DPDK 21.11.9
Data Structures | Macros | Typedefs | Enumerations | Functions | Variables
rte_security.h File Reference
#include <sys/types.h>
#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_ip.h>
#include <rte_mbuf.h>
#include <rte_mbuf_dyn.h>
#include <rte_memory.h>
#include <rte_mempool.h>

Go to the source code of this file.

Data Structures

struct  rte_security_ctx
 
struct  rte_security_ipsec_tunnel_param
 
struct  rte_security_ipsec_sa_options
 
struct  rte_security_ipsec_lifetime
 
struct  rte_security_ipsec_xform
 
struct  rte_security_macsec_xform
 
struct  rte_security_pdcp_xform
 
struct  rte_security_docsis_xform
 
struct  rte_security_session_conf
 
struct  rte_security_capability
 
struct  rte_security_capability_idx
 

Macros

#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR   0x1
 
#define RTE_SEC_CTX_F_FAST_SET_MDATA   0x00000001
 
#define RTE_SEC_CTX_F_FAST_GET_UDATA   0x00000002
 
#define RTE_SECURITY_PDCP_ORDERING_CAP   0x00000001
 
#define RTE_SECURITY_PDCP_DUP_DETECT_CAP   0x00000002
 
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA   0x00000001
 
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD   0x00000002
 
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD   0x00010000
 

Typedefs

typedef uint64_t rte_security_dynfield_t
 

Enumerations

enum  rte_security_ipsec_sa_mode { RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1 , RTE_SECURITY_IPSEC_SA_MODE_TUNNEL }
 
enum  rte_security_ipsec_sa_protocol { RTE_SECURITY_IPSEC_SA_PROTO_AH = 1 , RTE_SECURITY_IPSEC_SA_PROTO_ESP }
 
enum  rte_security_ipsec_tunnel_type { RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1 , RTE_SECURITY_IPSEC_TUNNEL_IPV6 }
 
enum  rte_security_ipsec_sa_direction { RTE_SECURITY_IPSEC_SA_DIR_EGRESS , RTE_SECURITY_IPSEC_SA_DIR_INGRESS }
 
enum  rte_security_pdcp_domain { RTE_SECURITY_PDCP_MODE_CONTROL , RTE_SECURITY_PDCP_MODE_DATA , RTE_SECURITY_PDCP_MODE_SHORT_MAC }
 
enum  rte_security_pdcp_direction { RTE_SECURITY_PDCP_UPLINK , RTE_SECURITY_PDCP_DOWNLINK }
 
enum  rte_security_pdcp_sn_size {
  RTE_SECURITY_PDCP_SN_SIZE_5 = 5 , RTE_SECURITY_PDCP_SN_SIZE_7 = 7 , RTE_SECURITY_PDCP_SN_SIZE_12 = 12 , RTE_SECURITY_PDCP_SN_SIZE_15 = 15 ,
  RTE_SECURITY_PDCP_SN_SIZE_18 = 18
}
 
enum  rte_security_docsis_direction { RTE_SECURITY_DOCSIS_UPLINK , RTE_SECURITY_DOCSIS_DOWNLINK }
 
enum  rte_security_session_action_type {
  RTE_SECURITY_ACTION_TYPE_NONE , RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO , RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL , RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL ,
  RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
}
 
enum  rte_security_session_protocol { RTE_SECURITY_PROTOCOL_IPSEC = 1 , RTE_SECURITY_PROTOCOL_MACSEC , RTE_SECURITY_PROTOCOL_PDCP , RTE_SECURITY_PROTOCOL_DOCSIS }
 

Functions

struct rte_security_session * rte_security_session_create (struct rte_security_ctx *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp, struct rte_mempool *priv_mp)
 
__rte_experimental int rte_security_session_update (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_session_conf *conf)
 
unsigned int rte_security_session_get_size (struct rte_security_ctx *instance)
 
int rte_security_session_destroy (struct rte_security_ctx *instance, struct rte_security_session *sess)
 
static __rte_experimental rte_security_dynfield_trte_security_dynfield (struct rte_mbuf *mbuf)
 
static __rte_experimental bool rte_security_dynfield_is_registered (void)
 
__rte_experimental int __rte_security_set_pkt_metadata (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_mbuf *m, void *params)
 
static int rte_security_set_pkt_metadata (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_mbuf *mb, void *params)
 
__rte_experimental void * __rte_security_get_userdata (struct rte_security_ctx *instance, uint64_t md)
 
static __rte_experimental void * rte_security_get_userdata (struct rte_security_ctx *instance, uint64_t md)
 
static int __rte_security_attach_session (struct rte_crypto_sym_op *sym_op, struct rte_security_session *sess)
 
static int rte_security_attach_session (struct rte_crypto_op *op, struct rte_security_session *sess)
 
__rte_experimental int rte_security_session_stats_get (struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_stats *stats)
 
const struct rte_security_capabilityrte_security_capabilities_get (struct rte_security_ctx *instance)
 
const struct rte_security_capabilityrte_security_capability_get (struct rte_security_ctx *instance, struct rte_security_capability_idx *idx)
 

Variables

int rte_security_dynfield_offset
 

Detailed Description

RTE Security Common Definitions

Definition in file rte_security.h.

