1 /* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
4 */
5
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8
9 /**
10 * @file rte_security.h
11 *
12 * RTE Security Common Definitions
13 *
14 */
15
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19
20 #include <sys/types.h>
21
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
25 #include <rte_ip.h>
26 #include <rte_mbuf_dyn.h>
27
28 /** IPSec protocol mode */
29 enum rte_security_ipsec_sa_mode {
30 RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
31 /**< IPSec Transport mode */
32 RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
33 /**< IPSec Tunnel mode */
34 };
35
36 /** IPSec Protocol */
37 enum rte_security_ipsec_sa_protocol {
38 RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
39 /**< AH protocol */
40 RTE_SECURITY_IPSEC_SA_PROTO_ESP,
41 /**< ESP protocol */
42 };
43
44 /** IPSEC tunnel type */
45 enum rte_security_ipsec_tunnel_type {
46 RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
47 /**< Outer header is IPv4 */
48 RTE_SECURITY_IPSEC_TUNNEL_IPV6,
49 /**< Outer header is IPv6 */
50 };
51
52 /**
53 * IPSEC tunnel header verification mode
54 *
55 * Controls how outer IP header is verified in inbound.
56 */
57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
58 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
59
60 /**
61 * Security context for crypto/eth devices
62 *
63 * Security instance for each driver to register security operations.
64 * The application can get the security context from the crypto/eth device id
65 * using the APIs rte_cryptodev_get_sec_ctx()/rte_eth_dev_get_sec_ctx()
66 * This structure is used to identify the device(crypto/eth) for which the
67 * security operations need to be performed.
68 */
69 struct rte_security_ctx {
70 void *device;
71 /**< Crypto/ethernet device attached */
72 const struct rte_security_ops *ops;
73 /**< Pointer to security ops for the device */
74 uint16_t sess_cnt;
75 /**< Number of sessions attached to this context */
76 uint32_t flags;
77 /**< Flags for security context */
78 };
79
80 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
81 /**< Driver uses fast metadata update without using driver specific callback */
82
83 #define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002
84 /**< Driver provides udata using fast method without using driver specific
85 * callback. For fast mdata and udata, mbuf dynamic field would be registered
86 * by driver via rte_security_dynfield_register().
87 */
88
89 /**
90 * IPSEC tunnel parameters
91 *
92 * These parameters are used to build outbound tunnel headers.
93 */
94 struct rte_security_ipsec_tunnel_param {
95 enum rte_security_ipsec_tunnel_type type;
96 /**< Tunnel type: IPv4 or IPv6 */
97 RTE_STD_C11
98 union {
99 struct {
100 struct in_addr src_ip;
101 /**< IPv4 source address */
102 struct in_addr dst_ip;
103 /**< IPv4 destination address */
104 uint8_t dscp;
105 /**< IPv4 Differentiated Services Code Point */
106 uint8_t df;
107 /**< IPv4 Don't Fragment bit */
108 uint8_t ttl;
109 /**< IPv4 Time To Live */
110 } ipv4;
111 /**< IPv4 header parameters */
112 struct {
113 struct in6_addr src_addr;
114 /**< IPv6 source address */
115 struct in6_addr dst_addr;
116 /**< IPv6 destination address */
117 uint8_t dscp;
118 /**< IPv6 Differentiated Services Code Point */
119 uint32_t flabel;
120 /**< IPv6 flow label */
121 uint8_t hlimit;
122 /**< IPv6 hop limit */
123 } ipv6;
124 /**< IPv6 header parameters */
125 };
126 };
127
128 struct rte_security_ipsec_udp_param {
129 uint16_t sport;
130 uint16_t dport;
131 };
132
133 /**
134 * IPsec Security Association option flags
135 */
136 struct rte_security_ipsec_sa_options {
137 /** Extended Sequence Numbers (ESN)
138 *
139 * * 1: Use extended (64 bit) sequence numbers
140 * * 0: Use normal sequence numbers
141 */
142 uint32_t esn : 1;
143
144 /** UDP encapsulation
145 *
146 * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
147 * traverse through NAT boxes.
148 * * 0: No UDP encapsulation
149 */
150 uint32_t udp_encap : 1;
151
152 /** Copy DSCP bits
153 *
154 * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
155 * the outer IP header in encapsulation, and vice versa in
156 * decapsulation.
157 * * 0: Do not change DSCP field.
