rte_security.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright 2017,2019-2020 NXP
 * Copyright(c) 2017-2020 Intel Corporation.
 */

#ifndef _RTE_SECURITY_H_
#define _RTE_SECURITY_H_

#include <sys/types.h>

#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_ip.h>
#include <rte_mbuf_dyn.h>

#ifdef __cplusplus
extern "C" {
#endif

enum rte_security_ipsec_sa_mode {
    RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
    RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
};

enum rte_security_ipsec_sa_protocol {
    RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
    RTE_SECURITY_IPSEC_SA_PROTO_ESP,
};

enum rte_security_ipsec_tunnel_type {
    RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
    RTE_SECURITY_IPSEC_TUNNEL_IPV6,
};

#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001

struct rte_security_ipsec_tunnel_param {
    enum rte_security_ipsec_tunnel_type type;
    union {
        struct {
            struct in_addr src_ip;
            struct in_addr dst_ip;
            uint8_t dscp;
            uint8_t df;
            uint8_t ttl;
        } ipv4;
        struct {
            struct rte_ipv6_addr src_addr;
            struct rte_ipv6_addr dst_addr;
            uint8_t dscp;
            uint32_t flabel;
            uint8_t hlimit;
        } ipv6;
    };
};

struct rte_security_ipsec_udp_param {
    uint16_t sport;
    uint16_t dport;
};

struct rte_security_ipsec_sa_options {
    uint32_t esn : 1;

    uint32_t udp_encap : 1;

    uint32_t copy_dscp : 1;

    uint32_t copy_flabel : 1;

    uint32_t copy_df : 1;

    uint32_t dec_ttl : 1;

    uint32_t ecn : 1;

    uint32_t stats : 1;

    uint32_t iv_gen_disable : 1;

    uint32_t tunnel_hdr_verify : 2;

    uint32_t udp_ports_verify : 1;

    uint32_t ip_csum_enable : 1;

    uint32_t l4_csum_enable : 1;

    uint32_t ip_reassembly_en : 1;

    uint32_t ingress_oop : 1;
};

enum rte_security_ipsec_sa_direction {
    RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
    RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
};

struct rte_security_ipsec_lifetime {
    uint64_t packets_soft_limit;
    uint64_t bytes_soft_limit;
    uint64_t packets_hard_limit;
    uint64_t bytes_hard_limit;
};

struct rte_security_ipsec_xform {
    uint32_t spi;
    uint32_t salt;
    struct rte_security_ipsec_sa_options options;
    enum rte_security_ipsec_sa_direction direction;
    enum rte_security_ipsec_sa_protocol proto;
    enum rte_security_ipsec_sa_mode mode;
    struct rte_security_ipsec_tunnel_param tunnel;
    struct rte_security_ipsec_lifetime life;
    uint32_t replay_win_sz;
    union {
        uint64_t value;
        struct {
            uint32_t low;
            uint32_t hi;
        };
    } esn;
    struct rte_security_ipsec_udp_param udp;
};

enum rte_security_macsec_direction {
    RTE_SECURITY_MACSEC_DIR_TX,
    RTE_SECURITY_MACSEC_DIR_RX,
};

#define RTE_SECURITY_MACSEC_NUM_AN  4

#define RTE_SECURITY_MACSEC_SALT_LEN    12

struct rte_security_macsec_sa {
    enum rte_security_macsec_direction dir;
    struct {
        const uint8_t *data;    
        uint16_t length;    
    } key;
    uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
    uint8_t an : 2;
    uint32_t ssci;
    uint32_t xpn;
    uint32_t next_pn;
};

struct rte_security_macsec_sc {
    enum rte_security_macsec_direction dir;
    uint64_t pn_threshold;
    union {
        struct {
            uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
            uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
            uint8_t active : 1;
            uint8_t is_xpn : 1;
            uint8_t reserved : 6;
        } sc_rx;
        struct {
            uint16_t sa_id; 
            uint16_t sa_id_rekey; 
            uint64_t sci; 
            uint8_t active : 1; 
            uint8_t re_key_en : 1; 
            uint8_t is_xpn : 1;
            uint8_t reserved : 5;
        } sc_tx;
    };
};

enum rte_security_macsec_alg {
    RTE_SECURITY_MACSEC_ALG_GCM_128, 
    RTE_SECURITY_MACSEC_ALG_GCM_256, 
    RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, 
    RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, 
};

