DPDK  22.11.6
rte_security.h
1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #include <sys/types.h>
21 
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
25 #include <rte_ip.h>
26 #include <rte_mbuf_dyn.h>
27 
34 };
35 
42 };
43 
50 };
51 
/*
 * Candidate values for the 2-bit tunnel_hdr_verify option of the IPsec
 * options: read by name, verify only the tunnel destination address, or
 * both source and destination addresses, of tunnel-mode packets against the
 * SA's configured tunnel parameters. Enabling this is what binds a decrypted
 * packet to the SA it was expected to arrive on; whether a given PMD honours
 * it must be confirmed from its IPsec capability before relying on it.
 */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
59 
70  void *device;
72  const struct rte_security_ops *ops;
74  uint16_t sess_cnt;
76  uint16_t macsec_sc_cnt;
78  uint16_t macsec_sa_cnt;
80  uint32_t flags;
82 };
83 
/**
 * Bit in the flags member of struct rte_security_ctx. When set,
 * rte_security_set_pkt_metadata() takes its inline fast path and returns 0
 * without calling through to the PMD's __rte_security_set_pkt_metadata()
 * (see the flag test in that function).
 */
#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
85 
99  union {
100  struct {
101  struct in_addr src_ip;
103  struct in_addr dst_ip;
105  uint8_t dscp;
107  uint8_t df;
109  uint8_t ttl;
111  } ipv4;
113  struct {
114  struct in6_addr src_addr;
116  struct in6_addr dst_addr;
118  uint8_t dscp;
120  uint32_t flabel;
122  uint8_t hlimit;
124  } ipv6;
126  };
127 };
128 
/**
 * UDP ports for IPsec UDP encapsulation; carried as the udp member of the
 * IPsec transform and meaningful when the udp_encap option is enabled.
 *
 * The byte order of the ports is not stated in this header — confirm against
 * the PMD before comparing them with on-wire values.
 */
struct rte_security_ipsec_udp_param {
	uint16_t sport; /**< UDP source port. */
	uint16_t dport; /**< UDP destination port. */
};
133 
143  uint32_t esn : 1;
144 
151  uint32_t udp_encap : 1;
152 
160  uint32_t copy_dscp : 1;
161 
168  uint32_t copy_flabel : 1;
169 
176  uint32_t copy_df : 1;
177 
185  uint32_t dec_ttl : 1;
186 
194  uint32_t ecn : 1;
195 
202  uint32_t stats : 1;
203 
216  uint32_t iv_gen_disable : 1;
217 
225  uint32_t tunnel_hdr_verify : 2;
226 
232  uint32_t udp_ports_verify : 1;
233 
247  uint32_t ip_csum_enable : 1;
248 
263  uint32_t l4_csum_enable : 1;
264 
276  uint32_t ip_reassembly_en : 1;
277 
285  uint32_t reserved_opts : 17;
286 };
287 
294 };
295 
318 };
319 
326  uint32_t spi;
328  uint32_t salt;
342  uint32_t replay_win_sz;
346  union {
347  uint64_t value;
348  struct {
349  uint32_t low;
350  uint32_t hi;
351  };
352  } esn;
354  struct rte_security_ipsec_udp_param udp;
356 };
357 
366 };
367 
/**
 * Number of association numbers (ANs) per MACsec secure channel. The SA's
 * an field is 2 bits wide, and the sc_rx configuration keeps one
 * sa_id / sa_in_use slot per AN.
 */
#define RTE_SECURITY_MACSEC_NUM_AN 4

/**
 * Length in bytes of the MACsec salt (presumably the salt used by the
 * extended-packet-number ciphers together with ssci/xpn — confirm with the PMD).
 */
#define RTE_SECURITY_MACSEC_SALT_LEN 12
372 
380  struct {
381  const uint8_t *data;
382  uint16_t length;
383  } key;
387  uint8_t an : 2;
389  uint32_t ssci;
391  uint32_t xpn;
393  uint32_t next_pn;
394 };
395 
402  union {
403  struct {
405  uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
407  uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
409  uint8_t active : 1;
411  uint8_t reserved : 7;
412  } sc_rx;
413  struct {
414  uint16_t sa_id;
415  uint16_t sa_id_rekey;
416  uint64_t sci;
417  uint8_t active : 1;
418  uint8_t re_key_en : 1;
420  uint8_t reserved : 6;
421  } sc_tx;
422  };
423 };
424 
433 };
434 
/*
 * Frame-validation modes for the 2-bit rx_secy.validate_frames field of the
 * MACsec transform. Read by name: DISABLE and NO_OP perform no validation,
 * NO_DISCARD validates but still delivers failing frames (visible only in the
 * counters), STRICT validates and drops failures. Only STRICT gives a hard
 * guarantee that a frame with a bad ICV or a replayed packet number never
 * reaches the application, so it is the mode to prefer unless the application
 * filters on the reported statistics itself — confirm the exact behaviour of
 * each mode with the PMD.
 */
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0

