X-Git-Url: http://git.droids-corp.org/?a=blobdiff_plain;f=lib%2Flibrte_security%2Frte_security.h;h=747830d67962eb5094ed487e3b6a4417ff1760b8;hb=699a225b3861bd1a02872ed389a317f2d18c8f3a;hp=e07b1328927523ef880cc8c820f1c2181d42ce97;hpb=1a81dce780a04f6f54125e6dbf23fc78ce55be97;p=dpdk.git diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index e07b132892..747830d679 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -1,6 +1,6 @@ /* SPDX-License-Identifier: BSD-3-Clause - * Copyright 2017 NXP. - * Copyright(c) 2017 Intel Corporation. + * Copyright 2017,2019 NXP + * Copyright(c) 2017-2020 Intel Corporation. */ #ifndef _RTE_SECURITY_H_ @@ -115,14 +115,14 @@ struct rte_security_ipsec_tunnel_param { * IPsec Security Association option flags */ struct rte_security_ipsec_sa_options { - /**< Extended Sequence Numbers (ESN) + /** Extended Sequence Numbers (ESN) * * * 1: Use extended (64 bit) sequence numbers * * 0: Use normal sequence numbers */ uint32_t esn : 1; - /**< UDP encapsulation + /** UDP encapsulation * * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can * traverse through NAT boxes. @@ -130,7 +130,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t udp_encap : 1; - /**< Copy DSCP bits + /** Copy DSCP bits * * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to * the outer IP header in encapsulation, and vice versa in @@ -139,7 +139,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_dscp : 1; - /**< Copy IPv6 Flow Label + /** Copy IPv6 Flow Label * * * 1: Copy IPv6 flow label from inner IPv6 header to the * outer IPv6 header. @@ -147,7 +147,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_flabel : 1; - /**< Copy IPv4 Don't Fragment bit + /** Copy IPv4 Don't Fragment bit * * * 1: Copy the DF bit from the inner IPv4 header to the outer * IPv4 header. @@ -155,7 +155,7 @@ struct rte_security_ipsec_sa_options { */ uint32_t copy_df : 1; - /**< Decrement inner packet Time To Live (TTL) field + /** Decrement inner packet Time To Live (TTL) field * * * 1: In tunnel mode, decrement inner packet IPv4 TTL or * IPv6 Hop Limit after tunnel decapsulation, or before tunnel @@ -163,6 +163,23 @@ struct rte_security_ipsec_sa_options { * * 0: Inner packet is not modified. */ uint32_t dec_ttl : 1; + + /** Explicit Congestion Notification (ECN) + * + * * 1: In tunnel mode, enable outer header ECN Field copied from + * inner header in tunnel encapsulation, or inner header ECN + * field construction in decapsulation. + * * 0: Inner/outer header are not modified. + */ + uint32_t ecn : 1; + + /** Security statistics + * + * * 1: Enable per session security statistics collection for + * this SA, if supported by the driver. + * * 0: Disable per session security statistics collection for this SA. + */ + uint32_t stats : 1; }; /** IPSec security association direction */ @@ -195,6 +212,10 @@ struct rte_security_ipsec_xform { /**< Tunnel parameters, NULL for transport mode */ uint64_t esn_soft_limit; /**< ESN for which the overflow event need to be raised */ + uint32_t replay_win_sz; + /**< Anti replay window size to enable sequence replay attack handling. + * replay checking is disabled if the window size is 0. + */ }; /** @@ -261,6 +282,15 @@ struct rte_security_pdcp_xform { uint32_t hfn; /** HFN Threshold for key renegotiation */ uint32_t hfn_threshold; + /** HFN can be given as a per packet value also. + * As we do not have IV in case of PDCP, and HFN is + * used to generate IV. IV field can be used to get the + * per packet HFN while enq/deq. + * If hfn_ovrd field is set, user is expected to set the + * per packet HFN in place of IV. PMDs will extract the HFN + * and perform operations accordingly. + */ + uint32_t hfn_ovrd; }; /** @@ -277,10 +307,14 @@ enum rte_security_session_action_type { /**< All security protocol processing is performed inline during * transmission */ - RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL + RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL, /**< All security protocol processing including