       1                 :            : /* SPDX-License-Identifier: BSD-3-Clause
       2                 :            :  * Copyright 2017,2019-2020 NXP
       3                 :            :  * Copyright(c) 2017-2020 Intel Corporation.
       4                 :            :  */
       5                 :            : 
       6                 :            : #ifndef _RTE_SECURITY_H_
       7                 :            : #define _RTE_SECURITY_H_
       8                 :            : 
       9                 :            : /**
      10                 :            :  * @file rte_security.h
      11                 :            :  *
      12                 :            :  * RTE Security Common Definitions
      13                 :            :  */
      14                 :            : 
      15                 :            : #include <sys/types.h>
      16                 :            : 
      17                 :            : #include <rte_compat.h>
      18                 :            : #include <rte_common.h>
      19                 :            : #include <rte_crypto.h>
      20                 :            : #include <rte_ip.h>
      21                 :            : #include <rte_mbuf_dyn.h>
      22                 :            : 
      23                 :            : #ifdef __cplusplus
      24                 :            : extern "C" {
      25                 :            : #endif
      26                 :            : 
      27                 :            : /** IPSec protocol mode */
       28                 :            : enum rte_security_ipsec_sa_mode {
       29                 :            :         RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
       30                 :            :         /**< IPSec Transport mode (enumerators start at 1, so a zero value is not a valid mode) */
       31                 :            :         RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
       32                 :            :         /**< IPSec Tunnel mode; outbound outer header is built from rte_security_ipsec_tunnel_param */
       33                 :            : };
      34                 :            : 
      35                 :            : /** IPSec Protocol */
       36                 :            : enum rte_security_ipsec_sa_protocol {
       37                 :            :         RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
       38                 :            :         /**< AH protocol (RFC 4302, integrity/authentication only; enumerators start at 1) */
       39                 :            :         RTE_SECURITY_IPSEC_SA_PROTO_ESP,
       40                 :            :         /**< ESP protocol (RFC 4303, confidentiality and/or integrity) */
       41                 :            : };
      42                 :            : 
      43                 :            : /** IPSEC tunnel type */
       44                 :            : enum rte_security_ipsec_tunnel_type {
       45                 :            :         RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
       46                 :            :         /**< Outer header is IPv4; selects the ipv4 member of rte_security_ipsec_tunnel_param */
       47                 :            :         RTE_SECURITY_IPSEC_TUNNEL_IPV6,
       48                 :            :         /**< Outer header is IPv6; selects the ipv6 member of rte_security_ipsec_tunnel_param */
       49                 :            : };
      50                 :            : 
      51                 :            : /**
      52                 :            :  * IPSEC tunnel header verification mode
      53                 :            :  *
       54                 :            :  * Controls how the outer IP header is verified on inbound.
      55                 :            :  */
      56                 :            : #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
      57                 :            : #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
      58                 :            : 
      59                 :            : #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
      60                 :            : /**< Driver uses fast metadata update without using driver specific callback.
      61                 :            :  * For fast mdata, mbuf dynamic field would be registered by driver
      62                 :            :  * via rte_security_dynfield_register().
      63                 :            :  */
      64                 :            : 
      65                 :            : /**
      66                 :            :  * IPSEC tunnel parameters
      67                 :            :  *
      68                 :            :  * These parameters are used to build outbound tunnel headers.
      69                 :            :  */
       70                 :            : struct rte_security_ipsec_tunnel_param {
       71                 :            :         enum rte_security_ipsec_tunnel_type type;
       72                 :            :         /**< Tunnel type: IPv4 or IPv6; selects which member of the union below is read */
       73                 :            :         union {
       74                 :            :                 struct {
       75                 :            :                         struct in_addr src_ip;
       76                 :            :                         /**< IPv4 source address */
       77                 :            :                         struct in_addr dst_ip;
       78                 :            :                         /**< IPv4 destination address */
       79                 :            :                         uint8_t dscp;
       80                 :            :                         /**< IPv4 Differentiated Services Code Point */
       81                 :            :                         uint8_t df;
       82                 :            :                         /**< IPv4 Don't Fragment bit */
       83                 :            :                         uint8_t ttl;
       84                 :            :                         /**< IPv4 Time To Live */
       85                 :            :                 } ipv4;
       86                 :            :                 /**< IPv4 header parameters, valid when type == RTE_SECURITY_IPSEC_TUNNEL_IPV4 */
       87                 :            :                 struct {
       88                 :            :                         struct rte_ipv6_addr src_addr;
       89                 :            :                         /**< IPv6 source address */
       90                 :            :                         struct rte_ipv6_addr dst_addr;
       91                 :            :                         /**< IPv6 destination address */
       92                 :            :                         uint8_t dscp;
       93                 :            :                         /**< IPv6 Differentiated Services Code Point */
       94                 :            :                         uint32_t flabel;
       95                 :            :                         /**< IPv6 flow label */
       96                 :            :                         uint8_t hlimit;
       97                 :            :                         /**< IPv6 hop limit */
       98                 :            :                 } ipv6;
       99                 :            :                 /**< IPv6 header parameters, valid when type == RTE_SECURITY_IPSEC_TUNNEL_IPV6 */
      100                 :            :         };
      101                 :            : };
     102                 :            : 
                          :            : /**
                          :            :  * UDP encapsulation ports for an IPsec SA.
                          :            :  *
                          :            :  * Consumed only when rte_security_ipsec_sa_options.udp_encap is set
                          :            :  * (see rte_security_ipsec_xform.udp); ignored otherwise.
                          :            :  * NOTE(review): the byte order of the ports (host vs network) is not
                          :            :  * specified here -- confirm against the driver before use.
                          :            :  */
      103                 :            : struct rte_security_ipsec_udp_param {
      104                 :            :         uint16_t sport;
                          :            :         /**< UDP source port */
      105                 :            :         uint16_t dport;
                          :            :         /**< UDP destination port */
      106                 :            : };
     107                 :            : 
     108                 :            : /**
     109                 :            :  * IPsec Security Association option flags
     110                 :            :  */
      111                 :            : struct rte_security_ipsec_sa_options {
      112                 :            :         /** Extended Sequence Numbers (ESN)
      113                 :            :          *
      114                 :            :          * * 1: Use extended (64 bit) sequence numbers
                          :            :          *      (initial value presumably taken from rte_security_ipsec_xform.esn -- confirm)
      115                 :            :          * * 0: Use normal sequence numbers
      116                 :            :          */
      117                 :            :         uint32_t esn : 1;
      118                 :            : 
      119                 :            :         /** UDP encapsulation
      120                 :            :          *
      121                 :            :          * * 1: Do UDP encapsulation/decapsulation so that IPSEC packets can
      122                 :            :          *      traverse through NAT boxes.
      123                 :            :          * * 0: No UDP encapsulation
      124                 :            :          */
      125                 :            :         uint32_t udp_encap : 1;
      126                 :            : 
      127                 :            :         /** Copy DSCP bits
      128                 :            :          *
      129                 :            :          * * 1: Copy IPv4 or IPv6 DSCP bits from inner IP header to
      130                 :            :          *      the outer IP header in encapsulation, and vice versa in
      131                 :            :          *      decapsulation.
      132                 :            :          * * 0: Do not change DSCP field.
      133                 :            :          */
      134                 :            :         uint32_t copy_dscp : 1;
      135                 :            : 
      136                 :            :         /** Copy IPv6 Flow Label
      137                 :            :          *
      138                 :            :          * * 1: Copy IPv6 flow label from inner IPv6 header to the
      139                 :            :          *      outer IPv6 header.
      140                 :            :          * * 0: Outer header is not modified.
      141                 :            :          */
      142                 :            :         uint32_t copy_flabel : 1;
      143                 :            : 
      144                 :            :         /** Copy IPv4 Don't Fragment bit
      145                 :            :          *
      146                 :            :          * * 1: Copy the DF bit from the inner IPv4 header to the outer
      147                 :            :          *      IPv4 header.
      148                 :            :          * * 0: Outer header is not modified.
      149                 :            :          */
      150                 :            :         uint32_t copy_df : 1;
      151                 :            : 
      152                 :            :         /** Decrement inner packet Time To Live (TTL) field
      153                 :            :          *
      154                 :            :          * * 1: In tunnel mode, decrement inner packet IPv4 TTL or
      155                 :            :          *      IPv6 Hop Limit after tunnel decapsulation, or before tunnel
      156                 :            :          *      encapsulation.
      157                 :            :          * * 0: Inner packet is not modified.
      158                 :            :          */
      159                 :            :         uint32_t dec_ttl : 1;
      160                 :            : 
      161                 :            :         /** Explicit Congestion Notification (ECN)
      162                 :            :          *
      163                 :            :          * * 1: In tunnel mode, enable outer header ECN Field copied from
      164                 :            :          *      inner header in tunnel encapsulation, or inner header ECN
      165                 :            :          *      field construction in decapsulation.
      166                 :            :          * * 0: Inner/outer header are not modified.
      167                 :            :          */
      168                 :            :         uint32_t ecn : 1;
      169                 :            : 
      170                 :            :         /** Security statistics
      171                 :            :          *
      172                 :            :          * * 1: Enable per session security statistics collection for
      173                 :            :          *      this SA, if supported by the driver.
      174                 :            :          * * 0: Disable per session security statistics collection for this SA.
      175                 :            :          */
      176                 :            :         uint32_t stats : 1;
      177                 :            : 
      178                 :            :         /** Disable IV generation in PMD
      179                 :            :          *
      180                 :            :          * * 1: Disable IV generation in PMD. When disabled, IV provided in
      181                 :            :          *      rte_crypto_op will be used by the PMD.
      182                 :            :          *
      183                 :            :          * * 0: Enable IV generation in PMD. When enabled, PMD generated random
      184                 :            :          *      value would be used and application is not required to provide
      185                 :            :          *      IV.
                          :            :          *
                          :            :          * When IV generation is disabled the application owns IV uniqueness:
                          :            :          * an IV must never be reused under the same key (for AES-GCM and other
                          :            :          * counter-mode ciphers, nonce reuse breaks both confidentiality and
                          :            :          * integrity).
      186                 :            :          *
      187                 :            :          * Note: For inline cases, IV generation would always need to be handled
      188                 :            :          * by the PMD.
      189                 :            :          */
      190                 :            :         uint32_t iv_gen_disable : 1;
      191                 :            : 
      192                 :            :         /** Verify tunnel header in inbound
      193                 :            :          * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR``: Verify destination
      194                 :            :          *   IP address.
      195                 :            :          *
      196                 :            :          * * ``RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR``: Verify both
      197                 :            :          *   source and destination IP addresses.
                          :            :          *
                          :            :          * NOTE(review): a value of 0 is not described here; presumably no
                          :            :          * outer address verification is performed -- confirm with the driver.
      198                 :            :          */
      199                 :            :         uint32_t tunnel_hdr_verify : 2;
      200                 :            : 
      201                 :            :         /** Verify UDP encapsulation ports in inbound
      202                 :            :          *
      203                 :            :          * * 1: Match UDP source and destination ports
      204                 :            :          * * 0: Do not match UDP ports
      205                 :            :          */
      206                 :            :         uint32_t udp_ports_verify : 1;
      207                 :            : 
      208                 :            :         /** Compute/verify inner packet IPv4 header checksum in tunnel mode
      209                 :            :          *
      210                 :            :          * * 1: For outbound, compute inner packet IPv4 header checksum
      211                 :            :          *      before tunnel encapsulation and for inbound, verify after
      212                 :            :          *      tunnel decapsulation.
      213                 :            :          * * 0: Inner packet IP header checksum is not computed/verified.
      214                 :            :          *
      215                 :            :          * The checksum verification status would be set in mbuf using
      216                 :            :          * RTE_MBUF_F_RX_IP_CKSUM_xxx flags.
      217                 :            :          *
      218                 :            :          * Inner IP checksum computation can also be enabled(per operation)
      219                 :            :          * by setting the flag RTE_MBUF_F_TX_IP_CKSUM in mbuf.
      220                 :            :          */
      221                 :            :         uint32_t ip_csum_enable : 1;
      222                 :            : 
      223                 :            :         /** Compute/verify inner packet L4 checksum in tunnel mode
