1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
4 */
5
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8
9 /**
10 * @file rte_security.h
11 *
12 * RTE Security Common Definitions
13 *
14 */
15
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19
20 #include <sys/types.h>
21
22 #include <netinet/in.h>
23 #include <netinet/ip.h>
24 #include <netinet/ip6.h>
25
26 #include <rte_compat.h>
27 #include <rte_common.h>
28 #include <rte_crypto.h>
29 #include <rte_mbuf.h>
30 #include <rte_mbuf_dyn.h>
31 #include <rte_memory.h>
32 #include <rte_mempool.h>
33
34 /** IPSec protocol mode */
35 enum rte_security_ipsec_sa_mode {
36 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
37 /**< IPSec Transport mode */
38 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
39 /**< IPSec Tunnel mode */
40 };
41
42 /** IPSec Protocol */
43 enum rte_security_ipsec_sa_protocol {
44 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
45 /**< AH protocol */
46 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
47 /**< ESP protocol */
48 };
49
50 /** IPSEC tunnel type */
51 enum rte_security_ipsec_tunnel_type {
52 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
53 /**< Outer header is IPv4 */
54 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
55 /**< Outer header is IPv6 */
56 };
57
58 /**
59 * Security context for crypto/eth devices
60 *
61 * Security instance for each driver to register security operations.
62 * The application can get the security context from the crypto/eth device id
63 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
64 * This structure is used to identify the device(crypto/eth) for which the
65 * security operations need to be performed.
66 */
67 struct rte_security_ctx {
68 void *device;
69 /**< Crypto/ethernet device attached */
70 const struct rte_security_ops *ops;
71 /**< Pointer to security ops for the device */
72 uint16_t sess_cnt;
73 /**< Number of sessions attached to this context */
74 };
75
76 /**
77 * IPSEC tunnel parameters
78 *
79 * These parameters are used to build outbound tunnel headers.
80 */
81 struct rte_security_ipsec_tunnel_param {
82 enum rte_security_ipsec_tunnel_type type;
83 /**< Tunnel type: IPv4 or IPv6 */
84 RTE_STD_C11
85 union {
86 struct {
87 struct in_addr src_ip;
88 /**< IPv4 source address */
89 struct in_addr dst_ip;
90 /**< IPv4 destination address */
91 uint8_t dscp;
92 /**< IPv4 Differentiated Services Code Point */
93 uint8_t df;
94 /**< IPv4 Don't Fragment bit */
95 uint8_t ttl;
96 /**< IPv4 Time To Live */
97 } ipv4;
98 /**< IPv4 header parameters */
99 struct {
100 struct in6_addr src_addr;
101 /**< IPv6 source address */
102 struct in6_addr dst_addr;
103 /**< IPv6 destination address */
104 uint8_t dscp;
105 /**< IPv6 Differentiated Services Code Point */
106 uint32_t flabel;
107 /**< IPv6 flow label */
108 uint8_t hlimit;
109 /**< IPv6 hop limit */
110 } ipv6;
111 /**< IPv6 header parameters */
112 };
113 };
114
115 /**
116 * IPsec Security Association option flags
117 */
118 struct rte_security_ipsec_sa_options {
119 /** Extended Sequence Numbers (ESN)
120 *
121 * * 1: Use extended (64 bit) sequence numbers
122 * * 0: Use normal sequence numbers
123 */
124 uint32_t esn : 1;
125
126 /** UDP encapsulation
127 *
128 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
129 * traverse through NAT boxes.
130 * * 0: No UDP encapsulation
131 */
132 uint32_t udp_encap : 1;
133
134 /** Copy DSCP bits
135 *
136 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
137 * the outer IP header in encapsulation, and vice versa in
138 * decapsulation.
139 * * 0: Do not change DSCP field.
140 */
141 uint32_t copy_dscp : 1;
142
143 /** Copy IPv6 Flow Label
144 *
145 * * 1: Copy IPv6 flow label from inner IPv6 header to the
146 * outer IPv6 header.