crypto is performed * on a lookaside accelerator */ + RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO + /**< Similar to ACTION_TYPE_NONE but crypto processing for security + * protocol is processed synchronously by a CPU. + */ }; /** Security session protocol definition */ @@ -317,6 +351,8 @@ struct rte_security_session_conf { struct rte_security_session { void *sess_private_data; /**< Private session material */ + uint64_t opaque_data; + /**< Opaque user defined data */ }; /** @@ -342,8 +378,9 @@ rte_security_session_create(struct rte_security_ctx *instance, * @param conf update configuration parameters * @return * - On success returns 0 - * - On failure return errno + * - On failure returns a negative errno value. */ +__rte_experimental int rte_security_session_update(struct rte_security_ctx *instance, struct rte_security_session *sess, @@ -366,12 +403,14 @@ rte_security_session_get_size(struct rte_security_ctx *instance); * return it to its original mempool. * * @param instance security instance - * @param sess security session to freed + * @param sess security session to be freed * * @return * - 0 if successful. - * - -EINVAL if session is NULL. + * - -EINVAL if session or context instance is NULL. * - -EBUSY if not all device private data has been freed. + * - -ENOTSUP if destroying private data is not supported. + * - other negative values in case of freeing private data errors. */ int rte_security_session_destroy(struct rte_security_ctx *instance, @@ -412,6 +451,7 @@ rte_security_set_pkt_metadata(struct rte_security_ctx *instance, * - On success, userdata * - On failure, NULL */ +__rte_experimental void * rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); @@ -469,8 +509,14 @@ struct rte_security_macsec_stats { }; struct rte_security_ipsec_stats { - uint64_t reserved; - + uint64_t ipackets; /**< Successfully received IPsec packets. */ + uint64_t opackets; /**< Successfully transmitted IPsec packets.*/ + uint64_t ibytes; /**< Successfully received IPsec bytes. */ + uint64_t obytes; /**< Successfully transmitted IPsec bytes. */ + uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */ + uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */ + uint64_t reserved1; /**< Reserved for future use. */ + uint64_t reserved2; /**< Reserved for future use. */ }; struct rte_security_pdcp_stats { @@ -494,11 +540,15 @@ struct rte_security_stats { * * @param instance security instance * @param sess security session + * If security session is NULL then global (per security instance) statistics + * will be retrieved, if supported. Global statistics collection is not + * dependent on the per session statistics configuration. * @param stats statistics * @return - * - On success return 0 - * - On failure errno + * - On success, return 0 + * - On failure, a negative value */ +__rte_experimental int rte_security_session_stats_get(struct rte_security_ctx *instance, struct rte_security_session *sess, @@ -523,6 +573,10 @@ struct rte_security_capability { /**< IPsec SA direction */ struct rte_security_ipsec_sa_options options; /**< IPsec SA supported options */ + uint32_t replay_win_sz_max; + /**< IPsec Anti Replay Window Size. A '0' value + * indicates that Anti Replay is not supported. + */ } ipsec; /**< IPsec capability */ struct { @@ -534,7 +588,7 @@ struct rte_security_capability { enum rte_security_pdcp_domain domain; /**< PDCP mode of operation: Control or data */ uint32_t capa_flags; - /**< Capabilitity flags, see RTE_SECURITY_PDCP_* */ + /**< Capability flags, see RTE_SECURITY_PDCP_* */ } pdcp; /**< PDCP capability */ }; @@ -566,7 +620,7 @@ struct rte_security_capability { #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 /**< HW constructs trailer of packets * Transmitted packets will have the trailer added to them - * by hardawre. The next protocol field will be based on + * by hardware. The next protocol field will be based on * the mbuf->inner_esp_next_proto field. */ #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000