.h>
28 #include <rte_crypto.h>
30 #include <rte_mbuf_dyn.h>
31 #include <rte_memory.h>
32 #include <rte_mempool.h>
34 /** IPSec protocol mode */
35 enum rte_security_ipsec_sa_mode {
36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
37 /**< IPSec Transport mode */
38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
39 /**< IPSec Tunnel mode */
43 enum rte_security_ipsec_sa_protocol {
44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
46 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
50 /** IPSEC tunnel type */
51 enum rte_security_ipsec_tunnel_type {
52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
53 /**< Outer header is IPv4 */
54 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
55 /**< Outer header is IPv6 */
59 * IPSEC tunnel header verification mode
61 * Controls how outer IP header is verified in inbound.
63 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
64 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
67 * Security context for crypto/eth devices
69 * Security instance for each driver to register security operations.
70 * The application can get the security context from the crypto/eth device id
71 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
72 * This structure is used to identify the device(crypto/eth) for which the
73 * security operations need to be performed.
75 struct rte_security_ctx {
77 /**< Crypto/ethernet device attached */
78 const struct rte_security_ops *ops;
79 /**< Pointer to security ops for the device */
81 /**< Number of sessions attached to this context */
83 /**< Flags for security context */
86 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
87 /**< Driver uses fast metadata update without using driver specific callback */
89 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
90 /**< Driver provides udata using fast method without using driver specific
91 * callback. For fast mdata and udata, mbuf dynamic field would be registered
92 * by driver via rte_security_dynfield_register().
96 * IPSEC tunnel parameters
98 * These parameters are used to build outbound tunnel headers.
100 struct rte_security_ipsec_tunnel_param {
101 enum rte_security_ipsec_tunnel_type type;
102 /**< Tunnel type: IPv4 or IPv6 */
106 struct in_addr src_ip;
107 /**< IPv4 source address */
108 struct in_addr dst_ip;
109 /**< IPv4 destination address */
111 /**< IPv4 Differentiated Services Code Point */
113 /**< IPv4 Don't Fragment bit */
115 /**< IPv4 Time To Live */
117 /**< IPv4 header parameters */
119 struct in6_addr src_addr;
120 /**< IPv6 source address */
121 struct in6_addr dst_addr;
122 /**< IPv6 destination address */
124 /**< IPv6 Differentiated Services Code Point */
126 /**< IPv6 flow label */
128 /**< IPv6 hop limit */
130 /**< IPv6 header parameters */
135 * IPsec Security Association option flags
137 struct rte_security_ipsec_sa_options {
138 /** Extended Sequence Numbers (ESN)
140 * * 1: Use extended (64 bit) sequence numbers
141 * * 0: Use normal sequence numbers
145 /** UDP encapsulation
147 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
148 * traverse through NAT boxes.
149 * * 0: No UDP encapsulation
151 uint32_t udp_encap : 1;
155 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
156 * the outer IP header in encapsulation, and vice versa in
158 * * 0: Do not change DSCP field.
160 uint32_t copy_dscp : 1;
162 /** Copy IPv6 Flow Label
164 * * 1: Copy IPv6 flow label from inner IPv6 header to the
166 * * 0: Outer header is not modified.
168 uint32_t copy_flabel : 1;
170 /** Copy IPv4 Don't Fragment bit
172 * * 1: Copy the DF bit from the inner IPv4 header to the outer
174 * * 0: Outer header is not modified.
176 uint32_t copy_df : 1;
178 /** Decrement inner packet Time To Live (TTL) field
180 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
181 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
183 * * 0: Inner packet is not modified.
185 uint32_t dec_ttl : 1;
187 /** Explicit Congestion Notification (ECN)
189 * * 1: In tunnel mode, enable outer header ECN Field copied from
190 * inner header in tunnel encapsulation, or inner header ECN
191 * field construction in decapsulation.
192 * * 0: Inner/outer header are not modified.
196 /** Security statistics
198 * * 1: Enable per session security statistics collection for
199 * this SA, if supported by the driver.
200 * * 0: Disable per session security statistics collection for this SA.
204 /** Disable IV generation in PMD
206 * * 1: Disable IV generation in PMD. When disabled, IV provided in
207 * rte_crypto_op will be used by the PMD.