147 * * 0: Outer header is not modified.
148 */
149 uint32_t copy_flabel : 1;
150
151 /** Copy IPv4 Don't Fragment bit
152 *
153 * * 1: Copy the DF bit from the inner IPv4 header to the outer
154 * IPv4 header.
155 * * 0: Outer header is not modified.
156 */
157 uint32_t copy_df : 1;
158
159 /** Decrement inner packet Time To Live (TTL) field
160 *
161 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
162 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
163 * encapsulation.
164 * * 0: Inner packet is not modified.
165 */
166 uint32_t dec_ttl : 1;
167
168 /** Explicit Congestion Notification (ECN)
169 *
170 * * 1: In tunnel mode, enable outer header ECN Field copied from
171 * inner header in tunnel encapsulation, or inner header ECN
172 * field construction in decapsulation.
173 * * 0: Inner/outer header are not modified.
174 */
175 uint32_t ecn : 1;
176
177 /** Security statistics
178 *
179 * * 1: Enable per session security statistics collection for
180 * this SA, if supported by the driver.
181 * * 0: Disable per session security statistics collection for this SA.
182 */
183 uint32_t stats : 1;
184 };
185
186 /** IPSec security association direction */
187 enum rte_security_ipsec_sa_direction {
188 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
189 /**< Encrypt and generate digest */
190 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
191 /**< Verify digest and decrypt */
192 };
193
194 /**
195 * IPsec security association configuration data.
196 *
197 * This structure contains data required to create an IPsec SA security session.
198 */
199 struct rte_security_ipsec_xform {
200 uint32_t spi;
201 /**< SA security parameter index */
202 uint32_t salt;
203 /**< SA salt */
204 struct rte_security_ipsec_sa_options options;
205 /**< various SA options */
206 enum rte_security_ipsec_sa_direction direction;
207 /**< IPSec SA Direction - Egress/Ingress */
208 enum rte_security_ipsec_sa_protocol proto;
209 /**< IPsec SA Protocol - AH/ESP */
210 enum rte_security_ipsec_sa_mode mode;
211 /**< IPsec SA Mode - transport/tunnel */
212 struct rte_security_ipsec_tunnel_param tunnel;
213 /**< Tunnel parameters, NULL for transport mode */
214 uint64_t esn_soft_limit;
215 /**< ESN for which the overflow event need to be raised */
216 uint32_t replay_win_sz;
217 /**< Anti replay window size to enable sequence replay attack handling.
218 * replay checking is disabled if the window size is 0.
219 */
220 };
221
222 /**
223 * MACsec security session configuration
224 */
225 struct rte_security_macsec_xform {
226 /** To be Filled */
227 int dummy;
228 };
229
230 /**
231 * PDCP Mode of session
232 */
233 enum rte_security_pdcp_domain {
234 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
235 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
236 };
237
238 /** PDCP Frame direction */
239 enum rte_security_pdcp_direction {
240 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
241 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
242 };
243
244 /** PDCP Sequence Number Size selectors */
245 enum rte_security_pdcp_sn_size {
246 /** PDCP_SN_SIZE_5: 5bit sequence number */
247 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
248 /** PDCP_SN_SIZE_7: 7bit sequence number */
249 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
250 /** PDCP_SN_SIZE_12: 12bit sequence number */
251 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
252 /** PDCP_SN_SIZE_15: 15bit sequence number */
253 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
254 /** PDCP_SN_SIZE_18: 18bit sequence number */
255 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
256 };
257
258 /**
259 * PDCP security association configuration data.
260 *
261 * This structure contains data required to create a PDCP security session.
262 */
263 struct rte_security_pdcp_xform {
264 int8_t bearer; /**< PDCP bearer ID */
265 /** Enable in order delivery, this field shall be set only if
266 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
267 */
268 uint8_t en_ordering;
269 /** Notify driver/HW to detect and remove duplicate packets.