      224                 :            :          *
      225                 :            :          * * 1: For outbound, compute inner packet L4 checksum before
      226                 :            :          *      tunnel encapsulation and for inbound, verify after
      227                 :            :          *      tunnel decapsulation.
      228                 :            :          * * 0: Inner packet L4 checksum is not computed/verified.
      229                 :            :          *
      230                 :            :          * The checksum verification status would be set in mbuf using
      231                 :            :          * RTE_MBUF_F_RX_L4_CKSUM_xxx flags.
      232                 :            :          *
      233                 :            :          * Inner L4 checksum computation can also be enabled(per operation)
      234                 :            :          * by setting the flags RTE_MBUF_F_TX_TCP_CKSUM or RTE_MBUF_F_TX_SCTP_CKSUM or
      235                 :            :          * RTE_MBUF_F_TX_UDP_CKSUM or RTE_MBUF_F_TX_L4_MASK in mbuf.
      236                 :            :          */
      237                 :            :         uint32_t l4_csum_enable : 1;
      238                 :            : 
      239                 :            :         /** Enable IP reassembly on inline inbound packets.
      240                 :            :          *
      241                 :            :          * * 1: Enable driver to try reassembly of encrypted IP packets for
      242                 :            :          *      this SA, if supported by the driver. This feature will work
      243                 :            :          *      only if user has successfully set IP reassembly config params
      244                 :            :          *      using rte_eth_ip_reassembly_conf_set() for the inline Ethernet
      245                 :            :          *      device. PMD need to register mbuf dynamic fields using
      246                 :            :          *      rte_eth_ip_reassembly_dynfield_register() and security session
      247                 :            :          *      creation would fail if dynfield is not registered successfully.
      248                 :            :          * * 0: Disable IP reassembly of packets (default).
      249                 :            :          */
      250                 :            :         uint32_t ip_reassembly_en : 1;
      251                 :            : 
      252                 :            :         /** Enable out of place processing on inline inbound packets.
      253                 :            :          *
      254                 :            :          * * 1: Enable driver to perform Out-of-place(OOP) processing for this inline
      255                 :            :          *      inbound SA if supported by driver. PMD need to register mbuf
      256                 :            :          *      dynamic field using rte_security_oop_dynfield_register()
      257                 :            :          *      and security session creation would fail if dynfield is not
      258                 :            :          *      registered successfully.
      259                 :            :          * * 0: Disable OOP processing for this session (default).
      260                 :            :          */
      261                 :            :         uint32_t ingress_oop : 1;
      262                 :            : };
     263                 :            : 
     264                 :            : /** IPSec security association direction */
      265                 :            : enum rte_security_ipsec_sa_direction {
      266                 :            :         RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
      267                 :            :         /**< Encrypt and generate digest (value 0: the direction of a zero-initialized xform) */
      268                 :            :         RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
      269                 :            :         /**< Verify digest and decrypt (value 1) */
      270                 :            : };
     271                 :            : 
     272                 :            : /**
     273                 :            :  * Configure soft and hard lifetime of an IPsec SA
     274                 :            :  *
     275                 :            :  * Lifetime of an IPsec SA would specify the maximum number of packets or bytes
     276                 :            :  * that can be processed. IPsec operations would start failing once any hard
     277                 :            :  * limit is reached.
     278                 :            :  *
     279                 :            :  * Soft limits can be specified to generate notification when the SA is
     280                 :            :  * approaching hard limits for lifetime. For inline operations, reaching soft
     281                 :            :  * expiry limit would result in raising an eth event for the same. For lookaside
     282                 :            :  * operations, this would result in a warning returned in
     283                 :            :  * ``rte_crypto_op.aux_flags``.
     284                 :            :  */
      285                 :            : struct rte_security_ipsec_lifetime {
      286                 :            :         uint64_t packets_soft_limit;
      287                 :            :         /**< Soft expiry limit in number of packets */
      288                 :            :         uint64_t bytes_soft_limit;
      289                 :            :         /**< Soft expiry limit in bytes */
      290                 :            :         uint64_t packets_hard_limit;
      291                 :            :         /**< Hard expiry limit in number of packets */
      292                 :            :         uint64_t bytes_hard_limit;
      293                 :            :         /**< Hard expiry limit in bytes */
                          :            :         /* NOTE(review): whether a limit of 0 means "no limit" is not
                          :            :          * specified here -- confirm with the driver before relying on it.
                          :            :          */
      294                 :            : };
     295                 :            : 
     296                 :            : /**
     297                 :            :  * IPsec security association configuration data.
     298                 :            :  *
     299                 :            :  * This structure contains data required to create an IPsec SA security session.
     300                 :            :  */
      301                 :            : struct rte_security_ipsec_xform {
      302                 :            :         uint32_t spi;
      303                 :            :         /**< SA security parameter index (SPI) */
      304                 :            :         uint32_t salt;
      305                 :            :         /**< SA salt (NOTE(review): presumably the AEAD salt combined with the
                          :            :          * per-packet IV, as in RFC 4106 AES-GCM-ESP -- confirm with the driver)
                          :            :          */
      306                 :            :         struct rte_security_ipsec_sa_options options;
      307                 :            :         /**< various SA options */
      308                 :            :         enum rte_security_ipsec_sa_direction direction;
      309                 :            :         /**< IPSec SA Direction - Egress/Ingress */
      310                 :            :         enum rte_security_ipsec_sa_protocol proto;
      311                 :            :         /**< IPsec SA Protocol - AH/ESP */
      312                 :            :         enum rte_security_ipsec_sa_mode mode;
      313                 :            :         /**< IPsec SA Mode - transport/tunnel */
      314                 :            :         struct rte_security_ipsec_tunnel_param tunnel;
      315                 :            :         /**< Tunnel parameters; ignored in transport mode (embedded by value, so it cannot be NULL) */
      316                 :            :         struct rte_security_ipsec_lifetime life;
      317                 :            :         /**< IPsec SA lifetime */
      318                 :            :         uint32_t replay_win_sz;
      319                 :            :         /**< Anti replay window size to enable sequence replay attack handling.
      320                 :            :          * replay checking is disabled if the window size is 0, in which case
                          :            :          * replayed packets on this SA are not detected.
      321                 :            :          */
      322                 :            :         union {
      323                 :            :                 uint64_t value;
      324                 :            :                 struct {
      325                 :            :                         uint32_t low;
      326                 :            :                         uint32_t hi;
      327                 :            :                 };
      328                 :            :         } esn;
      329                 :            :         /**< Extended Sequence Number; low/hi alias the two 32-bit halves of value
                          :            :          * (which half each one overlays depends on host endianness)
                          :            :          */
      330                 :            :         struct rte_security_ipsec_udp_param udp;
      331                 :            :         /**< UDP parameters, ignored when udp_encap option not specified */
      332                 :            : };
     333                 :            : 
     334                 :            : /**
     335                 :            :  * MACSec packet flow direction
     336                 :            :  */
      337                 :            : enum rte_security_macsec_direction {
      338                 :            :         /** Generate SecTag and encrypt/authenticate (value 0: the direction of a zero-initialized xform) */
      339                 :            :         RTE_SECURITY_MACSEC_DIR_TX,
      340                 :            :         /** Remove SecTag and decrypt/verify (value 1) */
      341                 :            :         RTE_SECURITY_MACSEC_DIR_RX,
      342                 :            : };
     343                 :            : 
     344                 :            : /** Maximum number of association numbers for a secure channel. */
     345                 :            : #define RTE_SECURITY_MACSEC_NUM_AN      4
     346                 :            : /** Salt length for MACsec SA. */
     347                 :            : #define RTE_SECURITY_MACSEC_SALT_LEN    12
     348                 :            : 
     349                 :            : /**
     350                 :            :  * MACsec secure association (SA) configuration structure.
     351                 :            :  */
      352                 :            : struct rte_security_macsec_sa {
      353                 :            :         /** Direction of SA */
      354                 :            :         enum rte_security_macsec_direction dir;
      355                 :            :         /** MACsec SA key for AES-GCM 128/256.
                          :            :          * NOTE(review): the key is referenced by pointer, not copied into this
                          :            :          * struct; ownership and lifetime of the buffer, and whether the driver
                          :            :          * copies it, are not specified here -- confirm before releasing or
                          :            :          * zeroizing the key material.
                          :            :          */
      356                 :            :         struct {
      357                 :            :                 const uint8_t *data;    /**< pointer to key data */
      358                 :            :                 uint16_t length;        /**< key length in bytes (presumably 16 or 32 for GCM-128/256 -- confirm) */
      359                 :            :         } key;
      360                 :            :         /** 96-bit value distributed by key agreement protocol */
      361                 :            :         uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
      362                 :            :         /** Association number to be used (2-bit field, 0 .. RTE_SECURITY_MACSEC_NUM_AN - 1) */
      363                 :            :         uint8_t an : 2;
      364                 :            :         /** Short Secure Channel Identifier, to be used for XPN cases */
      365                 :            :         uint32_t ssci;
      366                 :            :         /** Extended packet number */
      367                 :            :         uint32_t xpn;
      368                 :            :         /** Packet number expected/ to be used for next packet of this SA */
      369                 :            :         uint32_t next_pn;
      370                 :            : };
     371                 :            : 
     372                 :            : /**
     373                 :            :  * MACsec Secure Channel configuration parameters.
     374                 :            :  */
      375                 :            : struct rte_security_macsec_sc {
      376                 :            :         /** Direction of SC */
      377                 :            :         enum rte_security_macsec_direction dir;
      378                 :            :         /** Packet number threshold */
      379                 :            :         uint64_t pn_threshold;
                          :            :         /** Per-direction parameters (NOTE(review): presumably sc_rx is read when
                          :            :          * dir is RTE_SECURITY_MACSEC_DIR_RX and sc_tx when it is DIR_TX -- confirm)
                          :            :          */
      380                 :            :         union {
      381                 :            :                 struct {
      382                 :            :                         /** SAs for each association number */
      383                 :            :                         uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
      384                 :            :                         /** flag to denote which all SAs are in use for each association number */
      385                 :            :                         uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
      386                 :            :                         /** Channel is active */
      387                 :            :                         uint8_t active : 1;
      388                 :            :                         /** Extended packet number is enabled for SAs */
      389                 :            :                         uint8_t is_xpn : 1;
      390                 :            :                         /** Reserved bitfields for future */
      391                 :            :                         uint8_t reserved : 6;
      392                 :            :                 } sc_rx;
      393                 :            :                 struct {
      394                 :            :                         uint16_t sa_id; /**< SA ID to be used for encryption */
      395                 :            :                         uint16_t sa_id_rekey; /**< Rekeying SA ID to be used for encryption */
      396                 :            :                         uint64_t sci; /**< SCI value to be used if send_sci is set */
      397                 :            :                         uint8_t active : 1; /**< Channel is active */
      398                 :            :                         uint8_t re_key_en : 1; /**< Enable Rekeying */
      399                 :            :                         /** Extended packet number is enabled for SAs */
      400                 :            :                         uint8_t is_xpn : 1;
      401                 :            :                         /** Reserved bitfields for future */
      402                 :            :                         uint8_t reserved : 5;
      403                 :            :                 } sc_tx;
      404                 :            :         };
      405                 :            : };
     406                 :            : 
     407                 :            : /**
     408                 :            :  * MACsec Supported Algorithm list as per IEEE Std 802.1AE.
     409                 :            :  */
      410                 :            : enum rte_security_macsec_alg {
      411                 :            :         RTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */
      412                 :            :         RTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */
      413                 :            :         RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI (XPN; uses rte_security_macsec_sa.ssci/xpn) */
      414                 :            :         RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI (XPN; uses rte_security_macsec_sa.ssci/xpn) */
      415                 :            : };
     416                 :            : 
/*
 * Receive-side frame validation modes. These are the values accepted by the
 * ``validate_frames`` field of struct rte_security_macsec_xform (rx_secy).
 * Only RTE_SECURITY_MACSEC_VALIDATE_STRICT drops frames that fail validation;
 * the other modes either skip validation or deliver invalid frames anyway.
 */
/** Disable Validation of MACsec frame. */
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE    0
/** Validate MACsec frame but do not discard invalid frame. */
#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1
/** Validate MACsec frame and discard invalid frame. */
#define RTE_SECURITY_MACSEC_VALIDATE_STRICT     2
/** Do not perform any MACsec operation. */
#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP      3