#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1

#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2

#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3
443 
453  uint8_t cipher_off;
458  uint64_t sci;
460  uint16_t sc_id;
461  union {
462  struct {
464  uint16_t mtu;
469  uint8_t sectag_off;
471  uint16_t protect_frames : 1;
478  uint16_t sectag_insert_mode : 1;
480  uint16_t icv_include_da_sa : 1;
482  uint16_t ctrl_port_enable : 1;
484  uint16_t sectag_version : 1;
486  uint16_t end_station : 1;
488  uint16_t send_sci : 1;
490  uint16_t scb : 1;
495  uint16_t encrypt : 1;
497  uint16_t reserved : 7;
498  } tx_secy;
499  struct {
501  uint32_t replay_win_sz;
503  uint16_t validate_frames : 2;
505  uint16_t icv_include_da_sa : 1;
507  uint16_t ctrl_port_enable : 1;
509  uint16_t preserve_sectag : 1;
511  uint16_t preserve_icv : 1;
513  uint16_t replay_protect : 1;
515  uint16_t reserved : 9;
516  } rx_secy;
517  };
518 };
519 
527 };
528 
533 };
534 
547 };
548 
555  int8_t bearer;
559  uint8_t en_ordering;
574  uint32_t hfn;
576  uint32_t hfn_threshold;
585  uint8_t hfn_ovrd;
591  uint8_t sdap_enabled;
593  uint16_t reserved;
594 };
595 
606 };
607 
616 };
617 
621 /* Enumeration of rte_security_session_action_type 8<*/
641 };
642 /* >8 End enumeration of rte_security_session_action_type. */
643 
645 /* Enumeration of rte_security_session_protocol 8<*/
655 };
656 /* >8 End enumeration of rte_security_session_protocol. */
657 
661 /* Structure rte_security_session_conf 8< */
668  union {
669  struct rte_security_ipsec_xform ipsec;
670  struct rte_security_macsec_xform macsec;
671  struct rte_security_pdcp_xform pdcp;
672  struct rte_security_docsis_xform docsis;
673  };
677  void *userdata;
679 };
680 /* >8 End of structure rte_security_session_conf. */
681 
692 void *
694  struct rte_security_session_conf *conf,
695  struct rte_mempool *mp);
696 
707 __rte_experimental
708 int
710  void *sess,
711  struct rte_security_session_conf *conf);
712 
722 unsigned int
724 
739 int
740 rte_security_session_destroy(struct rte_security_ctx *instance, void *sess);
741 
757 __rte_experimental
758 int
760  struct rte_security_macsec_sc *conf);
761 
775 __rte_experimental
776 int
777 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
778 
794 __rte_experimental
795 int
797  struct rte_security_macsec_sa *conf);
798 
812 __rte_experimental
813 int
814 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
815 
/**
 * Type of the per-mbuf security dynamic field; it is located with
 * rte_security_dynfield(), which is only meaningful once
 * rte_security_dynfield_is_registered() reports true.
 */
typedef uint64_t rte_security_dynfield_t;
820 
/**
 * Locate the security dynamic field inside an mbuf.
 *
 * Only valid once rte_security_dynfield_is_registered() reports true: the
 * field is addressed through rte_security_dynfield_offset, which is negative
 * before registration, and that is presumably not checked by
 * RTE_MBUF_DYNFIELD() — confirm in rte_mbuf_dyn.h.
 *
 * @param mbuf
 *   Packet buffer; must be non-NULL.
 * @return
 *   Pointer to the rte_security_dynfield_t stored inside @p mbuf.
 */
__rte_experimental
static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
	rte_security_dynfield_t *field;

