rte_security.h

Go to the documentation of this file.

/*-
 *   BSD LICENSE
 *
 *   Copyright 2017 NXP.
 *   Copyright(c) 2017 Intel Corporation. All rights reserved.
 *
 *   Redistribution and use in source and binary forms, with or without
 *   modification, are permitted provided that the following conditions
 *   are met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *     * Redistributions in binary form must reproduce the above copyright
 *       notice, this list of conditions and the following disclaimer in
 *       the documentation and/or other materials provided with the
 *       distribution.
 *     * Neither the name of NXP nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 *   A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 *   OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 *   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 *   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 *   DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 *   THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 *   (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 *   OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _RTE_SECURITY_H_
#define _RTE_SECURITY_H_

#ifdef __cplusplus
extern "C" {
#endif

#include <sys/types.h>

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>

#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_mbuf.h>
#include <rte_memory.h>
#include <rte_mempool.h>

enum rte_security_ipsec_sa_mode {
    RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
    RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
};

enum rte_security_ipsec_sa_protocol {
    RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
    RTE_SECURITY_IPSEC_SA_PROTO_ESP,
};

enum rte_security_ipsec_tunnel_type {
    RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
    RTE_SECURITY_IPSEC_TUNNEL_IPV6,
};

struct rte_security_ctx {
    void *device;
    const struct rte_security_ops *ops;
    uint16_t sess_cnt;
};

struct rte_security_ipsec_tunnel_param {
    enum rte_security_ipsec_tunnel_type type;
    RTE_STD_C11
    union {
        struct {
            struct in_addr src_ip;
            struct in_addr dst_ip;
            uint8_t dscp;
            uint8_t df;
            uint8_t ttl;
        } ipv4;
        struct {
            struct in6_addr src_addr;
            struct in6_addr dst_addr;
            uint8_t dscp;
            uint32_t flabel;
            uint8_t hlimit;
        } ipv6;
    };
};

struct rte_security_ipsec_sa_options {
    uint32_t esn : 1;

    uint32_t udp_encap : 1;

    uint32_t copy_dscp : 1;

    uint32_t copy_flabel : 1;

    uint32_t copy_df : 1;

    uint32_t dec_ttl : 1;
};

enum rte_security_ipsec_sa_direction {
    RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
    RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
};

struct rte_security_ipsec_xform {
    uint32_t spi;
    uint32_t salt;
    struct rte_security_ipsec_sa_options options;
    enum rte_security_ipsec_sa_direction direction;
    enum rte_security_ipsec_sa_protocol proto;
    enum rte_security_ipsec_sa_mode mode;
    struct rte_security_ipsec_tunnel_param tunnel;
};

struct rte_security_macsec_xform {
    int dummy;
};

enum rte_security_session_action_type {
    RTE_SECURITY_ACTION_TYPE_NONE,
    RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
    RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL
};

enum rte_security_session_protocol {
    RTE_SECURITY_PROTOCOL_IPSEC = 1,
    RTE_SECURITY_PROTOCOL_MACSEC,
};

struct rte_security_session_conf {
    enum rte_security_session_action_type action_type;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_ipsec_xform ipsec;
        struct rte_security_macsec_xform macsec;
    };
    struct rte_crypto_sym_xform *crypto_xform;
};

struct rte_security_session {
    void *sess_private_data;
};

struct rte_security_session *
rte_security_session_create(struct rte_security_ctx *instance,
                struct rte_security_session_conf *conf,
                struct rte_mempool *mp);

int
rte_security_session_update(struct rte_security_ctx *instance,
                struct rte_security_session *sess,
                struct rte_security_session_conf *conf);

int
rte_security_session_destroy(struct rte_security_ctx *instance,
                 struct rte_security_session *sess);

int
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
                  struct rte_security_session *sess,
                  struct rte_mbuf *mb, void *params);

static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op,
                  struct rte_security_session *sess)
{
    sym_op->sec_session = sess;

    return 0;
}

static inline void *
get_sec_session_private_data(const struct rte_security_session *sess)
{
    return sess->sess_private_data;
}

static inline void
set_sec_session_private_data(struct rte_security_session *sess,
                 void *private_data)
{
    sess->sess_private_data = private_data;
}

static inline int
rte_security_attach_session(struct rte_crypto_op *op,
                struct rte_security_session *sess)
{
    if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
        return -EINVAL;

    op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;

    return __rte_security_attach_session(op->sym, sess);
}

struct rte_security_macsec_stats {
    uint64_t reserved;
};

struct rte_security_ipsec_stats {
    uint64_t reserved;

};

struct rte_security_stats {
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_macsec_stats macsec;
        struct rte_security_ipsec_stats ipsec;
    };
};

int
rte_security_session_stats_get(struct rte_security_ctx *instance,
                   struct rte_security_session *sess,
                   struct rte_security_stats *stats);

struct rte_security_capability {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
            struct rte_security_ipsec_sa_options options;
        } ipsec;
        struct {
            /* To be Filled */
            int dummy;
        } macsec;
    };

    const struct rte_cryptodev_capabilities *crypto_capabilities;
    uint32_t ol_flags;
};

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA    0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD  0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD  0x00010000

struct rte_security_capability_idx {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;

    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
        } ipsec;
    };
};

const struct rte_security_capability *
rte_security_capabilities_get(struct rte_security_ctx *instance);

const struct rte_security_capability *
rte_security_capability_get(struct rte_security_ctx *instance,
                struct rte_security_capability_idx *idx);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_SECURITY_H_ */