/**
 * MACsec security session configuration
 *
 * Used as the ``macsec`` member of struct rte_security_session_conf when
 * ``protocol`` is RTE_SECURITY_PROTOCOL_MACSEC. The secure channel referenced
 * by ``sc_id`` must already exist. Which member of the anonymous union applies
 * is expected to follow ``dir`` (tx_secy for transmit, rx_secy for receive).
 */
struct rte_security_macsec_xform {
        /** Direction of flow/secure channel */
        enum rte_security_macsec_direction dir;
        /** MACsec algorithm to be used (see enum rte_security_macsec_alg) */
        enum rte_security_macsec_alg alg;
        /** Cipher offset from start of Ethernet header */
        uint8_t cipher_off;
        /**
         * SCI to be used for RX flow identification or
         * to set SCI in packet for TX when send_sci is set
         */
        uint64_t sci;
        /** Receive/transmit secure channel ID created by *rte_security_macsec_sc_create* */
        uint16_t sc_id;
        union {
                /** Transmit-side SecY parameters. */
                struct {
                        /** MTU for transmit frame (valid for inline processing) */
                        uint16_t mtu;
                        /**
                         * Offset to insert sectag from start of ethernet header or
                         * from a matching VLAN tag (interpretation selected by
                         * sectag_insert_mode)
                         */
                        uint8_t sectag_off;
                        /** Enable MACsec protection of frames */
                        uint16_t protect_frames : 1;
                        /**
                         * Sectag insertion mode
                         * If 1, Sectag is inserted at fixed sectag_off set above.
                         * If 0, Sectag is inserted at relative sectag_off from a matching
                         * VLAN tag set.
                         */
                        uint16_t sectag_insert_mode : 1;
                        /** ICV includes source and destination MAC addresses */
                        uint16_t icv_include_da_sa : 1;
                        /** Control port is enabled */
                        uint16_t ctrl_port_enable : 1;
                        /** Version of MACsec header. Should be 0 */
                        uint16_t sectag_version : 1;
                        /** Enable end station. SCI is not valid */
                        uint16_t end_station : 1;
                        /** Send SCI along with sectag */
                        uint16_t send_sci : 1;
                        /** enable secure channel support EPON - single copy broadcast */
                        uint16_t scb : 1;
                        /**
                         * Enable packet encryption and set RTE_MACSEC_TCI_C and
                         * RTE_MACSEC_TCI_E in sectag. When clear, frames are
                         * integrity-protected only.
                         */
                        uint16_t encrypt : 1;
                        /** Reserved bitfields for future; must be zero */
                        uint16_t reserved : 7;
                } tx_secy;
                /** Receive-side SecY parameters. */
                struct {
                        /** Replay Window size to be supported (used with replay_protect) */
                        uint32_t replay_win_sz;
                        /**
                         * Set bits as per RTE_SECURITY_MACSEC_VALIDATE_*.
                         * Only RTE_SECURITY_MACSEC_VALIDATE_STRICT discards frames
                         * that fail validation.
                         */
                        uint16_t validate_frames : 2;
                        /** ICV includes source and destination MAC addresses */
                        uint16_t icv_include_da_sa : 1;
                        /** Control port is enabled */
                        uint16_t ctrl_port_enable : 1;
                        /** Do not strip SecTAG after processing */
                        uint16_t preserve_sectag : 1;
                        /** Do not strip ICV from the packet after processing */
                        uint16_t preserve_icv : 1;
                        /**
                         * Enable anti-replay protection. Replay checking is not
                         * performed unless this bit is set; the window is given by
                         * replay_win_sz.
                         */
                        uint16_t replay_protect : 1;
                        /** Reserved bitfields for future; must be zero */
                        uint16_t reserved : 9;
                } rx_secy;
        };
};