209 * * 0: Enable IV generation in PMD. When enabled, PMD generated random
210 * value would be used and application is not required to provide
213 * Note: For inline cases, IV generation would always need to be handled
216 uint32_t iv_gen_disable : 1;
218 /** Verify tunnel header in inbound
219 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
222 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
223 * source and destination IP addresses.
225 uint32_t tunnel_hdr_verify : 2;
228 /** IPSec security association direction */
229 enum rte_security_ipsec_sa_direction {
230 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
231 /**< Encrypt and generate digest */
232 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
233 /**< Verify digest and decrypt */
237 * Configure soft and hard lifetime of an IPsec SA
239 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
240 * that can be processed. IPsec operations would start failing once any hard
243 * Soft limits can be specified to generate notification when the SA is
244 * approaching hard limits for lifetime. For inline operations, reaching soft
245 * expiry limit would result in raising an eth event for the same. For lookaside
246 * operations, this would result in a warning returned in
247 * ``rte_crypto_op.aux_flags``.
249 struct rte_security_ipsec_lifetime {
250 uint64_t packets_soft_limit;
251 /**< Soft expiry limit in number of packets */
252 uint64_t bytes_soft_limit;
253 /**< Soft expiry limit in bytes */
254 uint64_t packets_hard_limit;
255 /**< Soft expiry limit in number of packets */
256 uint64_t bytes_hard_limit;
257 /**< Soft expiry limit in bytes */
261 * IPsec security association configuration data.
263 * This structure contains data required to create an IPsec SA security session.
265 struct rte_security_ipsec_xform {
267 /**< SA security parameter index */
270 struct rte_security_ipsec_sa_options options;
271 /**< various SA options */
272 enum rte_security_ipsec_sa_direction direction;
273 /**< IPSec SA Direction - Egress/Ingress */
274 enum rte_security_ipsec_sa_protocol proto;
275 /**< IPsec SA Protocol - AH/ESP */
276 enum rte_security_ipsec_sa_mode mode;
277 /**< IPsec SA Mode - transport/tunnel */
278 struct rte_security_ipsec_tunnel_param tunnel;
279 /**< Tunnel parameters, NULL for transport mode */
280 struct rte_security_ipsec_lifetime life;
281 /**< IPsec SA lifetime */
282 uint32_t replay_win_sz;
283 /**< Anti replay window size to enable sequence replay attack handling.
284 * replay checking is disabled if the window size is 0.
289 * MACsec security session configuration
291 struct rte_security_macsec_xform {
297 * PDCP Mode of session
299 enum rte_security_pdcp_domain {
300 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
301 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
302 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */
305 /** PDCP Frame direction */
306 enum rte_security_pdcp_direction {
307 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
308 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
311 /** PDCP Sequence Number Size selectors */
312 enum rte_security_pdcp_sn_size {
313 /** PDCP_SN_SIZE_5: 5bit sequence number */
314 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
315 /** PDCP_SN_SIZE_7: 7bit sequence number */
316 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
317 /** PDCP_SN_SIZE_12: 12bit sequence number */
318 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
319 /** PDCP_SN_SIZE_15: 15bit sequence number */
320 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
321 /** PDCP_SN_SIZE_18: 18bit sequence number */
322 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
326 * PDCP security association configuration data.
328 * This structure contains data required to create a PDCP security session.
330 struct rte_security_pdcp_xform {
331 int8_t bearer; /**< PDCP bearer ID */
332 /** Enable in order delivery, this field shall be set only if
333 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
336 /** Notify driver/HW to detect and remove duplicate packets.
337 * This field should be set only when driver/hw is capable.
338 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
340 uint8_t remove_duplicates;
341 /** PDCP mode of operation: Control or data */
342 enum rte_security_pdcp_domain domain;
343 /** PDCP Frame Direction 0:UL 1:DL */
344 enum rte_security_pdcp_direction pkt_dir;
345 /** Sequence number size, 5/7/12/15/18 */
346 enum rte_security_pdcp_sn_size sn_size;
347 /** Starting Hyper Frame Number to be used together with the SN
348 * from the PDCP frames
351 /** HFN Threshold for key renegotiation */
352 uint32_t hfn_threshold;
353 /** HFN can be given as a per packet value also.