158 */
159 uint32_t copy_dscp : 1;
160
161 /** Copy IPv6 Flow Label
162 *
163 * * 1: Copy IPv6 flow label from inner IPv6 header to the
164 * outer IPv6 header.
165 * * 0: Outer header is not modified.
166 */
167 uint32_t copy_flabel : 1;
168
169 /** Copy IPv4 Don't Fragment bit
170 *
171 * * 1: Copy the DF bit from the inner IPv4 header to the outer
172 * IPv4 header.
173 * * 0: Outer header is not modified.
174 */
175 uint32_t copy_df : 1;
176
177 /** Decrement inner packet Time To Live (TTL) field
178 *
179 * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
180 * IPv6 Hop Limit after tunnel decapsulation, or before tunnel
181 * encapsulation.
182 * * 0: Inner packet is not modified.
183 */
184 uint32_t dec_ttl : 1;
185
186 /** Explicit Congestion Notification (ECN)
187 *
188 * * 1: In tunnel mode, enable outer header ECN Field copied from
189 * inner header in tunnel encapsulation, or inner header ECN
190 * field construction in decapsulation.
191 * * 0: Inner/outer header are not modified.
192 */
193 uint32_t ecn : 1;
194
195 /** Security statistics
196 *
197 * * 1: Enable per session security statistics collection for
198 * this SA, if supported by the driver.
199 * * 0: Disable per session security statistics collection for this SA.
200 */
201 uint32_t stats : 1;
202
203 /** Disable IV generation in PMD
204 *
205 * * 1: Disable IV generation in PMD. When disabled, IV provided in
206 * rte_crypto_op will be used by the PMD.
207 *
208 * * 0: Enable IV generation in PMD. When enabled, PMD generated random
209 * value would be used and application is not required to provide
210 * IV.
211 *
212 * Note: For inline cases, IV generation would always need to be handled
213 * by the PMD.
214 */
215 uint32_t iv_gen_disable : 1;
216
217 /** Verify tunnel header in inbound
218 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
219 * IP address.
220 *
221 * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
222 * source and destination IP addresses.
223 */
224 uint32_t tunnel_hdr_verify : 2;
225
226 /** Verify UDP encapsulation ports in inbound
227 *
228 * * 1: Match UDP source and destination ports
229 * * 0: Do not match UDP ports
230 */
231 uint32_t udp_ports_verify : 1;
232
233 /** Compute/verify inner packet IPv4 header checksum in tunnel mode
234 *
235 * * 1: For outbound, compute inner packet IPv4 header checksum
236 * before tunnel encapsulation and for inbound, verify after
237 * tunnel decapsulation.
238 * * 0: Inner packet IP header checksum is not computed/verified.
239 *
240 * The checksum verification status would be set in mbuf using
241 * RTE_MBUF_F_RX_IP_CKSUM_xxx flags.
242 *
243 * Inner IP checksum computation can also be enabled(per operation)
244 * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf.
245 */
246 uint32_t ip_csum_enable : 1;
247
248 /** Compute/verify inner packet L4 checksum in tunnel mode
249 *
250 * * 1: For outbound, compute inner packet L4 checksum before
251 * tunnel encapsulation and for inbound, verify after
252 * tunnel decapsulation.
253 * * 0: Inner packet L4 checksum is not computed/verified.
254 *
255 * The checksum verification status would be set in mbuf using
256 * RTE_MBUF_F_RX_L4_CKSUM_xxx flags.
257 *
258 * Inner L4 checksum computation can also be enabled(per operation)
259 * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or
260 * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf.
261 */
262 uint32_t l4_csum_enable : 1;
263
264 /** Enable IP reassembly on inline inbound packets.
265 *
266 * * 1: Enable driver to try reassembly of encrypted IP packets for
267 * this SA, if supported by the driver. This feature will work
268 * only if user has successfully set IP reassembly config params
269 * using rte_eth_ip_reassembly_conf_set() for the inline Ethernet
270 * device. PMD need to register mbuf dynamic fields using
271 * rte_eth_ip_reassembly_dynfield_register() and security session
272 * creation would fail if dynfield is not registered successfully.
273 * * 0: Disable IP reassembly of packets (default).
274 */
275 uint32_t ip_reassembly_en : 1;
276
277 /** Reserved bit fields for future extension
278 *
279 * User should ensure reserved_opts is cleared as it may change in
280 * subsequent releases to support new options.