/**
 * PDCP Mode of session
 *
 * Selected through the ``domain`` field of struct rte_security_pdcp_xform.
 */
enum rte_security_pdcp_domain {
        RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */
        RTE_SECURITY_PDCP_MODE_DATA,    /**< PDCP data plane */
        RTE_SECURITY_PDCP_MODE_SHORT_MAC,       /**< PDCP short mac */
};

/** PDCP Frame direction (``pkt_dir`` in struct rte_security_pdcp_xform) */
enum rte_security_pdcp_direction {
        RTE_SECURITY_PDCP_UPLINK,       /**< Uplink */
        RTE_SECURITY_PDCP_DOWNLINK,     /**< Downlink */
};

/**
 * PDCP Sequence Number Size selectors.
 *
 * Each enumerator's value is the sequence number width in bits, so the
 * value can be used directly as a bit count.
 */
enum rte_security_pdcp_sn_size {
        /** PDCP_SN_SIZE_5: 5bit sequence number */
        RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
        /** PDCP_SN_SIZE_7: 7bit sequence number */
        RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
        /** PDCP_SN_SIZE_12: 12bit sequence number */
        RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
        /** PDCP_SN_SIZE_15: 15bit sequence number */
        RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
        /** PDCP_SN_SIZE_18: 18bit sequence number */
        RTE_SECURITY_PDCP_SN_SIZE_18 = 18
};

/**
 * PDCP security association configuration data.
 *
 * This structure contains data required to create a PDCP security session.
 * It is used as the ``pdcp`` member of struct rte_security_session_conf when
 * ``protocol`` is RTE_SECURITY_PROTOCOL_PDCP.
 */
struct rte_security_pdcp_xform {
        int8_t bearer;  /**< PDCP bearer ID */
        /** Enable in order delivery, this field shall be set only if
         * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP.
         */
        uint8_t en_ordering;
        /** Notify driver/HW to detect and remove duplicate packets.
         * This field should be set only when driver/hw is capable.
         * See RTE_SECURITY_PDCP_DUP_DETECT_CAP.
         */
        uint8_t remove_duplicates;
        /** PDCP mode of operation: Control or data (enum rte_security_pdcp_domain) */
        enum rte_security_pdcp_domain domain;
        /** PDCP Frame Direction 0:UL 1:DL (enum rte_security_pdcp_direction) */
        enum rte_security_pdcp_direction pkt_dir;
        /** Sequence number size, 5/7/12/15/18 (enum rte_security_pdcp_sn_size) */
        enum rte_security_pdcp_sn_size sn_size;
        /** Starting Hyper Frame Number to be used together with the SN
         * from the PDCP frames
         */
        uint32_t hfn;
        /** HFN Threshold for key renegotiation */
        uint32_t hfn_threshold;
        /** HFN can be given as a per packet value also.
         * As we do not have IV in case of PDCP, and HFN is
         * used to generate IV. IV field can be used to get the
         * per packet HFN while enq/deq.
         * If hfn_ovrd field is set, user is expected to set the
         * per packet HFN in place of IV. PMDs will extract the HFN
         * and perform operations accordingly.
         * When set, the ``hfn`` field above is not the sole source of
         * the HFN: the per-operation value supplied by the application
         * is used instead.
         */
        uint8_t hfn_ovrd;
        /** In case of 5G NR, a new protocol (SDAP) header may be set
         * inside PDCP payload which should be authenticated but not
         * encrypted. Hence, driver should be notified if SDAP is
         * enabled or not, so that SDAP header is not encrypted.
         */
        uint8_t sdap_enabled;
        /** Reserved for future; must be zero */
        uint16_t reserved;
};

/**
 * DOCSIS direction.
 *
 * The direction fixes the order of the two operations performed on a frame:
 * decrypt-then-verify on uplink, generate-then-encrypt on downlink.
 */
enum rte_security_docsis_direction {
        RTE_SECURITY_DOCSIS_UPLINK,
        /**< Uplink
         * - Decryption, followed by CRC Verification
         */
        RTE_SECURITY_DOCSIS_DOWNLINK,
        /**< Downlink
         * - CRC Generation, followed by Encryption
         */
};

/**
 * DOCSIS security session configuration.
 *
 * This structure contains data required to create a DOCSIS security session.
 * It is used as the ``docsis`` member of struct rte_security_session_conf
 * when ``protocol`` is RTE_SECURITY_PROTOCOL_DOCSIS.
 */
struct rte_security_docsis_xform {
        enum rte_security_docsis_direction direction;
        /**< DOCSIS direction (see enum rte_security_docsis_direction) */
};

/*
 * Implicit nonce lengths. These size the ``imp_nonce`` arrays inside
 * struct rte_security_tls_record_xform; note that TLS 1.3 uses a 12-byte
 * implicit nonce while (D)TLS 1.2 uses 4 bytes.
 */
/** Implicit nonce length to be used with AEAD algos in TLS 1.2 */
#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4
/** Implicit nonce length to be used with AEAD algos in TLS 1.3 */
#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12
/** Implicit nonce length to be used with AEAD algos in DTLS 1.2 */
#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4

/** TLS version (``ver`` in struct rte_security_tls_record_xform) */
enum rte_security_tls_version {
        RTE_SECURITY_VERSION_TLS_1_2,   /**< TLS 1.2 */
        RTE_SECURITY_VERSION_TLS_1_3,   /**< TLS 1.3 */
        RTE_SECURITY_VERSION_DTLS_1_2,  /**< DTLS 1.2 */
};

/**
 * TLS session type (``type`` in struct rte_security_tls_record_xform).
 *
 * A session handles one direction of the record layer only.
 */
enum rte_security_tls_sess_type {
        /** Record read session
         * - Decrypt & digest verification.
         */
        RTE_SECURITY_TLS_SESS_TYPE_READ,
        /** Record write session
         * - Encrypt & digest generation.
         */
        RTE_SECURITY_TLS_SESS_TYPE_WRITE,
};

/**
 * TLS record session options
 *
 * Bit flags embedded in struct rte_security_tls_record_xform as ``options``.
 */
struct rte_security_tls_record_sess_options {
        /** Disable IV generation in PMD.
         *
         * * 1: Disable IV generation in PMD. When disabled, IV provided in rte_crypto_op will be
         *      used by the PMD. In this mode the application is responsible for supplying an
         *      IV for every record; with AEAD algorithms the IV must never repeat under the
         *      same key.
         *
         * * 0: Enable IV generation in PMD. When enabled, PMD generated random value would be used
         *      and application is not required to provide IV.
         */
        uint32_t iv_gen_disable : 1;
        /** Enable extra padding
         *
         *  TLS allows user to pad the plain text to hide the actual size of the record.
         *  This is required to achieve traffic flow confidentiality in case of TLS/DTLS flows.
         *  This padding is in addition to the default padding performed by PMD
         *  (which ensures ciphertext is aligned to block size).
         *
         *  On supported devices, application may pass the required additional padding via
         *  ``rte_crypto_op.aux_flags`` field.
         *
         * 1 : Enable extra padding of the plain text provided. The extra padding value would be
         *     read from ``rte_crypto_op.aux_flags``.
         *
         * 0 : Disable extra padding
         */
        uint32_t extra_padding_enable : 1;
};

/**
 * Configure soft and hard lifetime of a TLS record session.
 *
 * Lifetime of a TLS record session would specify the maximum number of packets that can be
 * processed. TLS record processing operations would start failing once hard limit is reached.
 *
 * Soft limits can be specified to generate notification when the TLS record session is approaching
 * hard limits for lifetime. This would result in a warning returned in ``rte_crypto_op.aux_flags``.
 *
 * The soft limit is intended to be reached before the hard limit so that the
 * application has time to re-key; the warning is advisory, the hard limit is
 * what actually stops processing.
 */
struct rte_security_tls_record_lifetime {
        /** Soft expiry limit in number of packets (warning via aux_flags) */
        uint64_t packets_soft_limit;
        /** Hard expiry limit in number of packets (operations fail once reached) */
        uint64_t packets_hard_limit;
};

/**
 * TLS record protocol session configuration.
 *
 * This structure contains data required to create a TLS record security session.
 * It is used as the ``tls_record`` member of struct rte_security_session_conf
 * when ``protocol`` is RTE_SECURITY_PROTOCOL_TLS_RECORD. The union member to
 * fill in is expected to match ``ver``.
 */
struct rte_security_tls_record_xform {
        /** TLS record version. Selects which union member below is used. */
        enum rte_security_tls_version ver;
        /** TLS record session type (read or write). */
        enum rte_security_tls_sess_type type;
        /** TLS record session options. */
        struct rte_security_tls_record_sess_options options;
        /** TLS record session lifetime. */
        struct rte_security_tls_record_lifetime life;
        union {
                /** TLS 1.2 parameters. */
                struct {
                        /** Starting sequence number. */
                        uint64_t seq_no;
                        /** Implicit nonce to be used for AEAD algos (4 bytes). */
                        uint8_t imp_nonce[RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN];
                } tls_1_2;

                /** TLS 1.3 parameters. */
                struct {
                        /** Starting sequence number. */
                        uint64_t seq_no;
                        /** Implicit nonce to be used for AEAD algos (12 bytes). */
                        uint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN];
                        /**
                         * Minimum payload length (in case of write sessions).
                         * For shorter inputs, the payload would be padded appropriately
                         * before performing crypto transformations.
                         */
                        uint32_t min_payload_len;
                } tls_1_3;

                /** DTLS 1.2 parameters */
                struct {
                        /** Epoch value to be used. */
                        uint16_t epoch;
                        /** 6B starting sequence number to be used (upper bytes unused). */
                        uint64_t seq_no;
                        /** Implicit nonce to be used for AEAD algos (4 bytes). */
                        uint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN];
                        /**
                         * Anti replay window size to enable sequence replay attack handling.
                         * Anti replay check is disabled if the window size is 0, so a
                         * read session that leaves this at 0 accepts replayed records.
                         */
                        uint32_t ar_win_sz;
                } dtls_1_2;
        };
};

