X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=lib%2Flibrte_security%2Frte_security.h;h=16839e53997dc348810654c016dc264e99d66c23;hb=a8cdfc69c84b7740646368a46bbd3d4d6ddf97b0;hp=ca1e91203e217334695290456dd9fe7a7215b2be;hpb=807b94b851c03db795d2a602e5b4222279806c7e;p=dpdk.git diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index ca1e91203e..16839e5399 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -1,34 +1,6 @@ -/*- - * BSD LICENSE - * - * Copyright 2017 NXP. - * Copyright(c) 2017 Intel Corporation. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * * Neither the name of NXP nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright 2017,2019 NXP + * Copyright(c) 2017-2020 Intel Corporation. */ #ifndef _RTE_SECURITY_H_ @@ -36,7 +8,6 @@ /** * @file rte_security.h - * @b EXPERIMENTAL: this API may change without prior notice * * RTE Security Common Definitions * @@ -144,14 +115,14 @@ struct rte_security_ipsec_tunnel_param { * IPsec Security Association option flags */ struct rte_security_ipsec_sa_options { - /**< Extended Sequence Numbers (ESN) + /** Extended Sequence Numbers (ESN) * * * 1: Use extended (64 bit) sequence numbers * * 0: Use normal sequence numbers */ uint32_t esn : 1; - /**< UDP encapsulation + /** UDP encapsulation * * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can * traverse through NAT boxes. @@ -159,7 +130,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t udp_encap : 1; - /**< Copy DSCP bits + /** Copy DSCP bits * * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to * the outer IP header in encapsulation, and vice versa in @@ -168,7 +139,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_dscp : 1; - /**< Copy IPv6 Flow Label + /** Copy IPv6 Flow Label * * * 1: Copy IPv6 flow label from inner IPv6 header to the * outer IPv6 header. @@ -176,7 +147,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_flabel : 1; - /**< Copy IPv4 Don't Fragment bit + /** Copy IPv4 Don't Fragment bit * * * 1: Copy the DF bit from the inner IPv4 header to the outer * IPv4 header. @@ -184,7 +155,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_df : 1; - /**< Decrement inner packet Time To Live (TTL) field + /** Decrement inner packet Time To Live (TTL) field * * * 1: In tunnel mode, decrement inner packet IPv4 TTL or * IPv6 Hop Limit after tunnel decapsulation, or before tunnel @@ -192,6 +163,23 @@ struct rte_security_ipsec_sa_options { * * 0: Inner packet is not modified. */ uint32_t dec_ttl : 1; + + /** Explicit Congestion Notification (ECN) + * + * * 1: In tunnel mode, enable outer header ECN Field copied from + * inner header in tunnel encapsulation, or inner header ECN + * field construction in decapsulation. + * * 0: Inner/outer header are not modified. + */ + uint32_t ecn : 1; + + /** Security statistics + * + * * 1: Enable per session security statistics collection for + * this SA, if supported by the driver. + * * 0: Disable per session security statistics collection for this SA. + */ + uint32_t stats : 1; }; /** IPSec security association direction */ @@ -224,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -234,6 +226,95 @@ struct rte_security_macsec_xform { int dummy; }; +/** + * PDCP Mode of session + */ +enum rte_security_pdcp_domain { + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ +}; + +/** PDCP Frame direction */ +enum rte_security_pdcp_direction { + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ +}; + +/** PDCP Sequence Number Size selectors */ +enum rte_security_pdcp_sn_size { + /** PDCP_SN_SIZE_5: 5bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_5 = 5, + /** PDCP_SN_SIZE_7: 7bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_7 = 7, + /** PDCP_SN_SIZE_12: 12bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_12 = 12, + /** PDCP_SN_SIZE_15: 15bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_15 = 15, + /** PDCP_SN_SIZE_18: 18bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 +}; + +/** + * PDCP security association configuration data. + * + * This structure contains data required to create a PDCP security session. + */ +struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /** Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t en_ordering; + /** Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + uint8_t remove_duplicates; + /** PDCP mode of operation: Control or data */ + enum rte_security_pdcp_domain domain; + /** PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /** Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /** Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /** HFN Threshold for key renegotiation */ + uint32_t hfn_threshold; + /** HFN can be given as a per packet value also. + * As we do not have IV in case of PDCP, and HFN is + * used to generate IV. IV field can be used to get the + * per packet HFN while enq/deq. + * If hfn_ovrd field is set, user is expected to set the + * per packet HFN in place of IV. PMDs will extract the HFN + * and perform operations accordingly. + */ + uint32_t hfn_ovrd; +}; + +/** DOCSIS direction */ +enum rte_security_docsis_direction { + RTE_SECURITY_DOCSIS_UPLINK, + /**< Uplink + * - Decryption, followed by CRC Verification + */ + RTE_SECURITY_DOCSIS_DOWNLINK, + /**< Downlink + * - CRC Generation, followed by Encryption + */ +}; + +/** + * DOCSIS security session configuration. + * + * This structure contains data required to create a DOCSIS security session. + */ +struct rte_security_docsis_xform { + enum rte_security_docsis_direction direction; + /**< DOCSIS direction */ +}; + /** * Security session action type. */ @@ -248,10 +329,14 @@ enum rte_security_session_action_type { /**< All security protocol processing is performed inline during * transmission */ - RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, /**< All security protocol processing including crypto is performed * on a lookaside accelerator */ + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO + /**< Similar to ACTION_TYPE_NONE but crypto processing for security + * protocol is processed synchronously by a CPU. + */ }; /** Security session protocol definition */ @@ -260,6 +345,10 @@ enum rte_security_session_protocol { /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ + RTE_SECURITY_PROTOCOL_DOCSIS, + /**< DOCSIS Protocol */ }; /** @@ -274,6 +363,8 @@ struct rte_security_session_conf { union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; + struct rte_security_docsis_xform docsis; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -285,6 +376,8 @@ struct rte_security_session_conf { struct rte_security_session { void *sess_private_data; /**< Private session material */ + uint64_t opaque_data; + /**< Opaque user defined data */ }; /** @@ -297,7 +390,7 @@ struct rte_security_session { * - On success, pointer to session * - On failure, NULL */ -struct rte_security_session * __rte_experimental +struct rte_security_session * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp); @@ -310,9 +403,10 @@ rte_security_session_create(struct rte_security_ctx *instance, * @param conf update configuration parameters * @return * - On success returns 0 - * - On failure return errno + * - On failure returns a negative errno value. */ -int __rte_experimental +__rte_experimental +int rte_security_session_update(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_session_conf *conf); @@ -326,7 +420,7 @@ rte_security_session_update(struct rte_security_ctx *instance, * - Size of the private data, if successful * - 0 if device is invalid or does not support the operation. */ -unsigned int __rte_experimental +unsigned int rte_security_session_get_size(struct rte_security_ctx *instance); /** @@ -334,14 +428,16 @@ rte_security_session_get_size(struct rte_security_ctx *instance); * return it to its original mempool. * * @param instance security instance - * @param sess security session to freed + * @param sess security session to be freed * * @return * - 0 if successful. - * - -EINVAL if session is NULL. + * - -EINVAL if session or context instance is NULL. * - -EBUSY if not all device private data has been freed. + * - -ENOTSUP if destroying private data is not supported. + * - other negative values in case of freeing private data errors. */ -int __rte_experimental +int rte_security_session_destroy(struct rte_security_ctx *instance, struct rte_security_session *sess); @@ -358,27 +454,30 @@ rte_security_session_destroy(struct rte_security_ctx *instance, * - On success, zero. * - On failure, a negative value. */ -int __rte_experimental +int rte_security_set_pkt_metadata(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_mbuf *mb, void *params); /** - * Get userdata associated with the security session which processed the - * packet. This userdata would be registered while creating the session, and - * application can use this to identify the SA etc. Device-specific metadata - * in the mbuf would be used for this. + * Get userdata associated with the security session. Device specific metadata + * provided would be used to uniquely identify the security session being + * referred to. This userdata would be registered while creating the session, + * and application can use this to identify the SA etc. * - * This is valid only for inline processed ingress packets. + * Device specific metadata would be set in mbuf for inline processed inbound + * packets. In addition, the same metadata would be set for IPsec events + * reported by rte_eth_event framework. * * @param instance security instance - * @param md device-specific metadata set in mbuf + * @param md device-specific metadata * * @return * - On success, userdata * - On failure, NULL */ -void * __rte_experimental +__rte_experimental +void * rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); /** @@ -387,7 +486,7 @@ rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); * @param sym_op crypto operation * @param sess security session */ -static inline int __rte_experimental +static inline int __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, struct rte_security_session *sess) { @@ -396,13 +495,13 @@ __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, return 0; } -static inline void * __rte_experimental +static inline void * get_sec_session_private_data(const struct rte_security_session *sess) { return sess->sess_private_data; } -static inline void __rte_experimental +static inline void set_sec_session_private_data(struct rte_security_session *sess, void *private_data) { @@ -418,7 +517,7 @@ set_sec_session_private_data(struct rte_security_session *sess, * @param op crypto operation * @param sess security session */ -static inline int __rte_experimental +static inline int rte_security_attach_session(struct rte_crypto_op *op, struct rte_security_session *sess) { @@ -435,8 +534,22 @@ struct rte_security_macsec_stats { }; struct rte_security_ipsec_stats { + uint64_t ipackets; /**< Successfully received IPsec packets. */ + uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ + uint64_t ibytes; /**< Successfully received IPsec bytes. */ + uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ + uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ + uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ + uint64_t reserved1; /**< Reserved for future use. */ + uint64_t reserved2; /**< Reserved for future use. */ +}; + +struct rte_security_pdcp_stats { uint64_t reserved; +}; +struct rte_security_docsis_stats { + uint64_t reserved; }; struct rte_security_stats { @@ -447,6 +560,8 @@ struct rte_security_stats { union { struct rte_security_macsec_stats macsec; struct rte_security_ipsec_stats ipsec; + struct rte_security_pdcp_stats pdcp; + struct rte_security_docsis_stats docsis; }; }; @@ -455,12 +570,16 @@ struct rte_security_stats { * * @param instance security instance * @param sess security session + * If security session is NULL then global (per security instance) statistics + * will be retrieved, if supported. Global statistics collection is not + * dependent on the per session statistics configuration. * @param stats statistics * @return - * - On success return 0 - * - On failure errno + * - On success, return 0 + * - On failure, a negative value */ -int __rte_experimental +__rte_experimental +int rte_security_session_stats_get(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_stats *stats); @@ -484,6 +603,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay is not supported. + */ } ipsec; /**< IPsec capability */ struct { @@ -491,6 +614,18 @@ struct rte_security_capability { int dummy; } macsec; /**< MACsec capability */ + struct { + enum rte_security_pdcp_domain domain; + /**< PDCP mode of operation: Control or data */ + uint32_t capa_flags; + /**< Capability flags, see RTE_SECURITY_PDCP_* */ + } pdcp; + /**< PDCP capability */ + struct { + enum rte_security_docsis_direction direction; + /**< DOCSIS direction */ + } docsis; + /**< DOCSIS capability */ }; const struct rte_cryptodev_capabilities *crypto_capabilities; @@ -500,6 +635,19 @@ struct rte_security_capability { /**< Device offload flags */ }; +/** Underlying Hardware/driver which support PDCP may or may not support + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. + * If it is not set, driver/HW assumes packets received are in order + * and it will be application's responsibility to maintain ordering. + */ +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 + +/** Underlying Hardware/driver which support PDCP may or may not detect + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. + * If it is not set, driver/HW assumes there is no duplicate packet received. + */ +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 + #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). */ @@ -507,7 +655,7 @@ struct rte_security_capability { #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 /**< HW constructs trailer of packets * Transmitted packets will have the trailer added to them - * by hardawre. The next protocol field will be based on + * by hardware. The next protocol field will be based on * the mbuf->inner_esp_next_proto field. */ #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 @@ -532,6 +680,13 @@ struct rte_security_capability_idx { enum rte_security_ipsec_sa_mode mode; enum rte_security_ipsec_sa_direction direction; } ipsec; + struct { + enum rte_security_pdcp_domain domain; + uint32_t capa_flags; + } pdcp; + struct { + enum rte_security_docsis_direction direction; + } docsis; }; }; @@ -544,7 +699,7 @@ struct rte_security_capability_idx { * - Returns array of security capabilities. * - Return NULL if no capabilities available. */ -const struct rte_security_capability * __rte_experimental +const struct rte_security_capability * rte_security_capabilities_get(struct rte_security_ctx *instance); /** @@ -558,7 +713,7 @@ rte_security_capabilities_get(struct rte_security_ctx *instance); * index criteria. * - Return NULL if the capability not matched on security instance. */ -const struct rte_security_capability * __rte_experimental +const struct rte_security_capability * rte_security_capability_get(struct rte_security_ctx *instance, struct rte_security_capability_idx *idx);