281 *
282 * Note: Reduce number of bits in reserved_opts for every new option.
283 */
284 uint32_t reserved_opts : 17;
285 };
286
287 /** IPSec security association direction */
288 enum rte_security_ipsec_sa_direction {
289 RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
290 /**< Encrypt and generate digest */
291 RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
292 /**< Verify digest and decrypt */
293 };
294
295 /**
296 * Configure soft and hard lifetime of an IPsec SA
297 *
298 * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
299 * that can be processed. IPsec operations would start failing once any hard
300 * limit is reached.
301 *
302 * Soft limits can be specified to generate notification when the SA is
303 * approaching hard limits for lifetime. For inline operations, reaching soft
304 * expiry limit would result in raising an eth event for the same. For lookaside
305 * operations, this would result in a warning returned in
306 * ``rte_crypto_op.aux_flags``.
307 */
308 struct rte_security_ipsec_lifetime {
309 uint64_t packets_soft_limit;
310 /**< Soft expiry limit in number of packets */
311 uint64_t bytes_soft_limit;
312 /**< Soft expiry limit in bytes */
313 uint64_t packets_hard_limit;
314 /**< Hard expiry limit in number of packets */
315 uint64_t bytes_hard_limit;
316 /**< Hard expiry limit in bytes */
317 };
318
319 /**
320 * IPsec security association configuration data.
321 *
322 * This structure contains data required to create an IPsec SA security session.
323 */
324 struct rte_security_ipsec_xform {
325 uint32_t spi;
326 /**< SA security parameter index */
327 uint32_t salt;
328 /**< SA salt */
329 struct rte_security_ipsec_sa_options options;
330 /**< various SA options */
331 enum rte_security_ipsec_sa_direction direction;
332 /**< IPSec SA Direction - Egress/Ingress */
333 enum rte_security_ipsec_sa_protocol proto;
334 /**< IPsec SA Protocol - AH/ESP */
335 enum rte_security_ipsec_sa_mode mode;
336 /**< IPsec SA Mode - transport/tunnel */
337 struct rte_security_ipsec_tunnel_param tunnel;
338 /**< Tunnel parameters, NULL for transport mode */
339 struct rte_security_ipsec_lifetime life;
340 /**< IPsec SA lifetime */
341 uint32_t replay_win_sz;
342 /**< Anti replay window size to enable sequence replay attack handling.
343 * replay checking is disabled if the window size is 0.
344 */
345 union {
346 uint64_t value;
347 struct {
348 uint32_t low;
349 uint32_t hi;
350 };
351 } esn;
352 /**< Extended Sequence Number */
353 struct rte_security_ipsec_udp_param udp;
354 /**< UDP parameters, ignored when udp_encap option not specified */
355 };
356
357 /**
358 * MACsec security session configuration
359 */
360 struct rte_security_macsec_xform {
361 /** To be Filled */
362 int dummy;
363 };
364
365 /**
366 * PDCP Mode of session
367 */
368 enum rte_security_pdcp_domain {
369 RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
370 RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */
371 RTE_SECURITY_PDCP_MODE_SHORT_MAC, /**< PDCP short mac */
372 };
373
374 /** PDCP Frame direction */
375 enum rte_security_pdcp_direction {
376 RTE_SECURITY_PDCP_UPLINK, /**< Uplink */
377 RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */
378 };
379
380 /** PDCP Sequence Number Size selectors */
381 enum rte_security_pdcp_sn_size {
382 /** PDCP_SN_SIZE_5: 5bit sequence number */
383 RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
384 /** PDCP_SN_SIZE_7: 7bit sequence number */
385 RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
386 /** PDCP_SN_SIZE_12: 12bit sequence number */
387 RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
388 /** PDCP_SN_SIZE_15: 15bit sequence number */
389 RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
390 /** PDCP_SN_SIZE_18: 18bit sequence number */
391 RTE_SECURITY_PDCP_SN_SIZE_18 = 18
392 };
393
394 /**
395 * PDCP security association configuration data.
396 *
397 * This structure contains data required to create a PDCP security session.
398 */
399 struct rte_security_pdcp_xform {
400 int8_t bearer; /**< PDCP bearer ID */
401 /** Enable in order delivery, this field shall be set only if
402 * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
403 */
404 uint8_t en_ordering;
405 /** Notify driver/HW to detect and remove duplicate packets.
