1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #include <sys/types.h>
21 
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
25 #include <rte_ip.h>
26 #include <rte_mbuf_dyn.h>
27 
34 };
35 
42 };
43 
50 };
51 
57 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
58 #define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
59 
70  void *device;
72  const struct rte_security_ops *ops;
74  uint16_t sess_cnt;
76  uint16_t macsec_sc_cnt;
78  uint16_t macsec_sa_cnt;
80  uint32_t flags;
82 };
83 
84 #define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
85 
99  union {
100  struct {
101  struct in_addr src_ip;
103  struct in_addr dst_ip;
105  uint8_t dscp;
107  uint8_t df;
109  uint8_t ttl;
111  } ipv4;
113  struct {
114  struct in6_addr src_addr;
116  struct in6_addr dst_addr;
118  uint8_t dscp;
120  uint32_t flabel;
122  uint8_t hlimit;
124  } ipv6;
126  };
127 };
128 
/**
 * UDP port pair for UDP-encapsulated IPsec.
 *
 * Carried as the `udp` member of the IPsec xform; presumably only consulted
 * when that xform's udp_encap option bit is set - confirm with the PMD.
 * NOTE(review): the byte order expected for the two ports is not stated
 * anywhere in this header; check the library's IPsec code before filling
 * them in.
 */
struct rte_security_ipsec_udp_param {
	uint16_t sport; /* UDP source port (per its name). */
	uint16_t dport; /* UDP destination port (per its name). */
};
133 
143  uint32_t esn : 1;
144 
151  uint32_t udp_encap : 1;
152 
160  uint32_t copy_dscp : 1;
161 
168  uint32_t copy_flabel : 1;
169 
176  uint32_t copy_df : 1;
177 
185  uint32_t dec_ttl : 1;
186 
194  uint32_t ecn : 1;
195 
202  uint32_t stats : 1;
203 
216  uint32_t iv_gen_disable : 1;
217 
225  uint32_t tunnel_hdr_verify : 2;
226 
232  uint32_t udp_ports_verify : 1;
233 
247  uint32_t ip_csum_enable : 1;
248 
263  uint32_t l4_csum_enable : 1;
264 
276  uint32_t ip_reassembly_en : 1;
277 
285  uint32_t reserved_opts : 17;
286 };
287 
294 };
295 
318 };
319 
326  uint32_t spi;
328  uint32_t salt;
342  uint32_t replay_win_sz;
346  union {
347  uint64_t value;
348  struct {
349  uint32_t low;
350  uint32_t hi;
351  };
352  } esn;
354  struct rte_security_ipsec_udp_param udp;
356 };
357 
366 };
367 
369 #define RTE_SECURITY_MACSEC_NUM_AN 4
370 
371 #define RTE_SECURITY_MACSEC_SALT_LEN 12
372 
380  struct {
381  const uint8_t *data;
382  uint16_t length;
383  } key;
387  uint8_t an : 2;
389  uint32_t ssci;
391  uint32_t xpn;
393  uint32_t next_pn;
394 };
395 
402  union {
403  struct {
405  uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
407  uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
409  uint8_t active : 1;
411  uint8_t reserved : 7;
412  } sc_rx;
413  struct {
414  uint16_t sa_id;
415  uint16_t sa_id_rekey;
416  uint64_t sci;
417  uint8_t active : 1;
418  uint8_t re_key_en : 1;
420  uint8_t reserved : 6;
421  } sc_tx;
422  };
423 };
424 
433 };
434 
436 #define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0
437 
438 #define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1
439 
440 #define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2
441 
442 #define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3
443 
453  uint8_t cipher_off;
458  uint64_t sci;
460  uint16_t sc_id;
461  union {
462  struct {
464  uint16_t mtu;
469  uint8_t sectag_off;
471  uint16_t protect_frames : 1;
478  uint16_t sectag_insert_mode : 1;
480  uint16_t icv_include_da_sa : 1;
482  uint16_t ctrl_port_enable : 1;
484  uint16_t sectag_version : 1;
486  uint16_t end_station : 1;
488  uint16_t send_sci : 1;
490  uint16_t scb : 1;
495  uint16_t encrypt : 1;
497  uint16_t reserved : 7;
498  } tx_secy;
499  struct {
501  uint32_t replay_win_sz;
503  uint16_t validate_frames : 2;
505  uint16_t icv_include_da_sa : 1;
507  uint16_t ctrl_port_enable : 1;
509  uint16_t preserve_sectag : 1;
511  uint16_t preserve_icv : 1;
513  uint16_t replay_protect : 1;
515  uint16_t reserved : 9;
516  } rx_secy;
517  };
518 };
519 
527 };
528 
533 };
534 
547 };
548 
555  int8_t bearer;
559  uint8_t en_ordering;
574  uint32_t hfn;
576  uint32_t hfn_threshold;
585  uint8_t hfn_ovrd;
591  uint8_t sdap_enabled;
593  uint16_t reserved;
594 };
595 
606 };
607 
616 };
617 
640 };
641 
652 };
653 
663  union {
664  struct rte_security_ipsec_xform ipsec;
665  struct rte_security_macsec_xform macsec;
666  struct rte_security_pdcp_xform pdcp;
667  struct rte_security_docsis_xform docsis;
668  };
672  void *userdata;
674 };
675 
686 void *
688  struct rte_security_session_conf *conf,
689  struct rte_mempool *mp);
690 
701 __rte_experimental
702 int
704  void *sess,
705  struct rte_security_session_conf *conf);
706 
716 unsigned int
718 
733 int
734 rte_security_session_destroy(struct rte_security_ctx *instance, void *sess);
735 
751 __rte_experimental
752 int
754  struct rte_security_macsec_sc *conf);
755 
769 __rte_experimental
770 int
771 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
772 
788 __rte_experimental
789 int
791  struct rte_security_macsec_sa *conf);
792 
806 __rte_experimental
807 int
808 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
809 
811 typedef uint64_t rte_security_dynfield_t;
814 
/**
 * Locate the rte_security dynamic field inside an mbuf.
 *
 * Thin wrapper around RTE_MBUF_DYNFIELD (rte_mbuf_dyn.h) using the
 * library-wide rte_security_dynfield_offset. Nothing here verifies that the
 * field has actually been registered; callers are expected to check
 * rte_security_dynfield_is_registered() first, since a negative offset would
 * presumably yield a pointer that does not address a valid field.
 *
 * @param mbuf  Packet buffer to look into.
 * @return      Pointer to the 64-bit security dynfield of @p mbuf.
 */
__rte_experimental
static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
	rte_security_dynfield_t *field = RTE_MBUF_DYNFIELD(mbuf,
			rte_security_dynfield_offset,
			rte_security_dynfield_t *);