354 * As we do not have IV in case of PDCP, and HFN is
355 * used to generate IV. IV field can be used to get the
356 * per packet HFN while enq/deq.
357 * If hfn_ovrd field is set, user is expected to set the
358 * per packet HFN in place of IV. PMDs will extract the HFN
359 * and perform operations accordingly.
362 /** In case of 5G NR, a new protocol (SDAP) header may be set
363 * inside PDCP payload which should be authenticated but not
364 * encrypted. Hence, driver should be notified if SDAP is
365 * enabled or not, so that SDAP header is not encrypted.
367 uint8_t sdap_enabled;
368 /** Reserved for future */
372 /** DOCSIS direction */
373 enum rte_security_docsis_direction {
374 RTE_SECURITY_DOCSIS_UPLINK,
376 * - Decryption, followed by CRC Verification
378 RTE_SECURITY_DOCSIS_DOWNLINK,
380 * - CRC Generation, followed by Encryption
385 * DOCSIS security session configuration.
387 * This structure contains data required to create a DOCSIS security session.
389 struct rte_security_docsis_xform {
390 enum rte_security_docsis_direction direction;
391 /**< DOCSIS direction */
395 * Security session action type.
397 enum rte_security_session_action_type {
398 RTE_SECURITY_ACTION_TYPE_NONE,
399 /**< No security actions */
400 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
401 /**< Crypto processing for security protocol is processed inline
402 * during transmission
404 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
405 /**< All security protocol processing is performed inline during
408 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
409 /**< All security protocol processing including crypto is performed
410 * on a lookaside accelerator
412 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
413 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
414 * protocol is processed synchronously by a CPU.
418 /** Security session protocol definition */
419 enum rte_security_session_protocol {
420 RTE_SECURITY_PROTOCOL_IPSEC = 1,
421 /**< IPsec Protocol */
422 RTE_SECURITY_PROTOCOL_MACSEC,
423 /**< MACSec Protocol */
424 RTE_SECURITY_PROTOCOL_PDCP,
425 /**< PDCP Protocol */
426 RTE_SECURITY_PROTOCOL_DOCSIS,
427 /**< DOCSIS Protocol */
431 * Security session configuration
433 struct rte_security_session_conf {
434 enum rte_security_session_action_type action_type;
435 /**< Type of action to be performed on the session */
436 enum rte_security_session_protocol protocol;
437 /**< Security protocol to be configured */
440 struct rte_security_ipsec_xform ipsec;
441 struct rte_security_macsec_xform macsec;
442 struct rte_security_pdcp_xform pdcp;
443 struct rte_security_docsis_xform docsis;
445 /**< Configuration parameters for security session */
446 struct rte_crypto_sym_xform *crypto_xform;
447 /**< Security Session Crypto Transformations */
449 /**< Application specific userdata to be saved with session */
452 struct rte_security_session {
453 void *sess_private_data;
454 /**< Private session material */
455 uint64_t opaque_data;
456 /**< Opaque user defined data */
460 * Create security session as specified by the session configuration
462 * @param instance security instance
463 * @param conf session configuration parameters
464 * @param mp mempool to allocate session objects from
465 * @param priv_mp mempool to allocate session private data objects from
467 * - On success, pointer to session
470 struct rte_security_session *
471 rte_security_session_create(struct rte_security_ctx *instance,
472 struct rte_security_session_conf *conf,
473 struct rte_mempool *mp,
474 struct rte_mempool *priv_mp);
477 * Update security session as specified by the session configuration
479 * @param instance security instance
480 * @param sess session to update parameters
481 * @param conf update configuration parameters
483 * - On success returns 0
484 * - On failure returns a negative errno value.
488 rte_security_session_update(struct rte_security_ctx *instance,
489 struct rte_security_session *sess,
490 struct rte_security_session_conf *conf);
493 * Get the size of the security session data for a device.
495 * @param instance security instance.
498 * - Size of the private data, if successful
499 * - 0 if device is invalid or does not support the operation.
502 rte_security_session_get_size(struct rte_security_ctx *instance);
505 * Free security session header and the session private data and
506 * return it to its original mempool.