/**
 * Security session action type.
 *
 * Where the security processing happens (inline on the device, on a lookaside
 * accelerator, or on the CPU). Selected through ``action_type`` in
 * struct rte_security_session_conf.
 */
/* Enumeration of rte_security_session_action_type 8<*/
enum rte_security_session_action_type {
        RTE_SECURITY_ACTION_TYPE_NONE,
        /**< No security actions */
        RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
        /**< Crypto processing for security protocol is processed inline
         * during transmission
         */
        RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
        /**< All security protocol processing is performed inline during
         * transmission
         */
        RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
        /**< All security protocol processing including crypto is performed
         * on a lookaside accelerator
         */
        RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
        /**< Similar to ACTION_TYPE_NONE but crypto processing for security
         * protocol is processed synchronously by a CPU.
         */
};
/* >8 End enumeration of rte_security_session_action_type. */

/**
 * Security session protocol definition.
 *
 * Selected through ``protocol`` in struct rte_security_session_conf; it also
 * determines which xform member of that structure's union is read.
 * Values start at 1 so that a zero-initialised configuration does not name a
 * valid protocol.
 */
/* Enumeration of rte_security_session_protocol 8<*/
enum rte_security_session_protocol {
        RTE_SECURITY_PROTOCOL_IPSEC = 1,
        /**< IPsec Protocol */
        RTE_SECURITY_PROTOCOL_MACSEC,
        /**< MACSec Protocol */
        RTE_SECURITY_PROTOCOL_PDCP,
        /**< PDCP Protocol */
        RTE_SECURITY_PROTOCOL_DOCSIS,
        /**< DOCSIS Protocol */
        RTE_SECURITY_PROTOCOL_TLS_RECORD,
        /**< TLS Record Protocol */
};
/* >8 End enumeration of rte_security_session_protocol. */

/**
 * Security session configuration
 *
 * Passed to rte_security_session_create() and rte_security_session_update().
 * ``protocol`` selects which member of the anonymous union is interpreted;
 * the remaining members are ignored.
 */
/* Structure rte_security_session_conf 8< */
struct rte_security_session_conf {
        enum rte_security_session_action_type action_type;
        /**< Type of action to be performed on the session */
        enum rte_security_session_protocol protocol;
        /**< Security protocol to be configured */
        union {
                struct rte_security_ipsec_xform ipsec;
                struct rte_security_macsec_xform macsec;
                struct rte_security_pdcp_xform pdcp;
                struct rte_security_docsis_xform docsis;
                struct rte_security_tls_record_xform tls_record;
        };
        /**< Configuration parameters for security session, one per protocol */
        struct rte_crypto_sym_xform *crypto_xform;
        /**< Security Session Crypto Transformations. NULL in case of MACsec. */
        void *userdata;
        /**< Application specific userdata to be saved with session; opaque to
         * the library, the application keeps ownership of what it points to.
         */
};
/* >8 End of structure rte_security_session_conf. */

/**
 * Create security session as specified by the session configuration
 *
 * The returned handle is opaque; it is carved out of @p mp and is expected to
 * be returned to that mempool through the session free API declared later in
 * this header once it is no longer in use.
 *
 * @param   instance    security instance
 * @param   conf        session configuration parameters
 * @param   mp          mempool to allocate session objects from
 * @return
 *  - On success, pointer to session
 *  - On failure, NULL (callers must check before use)
 */
void *
rte_security_session_create(void *instance,
                            struct rte_security_session_conf *conf,
                            struct rte_mempool *mp);

/**
 * Update security session as specified by the session configuration
 *
 * @param   instance    security instance
 * @param   sess        session to update parameters
 * @param   conf        update configuration parameters
 * @return
 *  - On success returns 0
 *  - On failure returns a negative errno value; the session is then not
 *    guaranteed to carry the requested parameters.
 */
int
rte_security_session_update(void *instance,
                            void *sess,
                            struct rte_security_session_conf *conf);

/**
 * Get the size of the security session data for a device.
 *
 * A return value of 0 is an error indication, not a valid size; callers
 * using the result to size a mempool element must check for it.
 *
 * @param   instance    security instance.
 *
 * @return
 *   - Size of the private data, if successful
 *   - 0 if device is invalid or does not support the operation.
 */
unsigned int
rte_security_session_get_size(void *instance);
     834                 :            : 
/**
 * Free security session header and the session private data and
 * return it to its original mempool.
 *
 * After a successful return @p sess is no longer valid and must not be
 * passed to any other rte_security API.
 *
 * @param   instance    security instance
 * @param   sess        security session to be freed
 *
 * @return
 *  - 0 if successful.
 *  - -EINVAL if session or context instance is NULL.
 *  - -EBUSY if not all device private data has been freed.
 *  - -ENOTSUP if destroying private data is not supported.
 *  - other negative values in case of freeing private data errors.
 */
int
rte_security_session_destroy(void *instance, void *sess);
     851                 :            : 
/**
 * Create MACsec security channel (SC).
 *
 * A successful return is a non-negative SC ID. Check the sign before
 * narrowing the value to the uint16_t sc_id expected by
 * rte_security_macsec_sc_destroy(), otherwise a negative errno would be
 * silently truncated into a bogus ID.
 *
 * @param   instance    security instance
 * @param   conf        MACsec SC configuration params
 * @return
 *  - secure channel ID if successful.
 *  - -EINVAL if configuration params are invalid or instance is NULL.
 *  - -ENOTSUP if device does not support MACsec.
 *  - -ENOMEM if PMD is not capable to create more SC.
 *  - other negative value for other errors.
 */
int
rte_security_macsec_sc_create(void *instance,
			      struct rte_security_macsec_sc *conf);
     867                 :            : 
/**
 * Destroy MACsec security channel (SC).
 *
 * @param   instance    security instance
 * @param   sc_id       SC ID to be destroyed (as returned by
 *                      rte_security_macsec_sc_create())
 * @param   dir         direction of the SC
 * @return
 *  - 0 if successful.
 *  - -EINVAL if sc_id is invalid or instance is NULL.
 *  - -EBUSY if sc is being used by some session.
 */
int
rte_security_macsec_sc_destroy(void *instance, uint16_t sc_id,
			       enum rte_security_macsec_direction dir);
     882                 :            : 
/**
 * Create MACsec security association (SA).
 *
 * A successful return is a non-negative SA ID. Check the sign before
 * narrowing the value to the uint16_t sa_id expected by
 * rte_security_macsec_sa_destroy(), otherwise a negative errno would be
 * silently truncated into a bogus ID.
 *
 * @param   instance    security instance
 * @param   conf        MACsec SA configuration params
 * @return
 *  - positive SA ID if successful.
 *  - -EINVAL if configuration params are invalid or instance is NULL.
 *  - -ENOTSUP if device does not support MACsec.
 *  - -ENOMEM if PMD is not capable to create more SAs.
 *  - other negative value for other errors.
 */
int
rte_security_macsec_sa_create(void *instance,
			      struct rte_security_macsec_sa *conf);
     898                 :            : 
/**
 * Destroy MACsec security association (SA).
 *
 * @param   instance    security instance
 * @param   sa_id       SA ID to be destroyed (as returned by
 *                      rte_security_macsec_sa_create())
 * @param   dir         direction of the SA
 * @return
 *  - 0 if successful.
 *  - -EINVAL if sa_id is invalid or instance is NULL.
 *  - -EBUSY if sa is being used by some session.
 */
int
rte_security_macsec_sa_destroy(void *instance, uint16_t sa_id,
			       enum rte_security_macsec_direction dir);
     913                 :            : 
/** Device-specific metadata field type: one 64-bit word per mbuf. */
typedef uint64_t rte_security_dynfield_t;
/**
 * Offset of the dynamic mbuf field for device-specific metadata.
 * A negative value means the field has not been registered yet;
 * see rte_security_dynfield_is_registered().
 */
extern int rte_security_dynfield_offset;

/** Out-of-Place(OOP) processing field type: pointer to the original mbuf. */
typedef struct rte_mbuf *rte_security_oop_dynfield_t;
/** Dynamic mbuf field for pointer to original mbuf for
 * OOP processing session.
 * NOTE(review): presumably follows the same negative-means-unregistered
 * convention as rte_security_dynfield_offset — no checker is visible here.
 */
extern int rte_security_oop_dynfield_offset;
     925                 :            : 
/**
 * Get pointer to mbuf field for device-specific metadata.
 *
 * For performance reason, no check is done,
 * the dynamic field may not be registered. If it is not, the pointer
 * returned here must not be dereferenced.
 * @see rte_security_dynfield_is_registered
 *
 * @param       mbuf    packet to access
 * @return pointer to mbuf field
 */
static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
	rte_security_dynfield_t *field;