270 * This field should be set only when driver/hw is capable.
271 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
272 */
273 uint8_t remove_duplicates;
274 /** PDCP mode of operation: Control or data */
275 enum rte_security_pdcp_domain domain;
276 /** PDCP Frame Direction 0:UL 1:DL */
277 enum rte_security_pdcp_direction pkt_dir;
278 /** Sequence number size, 5/7/12/15/18 */
279 enum rte_security_pdcp_sn_size sn_size;
280 /** Starting Hyper Frame Number to be used together with the SN
281 * from the PDCP frames
282 */
283 uint32_t hfn;
284 /** HFN Threshold for key renegotiation */
285 uint32_t hfn_threshold;
286 /** HFN can be given as a per packet value also.
287 * As we do not have IV in case of PDCP, and HFN is
288 * used to generate IV. IV field can be used to get the
289 * per packet HFN while enq/deq.
290 * If hfn_ovrd field is set, user is expected to set the
291 * per packet HFN in place of IV. PMDs will extract the HFN
292 * and perform operations accordingly.
293 */
294 uint8_t hfn_ovrd;
295 /** In case of 5G NR, a new protocol (SDAP) header may be set
296 * inside PDCP payload which should be authenticated but not
297 * encrypted. Hence, driver should be notified if SDAP is
298 * enabled or not, so that SDAP header is not encrypted.
299 */
300 uint8_t sdap_enabled;
301 /** Reserved for future */
302 uint16_t reserved;
303 };
304
305 /** DOCSIS direction */
306 enum rte_security_docsis_direction {
307 RTE_SECURITY_DOCSIS_UPLINK,
308 /**< Uplink
309 * - Decryption, followed by CRC Verification
310 */
311 RTE_SECURITY_DOCSIS_DOWNLINK,
312 /**< Downlink
313 * - CRC Generation, followed by Encryption
314 */
315 };
316
317 /**
318 * DOCSIS security session configuration.
319 *
320 * This structure contains data required to create a DOCSIS security session.
321 */
322 struct rte_security_docsis_xform {
323 enum rte_security_docsis_direction direction;
324 /**< DOCSIS direction */
325 };
326
327 /**
328 * Security session action type.
329 */
330 enum rte_security_session_action_type {
331 RTE_SECURITY_ACTION_TYPE_NONE,
332 /**< No security actions */
333 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
334 /**< Crypto processing for security protocol is processed inline
335 * during transmission
336 */
337 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
338 /**< All security protocol processing is performed inline during
339 * transmission
340 */
341 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
342 /**< All security protocol processing including crypto is performed
343 * on a lookaside accelerator
344 */
345 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
346 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
347 * protocol is processed synchronously by a CPU.
348 */
349 };
350
351 /** Security session protocol definition */
352 enum rte_security_session_protocol {
353 RTE_SECURITY_PROTOCOL_IPSEC = 1,
354 /**< IPsec Protocol */
355 RTE_SECURITY_PROTOCOL_MACSEC,
356 /**< MACSec Protocol */
357 RTE_SECURITY_PROTOCOL_PDCP,
358 /**< PDCP Protocol */
359 RTE_SECURITY_PROTOCOL_DOCSIS,
360 /**< DOCSIS Protocol */
361 };
362
363 /**
364 * Security session configuration
365 */
366 struct rte_security_session_conf {
367 enum rte_security_session_action_type action_type;
368 /**< Type of action to be performed on the session */
369 enum rte_security_session_protocol protocol;
370 /**< Security protocol to be configured */
371 RTE_STD_C11
372 union {
373 struct rte_security_ipsec_xform ipsec;
374 struct rte_security_macsec_xform macsec;
375 struct rte_security_pdcp_xform pdcp;
376 struct rte_security_docsis_xform docsis;
377 };
378 /**< Configuration parameters for security session */
379 struct rte_crypto_sym_xform *crypto_xform;
380 /**< Security Session Crypto Transformations */
381 void *userdata;
382 /**< Application specific userdata to be saved with session */
383 };
384
385 struct rte_security_session {
386 void *sess_private_data;
387 /**< Private session material */
388 uint64_t opaque_data;
389 /**< Opaque user defined data */
390 };
391
392 /**
393 * Create security session as specified by the session configuration
394 *
395 * @param instance security instance
396 * @param conf session configuration parameters
397 * @param mp mempool to allocate session objects from
398 * @param priv_mp mempool to allocate session private data objects from
399 * @return
400 * - On success, pointer to session
401 * - On failure, NULL
402 */
403 struct rte_security_session *
404 rte_security_session_create(struct rte_security_ctx *instance,
405 struct rte_security_session_conf *conf,
406 struct rte_mempool *mp,
407 struct rte_mempool *priv_mp);
408
409 /**
410 * Update security session as specified by the session configuration
411 *
412 * @param instance security instance
413 * @param sess session to update parameters
414 * @param conf update configuration parameters
415 * @return
416 * - On success returns 0
417 * - On failure returns a negative errno value.