Macro Definition Documentation

◆ RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR

#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR   0x1

IPSEC tunnel header verification mode

Controls how outer IP header is verified in inbound.

Definition at line 60 of file rte_security.h.

◆ RTE_SEC_CTX_F_FAST_SET_MDATA

#define RTE_SEC_CTX_F_FAST_SET_MDATA   0x00000001

Driver uses fast metadata update without using driver specific callback

Definition at line 84 of file rte_security.h.

◆ RTE_SEC_CTX_F_FAST_GET_UDATA

#define RTE_SEC_CTX_F_FAST_GET_UDATA   0x00000002

Driver provides udata using fast method without using driver specific callback. For fast mdata and udata, mbuf dynamic field would be registered by driver via rte_security_dynfield_register().

Definition at line 90 of file rte_security.h.

◆ RTE_SECURITY_PDCP_ORDERING_CAP

#define RTE_SECURITY_PDCP_ORDERING_CAP   0x00000001

Underlying Hardware/driver which support PDCP may or may not support packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. If it is not set, driver/HW assumes packets received are in order and it will be application's responsibility to maintain ordering.

Definition at line 857 of file rte_security.h.

◆ RTE_SECURITY_PDCP_DUP_DETECT_CAP

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP   0x00000002

Underlying Hardware/driver which support PDCP may or may not detect duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. If it is not set, driver/HW assumes there is no duplicate packet received.

Definition at line 863 of file rte_security.h.

◆ RTE_SECURITY_TX_OLOAD_NEED_MDATA

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA   0x00000001

HW needs metadata update, see rte_security_set_pkt_metadata().

Examples
examples/ipsec-secgw/ipsec.c.

Definition at line 867 of file rte_security.h.

◆ RTE_SECURITY_TX_HW_TRAILER_OFFLOAD

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD   0x00000002

HW constructs trailer of packets Transmitted packets will have the trailer added to them by hardware. The next protocol field will be based on the mbuf->inner_esp_next_proto field.

Examples
examples/ipsec-secgw/esp.c, and examples/ipsec-secgw/ipsec.c.

Definition at line 874 of file rte_security.h.

◆ RTE_SECURITY_RX_HW_TRAILER_OFFLOAD

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD   0x00010000

HW removes trailer of packets Received packets have no trailer, the next protocol field is supplied in the mbuf->inner_esp_next_proto field. Inner packet is not modified.

Examples
examples/ipsec-secgw/esp.c.

Definition at line 880 of file rte_security.h.

Typedef Documentation

◆ rte_security_dynfield_t

typedef uint64_t rte_security_dynfield_t

Device-specific metadata field type

Definition at line 588 of file rte_security.h.

Enumeration Type Documentation

◆ rte_security_ipsec_sa_mode

IPSec protocol mode

Enumerator
RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT 

IPSec Transport mode

RTE_SECURITY_IPSEC_SA_MODE_TUNNEL 

IPSec Tunnel mode

Definition at line 32 of file rte_security.h.

◆ rte_security_ipsec_sa_protocol

IPSec Protocol

Enumerator
RTE_SECURITY_IPSEC_SA_PROTO_AH 

AH protocol

RTE_SECURITY_IPSEC_SA_PROTO_ESP 

ESP protocol

Definition at line 40 of file rte_security.h.

◆ rte_security_ipsec_tunnel_type

IPSEC tunnel type

Enumerator
RTE_SECURITY_IPSEC_TUNNEL_IPV4 

Outer header is IPv4

RTE_SECURITY_IPSEC_TUNNEL_IPV6 

Outer header is IPv6

Definition at line 48 of file rte_security.h.

◆ rte_security_ipsec_sa_direction

IPSec security association direction

Enumerator
RTE_SECURITY_IPSEC_SA_DIR_EGRESS 

Encrypt and generate digest

RTE_SECURITY_IPSEC_SA_DIR_INGRESS 

Verify digest and decrypt

Definition at line 278 of file rte_security.h.