	return field;
}
836 
/**
 * Tell whether the rte_security mbuf dynfield has been registered.
 *
 * The registration state is encoded in rte_security_dynfield_offset: a
 * negative value means "not registered", any other value is a usable
 * offset for rte_security_dynfield().
 *
 * @return true when the offset is non-negative, false otherwise.
 */
__rte_experimental
static inline bool rte_security_dynfield_is_registered(void)
{
	bool registered = true;

	if (rte_security_dynfield_offset < 0)
		registered = false;

	return registered;
}
850 
851 #define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0
852 #define RTE_SECURITY_SESS_FAST_MDATA_OFF 1
853 
/**
 * Read the 64-bit opaque word stored in a security session.
 *
 * The session object is viewed as an array of uint64_t and the word at
 * index RTE_SECURITY_SESS_OPAQUE_DATA_OFF is returned. @p sess is
 * dereferenced unconditionally: a NULL or non-session pointer is not
 * detected here, so the caller must pass a valid session (the `void *`
 * handed out by rte_security_session_create()).
 *
 * @param sess  Security session.
 * @return      Value previously stored with
 *              rte_security_session_opaque_data_set().
 */
static inline uint64_t
rte_security_session_opaque_data_get(void *sess)
{
	const uint64_t *words = (const uint64_t *)sess;

	return words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF];
}
861 
/**
 * Store a 64-bit opaque word in a security session.
 *
 * Writes the word at index RTE_SECURITY_SESS_OPAQUE_DATA_OFF of the session
 * object, the same slot rte_security_session_opaque_data_get() reads.
 * No validation of @p sess is performed; passing anything other than a
 * live session pointer writes 8 bytes at an arbitrary location.
 *
 * @param sess    Security session.
 * @param opaque  Caller-defined value to keep alongside the session.
 */
static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF] = opaque;
}
872 
/**
 * Read the fast-metadata word of a security session.
 *
 * Returns the uint64_t at index RTE_SECURITY_SESS_FAST_MDATA_OFF of the
 * session object. Presumably this is the value the
 * RTE_SEC_CTX_F_FAST_SET_MDATA fast path of rte_security_set_pkt_metadata()
 * consumes - the relevant lines of that function are elided on this page,
 * so confirm in the full source. @p sess is not validated.
 *
 * @param sess  Security session.
 * @return      Value previously stored with
 *              rte_security_session_fast_mdata_set().
 */
static inline uint64_t
rte_security_session_fast_mdata_get(void *sess)
{
	const uint64_t *words = (const uint64_t *)sess;