406 * This field should be set only when driver/hw is capable.
407 * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
408 */
409 uint8_t remove_duplicates;
410 /** PDCP mode of operation: Control or data */
411 enum rte_security_pdcp_domain domain;
412 /** PDCP Frame Direction 0:UL 1:DL */
413 enum rte_security_pdcp_direction pkt_dir;
414 /** Sequence number size, 5/7/12/15/18 */
415 enum rte_security_pdcp_sn_size sn_size;
416 /** Starting Hyper Frame Number to be used together with the SN
417 * from the PDCP frames
418 */
419 uint32_t hfn;
420 /** HFN Threshold for key renegotiation */
421 uint32_t hfn_threshold;
422 /** HFN can be given as a per packet value also.
423 * As we do not have IV in case of PDCP, and HFN is
424 * used to generate IV. IV field can be used to get the
425 * per packet HFN while enq/deq.
426 * If hfn_ovrd field is set, user is expected to set the
427 * per packet HFN in place of IV. PMDs will extract the HFN
428 * and perform operations accordingly.
429 */
430 uint8_t hfn_ovrd;
431 /** In case of 5G NR, a new protocol (SDAP) header may be set
432 * inside PDCP payload which should be authenticated but not
433 * encrypted. Hence, driver should be notified if SDAP is
434 * enabled or not, so that SDAP header is not encrypted.
435 */
436 uint8_t sdap_enabled;
437 /** Reserved for future */
438 uint16_t reserved;
439 };
440
441 /** DOCSIS direction */
442 enum rte_security_docsis_direction {
443 RTE_SECURITY_DOCSIS_UPLINK,
444 /**< Uplink
445 * - Decryption, followed by CRC Verification
446 */
447 RTE_SECURITY_DOCSIS_DOWNLINK,
448 /**< Downlink
449 * - CRC Generation, followed by Encryption
450 */
451 };
452
453 /**
454 * DOCSIS security session configuration.
455 *
456 * This structure contains data required to create a DOCSIS security session.
457 */
458 struct rte_security_docsis_xform {
459 enum rte_security_docsis_direction direction;
460 /**< DOCSIS direction */
461 };
462
463 /**
464 * Security session action type.
465 */
466 enum rte_security_session_action_type {
467 RTE_SECURITY_ACTION_TYPE_NONE,
468 /**< No security actions */
469 RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
470 /**< Crypto processing for security protocol is processed inline
471 * during transmission
472 */
473 RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
474 /**< All security protocol processing is performed inline during
475 * transmission
476 */
477 RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
478 /**< All security protocol processing including crypto is performed
479 * on a lookaside accelerator
480 */
481 RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
482 /**< Similar to ACTION_TYPE_NONE but crypto processing for security
483 * protocol is processed synchronously by a CPU.
484 */
485 };
486
487 /** Security session protocol definition */
488 enum rte_security_session_protocol {
489 RTE_SECURITY_PROTOCOL_IPSEC = 1,
490 /**< IPsec Protocol */
491 RTE_SECURITY_PROTOCOL_MACSEC,
492 /**< MACSec Protocol */
493 RTE_SECURITY_PROTOCOL_PDCP,
494 /**< PDCP Protocol */
495 RTE_SECURITY_PROTOCOL_DOCSIS,
496 /**< DOCSIS Protocol */
497 };
498
499 /**
500 * Security session configuration
501 */
502 struct rte_security_session_conf {
503 enum rte_security_session_action_type action_type;
504 /**< Type of action to be performed on the session */
505 enum rte_security_session_protocol protocol;
506 /**< Security protocol to be configured */
507 RTE_STD_C11
508 union {
509 struct rte_security_ipsec_xform ipsec;
510 struct rte_security_macsec_xform macsec;
511 struct rte_security_pdcp_xform pdcp;
512 struct rte_security_docsis_xform docsis;
513 };
514 /**< Configuration parameters for security session */
515 struct rte_crypto_sym_xform *crypto_xform;
516 /**< Security Session Crypto Transformations */
517 void *userdata;
518 /**< Application specific userdata to be saved with session */
519 };
520
521 struct rte_security_session {
522 void *sess_private_data;
523 /**< Private session material */
524 uint64_t opaque_data;
525 /**< Opaque user defined data */
526 };
527
528 /**
529 * Create security session as specified by the session configuration
530 *
531 * @param instance security instance
532 * @param conf session configuration parameters
533 * @param mp mempool to allocate session objects from
534 * @param priv_mp mempool to allocate session private data objects from
535 * @return
536 * - On success, pointer to session
537 * - On failure, NULL
538 */
539 struct rte_security_session *
540 rte_security_session_create(struct rte_security_ctx *instance,
541 struct rte_security_session_conf *conf,
542 struct rte_mempool *mp,
543 struct rte_mempool *priv_mp);
544
545 /**
546 * Update security session as specified by the session configuration
547 *
548 * @param instance security instance
549 * @param sess session to update parameters
550 * @param conf update configuration parameters
551 * @return
552 * - On success returns 0
553 * - On failure returns a negative errno value.