508 * @param instance security instance
509 * @param sess security session to be freed
513 * - -EINVAL if session or context instance is NULL.
514 * - -EBUSY if not all device private data has been freed.
515 * - -ENOTSUP if destroying private data is not supported.
516 * - other negative values in case of freeing private data errors.
519 rte_security_session_destroy(struct rte_security_ctx *instance,
520 struct rte_security_session *sess);
522 /** Device-specific metadata field type */
523 typedef uint64_t rte_security_dynfield_t;
524 /** Dynamic mbuf field for device-specific metadata */
525 extern int rte_security_dynfield_offset;
529 * @b EXPERIMENTAL: this API may change without prior notice
531 * Get pointer to mbuf field for device-specific metadata.
533 * For performance reason, no check is done,
534 * the dynamic field may not be registered.
535 * @see rte_security_dynfield_is_registered
537 * @param mbuf packet to access
538 * @return pointer to mbuf field
541 static inline rte_security_dynfield_t *
542 rte_security_dynfield(struct rte_mbuf *mbuf)
544 return RTE_MBUF_DYNFIELD(mbuf,
545 rte_security_dynfield_offset,
546 rte_security_dynfield_t *);
551 * @b EXPERIMENTAL: this API may change without prior notice
553 * Check whether the dynamic field is registered.
555 * @return true if rte_security_dynfield_register() has been called.
558 static inline bool rte_security_dynfield_is_registered(void)
560 return rte_security_dynfield_offset >= 0;
563 /** Function to call PMD specific function pointer set_pkt_metadata() */
565 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
566 struct rte_security_session *sess,
567 struct rte_mbuf *m, void *params);
570 * Updates the buffer with device-specific defined metadata
572 * @param instance security instance
573 * @param sess security session
574 * @param mb packet mbuf to set metadata on.
575 * @param params device-specific defined parameters
576 * required for metadata
579 * - On success, zero.
580 * - On failure, a negative value.
583 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
584 struct rte_security_session *sess,
585 struct rte_mbuf *mb, void *params)
588 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
589 *rte_security_dynfield(mb) =
590 (rte_security_dynfield_t)(sess->sess_private_data);
594 /* Jump to PMD specific function pointer */
595 return __rte_security_set_pkt_metadata(instance, sess, mb, params);
598 /** Function to call PMD specific function pointer get_userdata() */
600 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
604 * Get userdata associated with the security session. Device specific metadata
605 * provided would be used to uniquely identify the security session being
606 * referred to. This userdata would be registered while creating the session,
607 * and application can use this to identify the SA etc.
609 * Device specific metadata would be set in mbuf for inline processed inbound
610 * packets. In addition, the same metadata would be set for IPsec events
611 * reported by rte_eth_event framework.
613 * @param instance security instance
614 * @param md device-specific metadata
617 * - On success, userdata
622 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
625 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
626 return (void *)(uintptr_t)md;
628 /* Jump to PMD specific function pointer */
629 return __rte_security_get_userdata(instance, md);
633 * Attach a session to a symmetric crypto operation
635 * @param sym_op crypto operation
636 * @param sess security session
639 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
640 struct rte_security_session *sess)
642 sym_op->sec_session = sess;
648 get_sec_session_private_data(const struct rte_security_session *sess)
650 return sess->sess_private_data;
654 set_sec_session_private_data(struct rte_security_session *sess,
657 sess->sess_private_data = private_data;
661 * Attach a session to a crypto operation.
662 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
663 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
664 * defined to perform security operations.