	return words[RTE_SECURITY_SESS_FAST_MDATA_OFF];
}
881 
/**
 * Store the fast-metadata word of a security session.
 *
 * Writes the uint64_t at index RTE_SECURITY_SESS_FAST_MDATA_OFF of the
 * session object, the slot rte_security_session_fast_mdata_get() reads.
 * Intended for PMDs that advertise RTE_SEC_CTX_F_FAST_SET_MDATA; @p sess is
 * not validated, so only a live session pointer may be passed.
 *
 * @param sess   Security session.
 * @param fdata  Metadata word to store.
 */
static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_FAST_MDATA_OFF] = fdata;
}
892 
894 __rte_experimental
895 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
896  void *sess,
897  struct rte_mbuf *m, void *params);
898 
912 static inline int
914  void *sess,
915  struct rte_mbuf *mb, void *params)
916 {
917  /* Fast Path */
918  if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
921  return 0;
922  }
923 
924  /* Jump to PMD specific function pointer */
925  return __rte_security_set_pkt_metadata(instance, sess, mb, params);
926 }
927 
/**
 * Attach a security session to a symmetric crypto operation.
 *
 * Internal helper: the session pointer is stored as-is and no validation
 * takes place here. The -EINVAL check lives in the public wrapper
 * rte_security_attach_session(), which is the entry point callers use.
 *
 * @param sym_op  Symmetric crypto operation to update.
 * @param sess    Security session to attach.
 * @return        Always 0.
 */
static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess)
{
	int rc = 0;

	sym_op->session = sess;