554 */
555 __rte_experimental
556 int
557 rte_security_session_update(struct rte_security_ctx *instance,
558 struct rte_security_session *sess,
559 struct rte_security_session_conf *conf);
560
561 /**
562 * Get the size of the security session data for a device.
563 *
564 * @param instance security instance.
565 *
566 * @return
567 * - Size of the private data, if successful
568 * - 0 if device is invalid or does not support the operation.
569 */
570 unsigned int
571 rte_security_session_get_size(struct rte_security_ctx *instance);
572
573 /**
574 * Free security session header and the session private data and
575 * return it to its original mempool.
576 *
577 * @param instance security instance
578 * @param sess security session to be freed
579 *
580 * @return
581 * - 0 if successful.
582 * - -EINVAL if session or context instance is NULL.
583 * - -EBUSY if not all device private data has been freed.
584 * - -ENOTSUP if destroying private data is not supported.
585 * - other negative values in case of freeing private data errors.
586 */
587 int
588 rte_security_session_destroy(struct rte_security_ctx *instance,
589 struct rte_security_session *sess);
590
591 /** Device-specific metadata field type */
592 typedef uint64_t rte_security_dynfield_t;
593 /** Dynamic mbuf field for device-specific metadata */
594 extern int rte_security_dynfield_offset;
595
596 /**
597 * @warning
598 * @b EXPERIMENTAL: this API may change without prior notice
599 *
600 * Get pointer to mbuf field for device-specific metadata.
601 *
602 * For performance reason, no check is done,
603 * the dynamic field may not be registered.
604 * @see rte_security_dynfield_is_registered
605 *
606 * @param mbuf packet to access
607 * @return pointer to mbuf field
608 */
609 __rte_experimental
610 static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf * mbuf)611 rte_security_dynfield(struct rte_mbuf *mbuf)
612 {
613 return RTE_MBUF_DYNFIELD(mbuf,
614 rte_security_dynfield_offset,
615 rte_security_dynfield_t *);
616 }
617
618 /**
619 * @warning
620 * @b EXPERIMENTAL: this API may change without prior notice
621 *
622 * Check whether the dynamic field is registered.
623 *
624 * @return true if rte_security_dynfield_register() has been called.
625 */
626 __rte_experimental
rte_security_dynfield_is_registered(void)627 static inline bool rte_security_dynfield_is_registered(void)
628 {
629 return rte_security_dynfield_offset >= 0;
630 }
631
632 /** Function to call PMD specific function pointer set_pkt_metadata() */
633 __rte_experimental
634 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
635 struct rte_security_session *sess,
636 struct rte_mbuf *m, void *params);
637
638 /**
639 * Updates the buffer with device-specific defined metadata
640 *
641 * @param instance security instance
642 * @param sess security session
643 * @param mb packet mbuf to set metadata on.
644 * @param params device-specific defined parameters
645 * required for metadata
646 *
647 * @return
648 * - On success, zero.
649 * - On failure, a negative value.
650 */
651 static inline int
rte_security_set_pkt_metadata(struct rte_security_ctx * instance,struct rte_security_session * sess,struct rte_mbuf * mb,void * params)652 rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
653 struct rte_security_session *sess,
654 struct rte_mbuf *mb, void *params)
655 {
656 /* Fast Path */
657 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
658 *rte_security_dynfield(mb) =
659 (rte_security_dynfield_t)(sess->sess_private_data);
660 return 0;
661 }
662
663 /* Jump to PMD specific function pointer */
664 return __rte_security_set_pkt_metadata(instance, sess, mb, params);
665 }
666
667 /** Function to call PMD specific function pointer get_userdata() */
668 __rte_experimental
669 extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
670 uint64_t md);
671
672 /**
673 * Get userdata associated with the security session. Device specific metadata
674 * provided would be used to uniquely identify the security session being
675 * referred to. This userdata would be registered while creating the session,
676 * and application can use this to identify the SA etc.