418 */
419 __rte_experimental
420 int
421 rte_security_session_update(struct rte_security_ctx *instance,
422 struct rte_security_session *sess,
423 struct rte_security_session_conf *conf);
424
425 /**
426 * Get the size of the security session data for a device.
427 *
428 * @param instance security instance.
429 *
430 * @return
431 * - Size of the private data, if successful
432 * - 0 if device is invalid or does not support the operation.
433 */
434 unsigned int
435 rte_security_session_get_size(struct rte_security_ctx *instance);
436
437 /**
438 * Free security session header and the session private data and
439 * return it to its original mempool.
440 *
441 * @param instance security instance
442 * @param sess security session to be freed
443 *
444 * @return
445 * - 0 if successful.
446 * - -EINVAL if session or context instance is NULL.
447 * - -EBUSY if not all device private data has been freed.
448 * - -ENOTSUP if destroying private data is not supported.
449 * - other negative values in case of freeing private data errors.
450 */
451 int
452 rte_security_session_destroy(struct rte_security_ctx *instance,
453 struct rte_security_session *sess);
454
455 /** Device-specific metadata field type */
456 typedef uint64_t rte_security_dynfield_t;
457 /** Dynamic mbuf field for device-specific metadata */
458 extern int rte_security_dynfield_offset;
459
460 /**
461 * @warning
462 * @b EXPERIMENTAL: this API may change without prior notice
463 *
464 * Get pointer to mbuf field for device-specific metadata.
465 *
466 * For performance reason, no check is done,
467 * the dynamic field may not be registered.
468 * @see rte_security_dynfield_is_registered
469 *
470 * @param mbuf packet to access
471 * @return pointer to mbuf field
472 */
473 __rte_experimental
474 static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf * mbuf)475 rte_security_dynfield(struct rte_mbuf *mbuf)
476 {
477 return RTE_MBUF_DYNFIELD(mbuf,
478 rte_security_dynfield_offset,
479 rte_security_dynfield_t *);
480 }
481
482 /**
483 * @warning
484 * @b EXPERIMENTAL: this API may change without prior notice
485 *
486 * Check whether the dynamic field is registered.
487 *
488 * @return true if rte_security_dynfield_register() has been called.
489 */
490 __rte_experimental
rte_security_dynfield_is_registered(void)491 static inline bool rte_security_dynfield_is_registered(void)
492 {
493 return rte_security_dynfield_offset >= 0;
494 }
495
496 /**
497 * Updates the buffer with device-specific defined metadata
498 *
499 * @param instance security instance
500 * @param sess security session
501 * @param mb packet mbuf to set metadata on.
502 * @param params device-specific defined parameters
503 * required for metadata
504 *
505 * @return
506 * - On success, zero.
507 * - On failure, a negative value.
