rte_security.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright 2017,2019-2020 NXP
 * Copyright(c) 2017-2020 Intel Corporation.
 */

#ifndef _RTE_SECURITY_H_
#define _RTE_SECURITY_H_

#ifdef __cplusplus
extern "C" {
#endif

#include <sys/types.h>

#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_ip.h>
#include <rte_mbuf_dyn.h>

enum rte_security_ipsec_sa_mode {
    RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
    RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
};

enum rte_security_ipsec_sa_protocol {
    RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
    RTE_SECURITY_IPSEC_SA_PROTO_ESP,
};

enum rte_security_ipsec_tunnel_type {
    RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
    RTE_SECURITY_IPSEC_TUNNEL_IPV6,
};

#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

struct rte_security_ctx {
    void *device;
    const struct rte_security_ops *ops;
    uint16_t sess_cnt;
    uint32_t flags;
};

#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001

#define RTE_SEC_CTX_F_FAST_GET_UDATA 0x00000002

struct rte_security_ipsec_tunnel_param {
    enum rte_security_ipsec_tunnel_type type;
    RTE_STD_C11
    union {
        struct {
            struct in_addr src_ip;
            struct in_addr dst_ip;
            uint8_t dscp;
            uint8_t df;
            uint8_t ttl;
        } ipv4;
        struct {
            struct in6_addr src_addr;
            struct in6_addr dst_addr;
            uint8_t dscp;
            uint32_t flabel;
            uint8_t hlimit;
        } ipv6;
    };
};

struct rte_security_ipsec_udp_param {
    uint16_t sport;
    uint16_t dport;
};

struct rte_security_ipsec_sa_options {
    uint32_t esn : 1;

    uint32_t udp_encap : 1;

    uint32_t copy_dscp : 1;

    uint32_t copy_flabel : 1;

    uint32_t copy_df : 1;

    uint32_t dec_ttl : 1;

    uint32_t ecn : 1;

    uint32_t stats : 1;

    uint32_t iv_gen_disable : 1;

    uint32_t tunnel_hdr_verify : 2;

    uint32_t udp_ports_verify : 1;

    uint32_t ip_csum_enable : 1;

    uint32_t l4_csum_enable : 1;

    uint32_t ip_reassembly_en : 1;

    uint32_t reserved_opts : 17;
};

enum rte_security_ipsec_sa_direction {
    RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
    RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
};

struct rte_security_ipsec_lifetime {
    uint64_t packets_soft_limit;
    uint64_t bytes_soft_limit;
    uint64_t packets_hard_limit;
    uint64_t bytes_hard_limit;
};

struct rte_security_ipsec_xform {
    uint32_t spi;
    uint32_t salt;
    struct rte_security_ipsec_sa_options options;
    enum rte_security_ipsec_sa_direction direction;
    enum rte_security_ipsec_sa_protocol proto;
    enum rte_security_ipsec_sa_mode mode;
    struct rte_security_ipsec_tunnel_param tunnel;
    struct rte_security_ipsec_lifetime life;
    uint32_t replay_win_sz;
    union {
        uint64_t value;
        struct {
            uint32_t low;
            uint32_t hi;
        };
    } esn;
    struct rte_security_ipsec_udp_param udp;
};

struct rte_security_macsec_xform {
    int dummy;
};

enum rte_security_pdcp_domain {
    RTE_SECURITY_PDCP_MODE_CONTROL, 
    RTE_SECURITY_PDCP_MODE_DATA,    
    RTE_SECURITY_PDCP_MODE_SHORT_MAC,   
};

enum rte_security_pdcp_direction {
    RTE_SECURITY_PDCP_UPLINK,   
    RTE_SECURITY_PDCP_DOWNLINK, 
};

enum rte_security_pdcp_sn_size {
    RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
    RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
    RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
    RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
    RTE_SECURITY_PDCP_SN_SIZE_18 = 18
};

struct rte_security_pdcp_xform {
    int8_t bearer;  
    uint8_t en_ordering;
    uint8_t remove_duplicates;
    enum rte_security_pdcp_domain domain;
    enum rte_security_pdcp_direction pkt_dir;
    enum rte_security_pdcp_sn_size sn_size;
    uint32_t hfn;
    uint32_t hfn_threshold;
    uint8_t hfn_ovrd;
    uint8_t sdap_enabled;
    uint16_t reserved;
};

enum rte_security_docsis_direction {
    RTE_SECURITY_DOCSIS_UPLINK,
    RTE_SECURITY_DOCSIS_DOWNLINK,
};

struct rte_security_docsis_xform {
    enum rte_security_docsis_direction direction;
};

enum rte_security_session_action_type {
    RTE_SECURITY_ACTION_TYPE_NONE,
    RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
    RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
};

