#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_mbuf.h>
#include <rte_memory.h>
#include <rte_mempool.h>

Data Structures
struct	rte_security_ctx
struct	rte_security_ipsec_tunnel_param
struct	rte_security_ipsec_sa_options
struct	rte_security_ipsec_xform
struct	rte_security_macsec_xform
struct	rte_security_session_conf
struct	rte_security_capability
struct	rte_security_capability_idx

Macros
#define	RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
#define	RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
#define	RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000

Functions
struct rte_security_session *__rte_experimental	rte_security_session_create (struct rte_security_ctx instance, struct rte_security_session_conf conf, struct rte_mempool *mp)
int __rte_experimental	rte_security_session_update (struct rte_security_ctx instance, struct rte_security_session sess, struct rte_security_session_conf *conf)
unsigned int __rte_experimental	rte_security_session_get_size (struct rte_security_ctx *instance)
int __rte_experimental	rte_security_session_destroy (struct rte_security_ctx instance, struct rte_security_session sess)
int __rte_experimental	rte_security_set_pkt_metadata (struct rte_security_ctx instance, struct rte_security_session sess, struct rte_mbuf mb, void params)
void *__rte_experimental	rte_security_get_userdata (struct rte_security_ctx *instance, uint64_t md)
static int __rte_experimental	__rte_security_attach_session (struct rte_crypto_sym_op sym_op, struct rte_security_session sess)
static int __rte_experimental	rte_security_attach_session (struct rte_crypto_op op, struct rte_security_session sess)
int __rte_experimental	rte_security_session_stats_get (struct rte_security_ctx instance, struct rte_security_session sess, struct rte_security_stats *stats)
struct rte_security_capability *__rte_experimental	rte_security_capabilities_get (struct rte_security_ctx *instance)
struct rte_security_capability *__rte_experimental	rte_security_capability_get (struct rte_security_ctx instance, struct rte_security_capability_idx idx)

Detailed Description

EXPERIMENTAL: this API may change without prior notice

RTE Security Common Definitions

Definition in file rte_security.h.

Macro Definition Documentation

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001

HW needs metadata update, see rte_security_set_pkt_metadata().

Examples:: examples/ipsec-secgw/ipsec.c.

Definition at line 501 of file rte_security.h.

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002

HW constructs trailer of packets Transmitted packets will have the trailer added to them by hardawre. The next protocol field will be based on the mbuf->inner_esp_next_proto field.

Examples:: examples/ipsec-secgw/esp.c, and examples/ipsec-secgw/ipsec.c.

Definition at line 505 of file rte_security.h.

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000

HW removes trailer of packets Received packets have no trailer, the next protocol field is supplied in the mbuf->inner_esp_next_proto field. Inner packet is not modified.

Examples:: examples/ipsec-secgw/esp.c.

Definition at line 511 of file rte_security.h.

Enumeration Type Documentation

enum rte_security_ipsec_sa_mode

IPSec protocol mode

Enumerator:

RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT	IPSec Transport mode
RTE_SECURITY_IPSEC_SA_MODE_TUNNEL	IPSec Tunnel mode

Definition at line 63 of file rte_security.h.

enum rte_security_ipsec_sa_protocol

IPSec Protocol

Enumerator:

RTE_SECURITY_IPSEC_SA_PROTO_AH	AH protocol
RTE_SECURITY_IPSEC_SA_PROTO_ESP	ESP protocol

Definition at line 71 of file rte_security.h.

enum rte_security_ipsec_tunnel_type

IPSEC tunnel type

Enumerator:

RTE_SECURITY_IPSEC_TUNNEL_IPV4	Outer header is IPv4
RTE_SECURITY_IPSEC_TUNNEL_IPV6	Outer header is IPv6

Definition at line 79 of file rte_security.h.

enum rte_security_ipsec_sa_direction

IPSec security association direction

Enumerator:

RTE_SECURITY_IPSEC_SA_DIR_EGRESS	Encrypt and generate digest
RTE_SECURITY_IPSEC_SA_DIR_INGRESS	Verify digest and decrypt

Definition at line 198 of file rte_security.h.

enum rte_security_session_action_type

Security session action type.

Enumerator:

RTE_SECURITY_ACTION_TYPE_NONE	No security actions
RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO	Crypto processing for security protocol is processed inline during transmission
RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL	All security protocol processing is performed inline during transmission
RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL	All security protocol processing including crypto is performed on a lookaside accelerator

Definition at line 238 of file rte_security.h.

enum rte_security_session_protocol

Security session protocol definition

Enumerator:

RTE_SECURITY_PROTOCOL_IPSEC	IPsec Protocol
RTE_SECURITY_PROTOCOL_MACSEC	MACSec Protocol

Definition at line 256 of file rte_security.h.