508 */
509 int
510 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
511 struct rte_security_session *sess,
512 struct rte_mbuf *mb, void *params);
513
514 /**
515 * Get userdata associated with the security session. Device specific metadata
516 * provided would be used to uniquely identify the security session being
517 * referred to. This userdata would be registered while creating the session,
518 * and application can use this to identify the SA etc.
519 *
520 * Device specific metadata would be set in mbuf for inline processed inbound
521 * packets. In addition, the same metadata would be set for IPsec events
522 * reported by rte_eth_event framework.
523 *
524 * @param instance security instance
525 * @param md device-specific metadata
526 *
527 * @return
528 * - On success, userdata
529 * - On failure, NULL
530 */
531 __rte_experimental
532 void *
533 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md);
534
535 /**
536 * Attach a session to a symmetric crypto operation
537 *
538 * @param sym_op crypto operation
539 * @param sess security session
540 */
541 static inline int
__rte_security_attach_session(struct rte_crypto_sym_op * sym_op,struct rte_security_session * sess)542 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
543 struct rte_security_session *sess)
544 {
545 sym_op->sec_session = sess;
546
547 return 0;
548 }
549
550 static inline void *
get_sec_session_private_data(const struct rte_security_session * sess)551 get_sec_session_private_data(const struct rte_security_session *sess)
552 {
553 return sess->sess_private_data;
554 }
555
556 static inline void
set_sec_session_private_data(struct rte_security_session * sess,void * private_data)557 set_sec_session_private_data(struct rte_security_session *sess,
558 void *private_data)
559 {
560 sess->sess_private_data = private_data;
561 }
562
563 /**
564 * Attach a session to a crypto operation.
565 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
566 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
567 * defined to perform security operations.
568 *
569 * @param op crypto operation
570 * @param sess security session
571 */
572 static inline int
rte_security_attach_session(struct rte_crypto_op * op,struct rte_security_session * sess)573 rte_security_attach_session(struct rte_crypto_op *op,
574 struct rte_security_session *sess)
575 {
576 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
577 return -EINVAL;
578
579 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
580
581 return __rte_security_attach_session(op->sym, sess);
582 }
583
584 struct rte_security_macsec_stats {
585 uint64_t reserved;
586 };
587
588 struct rte_security_ipsec_stats {
589 uint64_t ipackets; /**< Successfully received IPsec packets. */
590 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
591 uint64_t ibytes; /**< Successfully received IPsec bytes. */
592 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
593 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
594 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
595 uint64_t reserved1; /**< Reserved for future use. */
596 uint64_t reserved2; /**< Reserved for future use. */
597 };
598
599 struct rte_security_pdcp_stats {
600 uint64_t reserved;
601 };
602
603 struct rte_security_docsis_stats {
604 uint64_t reserved;
605 };
606
607 struct rte_security_stats {
608 enum rte_security_session_protocol protocol;
609 /**< Security protocol to be configured */
610
611 RTE_STD_C11
612 union {
613 struct rte_security_macsec_stats macsec;
614 struct rte_security_ipsec_stats ipsec;
615 struct rte_security_pdcp_stats pdcp;
616 struct rte_security_docsis_stats docsis;
617 };
618 };
619
620 /**
621 * Get security session statistics
622 *
623 * @param instance security instance
624 * @param sess security session
625 * If security session is NULL then global (per security instance) statistics
626 * will be retrieved, if supported. Global statistics collection is not
627 * dependent on the per session statistics configuration.