◆ rte_security_pdcp_domain

PDCP Mode of session

Enumerator
RTE_SECURITY_PDCP_MODE_CONTROL 

PDCP control plane

RTE_SECURITY_PDCP_MODE_DATA 

PDCP data plane

RTE_SECURITY_PDCP_MODE_SHORT_MAC 

PDCP short mac

Definition at line 358 of file rte_security.h.

◆ rte_security_pdcp_direction

PDCP Frame direction

Enumerator
RTE_SECURITY_PDCP_UPLINK 

Uplink

RTE_SECURITY_PDCP_DOWNLINK 

Downlink

Definition at line 365 of file rte_security.h.

◆ rte_security_pdcp_sn_size

PDCP Sequence Number Size selectors

Enumerator
RTE_SECURITY_PDCP_SN_SIZE_5 

PDCP_SN_SIZE_5: 5bit sequence number

RTE_SECURITY_PDCP_SN_SIZE_7 

PDCP_SN_SIZE_7: 7bit sequence number

RTE_SECURITY_PDCP_SN_SIZE_12 

PDCP_SN_SIZE_12: 12bit sequence number

RTE_SECURITY_PDCP_SN_SIZE_15 

PDCP_SN_SIZE_15: 15bit sequence number

RTE_SECURITY_PDCP_SN_SIZE_18 

PDCP_SN_SIZE_18: 18bit sequence number

Definition at line 371 of file rte_security.h.

◆ rte_security_docsis_direction

DOCSIS direction

Enumerator
RTE_SECURITY_DOCSIS_UPLINK 

Uplink

  • Decryption, followed by CRC Verification
RTE_SECURITY_DOCSIS_DOWNLINK 

Downlink

  • CRC Generation, followed by Encryption

Definition at line 432 of file rte_security.h.

◆ rte_security_session_action_type

Security session action type.

Enumerator
RTE_SECURITY_ACTION_TYPE_NONE 

No security actions

RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO 

Crypto processing for security protocol is processed inline during transmission

RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL 

All security protocol processing is performed inline during transmission

RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL 

All security protocol processing including crypto is performed on a lookaside accelerator

RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO 

Similar to ACTION_TYPE_NONE but crypto processing for security protocol is processed synchronously by a CPU.

Definition at line 457 of file rte_security.h.

◆ rte_security_session_protocol

Security session protocol definition

Enumerator
RTE_SECURITY_PROTOCOL_IPSEC 

IPsec Protocol

RTE_SECURITY_PROTOCOL_MACSEC 

MACSec Protocol

RTE_SECURITY_PROTOCOL_PDCP 

PDCP Protocol

RTE_SECURITY_PROTOCOL_DOCSIS 

DOCSIS Protocol

Definition at line 481 of file rte_security.h.

Function Documentation

◆ rte_security_session_create()

struct rte_security_session * rte_security_session_create ( struct rte_security_ctx instance,
struct rte_security_session_conf conf,
struct rte_mempool mp,
struct rte_mempool priv_mp 
)

Create security session as specified by the session configuration

Parameters
instancesecurity instance
confsession configuration parameters
mpmempool to allocate session objects from
priv_mpmempool to allocate session private data objects from
Returns
  • On success, pointer to session
  • On failure, NULL
Examples
examples/ipsec-secgw/ipsec.c.

◆ rte_security_session_update()

__rte_experimental int rte_security_session_update ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_security_session_conf conf 
)

Update security session as specified by the session configuration

Parameters
instancesecurity instance
sesssession to update parameters
confupdate configuration parameters
Returns
  • On success returns 0
  • On failure returns a negative errno value.

◆ rte_security_session_get_size()

unsigned int rte_security_session_get_size ( struct rte_security_ctx instance)

Get the size of the security session data for a device.

Parameters
instancesecurity instance.
Returns
  • Size of the private data, if successful
  • 0 if device is invalid or does not support the operation.
Examples
examples/ipsec-secgw/ipsec-secgw.c.

◆ rte_security_session_destroy()

int rte_security_session_destroy ( struct rte_security_ctx instance,
struct rte_security_session *  sess 
)

Free security session header and the session private data and return it to its original mempool.

Parameters
instancesecurity instance
sesssecurity session to be freed
Returns
  • 0 if successful.
  • -EINVAL if session or context instance is NULL.
  • -EBUSY if not all device private data has been freed.
  • -ENOTSUP if destroying private data is not supported.
  • other negative values in case of freeing private data errors.
Examples
examples/ipsec-secgw/ipsec-secgw.c.

◆ rte_security_dynfield()

static __rte_experimental rte_security_dynfield_t * rte_security_dynfield ( struct rte_mbuf mbuf)
inlinestatic
Warning
EXPERIMENTAL: this API may change without prior notice

Get pointer to mbuf field for device-specific metadata.

For performance reason, no check is done, the dynamic field may not be registered.