	/* Plain offset arithmetic from the mbuf base; no bounds check. */
	field = RTE_MBUF_DYNFIELD(mbuf, rte_security_dynfield_offset,
				  rte_security_dynfield_t *);
	return field;
}
     943                 :            : 
/**
 * @warning
 * @b EXPERIMENTAL: this API may change without prior notice
 *
 * Get pointer to mbuf field for original mbuf pointer when
 * Out-Of-Place(OOP) processing is enabled in security session.
 *
 * As with rte_security_dynfield(), no registration check is performed;
 * rte_security_oop_dynfield_offset must be valid before the result is used.
 *
 * @param       mbuf    packet to access
 * @return pointer to mbuf field
 */
__rte_experimental
static inline rte_security_oop_dynfield_t *
rte_security_oop_dynfield(struct rte_mbuf *mbuf)
{
	const int off = rte_security_oop_dynfield_offset;

	return RTE_MBUF_DYNFIELD(mbuf, off, rte_security_oop_dynfield_t *);
}
     962                 :            : 
/**
 * Check whether the dynamic field is registered.
 *
 * Registration assigns a non-negative offset; anything below zero means
 * rte_security_dynfield_register() has not run.
 *
 * @return true if rte_security_dynfield_register() has been called.
 */
static inline bool rte_security_dynfield_is_registered(void)
{
	return !(rte_security_dynfield_offset < 0);
}
     972                 :            : 
#define RTE_SECURITY_CTX_FLAGS_OFF		4
/**
 * Get security flags from security instance.
 *
 * Reads the 32-bit word at index RTE_SECURITY_CTX_FLAGS_OFF of the opaque
 * context. That index is tied to the private context layout defined by the
 * implementation — confirm it against the driver-side definition whenever
 * the layout changes. No validation of @p ctx is performed.
 *
 * @param ctx   security instance (must not be NULL)
 * @return the flags word (e.g. RTE_SEC_CTX_F_FAST_SET_MDATA bits)
 */
static inline uint32_t
rte_security_ctx_flags_get(void *ctx)
{
	const uint32_t *words = ctx;

	return words[RTE_SECURITY_CTX_FLAGS_OFF];
}
     982                 :            : 
/**
 * Set security flags in security instance.
 *
 * Overwrites the 32-bit word at index RTE_SECURITY_CTX_FLAGS_OFF of the
 * opaque context; @p ctx must point at a security context at least that
 * many words long. No validation is performed.
 *
 * @param ctx    security instance (must not be NULL)
 * @param flags  new flags word, replacing the previous value entirely
 */
static inline void
rte_security_ctx_flags_set(void *ctx, uint32_t flags)
{
	uint32_t *words = ctx;

	words[RTE_SECURITY_CTX_FLAGS_OFF] = flags;
}
     993                 :            : 
#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF	0
#define RTE_SECURITY_SESS_FAST_MDATA_OFF	1
/**
 * Get opaque data from session handle
 *
 * Reads 64-bit word RTE_SECURITY_SESS_OPAQUE_DATA_OFF of the opaque session
 * object. The index is tied to the session layout defined by the
 * implementation; @p sess is not validated.
 *
 * @param sess  security session (must not be NULL)
 * @return the opaque data word stored by rte_security_session_opaque_data_set()
 */
static inline uint64_t
rte_security_session_opaque_data_get(void *sess)
{
	const uint64_t *words = sess;

	return words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF];
}
    1004                 :            : 
/**
 * Set opaque data in session handle
 *
 * Overwrites 64-bit word RTE_SECURITY_SESS_OPAQUE_DATA_OFF of the opaque
 * session object; @p sess is not validated.
 *
 * @param sess    security session (must not be NULL)
 * @param opaque  application value to store
 */
static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
	uint64_t *words = sess;

	words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF] = opaque;
}
    1015                 :            : 
/**
 * Get fast mdata from session handle
 *
 * Reads 64-bit word RTE_SECURITY_SESS_FAST_MDATA_OFF of the opaque session
 * object. This is the value rte_security_set_pkt_metadata() copies into the
 * mbuf dynamic field on its fast path; @p sess is not validated.
 *
 * @param sess  security session (must not be NULL)
 * @return the cached metadata word
 */
static inline uint64_t
rte_security_session_fast_mdata_get(void *sess)
{
	const uint64_t *words = sess;

	return words[RTE_SECURITY_SESS_FAST_MDATA_OFF];
}
    1024                 :            : 
/**
 * Set fast mdata in session handle
 *
 * Overwrites 64-bit word RTE_SECURITY_SESS_FAST_MDATA_OFF of the opaque
 * session object; @p sess is not validated.
 *
 * @param sess   security session (must not be NULL)
 * @param fdata  metadata word to cache for the fast path
 */
static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
	uint64_t *words = sess;

	words[RTE_SECURITY_SESS_FAST_MDATA_OFF] = fdata;
}
    1035                 :            : 
/**
 * Function to call PMD specific function pointer set_pkt_metadata().
 *
 * Internal slow-path helper behind rte_security_set_pkt_metadata();
 * applications should call that wrapper rather than this function.
 */
int __rte_security_set_pkt_metadata(void *instance,
				    void *sess,
				    struct rte_mbuf *m, void *params);
    1040                 :            : 
/**
 *  Updates the buffer with device-specific defined metadata
 *
 * When the instance advertises RTE_SEC_CTX_F_FAST_SET_MDATA the session's
 * cached metadata word is written straight into the mbuf dynamic field and
 * the PMD is not called; otherwise the PMD callback is invoked.
 *
 * @param       instance        security instance
 * @param       sess            security session
 * @param       mb              packet mbuf to set metadata on.
 * @param       params          device-specific defined parameters
 *                              required for metadata
 *
 * @return
 *  - On success, zero.
 *  - On failure, a negative value.
 */
static inline int
rte_security_set_pkt_metadata(void *instance,
			      void *sess,
			      struct rte_mbuf *mb, void *params)
{
	const uint32_t flags = rte_security_ctx_flags_get(instance);

	/* Slow path: hand the call to the PMD-specific function pointer. */
	if (!(flags & RTE_SEC_CTX_F_FAST_SET_MDATA))
		return __rte_security_set_pkt_metadata(instance, sess, mb, params);

	/*
	 * Fast path. No check that the dynamic field is registered is made
	 * here (see rte_security_dynfield()); the caller must ensure it is.
	 */
	*rte_security_dynfield(mb) =
		(rte_security_dynfield_t)rte_security_session_fast_mdata_get(sess);
	return 0;
}
    1069                 :            : 
/**
 * Attach a session to a symmetric crypto operation
 *
 * Stores @p sess in the sym op's session slot; nothing is validated and
 * nothing can fail. Internal helper for rte_security_attach_session().
 *
 * @param       sym_op  crypto operation
 * @param       sess    security session
 * @return always 0
 */
static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess)
{
	sym_op->session = sess;

	/* Kept as int for the caller's convenience; there is no failure path. */
	return 0;
}
    1083                 :            : 
/**
 * Attach a session to a crypto operation.
 * This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD
 * For other rte_security_session_action_type, ol_flags in rte_mbuf may be
 * defined to perform security operations.
 *
 * Only symmetric operations are accepted; the op's sess_type is switched
 * to RTE_CRYPTO_OP_SECURITY_SESSION so the PMD interprets the session
 * pointer correctly.
 *
 * @param       op      crypto operation
 * @param       sess    security session
 * @return 0 on success, -EINVAL if @p op is not a symmetric operation
 */
static inline int
rte_security_attach_session(struct rte_crypto_op *op,
			    void *sess)
{
	if (likely(op->type == RTE_CRYPTO_OP_TYPE_SYMMETRIC)) {
		op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;
		return __rte_security_attach_session(op->sym, sess);
	}

	return -EINVAL;
}
    1104                 :            : 
/**
 * MACsec SecY statistics.
 *
 * Counters below the "Valid only for Rx"/"Valid only for Tx" markers are
 * meaningful for that direction only. Field names are part of the public
 * API; the `pkt_untaged_cnt` spelling is kept for compatibility.
 */
struct rte_security_macsec_secy_stats {
	uint64_t ctl_pkt_bcast_cnt;
	uint64_t ctl_pkt_mcast_cnt;
	uint64_t ctl_pkt_ucast_cnt;
	uint64_t ctl_octet_cnt;
	uint64_t unctl_pkt_bcast_cnt;
	uint64_t unctl_pkt_mcast_cnt;
	uint64_t unctl_pkt_ucast_cnt;
	uint64_t unctl_octet_cnt;
	/* Valid only for Rx */
	uint64_t octet_decrypted_cnt;
	uint64_t octet_validated_cnt;
	uint64_t pkt_port_disabled_cnt;
	uint64_t pkt_badtag_cnt;
	uint64_t pkt_nosa_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_tagged_ctl_cnt;
	uint64_t pkt_untaged_cnt;
	uint64_t pkt_ctl_cnt;
	uint64_t pkt_notag_cnt;
	/* Valid only for Tx */
	uint64_t octet_encrypted_cnt;
	uint64_t octet_protected_cnt;
	uint64_t pkt_noactivesa_cnt;
	uint64_t pkt_toolong_cnt;
	uint64_t pkt_untagged_cnt;
};
    1132                 :            : 
/**
 * MACsec secure channel (SC) statistics.
 *
 * The Rx group and the Tx group are each meaningful for one direction
 * only (see rte_security_macsec_sc_stats_get()).
 */
struct rte_security_macsec_sc_stats {
	/* Rx */
	uint64_t hit_cnt;
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_late_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_unchecked_cnt;
	uint64_t pkt_delay_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t octet_decrypt_cnt;
	uint64_t octet_validate_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
	uint64_t octet_encrypt_cnt;
	uint64_t octet_protected_cnt;
};
    1150                 :            : 
/**
 * MACsec security association (SA) statistics.
 *
 * The Rx group and the Tx group are each meaningful for one direction
 * only (see rte_security_macsec_sa_stats_get()).
 */
struct rte_security_macsec_sa_stats {
	/* Rx */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t pkt_nosa_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
};
    1162                 :            : 
/**
 * IPsec statistics.
 *
 * The reserved words keep the structure size stable so counters can be
 * added later without an ABI change.
 */
struct rte_security_ipsec_stats {
	uint64_t ipackets;  /**< Successfully received IPsec packets. */
	uint64_t opackets;  /**< Successfully transmitted IPsec packets.*/
	uint64_t ibytes;    /**< Successfully received IPsec bytes. */
	uint64_t obytes;    /**< Successfully transmitted IPsec bytes. */
	uint64_t ierrors;   /**< IPsec packets receive/decrypt errors. */
	uint64_t oerrors;   /**< IPsec packets transmit/encrypt errors. */
	uint64_t reserved1; /**< Reserved for future use. */
	uint64_t reserved2; /**< Reserved for future use. */
};
    1173                 :            : 
/** PDCP statistics placeholder; no counters are defined yet. */
struct rte_security_pdcp_stats {
	uint64_t reserved; /**< Reserved for future use. */
};
    1177                 :            : 
/** DOCSIS statistics placeholder; no counters are defined yet. */
struct rte_security_docsis_stats {
	uint64_t reserved; /**< Reserved for future use. */
};
    1181                 :            : 
/**
 * Security statistics returned by rte_security_session_stats_get().
 *
 * @p protocol is expected to select which member of the anonymous union
 * is valid; the other members hold unspecified data.
 */
struct rte_security_stats {
	enum rte_security_session_protocol protocol;
	/**< Security protocol to be configured */