#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE    0

#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1

#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2

#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP  3

struct rte_security_macsec_xform {
    enum rte_security_macsec_direction dir;
    enum rte_security_macsec_alg alg;
    uint8_t cipher_off;
    uint64_t sci;
    uint16_t sc_id;
    union {
        struct {
            uint16_t mtu;
            uint8_t sectag_off;
            uint16_t protect_frames : 1;
            uint16_t sectag_insert_mode : 1;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t sectag_version : 1;
            uint16_t end_station : 1;
            uint16_t send_sci : 1;
            uint16_t scb : 1;
            uint16_t encrypt : 1;
            uint16_t reserved : 7;
        } tx_secy;
        struct {
            uint32_t replay_win_sz;
            uint16_t validate_frames : 2;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t preserve_sectag : 1;
            uint16_t preserve_icv : 1;
            uint16_t replay_protect : 1;
            uint16_t reserved : 9;
        } rx_secy;
    };
};

enum rte_security_pdcp_domain {
    RTE_SECURITY_PDCP_MODE_CONTROL, 
    RTE_SECURITY_PDCP_MODE_DATA,    
    RTE_SECURITY_PDCP_MODE_SHORT_MAC,   
};

enum rte_security_pdcp_direction {
    RTE_SECURITY_PDCP_UPLINK,   
    RTE_SECURITY_PDCP_DOWNLINK, 
};

enum rte_security_pdcp_sn_size {
    RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
    RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
    RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
    RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
    RTE_SECURITY_PDCP_SN_SIZE_18 = 18
};

struct rte_security_pdcp_xform {
    int8_t bearer;  
    uint8_t en_ordering;
    uint8_t remove_duplicates;
    enum rte_security_pdcp_domain domain;
    enum rte_security_pdcp_direction pkt_dir;
    enum rte_security_pdcp_sn_size sn_size;
    uint32_t hfn;
    uint32_t hfn_threshold;
    uint8_t hfn_ovrd;
    uint8_t sdap_enabled;
    uint16_t reserved;
};

enum rte_security_docsis_direction {
    RTE_SECURITY_DOCSIS_UPLINK,
    RTE_SECURITY_DOCSIS_DOWNLINK,
};

struct rte_security_docsis_xform {
    enum rte_security_docsis_direction direction;
};

#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4

#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12

#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4

enum rte_security_tls_version {
    RTE_SECURITY_VERSION_TLS_1_2,   
    RTE_SECURITY_VERSION_TLS_1_3,   
    RTE_SECURITY_VERSION_DTLS_1_2,  
};

enum rte_security_tls_sess_type {
    RTE_SECURITY_TLS_SESS_TYPE_READ,
    RTE_SECURITY_TLS_SESS_TYPE_WRITE,
};

struct rte_security_tls_record_sess_options {
    uint32_t iv_gen_disable : 1;
    uint32_t extra_padding_enable : 1;
};

struct rte_security_tls_record_lifetime {
    uint64_t packets_soft_limit;
    uint64_t packets_hard_limit;
};

struct rte_security_tls_record_xform {
    enum rte_security_tls_version ver;
    enum rte_security_tls_sess_type type;
    struct rte_security_tls_record_sess_options options;
    struct rte_security_tls_record_lifetime life;
    union {
        struct {
            uint64_t seq_no;
            uint8_t imp_nonce[RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN];
        } tls_1_2;

        struct {
            uint64_t seq_no;
            uint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN];
            uint32_t min_payload_len;
        } tls_1_3;

        struct {
            uint16_t epoch;
            uint64_t seq_no;
            uint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN];
            uint32_t ar_win_sz;
        } dtls_1_2;
    };
};

/* Enumeration of rte_security_session_action_type 8<*/
enum rte_security_session_action_type {
    RTE_SECURITY_ACTION_TYPE_NONE,
    RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
    RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
};
/* >8 End enumeration of rte_security_session_action_type. */

/* Enumeration of rte_security_session_protocol 8<*/
enum rte_security_session_protocol {
    RTE_SECURITY_PROTOCOL_IPSEC = 1,
    RTE_SECURITY_PROTOCOL_MACSEC,
    RTE_SECURITY_PROTOCOL_PDCP,
    RTE_SECURITY_PROTOCOL_DOCSIS,
    RTE_SECURITY_PROTOCOL_TLS_RECORD,
};
/* >8 End enumeration of rte_security_session_protocol. */