628 * @param stats statistics
629 * @return
630 * - On success, return 0
631 * - On failure, a negative value
632 */
633 __rte_experimental
634 int
635 rte_security_session_stats_get(struct rte_security_ctx *instance,
636 struct rte_security_session *sess,
637 struct rte_security_stats *stats);
638
639 /**
640 * Security capability definition
641 */
642 struct rte_security_capability {
643 enum rte_security_session_action_type action;
644 /**< Security action type*/
645 enum rte_security_session_protocol protocol;
646 /**< Security protocol */
647 RTE_STD_C11
648 union {
649 struct {
650 enum rte_security_ipsec_sa_protocol proto;
651 /**< IPsec SA protocol */
652 enum rte_security_ipsec_sa_mode mode;
653 /**< IPsec SA mode */
654 enum rte_security_ipsec_sa_direction direction;
655 /**< IPsec SA direction */
656 struct rte_security_ipsec_sa_options options;
657 /**< IPsec SA supported options */
658 uint32_t replay_win_sz_max;
659 /**< IPsec Anti Replay Window Size. A '0' value
660 * indicates that Anti Replay is not supported.
661 */
662 } ipsec;
663 /**< IPsec capability */
664 struct {
665 /* To be Filled */
666 int dummy;
667 } macsec;
668 /**< MACsec capability */
669 struct {
670 enum rte_security_pdcp_domain domain;
671 /**< PDCP mode of operation: Control or data */
672 uint32_t capa_flags;
673 /**< Capability flags, see RTE_SECURITY_PDCP_* */
674 } pdcp;
675 /**< PDCP capability */
676 struct {
677 enum rte_security_docsis_direction direction;
678 /**< DOCSIS direction */
679 } docsis;
680 /**< DOCSIS capability */
681 };
682
683 const struct rte_cryptodev_capabilities *crypto_capabilities;
684 /**< Corresponding crypto capabilities for security capability */
685
686 uint32_t ol_flags;
687 /**< Device offload flags */
688 };
689
690 /** Underlying Hardware/driver which support PDCP may or may not support
691 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
692 * If it is not set, driver/HW assumes packets received are in order
693 * and it will be application's responsibility to maintain ordering.
694 */
695 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
696
697 /** Underlying Hardware/driver which support PDCP may or may not detect
698 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
699 * If it is not set, driver/HW assumes there is no duplicate packet received.
700 */
701 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
702
703 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
704 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
705 */
706
707 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
708 /**< HW constructs trailer of packets
709 * Transmitted packets will have the trailer added to them
710 * by hardware. The next protocol field will be based on
711 * the mbuf->inner_esp_next_proto field.
712 */
713 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
714 /**< HW removes trailer of packets
715 * Received packets have no trailer, the next protocol field
716 * is supplied in the mbuf->inner_esp_next_proto field.
717 * Inner packet is not modified.
718 */
719
720 /**
721 * Security capability index used to query a security instance for a specific
722 * security capability
723 */
724 struct rte_security_capability_idx {
725 enum rte_security_session_action_type action;
726 enum rte_security_session_protocol protocol;
727
728 RTE_STD_C11
729 union {
730 struct {
731 enum rte_security_ipsec_sa_protocol proto;
732 enum rte_security_ipsec_sa_mode mode;
733 enum rte_security_ipsec_sa_direction direction;
734 } ipsec;
735 struct {
736 enum rte_security_pdcp_domain domain;
737 uint32_t capa_flags;
738 } pdcp;
739 struct {
740 enum rte_security_docsis_direction direction;
741 } docsis;
742 };
743 };
744
745 /**
746 * Returns array of security instance capabilities
747 *
748 * @param instance Security instance.
749 *
750 * @return
751 * - Returns array of security capabilities.
752 * - Return NULL if no capabilities available.
753 */
754 const struct rte_security_capability *
755 rte_security_capabilities_get(struct rte_security_ctx *instance);
756
757 /**
758 * Query if a specific capability is available on security instance
759 *
760 * @param instance security instance.
761 * @param idx security capability index to match against
762 *
763 * @return
764 * - Returns pointer to security capability on match of capability
765 * index criteria.
766 * - Return NULL if the capability not matched on security instance.
767 */
768 const struct rte_security_capability *
769 rte_security_capability_get(struct rte_security_ctx *instance,
770 struct rte_security_capability_idx *idx);
771
772 #ifdef __cplusplus
773 }
774 #endif
775
776 #endif /* _RTE_SECURITY_H_ */
777