	union {
		struct rte_security_macsec_secy_stats macsec;
		struct rte_security_ipsec_stats ipsec;
		struct rte_security_pdcp_stats pdcp;
		struct rte_security_docsis_stats docsis;
	};
};
    1193                 :            : 
/**
 * Get security session statistics
 *
 * @param       instance        security instance
 * @param       sess            security session
 * If security session is NULL then global (per security instance) statistics
 * will be retrieved, if supported. Global statistics collection is not
 * dependent on the per session statistics configuration.
 * @param       stats           statistics, filled in by the call
 * @return
 *  - On success, return 0
 *  - On failure, a negative value
 */
int
rte_security_session_stats_get(void *instance,
			       void *sess,
			       struct rte_security_stats *stats);
    1211                 :            : 
/**
 * Get MACsec SA statistics.
 *
 * @param       instance        security instance
 * @param       sa_id           SA ID for which stats are needed
 * @param       dir             direction of the SA
 * @param       stats           SA statistics, filled in by the call
 * @return
 *  - On success, return 0.
 *  - On failure, a negative value.
 */
int
rte_security_macsec_sa_stats_get(void *instance,
				 uint16_t sa_id, enum rte_security_macsec_direction dir,
				 struct rte_security_macsec_sa_stats *stats);
    1227                 :            : 
/**
 * Get MACsec SC statistics.
 *
 * @param       instance        security instance
 * @param       sc_id           SC ID for which stats are needed
 * @param       dir             direction of the SC
 * @param       stats           SC statistics, filled in by the call
 * @return
 *  - On success, return 0.
 *  - On failure, a negative value.
 */
int
rte_security_macsec_sc_stats_get(void *instance,
				 uint16_t sc_id, enum rte_security_macsec_direction dir,
				 struct rte_security_macsec_sc_stats *stats);
    1243                 :            : 
    1244                 :            : /**
    1245                 :            :  * Security capability definition
    1246                 :            :  */
    1247                 :            : struct rte_security_capability {
    1248                 :            :         enum rte_security_session_action_type action;
    1249                 :            :         /**< Security action type */
    1250                 :            :         enum rte_security_session_protocol protocol;
    1251                 :            :         /**< Security protocol; selects which member of the union below is meaningful */
    1252                 :            :         union {
    1253                 :            :                 struct {
    1254                 :            :                         enum rte_security_ipsec_sa_protocol proto;
    1255                 :            :                         /**< IPsec SA protocol */
    1256                 :            :                         enum rte_security_ipsec_sa_mode mode;
    1257                 :            :                         /**< IPsec SA mode */
    1258                 :            :                         enum rte_security_ipsec_sa_direction direction;
    1259                 :            :                         /**< IPsec SA direction */
    1260                 :            :                         struct rte_security_ipsec_sa_options options;
    1261                 :            :                         /**< IPsec SA supported options */
    1262                 :            :                         uint32_t replay_win_sz_max;
    1263                 :            :                         /**< IPsec Anti Replay Window Size. A '0' value
    1264                 :            :                          * indicates that Anti Replay is not supported.
    1265                 :            :                          */
    1266                 :            :                 } ipsec;
    1267                 :            :                 /**< IPsec capability */
    1268                 :            :                 struct {
    1269                 :            :                         /** MTU supported for inline TX */
    1270                 :            :                         uint16_t mtu;
    1271                 :            :                         /** MACsec algorithm to be used */
    1272                 :            :                         enum rte_security_macsec_alg alg;
    1273                 :            :                         /** Maximum number of secure channels supported */
    1274                 :            :                         uint16_t max_nb_sc;
    1275                 :            :                         /** Maximum number of SAs supported */
    1276                 :            :                         uint16_t max_nb_sa;
    1277                 :            :                         /** Maximum number of sessions supported
    1278                 :            :                          * (NOTE(review): this comment was a copy of the max_nb_sa one; confirm)
    1279                 :            :                          */
    1278                 :            :                         uint16_t max_nb_sess;
    1279                 :            :                         /** MACsec anti replay window size; see the anti_replay capability bit below */
    1280                 :            :                         uint32_t replay_win_sz;
    1281                 :            :                         /** Support Sectag insertion at relative offset */
    1282                 :            :                         uint16_t relative_sectag_insert : 1;
    1283                 :            :                         /** Support Sectag insertion at fixed offset */
    1284                 :            :                         uint16_t fixed_sectag_insert : 1;
    1285                 :            :                         /** ICV includes source and destination MAC addresses */
    1286                 :            :                         uint16_t icv_include_da_sa : 1;
    1287                 :            :                         /** Control port traffic is supported */
    1288                 :            :                         uint16_t ctrl_port_enable : 1;
    1289                 :            :                         /** Do not strip SecTAG after processing */
    1290                 :            :                         uint16_t preserve_sectag : 1;
    1291                 :            :                         /** Do not strip ICV from the packet after processing */
    1292                 :            :                         uint16_t preserve_icv : 1;
    1293                 :            :                         /** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */
    1294                 :            :                         uint16_t validate_frames : 1;
    1295                 :            :                         /** Support re-keying on SA expiry */
    1296                 :            :                         uint16_t re_key : 1;
    1297                 :            :                         /** Support anti replay (window size given by replay_win_sz above) */
    1298                 :            :                         uint16_t anti_replay : 1;
    1299                 :            :                         /** Reserved bitfields for future capabilities; pads the nine flag bits above to 16 */
    1300                 :            :                         uint16_t reserved : 7;
    1301                 :            :                 } macsec;
    1302                 :            :                 /**< MACsec capability */
    1303                 :            :                 struct {
    1304                 :            :                         enum rte_security_pdcp_domain domain;
    1305                 :            :                         /**< PDCP mode of operation: Control or data */
    1306                 :            :                         uint32_t capa_flags;
    1307                 :            :                         /**< Capability flags, see RTE_SECURITY_PDCP_* */
    1308                 :            :                 } pdcp;
    1309                 :            :                 /**< PDCP capability */
    1310                 :            :                 struct {
    1311                 :            :                         enum rte_security_docsis_direction direction;
    1312                 :            :                         /**< DOCSIS direction */
    1313                 :            :                 } docsis;
    1314                 :            :                 /**< DOCSIS capability */
    1315                 :            :                 struct {
    1316                 :            :                         enum rte_security_tls_version ver;
    1317                 :            :                         /**< TLS record version. */
    1318                 :            :                         enum rte_security_tls_sess_type type;
    1319                 :            :                         /**< TLS record session type. */
    1320                 :            :                         uint32_t ar_win_size;
    1321                 :            :                         /**< Maximum anti replay window size supported for DTLS 1.2 record read
    1322                 :            :                          * operation. Value of 0 means anti replay check is not supported.
    1323                 :            :                          */
    1324                 :            :                 } tls_record;
    1325                 :            :                 /**< TLS record capability */
    1326                 :            :         };
    1327                 :            : 
    1328                 :            :         const struct rte_cryptodev_capabilities *crypto_capabilities;
    1329                 :            :         /**< Corresponding crypto capabilities for this security capability */
    1330                 :            : 
    1331                 :            :         uint32_t ol_flags;
    1332                 :            :         /**< Device offload flags; presumably a mask of the RTE_SECURITY_TX_OLOAD_NEED_MDATA
    1333                 :            :          * and RTE_SECURITY_*_HW_TRAILER_OFFLOAD values defined below — confirm
    1334                 :            :          */
    1333                 :            : };
    1334                 :            : 
    1335                 :            : /** Underlying hardware/driver that supports PDCP may or may not support
    1336                 :            :  * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it does.
    1337                 :            :  * If it is not set, the driver/HW assumes packets are received in order
    1338                 :            :  * and it is the application's responsibility to maintain ordering.
    1339                 :            :  */
    1340                 :            : #define RTE_SECURITY_PDCP_ORDERING_CAP          0x00000001
    1341                 :            : 
    1342                 :            : /** Underlying hardware/driver that supports PDCP may or may not detect
    1343                 :            :  * duplicate packets. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it does.
    1344                 :            :  * If it is not set, the driver/HW assumes no duplicate packets are received,
    1345                 :            :  * so any duplicate detection is left to the application.
    1346                 :            :  */
    1346                 :            : #define RTE_SECURITY_PDCP_DUP_DETECT_CAP        0x00000002
    1347                 :            : 
    1348                 :            : #define RTE_SECURITY_TX_OLOAD_NEED_MDATA        0x00000001
    1349                 :            : /**< HW needs a metadata update before Tx, see rte_security_set_pkt_metadata().
    1350                 :            :  */
    1351                 :            : 
    1352                 :            : #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD      0x00000002
    1353                 :            : /**< HW constructs the trailer of packets.
    1354                 :            :  * Transmitted packets will have the trailer added to them
    1355                 :            :  * by hardware. The next protocol field will be based on
    1356                 :            :  * the mbuf->inner_esp_next_proto field.
    1357                 :            :  */
    1358                 :            : #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD      0x00010000
    1359                 :            : /**< HW removes the trailer of packets.
    1360                 :            :  * Received packets have no trailer; the next protocol field
    1361                 :            :  * is supplied in the mbuf->inner_esp_next_proto field.
    1362                 :            :  * The inner packet is not modified.
    1363                 :            :  */
    1364                 :            : 
    1365                 :            : /**
    1366                 :            :  * Security capability index used to query a security instance for a specific
    1367                 :            :  * security capability
    1368                 :            :  */
    1369                 :            : struct rte_security_capability_idx {
    1370                 :            :         enum rte_security_session_action_type action;