/* Structure rte_security_session_conf 8< */
struct rte_security_session_conf {
    enum rte_security_session_action_type action_type;
    enum rte_security_session_protocol protocol;
    union {
        struct rte_security_ipsec_xform ipsec;
        struct rte_security_macsec_xform macsec;
        struct rte_security_pdcp_xform pdcp;
        struct rte_security_docsis_xform docsis;
        struct rte_security_tls_record_xform tls_record;
    };
    struct rte_crypto_sym_xform *crypto_xform;
    void *userdata;
};
/* >8 End of structure rte_security_session_conf. */

void *
rte_security_session_create(void *instance,
                struct rte_security_session_conf *conf,
                struct rte_mempool *mp);

int
rte_security_session_update(void *instance,
                void *sess,
                struct rte_security_session_conf *conf);

unsigned int
rte_security_session_get_size(void *instance);

int
rte_security_session_destroy(void *instance, void *sess);

int
rte_security_macsec_sc_create(void *instance,
                  struct rte_security_macsec_sc *conf);

int
rte_security_macsec_sc_destroy(void *instance, uint16_t sc_id,
                   enum rte_security_macsec_direction dir);

int
rte_security_macsec_sa_create(void *instance,
                  struct rte_security_macsec_sa *conf);

int
rte_security_macsec_sa_destroy(void *instance, uint16_t sa_id,
                   enum rte_security_macsec_direction dir);

typedef uint64_t rte_security_dynfield_t;
extern int rte_security_dynfield_offset;

typedef struct rte_mbuf *rte_security_oop_dynfield_t;
extern int rte_security_oop_dynfield_offset;

static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
    return RTE_MBUF_DYNFIELD(mbuf,
        rte_security_dynfield_offset,
        rte_security_dynfield_t *);
}

__rte_experimental
static inline rte_security_oop_dynfield_t *
rte_security_oop_dynfield(struct rte_mbuf *mbuf)
{
    return RTE_MBUF_DYNFIELD(mbuf,
            rte_security_oop_dynfield_offset,
            rte_security_oop_dynfield_t *);
}

static inline bool rte_security_dynfield_is_registered(void)
{
    return rte_security_dynfield_offset >= 0;
}

#define RTE_SECURITY_CTX_FLAGS_OFF      4

static inline uint32_t
rte_security_ctx_flags_get(void *ctx)
{
    return *((uint32_t *)ctx + RTE_SECURITY_CTX_FLAGS_OFF);
}

static inline void
rte_security_ctx_flags_set(void *ctx, uint32_t flags)
{
    uint32_t *data;
    data = (((uint32_t *)ctx) + RTE_SECURITY_CTX_FLAGS_OFF);
    *data = flags;
}

#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF   0
#define RTE_SECURITY_SESS_FAST_MDATA_OFF    1

static inline uint64_t
rte_security_session_opaque_data_get(void *sess)
{
    return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
}

static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
    uint64_t *data;
    data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
    *data = opaque;
}

static inline uint64_t
rte_security_session_fast_mdata_get(void *sess)
{
    return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF);
}

static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
    uint64_t *data;
    data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF);
    *data = fdata;
}

int __rte_security_set_pkt_metadata(void *instance,
                    void *sess,
                    struct rte_mbuf *m, void *params);

static inline int
rte_security_set_pkt_metadata(void *instance,
                  void *sess,
                  struct rte_mbuf *mb, void *params)
{
    /* Fast Path */
    if (rte_security_ctx_flags_get(instance) & RTE_SEC_CTX_F_FAST_SET_MDATA) {
        *rte_security_dynfield(mb) = (rte_security_dynfield_t)
            rte_security_session_fast_mdata_get(sess);
        return 0;
    }

    /* Jump to PMD specific function pointer */
    return __rte_security_set_pkt_metadata(instance, sess, mb, params);
}

static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess)
{
    sym_op->session = sess;

    return 0;
}

static inline int
rte_security_attach_session(struct rte_crypto_op *op,
                void *sess)
{
    if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
        return -EINVAL;

    op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;

    return __rte_security_attach_session(op->sym, sess);
}

struct rte_security_macsec_secy_stats {
    uint64_t ctl_pkt_bcast_cnt;
    uint64_t ctl_pkt_mcast_cnt;
    uint64_t ctl_pkt_ucast_cnt;
    uint64_t ctl_octet_cnt;
    uint64_t unctl_pkt_bcast_cnt;
    uint64_t unctl_pkt_mcast_cnt;
    uint64_t unctl_pkt_ucast_cnt;
    uint64_t unctl_octet_cnt;
    /* Valid only for Rx */
    uint64_t octet_decrypted_cnt;
    uint64_t octet_validated_cnt;
    uint64_t pkt_port_disabled_cnt;
    uint64_t pkt_badtag_cnt;
    uint64_t pkt_nosa_cnt;
    uint64_t pkt_nosaerror_cnt;
    uint64_t pkt_tagged_ctl_cnt;
    uint64_t pkt_untaged_cnt;
    uint64_t pkt_ctl_cnt;
    uint64_t pkt_notag_cnt;
    /* Valid only for Tx */
    uint64_t octet_encrypted_cnt;
    uint64_t octet_protected_cnt;
    uint64_t pkt_noactivesa_cnt;
    uint64_t pkt_toolong_cnt;
    uint64_t pkt_untagged_cnt;
};