Function Documentation

struct rte_security_session* __rte_experimental rte_security_session_create	(	struct rte_security_ctx *	instance,
		struct rte_security_session_conf *	conf,
		struct rte_mempool *	mp
	)

read

Create security session as specified by the session configuration

Parameters

instance	security instance
conf	session configuration parameters
mp	mempool to allocate session objects from

Returns

On success, pointer to session
On failure, NULL

Examples:: examples/ipsec-secgw/ipsec.c.

int __rte_experimental rte_security_session_update	(	struct rte_security_ctx *	instance,
		struct rte_security_session *	sess,
		struct rte_security_session_conf *	conf
	)

Update security session as specified by the session configuration

Parameters

instance	security instance
sess	session to update parameters
conf	update configuration parameters

Returns

On success returns 0
On failure return errno

unsigned int __rte_experimental rte_security_session_get_size ( struct rte_security_ctx * instance )

Get the size of the security session data for a device.

Parameters

instance security instance.

Returns

Size of the private data, if successful
0 if device is invalid or does not support the operation.

Examples:: examples/ipsec-secgw/ipsec-secgw.c.

int __rte_experimental rte_security_session_destroy	(	struct rte_security_ctx *	instance,
		struct rte_security_session *	sess
	)

Free security session header and the session private data and return it to its original mempool.

Parameters

instance	security instance
sess	security session to freed

Returns

0 if successful.
-EINVAL if session is NULL.
-EBUSY if not all device private data has been freed.

int __rte_experimental rte_security_set_pkt_metadata	(	struct rte_security_ctx *	instance,
		struct rte_security_session *	sess,
		struct rte_mbuf *	mb,
		void *	params
	)

Updates the buffer with device-specific defined metadata

Parameters

instance	security instance
sess	security session
mb	packet mbuf to set metadata on.
params	device-specific defined parameters required for metadata

Returns

On success, zero.
On failure, a negative value.

Examples:: examples/ipsec-secgw/ipsec.c.

void* __rte_experimental rte_security_get_userdata	(	struct rte_security_ctx *	instance,
		uint64_t	md
	)

Get userdata associated with the security session which processed the packet. This userdata would be registered while creating the session, and application can use this to identify the SA etc. Device-specific metadata in the mbuf would be used for this.

This is valid only for inline processed ingress packets.

Parameters

instance	security instance
md	device-specific metadata set in mbuf

Returns

On success, userdata
On failure, NULL

Examples:: examples/ipsec-secgw/ipsec-secgw.c.

static int __rte_experimental __rte_security_attach_session	(	struct rte_crypto_sym_op *	sym_op,
		struct rte_security_session *	sess
	)

inlinestatic

Attach a session to a symmetric crypto operation

Parameters

sym_op	crypto operation
sess	security session

Definition at line 389 of file rte_security.h.

static int __rte_experimental rte_security_attach_session	(	struct rte_crypto_op *	op,
		struct rte_security_session *	sess
	)

inlinestatic

Attach a session to a crypto operation. This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD For other rte_security_session_action_type, ol_flags in rte_mbuf may be defined to perform security operations.

Parameters

op	crypto operation
sess	security session

Examples:: examples/ipsec-secgw/ipsec.c.

Definition at line 420 of file rte_security.h.

int __rte_experimental rte_security_session_stats_get	(	struct rte_security_ctx *	instance,
		struct rte_security_session *	sess,
		struct rte_security_stats *	stats
	)

Get security session statistics

Parameters

instance	security instance
sess	security session
stats	statistics

Returns

On success return 0
On failure errno

struct rte_security_capability* __rte_experimental rte_security_capabilities_get ( struct rte_security_ctx * instance )

read

Returns array of security instance capabilities

Parameters

instance Security instance.

Returns

Returns array of security capabilities.
Return NULL if no capabilities available.

Examples:: examples/ipsec-secgw/ipsec.c.

struct rte_security_capability* __rte_experimental rte_security_capability_get	(	struct rte_security_ctx *	instance,
		struct rte_security_capability_idx *	idx
	)

read

Query if a specific capability is available on security instance

Parameters

instance	security instance.
idx	security capability index to match against

Returns

Returns pointer to security capability on match of capability index criteria.
Return NULL if the capability not matched on security instance.

Enumerations
enum	rte_security_ipsec_sa_mode { RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, RTE_SECURITY_IPSEC_SA_MODE_TUNNEL }
enum	rte_security_ipsec_sa_protocol { RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, RTE_SECURITY_IPSEC_SA_PROTO_ESP }
enum	rte_security_ipsec_tunnel_type { RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, RTE_SECURITY_IPSEC_TUNNEL_IPV6 }
enum	rte_security_ipsec_sa_direction { RTE_SECURITY_IPSEC_SA_DIR_EGRESS, RTE_SECURITY_IPSEC_SA_DIR_INGRESS }
enum	rte_security_session_action_type { RTE_SECURITY_ACTION_TYPE_NONE, RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL }
enum	rte_security_session_protocol { RTE_SECURITY_PROTOCOL_IPSEC = 1, RTE_SECURITY_PROTOCOL_MACSEC }

Data Structures

Macros

Enumerations

Functions

Detailed Description

Macro Definition Documentation

Enumeration Type Documentation

Function Documentation