    1371                 :            :         /**< Security action type to match */
    1371                 :            :         enum rte_security_session_protocol protocol;
    1372                 :            :         /**< Security protocol to match; selects which union member below applies */
    1372                 :            : 
    1373                 :            :         union {
    1374                 :            :                 struct {
    1375                 :            :                         enum rte_security_ipsec_sa_protocol proto;
    1376                 :            :                         /**< IPsec SA protocol */
    1376                 :            :                         enum rte_security_ipsec_sa_mode mode;
    1377                 :            :                         /**< IPsec SA mode */
    1377                 :            :                         enum rte_security_ipsec_sa_direction direction;
    1378                 :            :                         /**< IPsec SA direction */
    1378                 :            :                 } ipsec;
    1379                 :            :                 /**< IPsec match criteria */
    1379                 :            :                 struct {
    1380                 :            :                         enum rte_security_pdcp_domain domain;
    1381                 :            :                         /**< PDCP mode of operation: Control or data */
    1381                 :            :                         uint32_t capa_flags;
    1382                 :            :                         /**< Capability flags, see RTE_SECURITY_PDCP_* */
    1382                 :            :                 } pdcp;
    1383                 :            :                 /**< PDCP match criteria */
    1383                 :            :                 struct {
    1384                 :            :                         enum rte_security_docsis_direction direction;
    1385                 :            :                         /**< DOCSIS direction */
    1385                 :            :                 } docsis;
    1386                 :            :                 /**< DOCSIS match criteria */
    1386                 :            :                 struct {
    1387                 :            :                         enum rte_security_macsec_alg alg;
    1388                 :            :                         /**< MACsec algorithm */
    1388                 :            :                 } macsec;
    1389                 :            :                 /**< MACsec match criteria */
    1389                 :            :                 struct {
    1390                 :            :                         enum rte_security_tls_version ver;
    1391                 :            :                         /**< TLS record version */
    1391                 :            :                         enum rte_security_tls_sess_type type;
    1392                 :            :                         /**< TLS record session type */
    1392                 :            :                 } tls_record;
    1393                 :            :                 /**< TLS record match criteria */
    1393                 :            :         };
    1394                 :            : };
    1395                 :            : 
    1396                 :            : /**
    1397                 :            :  * Returns the array of security instance capabilities.
    1398                 :            :  *
    1399                 :            :  * @param       instance        Security instance.
    1400                 :            :  *
    1401                 :            :  * @return
    1402                 :            :  *   - Array of security capabilities (const; callers must not modify it).
    1403                 :            :  *   - NULL if no capabilities are available.
    1404                 :            :  *
    1405                 :            :  * NOTE(review): neither the array's length nor its terminating entry is
    1406                 :            :  * documented here, and callers need one of them to iterate safely — confirm
    1407                 :            :  * against the implementation and document the sentinel.
    1404                 :            :  */
    1405                 :            : const struct rte_security_capability *
    1406                 :            : rte_security_capabilities_get(void *instance);
    1407                 :            : 
    1408                 :            : /**
    1409                 :            :  * Query whether a specific capability is available on a security instance.
    1410                 :            :  *
    1411                 :            :  * @param       instance        Security instance.
    1412                 :            :  * @param       idx             Security capability index to match against.
    1413                 :            :  *                              NOTE(review): used only as match criteria per the
    1414                 :            :  *                              description above but not const-qualified — confirm
    1415                 :            :  *                              the implementation does not write through it.
    1413                 :            :  *
    1414                 :            :  * @return
    1415                 :            :  *   - Pointer to the security capability that matches the capability
    1416                 :            :  *     index criteria.
    1417                 :            :  *   - NULL if no capability on the security instance matches.
    1418                 :            :  */
    1419                 :            : const struct rte_security_capability *
    1420                 :            : rte_security_capability_get(void *instance,
    1421                 :            :                             struct rte_security_capability_idx *idx);
    1422                 :            : 
    1423                 :            : /**
    1424                 :            :  * @warning
    1425                 :            :  * @b EXPERIMENTAL: this API may change, or be removed, without prior notice
    1426                 :            :  *
    1427                 :            :  * Configure a security device to inject packets into an ethdev port.
    1428                 :            :  *
    1429                 :            :  * This API must be called only when both the security device and the ethdev
    1430                 :            :  * are in the stopped state. The security device needs to be configured before
    1431                 :            :  * any packets are submitted to the ``rte_security_inb_pkt_rx_inject`` API.
    1432                 :            :  *
    1433                 :            :  * @param       ctx             Security ctx
    1434                 :            :  * @param       port_id         Port identifier of the ethernet device to which
    1435                 :            :  *                              packets need to be injected.
    1436                 :            :  * @param       enable          Flag to enable or disable the connection between
    1437                 :            :  *                              the security device and the ethdev port.
    1438                 :            :  * @return
    1439                 :            :  *   - 0 if successful.
    1440                 :            :  *   - -EINVAL if context is NULL or port_id is invalid.
    1441                 :            :  *   - -EBUSY if the devices are not in the stopped state.
    1442                 :            :  *   - -ENOTSUP if the security device does not support injecting to an ethdev port.
    1443                 :            :  *
    1444                 :            :  * @see rte_security_inb_pkt_rx_inject
    1445                 :            :  */
    1446                 :            : __rte_experimental
    1447                 :            : int
    1448                 :            : rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable);
    1449                 :            : 
    1450                 :            : /**
    1451                 :            :  * @warning
    1452                 :            :  * @b EXPERIMENTAL: this API may change, or be removed, without prior notice
    1453                 :            :  *
    1454                 :            :  * Perform security processing of packets and inject the processed packets into
    1455                 :            :  * ethdev Rx.
    1456                 :            :  *
    1457                 :            :  * Rx inject behaves similarly to ethdev loopback but with the additional
    1458                 :            :  * security processing. In the case of ethdev loopback, the application submits
    1459                 :            :  * packets to ethdev Tx queues and receives them as-is from ethdev Rx queues.
    1460                 :            :  * With Rx inject, packets are received from the ethdev Rx queues after
    1461                 :            :  * security processing.
    1462                 :            :  *
    1463                 :            :  * With inline protocol offload capable ethdevs, Rx injection can be used to
    1464                 :            :  * handle packets which failed the regular security Rx path. This can be due to
    1465                 :            :  * cases such as outer fragmentation, in which case applications can reassemble
    1466                 :            :  * the fragments and then subsequently submit them for inbound processing and Rx
    1467                 :            :  * injection, so that the packets are received as regular security-processed
    1468                 :            :  * packets.
    1469                 :            :  *
    1470                 :            :  * With lookaside protocol offload capable cryptodevs, Rx injection can be used
    1471                 :            :  * to perform packet parsing after security processing. This allows for
    1472                 :            :  * re-classification after security protocol processing is done (i.e. inner
    1473                 :            :  * packet parsing). The ethdev queue on which the packet is received is
    1474                 :            :  * based on the rte_flow rules matching the packet after security processing.
    1475                 :            :  *
    1476                 :            :  * The security device which is injecting packets into ethdev Rx needs to be
    1477                 :            :  * configured using ``rte_security_rx_inject_configure`` with the enable flag
    1478                 :            :  * set to `true` before any packets are submitted.
    1479                 :            :  *
    1480                 :            :  * If the `hash.fdir.h` field is set in the mbuf, it is treated as the value of
    1481                 :            :  * the `MARK` pattern for the subsequent rte_flow parsing. The packet appears
    1482                 :            :  * as if it were received from the `port` field in the mbuf.
    1483                 :            :  *
    1484                 :            :  * Since the packet is received back from the ethdev Rx queues, the
    1485                 :            :  * application is expected to retain/add the L2 header, with the mbuf
    1486                 :            :  * field 'l2_len' reflecting the size of the L2 header in the packet.
    1487                 :            :  *
    1488                 :            :  * @param       ctx             Security ctx
    1489                 :            :  * @param       pkts            The address of an array of *nb_pkts* pointers to
    1490                 :            :  *                              *rte_mbuf* structures which contain the packets.
    1491                 :            :  * @param       sess            The address of an array of *nb_pkts* pointers to
    1492                 :            :  *                              security sessions, one per packet, at the same
    1493                 :            :  *                              index as the packet it applies to.
    1493                 :            :  * @param       nb_pkts         The maximum number of packets to process.
    1494                 :            :  *
    1495                 :            :  * @return
    1496                 :            :  *   The number of packets successfully injected into ethdev Rx.
    1497                 :            :  *   The return value can be less than the value of the *nb_pkts* parameter
    1498                 :            :  *   when the PMD internal queues have been filled up.
    1499                 :            :  *
    1500                 :            :  * @see rte_security_rx_inject_configure
    1501                 :            :  */
    1502                 :            : __rte_experimental
    1503                 :            : uint16_t
    1504                 :            : rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess,
    1505                 :            :                                uint16_t nb_pkts);
    1506                 :            : 
    1507                 :            : #ifdef __cplusplus
    1508                 :            : }
    1509                 :            : #endif
    1510                 :            : 
    1511                 :            : #endif /* _RTE_SECURITY_H_ */