enum rte_security_session_protocol {
    RTE_SECURITY_PROTOCOL_IPSEC = 1,
    RTE_SECURITY_PROTOCOL_MACSEC,
    RTE_SECURITY_PROTOCOL_PDCP,
    RTE_SECURITY_PROTOCOL_DOCSIS,
};

struct rte_security_session_conf {
    enum rte_security_session_action_type action_type;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_ipsec_xform ipsec;
        struct rte_security_macsec_xform macsec;
        struct rte_security_pdcp_xform pdcp;
        struct rte_security_docsis_xform docsis;
    };
    struct rte_crypto_sym_xform *crypto_xform;
    void *userdata;
};

struct rte_security_session {
    void *sess_private_data;
    uint64_t opaque_data;
};

struct rte_security_session *
rte_security_session_create(struct rte_security_ctx *instance,
                struct rte_security_session_conf *conf,
                struct rte_mempool *mp,
                struct rte_mempool *priv_mp);

__rte_experimental
int
rte_security_session_update(struct rte_security_ctx *instance,
                struct rte_security_session *sess,
                struct rte_security_session_conf *conf);

unsigned int
rte_security_session_get_size(struct rte_security_ctx *instance);

int
rte_security_session_destroy(struct rte_security_ctx *instance,
                 struct rte_security_session *sess);

typedef uint64_t rte_security_dynfield_t;
extern int rte_security_dynfield_offset;

__rte_experimental
static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
    return RTE_MBUF_DYNFIELD(mbuf,
        rte_security_dynfield_offset,
        rte_security_dynfield_t *);
}

__rte_experimental
static inline bool rte_security_dynfield_is_registered(void)
{
    return rte_security_dynfield_offset >= 0;
}

__rte_experimental
extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
                       struct rte_security_session *sess,
                       struct rte_mbuf *m, void *params);

static inline int
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
                  struct rte_security_session *sess,
                  struct rte_mbuf *mb, void *params)
{
    /* Fast Path */
    if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
        *rte_security_dynfield(mb) =
            (rte_security_dynfield_t)(sess->sess_private_data);
        return 0;
    }

    /* Jump to PMD specific function pointer */
    return __rte_security_set_pkt_metadata(instance, sess, mb, params);
}

__rte_experimental
extern void *__rte_security_get_userdata(struct rte_security_ctx *instance,
                     uint64_t md);

__rte_experimental
static inline void *
rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md)
{
    /* Fast Path */
    if (instance->flags & RTE_SEC_CTX_F_FAST_GET_UDATA)
        return (void *)(uintptr_t)md;

    /* Jump to PMD specific function pointer */
    return __rte_security_get_userdata(instance, md);
}

static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
                  struct rte_security_session *sess)
{
    sym_op->sec_session = sess;

    return 0;
}

static inline void *
get_sec_session_private_data(const struct rte_security_session *sess)
{
    return sess->sess_private_data;
}

static inline void
set_sec_session_private_data(struct rte_security_session *sess,
                 void *private_data)
{
    sess->sess_private_data = private_data;
}

static inline int
rte_security_attach_session(struct rte_crypto_op *op,
                struct rte_security_session *sess)
{
    if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
        return -EINVAL;

    op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;

    return __rte_security_attach_session(op->sym, sess);
}

struct rte_security_macsec_stats {
    uint64_t reserved;
};

struct rte_security_ipsec_stats {
    uint64_t ipackets;  
    uint64_t opackets;  
    uint64_t ibytes;    
    uint64_t obytes;    
    uint64_t ierrors;   
    uint64_t oerrors;   
    uint64_t reserved1; 
    uint64_t reserved2; 
};

struct rte_security_pdcp_stats {
    uint64_t reserved;
};

struct rte_security_docsis_stats {
    uint64_t reserved;
};

struct rte_security_stats {
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_macsec_stats macsec;
        struct rte_security_ipsec_stats ipsec;
        struct rte_security_pdcp_stats pdcp;
        struct rte_security_docsis_stats docsis;
    };
};

__rte_experimental
int
rte_security_session_stats_get(struct rte_security_ctx *instance,
                   struct rte_security_session *sess,
                   struct rte_security_stats *stats);

struct rte_security_capability {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
            struct rte_security_ipsec_sa_options options;
            uint32_t replay_win_sz_max;
        } ipsec;
        struct {
            /* To be Filled */
            int dummy;
        } macsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
    };

    const struct rte_cryptodev_capabilities *crypto_capabilities;
    uint32_t ol_flags;
};

#define RTE_SECURITY_PDCP_ORDERING_CAP      0x00000001

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP    0x00000002

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA    0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD  0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD  0x00010000

struct rte_security_capability_idx {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;

    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
        } ipsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
    };
};

const struct rte_security_capability *
rte_security_capabilities_get(struct rte_security_ctx *instance);

const struct rte_security_capability *
rte_security_capability_get(struct rte_security_ctx *instance,
                struct rte_security_capability_idx *idx);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_SECURITY_H_ */