DPDK: Data Plane Development Kit

18.08.0-rc0
rte_security.h File Reference
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_mbuf.h>
#include <rte_memory.h>
#include <rte_mempool.h>

Go to the source code of this file.

Data Structures

struct  rte_security_ctx
struct  rte_security_ipsec_tunnel_param
struct  rte_security_ipsec_sa_options
struct  rte_security_ipsec_xform
struct  rte_security_macsec_xform
struct  rte_security_session_conf
struct  rte_security_capability
struct  rte_security_capability_idx

Macros

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA   0x00000001
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD   0x00000002
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD   0x00010000

Enumerations

enum  rte_security_ipsec_sa_mode { RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1, RTE_SECURITY_IPSEC_SA_MODE_TUNNEL }
enum  rte_security_ipsec_sa_protocol { RTE_SECURITY_IPSEC_SA_PROTO_AH = 1, RTE_SECURITY_IPSEC_SA_PROTO_ESP }
enum  rte_security_ipsec_tunnel_type { RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1, RTE_SECURITY_IPSEC_TUNNEL_IPV6 }
enum  rte_security_ipsec_sa_direction { RTE_SECURITY_IPSEC_SA_DIR_EGRESS, RTE_SECURITY_IPSEC_SA_DIR_INGRESS }
enum  rte_security_session_action_type { RTE_SECURITY_ACTION_TYPE_NONE, RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO, RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL, RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL }
enum  rte_security_session_protocol { RTE_SECURITY_PROTOCOL_IPSEC = 1, RTE_SECURITY_PROTOCOL_MACSEC }

Functions

struct rte_security_session
*__rte_experimental 
rte_security_session_create (struct rte_security_ctx *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp)
int __rte_experimental rte_security_session_update (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_session_conf *conf)
unsigned int __rte_experimental rte_security_session_get_size (struct rte_security_ctx *instance)
int __rte_experimental rte_security_session_destroy (struct rte_security_ctx *instance, struct rte_security_session *sess)
int __rte_experimental rte_security_set_pkt_metadata (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_mbuf *mb, void *params)
void *__rte_experimental rte_security_get_userdata (struct rte_security_ctx *instance, uint64_t md)
static int __rte_experimental __rte_security_attach_session (struct rte_crypto_sym_op *sym_op, struct rte_security_session *sess)
static int __rte_experimental rte_security_attach_session (struct rte_crypto_op *op, struct rte_security_session *sess)
int __rte_experimental rte_security_session_stats_get (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_stats *stats)
struct rte_security_capability
*__rte_experimental 
rte_security_capabilities_get (struct rte_security_ctx *instance)
struct rte_security_capability
*__rte_experimental 
rte_security_capability_get (struct rte_security_ctx *instance, struct rte_security_capability_idx *idx)

Detailed Description

EXPERIMENTAL: this API may change without prior notice

RTE Security Common Definitions

Definition in file rte_security.h.

Macro Definition Documentation

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA   0x00000001

HW needs metadata update, see rte_security_set_pkt_metadata().

Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 505 of file rte_security.h.

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD   0x00000002

HW constructs trailer of packets Transmitted packets will have the trailer added to them by hardawre. The next protocol field will be based on the mbuf->inner_esp_next_proto field.

Examples:
examples/ipsec-secgw/esp.c, and examples/ipsec-secgw/ipsec.c.

Definition at line 509 of file rte_security.h.

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD   0x00010000

HW removes trailer of packets Received packets have no trailer, the next protocol field is supplied in the mbuf->inner_esp_next_proto field. Inner packet is not modified.

Examples:
examples/ipsec-secgw/esp.c.

Definition at line 515 of file rte_security.h.

Enumeration Type Documentation

IPSec protocol mode

Enumerator:
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT 

IPSec Transport mode

RTE_SECURITY_IPSEC_SA_MODE_TUNNEL 

IPSec Tunnel mode

Definition at line 63 of file rte_security.h.

IPSec Protocol

Enumerator:
RTE_SECURITY_IPSEC_SA_PROTO_AH 

AH protocol

RTE_SECURITY_IPSEC_SA_PROTO_ESP 

ESP protocol

Definition at line 71 of file rte_security.h.

IPSEC tunnel type

Enumerator:
RTE_SECURITY_IPSEC_TUNNEL_IPV4 

Outer header is IPv4

RTE_SECURITY_IPSEC_TUNNEL_IPV6 

Outer header is IPv6

Definition at line 79 of file rte_security.h.

IPSec security association direction

Enumerator:
RTE_SECURITY_IPSEC_SA_DIR_EGRESS 

Encrypt and generate digest

RTE_SECURITY_IPSEC_SA_DIR_INGRESS 

Verify digest and decrypt

Definition at line 198 of file rte_security.h.