	return rc;
}
941 
951 static inline int
953  void *sess)
954 {
956  return -EINVAL;
957 
959 
960  return __rte_security_attach_session(op->sym, sess);
961 }
962 
/**
 * Per-SecY MACsec statistics (64-bit counters).
 *
 * The first group is common to both directions; the two later groups are
 * only meaningful for Rx or Tx respectively, as the in-line markers say.
 * Individual counter semantics are name-derived here (ctl/unctl presumably
 * the 802.1AE controlled/uncontrolled port) - confirm the exact events a
 * given PMD accounts before building alerting on them.
 */
struct rte_security_macsec_secy_stats {
	/* Controlled-port traffic by destination type, plus octets. */
	uint64_t ctl_pkt_bcast_cnt;
	uint64_t ctl_pkt_mcast_cnt;
	uint64_t ctl_pkt_ucast_cnt;
	uint64_t ctl_octet_cnt;
	/* Uncontrolled-port traffic, same split. */
	uint64_t unctl_pkt_bcast_cnt;
	uint64_t unctl_pkt_mcast_cnt;
	uint64_t unctl_pkt_ucast_cnt;
	uint64_t unctl_octet_cnt;
	/* Valid only for Rx */
	uint64_t octet_decrypted_cnt;
	uint64_t octet_validated_cnt;
	/* Rx rejection counters (name-derived: disabled port, bad SecTAG,
	 * no matching SA). These are the ones an integrity-failure monitor
	 * would watch. */
	uint64_t pkt_port_disabled_cnt;
	uint64_t pkt_badtag_cnt;
	uint64_t pkt_nosa_cnt;
	uint64_t pkt_nosaerror_cnt;
	/* Rx classification counters (tagged control / untagged / control /
	 * no tag, per their names). */
	uint64_t pkt_tagged_ctl_cnt;
	uint64_t pkt_untaged_cnt;
	uint64_t pkt_ctl_cnt;
	uint64_t pkt_notag_cnt;
	/* Valid only for Tx */
	uint64_t octet_encrypted_cnt;
	uint64_t octet_protected_cnt;
	/* Tx drop counters (name-derived: no active SA, frame too long). */
	uint64_t pkt_noactivesa_cnt;
	uint64_t pkt_toolong_cnt;
	uint64_t pkt_untagged_cnt;
};
990 
/**
 * Per-secure-channel (SC) MACsec statistics (64-bit counters).
 *
 * The Rx names appear to mirror the 802.1AE per-SC receive counters
 * (late / delayed / invalid / not-valid / unchecked / OK); late and
 * delayed are the replay-window outcomes a defender would trend. Exact
 * semantics are name-derived - confirm with the PMD.
 */
struct rte_security_macsec_sc_stats {
	/* Rx */
	uint64_t hit_cnt;
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_late_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_unchecked_cnt;
	uint64_t pkt_delay_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t octet_decrypt_cnt;
	uint64_t octet_validate_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
	uint64_t octet_encrypt_cnt;
	uint64_t octet_protected_cnt;
};
1008 
/**
 * Per-secure-association (SA) MACsec statistics (64-bit counters).
 *
 * A subset of the SC counters, scoped to one SA; the Rx group again
 * separates accepted (ok) from rejected (invalid / not-valid / no-SA)
 * frames. Semantics are name-derived - confirm with the PMD.
 */
struct rte_security_macsec_sa_stats {
	/* Rx */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t pkt_nosa_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
};
1020 
/**
 * IPsec session statistics (64-bit counters).
 *
 * The i/o prefixes denote the inbound and outbound directions per their
 * names; what a PMD counts as an "error" is not specified here and should
 * be checked per driver. The reserved words are padding for future fields.
 */
struct rte_security_ipsec_stats {
	uint64_t ipackets; /* Inbound packets. */
	uint64_t opackets; /* Outbound packets. */
	uint64_t ibytes;   /* Inbound bytes. */
	uint64_t obytes;   /* Outbound bytes. */
	uint64_t ierrors;  /* Inbound errors (driver-defined). */
	uint64_t oerrors;  /* Outbound errors (driver-defined). */
	uint64_t reserved1;
	uint64_t reserved2;
};
1031 
/**
 * PDCP session statistics.
 *
 * Placeholder: no counters are defined yet, only a reserved word that keeps
 * the rte_security_stats union sized for future additions.
 */
struct rte_security_pdcp_stats {
	uint64_t reserved;
};
1035 
/**
 * DOCSIS session statistics.
 *
 * Placeholder: no counters are defined yet, only a reserved word that keeps
 * the rte_security_stats union sized for future additions.
 */
struct rte_security_docsis_stats {
	uint64_t reserved;
};
1039 
/**
 * Protocol-tagged statistics container returned by
 * rte_security_session_stats_get().
 *
 * @c protocol selects which member of the anonymous union holds valid
 * data; reading another member yields whatever bytes happen to overlap it.
 * RTE_STD_C11 (rte_common.h) marks the anonymous union as a C11 construct.
 */
struct rte_security_stats {
	enum rte_security_session_protocol protocol;
	RTE_STD_C11
	union {
		struct rte_security_macsec_secy_stats macsec;
		struct rte_security_ipsec_stats ipsec;
		struct rte_security_pdcp_stats pdcp;
		struct rte_security_docsis_stats docsis;
	};
};
1052 
1066 __rte_experimental
1067 int
1069  void *sess,
1070  struct rte_security_stats *stats);
1071 
1085 __rte_experimental
1086 int
1088  uint16_t sa_id,
1089  struct rte_security_macsec_sa_stats *stats);
1090 
1104 __rte_experimental
1105 int
1107  uint16_t sc_id,
1108  struct rte_security_macsec_sc_stats *stats);
1109 
1118  RTE_STD_C11
1119  union {
1120  struct {
1133  } ipsec;
1135  struct {
1137  uint16_t mtu;
1141  uint16_t max_nb_sc;
1143  uint16_t max_nb_sa;
1145  uint16_t max_nb_sess;
1147  uint32_t replay_win_sz;
1151  uint16_t fixed_sectag_insert : 1;
1153  uint16_t icv_include_da_sa : 1;
1155  uint16_t ctrl_port_enable : 1;
1157  uint16_t preserve_sectag : 1;
1159  uint16_t preserve_icv : 1;
1161  uint16_t validate_frames : 1;
1163  uint16_t re_key : 1;
1165  uint16_t anti_replay : 1;
1167  uint16_t reserved : 7;
1168  } macsec;
1170  struct {
1173  uint32_t capa_flags;
1175  } pdcp;
1177  struct {
1180  } docsis;
1182  };
1183 
1187  uint32_t ol_flags;
1189 };
1190 
1196 #define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001
1197 
1202 #define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
1203 
1204 #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001
1205 
1208 #define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002
1209 
1214 #define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
1215 
1227  enum rte_security_session_protocol protocol;
1228 
1229  RTE_STD_C11
1230  union {
1231  struct {
1232  enum rte_security_ipsec_sa_protocol proto;
1233  enum rte_security_ipsec_sa_mode mode;
1234  enum rte_security_ipsec_sa_direction direction;
1235  } ipsec;
1236  struct {
1237  enum rte_security_pdcp_domain domain;
1238  uint32_t capa_flags;
1239  } pdcp;
1240  struct {
1241  enum rte_security_docsis_direction direction;
1242  } docsis;
1243  };
1244 };
1245 
1255 const struct rte_security_capability *
1257 
1269 const struct rte_security_capability *
1271  struct rte_security_capability_idx *idx);
1272 
1273 #ifdef __cplusplus
1274 }
1275 #endif
1276 
1277 #endif /* _RTE_SECURITY_H_ */