666 * @param op crypto operation
667 * @param sess security session
670 rte_security_attach_session(struct rte_crypto_op *op,
671 struct rte_security_session *sess)
673 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
676 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
678 return __rte_security_attach_session(op->sym, sess);
681 struct rte_security_macsec_stats {
685 struct rte_security_ipsec_stats {
686 uint64_t ipackets; /**< Successfully received IPsec packets. */
687 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
688 uint64_t ibytes; /**< Successfully received IPsec bytes. */
689 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
690 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
691 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
692 uint64_t reserved1; /**< Reserved for future use. */
693 uint64_t reserved2; /**< Reserved for future use. */
696 struct rte_security_pdcp_stats {
700 struct rte_security_docsis_stats {
704 struct rte_security_stats {
705 enum rte_security_session_protocol protocol;
706 /**< Security protocol to be configured */
710 struct rte_security_macsec_stats macsec;
711 struct rte_security_ipsec_stats ipsec;
712 struct rte_security_pdcp_stats pdcp;
713 struct rte_security_docsis_stats docsis;
718 * Get security session statistics
720 * @param instance security instance
721 * @param sess security session
722 * If security session is NULL then global (per security instance) statistics
723 * will be retrieved, if supported. Global statistics collection is not
724 * dependent on the per session statistics configuration.
725 * @param stats statistics
727 * - On success, return 0
728 * - On failure, a negative value
732 rte_security_session_stats_get(struct rte_security_ctx *instance,
733 struct rte_security_session *sess,
734 struct rte_security_stats *stats);
737 * Security capability definition
739 struct rte_security_capability {
740 enum rte_security_session_action_type action;
741 /**< Security action type*/
742 enum rte_security_session_protocol protocol;
743 /**< Security protocol */
747 enum rte_security_ipsec_sa_protocol proto;
748 /**< IPsec SA protocol */
749 enum rte_security_ipsec_sa_mode mode;
750 /**< IPsec SA mode */
751 enum rte_security_ipsec_sa_direction direction;
752 /**< IPsec SA direction */
753 struct rte_security_ipsec_sa_options options;
754 /**< IPsec SA supported options */
755 uint32_t replay_win_sz_max;
756 /**< IPsec Anti Replay Window Size. A '0' value
757 * indicates that Anti Replay is not supported.
760 /**< IPsec capability */
765 /**< MACsec capability */
767 enum rte_security_pdcp_domain domain;
768 /**< PDCP mode of operation: Control or data */
770 /**< Capability flags, see RTE_SECURITY_PDCP_* */
772 /**< PDCP capability */
774 enum rte_security_docsis_direction direction;
775 /**< DOCSIS direction */
777 /**< DOCSIS capability */
780 const struct rte_cryptodev_capabilities *crypto_capabilities;
781 /**< Corresponding crypto capabilities for security capability */
784 /**< Device offload flags */
787 /** Underlying Hardware/driver which support PDCP may or may not support
788 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
789 * If it is not set, driver/HW assumes packets received are in order
790 * and it will be application's responsibility to maintain ordering.
792 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
794 /** Underlying Hardware/driver which support PDCP may or may not detect
795 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
796 * If it is not set, driver/HW assumes there is no duplicate packet received.
798 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
800 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
801 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
804 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
805 /**< HW constructs trailer of packets
806 * Transmitted packets will have the trailer added to them
807 * by hardware. The next protocol field will be based on
808 * the mbuf->inner_esp_next_proto field.
810 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
811 /**< HW removes trailer of packets
812 * Received packets have no trailer, the next protocol field
813 * is supplied in the mbuf->inner_esp_next_proto field.
814 * Inner packet is not modified.
818 * Security capability index used to query a security instance for a specific
819 * security capability
821 struct rte_security_capability_idx {
822 enum rte_security_session_action_type action;
823 enum rte_security_session_protocol protocol;
828 enum rte_security_ipsec_sa_protocol proto;
829 enum rte_security_ipsec_sa_mode mode;
830 enum rte_security_ipsec_sa_direction direction;
833 enum rte_security_pdcp_domain domain;
837 enum rte_security_docsis_direction direction;
843 * Returns array of security instance capabilities
845 * @param instance Security instance.
848 * - Returns array of security capabilities.
849 * - Return NULL if no capabilities available.
851 const struct rte_security_capability *
852 rte_security_capabilities_get(struct rte_security_ctx *instance);
855 * Query if a specific capability is available on security instance
857 * @param instance security instance.
858 * @param idx security capability index to match against
861 * - Returns pointer to security capability on match of capability
863 * - Return NULL if the capability not matched on security instance.
865 const struct rte_security_capability *
866 rte_security_capability_get(struct rte_security_ctx *instance,
867 struct rte_security_capability_idx *idx);
873 #endif /* _RTE_SECURITY_H_ */