See also
rte_security_dynfield_is_registered
Parameters
mbufpacket to access
Returns
pointer to mbuf field
Examples
examples/ipsec-secgw/ipsec-secgw.c, and examples/ipsec-secgw/ipsec_worker.c.

Definition at line 607 of file rte_security.h.

◆ rte_security_dynfield_is_registered()

static __rte_experimental bool rte_security_dynfield_is_registered ( void  )
inlinestatic
Warning
EXPERIMENTAL: this API may change without prior notice

Check whether the dynamic field is registered.

Returns
true if rte_security_dynfield_register() has been called.
Examples
examples/ipsec-secgw/ipsec-secgw.c.

Definition at line 623 of file rte_security.h.

◆ __rte_security_set_pkt_metadata()

__rte_experimental int __rte_security_set_pkt_metadata ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_mbuf m,
void *  params 
)

Function to call PMD specific function pointer set_pkt_metadata()

◆ rte_security_set_pkt_metadata()

static int rte_security_set_pkt_metadata ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_mbuf mb,
void *  params 
)
inlinestatic

Updates the buffer with device-specific defined metadata

Parameters
instancesecurity instance
sesssecurity session
mbpacket mbuf to set metadata on.
paramsdevice-specific defined parameters required for metadata
Returns
  • On success, zero.
  • On failure, a negative value.
Examples
examples/ipsec-secgw/ipsec.c, and examples/ipsec-secgw/ipsec_worker.c.

Definition at line 648 of file rte_security.h.

◆ __rte_security_get_userdata()

__rte_experimental void * __rte_security_get_userdata ( struct rte_security_ctx instance,
uint64_t  md 
)

Function to call PMD specific function pointer get_userdata()

◆ rte_security_get_userdata()

static __rte_experimental void * rte_security_get_userdata ( struct rte_security_ctx instance,
uint64_t  md 
)
inlinestatic

Get userdata associated with the security session. Device specific metadata provided would be used to uniquely identify the security session being referred to. This userdata would be registered while creating the session, and application can use this to identify the SA etc.

Device specific metadata would be set in mbuf for inline processed inbound packets. In addition, the same metadata would be set for IPsec events reported by rte_eth_event framework.

Parameters
instancesecurity instance
mddevice-specific metadata
Returns
  • On success, userdata
  • On failure, NULL
Examples
examples/ipsec-secgw/ipsec-secgw.c.

Definition at line 687 of file rte_security.h.

◆ __rte_security_attach_session()

static int __rte_security_attach_session ( struct rte_crypto_sym_op sym_op,
struct rte_security_session *  sess 
)
inlinestatic

Attach a session to a symmetric crypto operation

Parameters
sym_opcrypto operation
sesssecurity session

Definition at line 704 of file rte_security.h.

◆ rte_security_attach_session()

static int rte_security_attach_session ( struct rte_crypto_op op,
struct rte_security_session *  sess 
)
inlinestatic

Attach a session to a crypto operation. This API is needed only in case of RTE_SECURITY_SESS_CRYPTO_PROTO_OFFLOAD For other rte_security_session_action_type, ol_flags in rte_mbuf may be defined to perform security operations.

Parameters
opcrypto operation
sesssecurity session
Examples
examples/ipsec-secgw/ipsec.c.

Definition at line 735 of file rte_security.h.

◆ rte_security_session_stats_get()

__rte_experimental int rte_security_session_stats_get ( struct rte_security_ctx instance,
struct rte_security_session *  sess,
struct rte_security_stats *  stats 
)

Get security session statistics

Parameters
instancesecurity instance
sesssecurity session If security session is NULL then global (per security instance) statistics will be retrieved, if supported. Global statistics collection is not dependent on the per session statistics configuration.
statsstatistics
Returns
  • On success, return 0
  • On failure, a negative value

◆ rte_security_capabilities_get()

const struct rte_security_capability * rte_security_capabilities_get ( struct rte_security_ctx instance)

Returns array of security instance capabilities

Parameters
instanceSecurity instance.
Returns
  • Returns array of security capabilities.
  • Return NULL if no capabilities available.
Examples
examples/ipsec-secgw/ipsec.c.

◆ rte_security_capability_get()

const struct rte_security_capability * rte_security_capability_get ( struct rte_security_ctx instance,
struct rte_security_capability_idx idx 
)

Query if a specific capability is available on security instance

Parameters
instancesecurity instance.
idxsecurity capability index to match against
Returns
  • Returns pointer to security capability on match of capability index criteria.
  • Return NULL if the capability not matched on security instance.

Variable Documentation

◆ rte_security_dynfield_offset

int rte_security_dynfield_offset
extern

Dynamic mbuf field for device-specific metadata