677 *
678 * Device specific metadata would be set in mbuf for inline processed inbound
679 * packets. In addition, the same metadata would be set for IPsec events
680 * reported by rte_eth_event framework.
681 *
682 * @param instance security instance
683 * @param md device-specific metadata
684 *
685 * @return
686 * - On success, userdata
687 * - On failure, NULL
688 */
689 __rte_experimental
690 static inline void *
rte_security_get_userdata(struct rte_security_ctx * instance,uint64_t md)691 rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
692 {
693 /* Fast Path */
694 if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
695 return (void *)(uintptr_t)md;
696
697 /* Jump to PMD specific function pointer */
698 return __rte_security_get_userdata(instance, md);
699 }
700
701 /**
702 * Attach a session to a symmetric crypto operation
703 *
704 * @param sym_op crypto operation
705 * @param sess security session
706 */
707 static inline int
__rte_security_attach_session(struct rte_crypto_sym_op * sym_op,struct rte_security_session * sess)708 __rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
709 struct rte_security_session *sess)
710 {
711 sym_op->sec_session = sess;
712
713 return 0;
714 }
715
716 static inline void *
get_sec_session_private_data(const struct rte_security_session * sess)717 get_sec_session_private_data(const struct rte_security_session *sess)
718 {
719 return sess->sess_private_data;
720 }
721
722 static inline void
set_sec_session_private_data(struct rte_security_session * sess,void * private_data)723 set_sec_session_private_data(struct rte_security_session *sess,
724 void *private_data)
725 {
726 sess->sess_private_data = private_data;
727 }
728
729 /**
730 * Attach a session to a crypto operation.
731 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
732 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
733 * defined to perform security operations.
734 *
735 * @param op crypto operation
736 * @param sess security session
737 */
738 static inline int
rte_security_attach_session(struct rte_crypto_op * op,struct rte_security_session * sess)739 rte_security_attach_session(struct rte_crypto_op *op,
740 struct rte_security_session *sess)
741 {
742 if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
743 return -EINVAL;
744
745 op->sess_type = RTE_CRYPTO_OP_SECURITY_SESSION;
746
747 return __rte_security_attach_session(op->sym, sess);
748 }
749
750 struct rte_security_macsec_stats {
751 uint64_t reserved;
752 };
753
754 struct rte_security_ipsec_stats {
755 uint64_t ipackets; /**< Successfully received IPsec packets. */
756 uint64_t opackets; /**< Successfully transmitted IPsec packets.*/
757 uint64_t ibytes; /**< Successfully received IPsec bytes. */
758 uint64_t obytes; /**< Successfully transmitted IPsec bytes. */
759 uint64_t ierrors; /**< IPsec packets receive/decrypt errors. */
760 uint64_t oerrors; /**< IPsec packets transmit/encrypt errors. */
761 uint64_t reserved1; /**< Reserved for future use. */
762 uint64_t reserved2; /**< Reserved for future use. */
763 };
764
765 struct rte_security_pdcp_stats {
766 uint64_t reserved;
767 };
768
769 struct rte_security_docsis_stats {
770 uint64_t reserved;
771 };
772
773 struct rte_security_stats {
774 enum rte_security_session_protocol protocol;
775 /**< Security protocol to be configured */
776
777 RTE_STD_C11
778 union {
779 struct rte_security_macsec_stats macsec;
780 struct rte_security_ipsec_stats ipsec;
781 struct rte_security_pdcp_stats pdcp;
782 struct rte_security_docsis_stats docsis;
783 };
784 };
785
786 /**
787 * Get security session statistics
788 *
789 * @param instance security instance
790 * @param sess security session
791 * If security session is NULL then global (per security instance) statistics
792 * will be retrieved, if supported. Global statistics collection is not
793 * dependent on the per session statistics configuration.