Security session action type.

Enumerator:
RTE_SECURITY_ACTION_TYPE_NONE 

No security actions

RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO 

Crypto processing for security protocol is processed inline during transmission

RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL 

All security protocol processing is performed inline during transmission

RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL 

All security protocol processing including crypto is performed on a lookaside accelerator

Definition at line 240 of file rte_security.h.

Security session protocol definition

Enumerator:
RTE_SECURITY_PROTOCOL_IPSEC 

IPsec Protocol

RTE_SECURITY_PROTOCOL_MACSEC 

MACSec Protocol

Definition at line 258 of file rte_security.h.

Function Documentation

struct rte_security_session* __rte_experimental rte_security_session_create ( struct rte_security_ctx instance,
struct rte_security_session_conf conf,
struct rte_mempool mp 
)
read

Create security session as specified by the session configuration

Parameters
instancesecurity instance
confsession configuration parameters
mpmempool to allocate session objects from
Returns
  • On success, pointer to session
  • On failure, NULL
Examples:
examples/ipsec-secgw/ipsec.c.
int __rte_experimental rte_security_session_update ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_security_session_conf conf 
)

Update security session as specified by the session configuration

Parameters
instancesecurity instance
sesssession to update parameters
confupdate configuration parameters
Returns
  • On success returns 0
  • On failure return errno
unsigned int __rte_experimental rte_security_session_get_size ( struct rte_security_ctx instance)

Get the size of the security session data for a device.

Parameters
instancesecurity instance.
Returns
  • Size of the private data, if successful
  • 0 if device is invalid or does not support the operation.
Examples:
examples/ipsec-secgw/ipsec-secgw.c.
int __rte_experimental rte_security_session_destroy ( struct rte_security_ctx instance,
struct rte_security_session *  sess 
)

Free security session header and the session private data and return it to its original mempool.

Parameters
instancesecurity instance
sesssecurity session to freed
Returns
  • 0 if successful.
  • -EINVAL if session is NULL.
  • -EBUSY if not all device private data has been freed.
int __rte_experimental rte_security_set_pkt_metadata ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_mbuf mb,
void *  params 
)

Updates the buffer with device-specific defined metadata

Parameters
instancesecurity instance
sesssecurity session
mbpacket mbuf to set metadata on.
paramsdevice-specific defined parameters required for metadata
Returns
  • On success, zero.
  • On failure, a negative value.
Examples:
examples/ipsec-secgw/ipsec.c.
void* __rte_experimental rte_security_get_userdata ( struct rte_security_ctx instance,
uint64_t  md 
)

Get userdata associated with the security session. Device specific metadata provided would be used to uniquely identify the security session being referred to. This userdata would be registered while creating the session, and application can use this to identify the SA etc.

Device specific metadata would be set in mbuf for inline processed inbound packets. In addition, the same metadata would be set for IPsec events reported by rte_eth_event framework.

Parameters
instancesecurity instance
mddevice-specific metadata
Returns
  • On success, userdata
  • On failure, NULL
Examples:
examples/ipsec-secgw/ipsec-secgw.c.
static int __rte_experimental __rte_security_attach_session ( struct rte_crypto_sym_op sym_op,
struct rte_security_session *  sess 
)
inlinestatic

Attach a session to a symmetric crypto operation

Parameters
sym_opcrypto operation
sesssecurity session

Definition at line 393 of file rte_security.h.

static int __rte_experimental rte_security_attach_session ( struct rte_crypto_op op,
struct rte_security_session *  sess 
)
inlinestatic

Attach a session to a crypto operation. This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD For other rte_security_session_action_type, ol_flags in rte_mbuf may be defined to perform security operations.

Parameters
opcrypto operation
sesssecurity session
Examples:
examples/ipsec-secgw/ipsec.c.

Definition at line 424 of file rte_security.h.

int __rte_experimental rte_security_session_stats_get ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_security_stats *  stats 
)

Get security session statistics

Parameters
instancesecurity instance
sesssecurity session
statsstatistics
Returns
  • On success return 0
  • On failure errno
struct rte_security_capability* __rte_experimental rte_security_capabilities_get ( struct rte_security_ctx instance)
read

Returns array of security instance capabilities

Parameters
instanceSecurity instance.
Returns
  • Returns array of security capabilities.
  • Return NULL if no capabilities available.
Examples:
examples/ipsec-secgw/ipsec.c.
struct rte_security_capability* __rte_experimental rte_security_capability_get ( struct rte_security_ctx instance,
struct rte_security_capability_idx idx 
)
read

Query if a specific capability is available on security instance

Parameters
instancesecurity instance.
idxsecurity capability index to match against
Returns
  • Returns pointer to security capability on match of capability index criteria.
  • Return NULL if the capability not matched on security instance.