struct rte_security_macsec_sc_stats {
    /* Rx */
    uint64_t hit_cnt;
    uint64_t pkt_invalid_cnt;
    uint64_t pkt_late_cnt;
    uint64_t pkt_notvalid_cnt;
    uint64_t pkt_unchecked_cnt;
    uint64_t pkt_delay_cnt;
    uint64_t pkt_ok_cnt;
    uint64_t octet_decrypt_cnt;
    uint64_t octet_validate_cnt;
    /* Tx */
    uint64_t pkt_encrypt_cnt;
    uint64_t pkt_protected_cnt;
    uint64_t octet_encrypt_cnt;
    uint64_t octet_protected_cnt;
};

struct rte_security_macsec_sa_stats {
    /* Rx */
    uint64_t pkt_invalid_cnt;
    uint64_t pkt_nosaerror_cnt;
    uint64_t pkt_notvalid_cnt;
    uint64_t pkt_ok_cnt;
    uint64_t pkt_nosa_cnt;
    /* Tx */
    uint64_t pkt_encrypt_cnt;
    uint64_t pkt_protected_cnt;
};

struct rte_security_ipsec_stats {
    uint64_t ipackets;  
    uint64_t opackets;  
    uint64_t ibytes;    
    uint64_t obytes;    
    uint64_t ierrors;   
    uint64_t oerrors;   
    uint64_t reserved1; 
    uint64_t reserved2; 
};

struct rte_security_pdcp_stats {
    uint64_t reserved;
};

struct rte_security_docsis_stats {
    uint64_t reserved;
};

struct rte_security_stats {
    enum rte_security_session_protocol protocol;
    union {
        struct rte_security_macsec_secy_stats macsec;
        struct rte_security_ipsec_stats ipsec;
        struct rte_security_pdcp_stats pdcp;
        struct rte_security_docsis_stats docsis;
    };
};

int
rte_security_session_stats_get(void *instance,
                   void *sess,
                   struct rte_security_stats *stats);

int
rte_security_macsec_sa_stats_get(void *instance,
                 uint16_t sa_id, enum rte_security_macsec_direction dir,
                 struct rte_security_macsec_sa_stats *stats);

int
rte_security_macsec_sc_stats_get(void *instance,
                 uint16_t sc_id, enum rte_security_macsec_direction dir,
                 struct rte_security_macsec_sc_stats *stats);

struct rte_security_capability {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
            struct rte_security_ipsec_sa_options options;
            uint32_t replay_win_sz_max;
        } ipsec;
        struct {
            uint16_t mtu;
            enum rte_security_macsec_alg alg;
            uint16_t max_nb_sc;
            uint16_t max_nb_sa;
            uint16_t max_nb_sess;
            uint32_t replay_win_sz;
            uint16_t relative_sectag_insert : 1;
            uint16_t fixed_sectag_insert : 1;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t preserve_sectag : 1;
            uint16_t preserve_icv : 1;
            uint16_t validate_frames : 1;
            uint16_t re_key : 1;
            uint16_t anti_replay : 1;
            uint16_t reserved : 7;
        } macsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
        struct {
            enum rte_security_tls_version ver;
            enum rte_security_tls_sess_type type;
            uint32_t ar_win_size;
        } tls_record;
    };

    const struct rte_cryptodev_capabilities *crypto_capabilities;
    uint32_t ol_flags;
};

#define RTE_SECURITY_PDCP_ORDERING_CAP      0x00000001

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP    0x00000002

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA    0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD  0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD  0x00010000

struct rte_security_capability_idx {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;

    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
        } ipsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
        struct {
            enum rte_security_macsec_alg alg;
        } macsec;
        struct {
            enum rte_security_tls_version ver;
            enum rte_security_tls_sess_type type;
        } tls_record;
    };
};

const struct rte_security_capability *
rte_security_capabilities_get(void *instance);

const struct rte_security_capability *
rte_security_capability_get(void *instance,
                struct rte_security_capability_idx *idx);

__rte_experimental
int
rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable);

__rte_experimental
uint16_t
rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess,
                   uint16_t nb_pkts);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_SECURITY_H_ */