794 * @param stats statistics
795 * @return
796 * - On success, return 0
797 * - On failure, a negative value
798 */
799 __rte_experimental
800 int
801 rte_security_session_stats_get(struct rte_security_ctx *instance,
802 struct rte_security_session *sess,
803 struct rte_security_stats *stats);
804
805 /**
806 * Security capability definition
807 */
808 struct rte_security_capability {
809 enum rte_security_session_action_type action;
810 /**< Security action type*/
811 enum rte_security_session_protocol protocol;
812 /**< Security protocol */
813 RTE_STD_C11
814 union {
815 struct {
816 enum rte_security_ipsec_sa_protocol proto;
817 /**< IPsec SA protocol */
818 enum rte_security_ipsec_sa_mode mode;
819 /**< IPsec SA mode */
820 enum rte_security_ipsec_sa_direction direction;
821 /**< IPsec SA direction */
822 struct rte_security_ipsec_sa_options options;
823 /**< IPsec SA supported options */
824 uint32_t replay_win_sz_max;
825 /**< IPsec Anti Replay Window Size. A '0' value
826 * indicates that Anti Replay is not supported.
827 */
828 } ipsec;
829 /**< IPsec capability */
830 struct {
831 /* To be Filled */
832 int dummy;
833 } macsec;
834 /**< MACsec capability */
835 struct {
836 enum rte_security_pdcp_domain domain;
837 /**< PDCP mode of operation: Control or data */
838 uint32_t capa_flags;
839 /**< Capability flags, see RTE_SECURITY_PDCP_* */
840 } pdcp;
841 /**< PDCP capability */
842 struct {
843 enum rte_security_docsis_direction direction;
844 /**< DOCSIS direction */
845 } docsis;
846 /**< DOCSIS capability */
847 };
848
849 const struct rte_cryptodev_capabilities *crypto_capabilities;
850 /**< Corresponding crypto capabilities for security capability */
851
852 uint32_t ol_flags;
853 /**< Device offload flags */
854 };
855
856 /** Underlying Hardware/driver which support PDCP may or may not support
857 * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support.
858 * If it is not set, driver/HW assumes packets received are in order
859 * and it will be application's responsibility to maintain ordering.
860 */
861 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
862
863 /** Underlying Hardware/driver which support PDCP may or may not detect
864 * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support.
865 * If it is not set, driver/HW assumes there is no duplicate packet received.
866 */
867 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
868
869 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
870 /**< HW needs metadata update, see rte_security_set_pkt_metadata().
871 */
872
873 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
874 /**< HW constructs trailer of packets
875 * Transmitted packets will have the trailer added to them
876 * by hardware. The next protocol field will be based on
877 * the mbuf->inner_esp_next_proto field.
878 */
879 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
880 /**< HW removes trailer of packets
881 * Received packets have no trailer, the next protocol field
882 * is supplied in the mbuf->inner_esp_next_proto field.
883 * Inner packet is not modified.
884 */
885
886 /**
887 * Security capability index used to query a security instance for a specific
888 * security capability
889 */
890 struct rte_security_capability_idx {
891 enum rte_security_session_action_type action;
892 enum rte_security_session_protocol protocol;
893
894 RTE_STD_C11
895 union {
896 struct {
897 enum rte_security_ipsec_sa_protocol proto;
898 enum rte_security_ipsec_sa_mode mode;
899 enum rte_security_ipsec_sa_direction direction;
900 } ipsec;
901 struct {
902 enum rte_security_pdcp_domain domain;
903 uint32_t capa_flags;
904 } pdcp;
905 struct {
906 enum rte_security_docsis_direction direction;
907 } docsis;
908 };
909 };
910
911 /**
912 * Returns array of security instance capabilities
913 *
914 * @param instance Security instance.
915 *
916 * @return
917 * - Returns array of security capabilities.
918 * - Return NULL if no capabilities available.
919 */
920 const struct rte_security_capability *
921 rte_security_capabilities_get(struct rte_security_ctx *instance);
922
923 /**
924 * Query if a specific capability is available on security instance
925 *
926 * @param instance security instance.
927 * @param idx security capability index to match against
928 *
929 * @return
930 * - Returns pointer to security capability on match of capability
931 * index criteria.
932 * - Return NULL if the capability not matched on security instance.
933 */
934 const struct rte_security_capability *
935 rte_security_capability_get(struct rte_security_ctx *instance,
936 struct rte_security_capability_idx *idx);
937
938 #ifdef __cplusplus
939 }
940 #endif
941
942 #endif /* _RTE_SECURITY_H_ */
943