	field = RTE_MBUF_DYNFIELD(mbuf, rte_security_dynfield_offset,
				  rte_security_dynfield_t *);

	return field;
}
842 
/**
 * Report whether the per-mbuf security dynamic field has been registered.
 *
 * The registered offset lives in rte_security_dynfield_offset; a negative
 * value means no registration has taken place, and rte_security_dynfield()
 * must presumably not be applied to any mbuf until this returns true.
 *
 * @return
 *   true when rte_security_dynfield_offset is non-negative, false otherwise.
 */
__rte_experimental
static inline bool rte_security_dynfield_is_registered(void)
{
	const int offset = rte_security_dynfield_offset;

	if (offset < 0)
		return false;

	return true;
}
856 
/*
 * Layout of the leading words of a security session object, in uint64_t
 * units: word 0 is application-opaque data, word 1 is the fast-path
 * metadata (presumably what the RTE_SEC_CTX_F_FAST_SET_MDATA path of
 * rte_security_set_pkt_metadata() copies into the mbuf — confirm).
 *
 * The accessors below do no validation at all: @p sess must be a non-NULL
 * pointer to a session object whose storage covers at least two uint64_t
 * words (i.e. a session obtained from rte_security_session_create()), or the
 * access is out of bounds. They are fast-path helpers by design.
 */
#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0
#define RTE_SECURITY_SESS_FAST_MDATA_OFF 1

/**
 * Read the application-opaque word of a session object.
 *
 * @param sess
 *   Session object (non-NULL, at least two uint64_t words of storage).
 * @return
 *   The uint64_t at word index RTE_SECURITY_SESS_OPAQUE_DATA_OFF.
 */
static inline uint64_t
rte_security_session_opaque_data_get(void *sess)
{
	const uint64_t *words = sess;

	return words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF];
}

/**
 * Store the application-opaque word of a session object.
 *
 * @param sess
 *   Session object (non-NULL, at least two uint64_t words of storage).
 * @param opaque
 *   Value written at word index RTE_SECURITY_SESS_OPAQUE_DATA_OFF.
 */
static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
	uint64_t *words = sess;

	words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF] = opaque;
}

/**
 * Read the fast-path metadata word of a session object.
 *
 * @param sess
 *   Session object (non-NULL, at least two uint64_t words of storage).
 * @return
 *   The uint64_t at word index RTE_SECURITY_SESS_FAST_MDATA_OFF.
 */
static inline uint64_t
rte_security_session_fast_mdata_get(void *sess)
{
	const uint64_t *words = sess;

	return words[RTE_SECURITY_SESS_FAST_MDATA_OFF];
}

/**
 * Store the fast-path metadata word of a session object.
 *
 * @param sess
 *   Session object (non-NULL, at least two uint64_t words of storage).
 * @param fdata
 *   Value written at word index RTE_SECURITY_SESS_FAST_MDATA_OFF.
 */
static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
	uint64_t *words = sess;

	words[RTE_SECURITY_SESS_FAST_MDATA_OFF] = fdata;
}
898 
900 __rte_experimental
901 extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
902  void *sess,
903  struct rte_mbuf *m, void *params);
904 
918 static inline int
920  void *sess,
921  struct rte_mbuf *mb, void *params)
922 {
923  /* Fast Path */
924  if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
927  return 0;
928  }
929 
930  /* Jump to PMD specific function pointer */
931  return __rte_security_set_pkt_metadata(instance, sess, mb, params);
932 }
933 
/**
 * Bind a security session to a symmetric crypto operation.
 *
 * Internal helper used by rte_security_attach_session(); it only stores the
 * session pointer and validates neither @p sym_op nor @p sess.
 *
 * @param sym_op
 *   Symmetric crypto operation; must be non-NULL.
 * @param sess
 *   Security session to attach.
 * @return
 *   Always 0.
 */
static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess)
{
	const int rc = 0;

	sym_op->session = sess;

	return rc;
}
947 
957 static inline int
959  void *sess)
960 {
962  return -EINVAL;
963 
965 
966  return __rte_security_attach_session(op->sym, sess);
967 }
968 
/**
 * Per-SecY MACsec counters, returned as the macsec member of
 * struct rte_security_stats by rte_security_session_stats_get().
 *
 * The groups marked "Valid only for Rx" / "Valid only for Tx" follow the
 * existing comments; the fields before them are presumably maintained for
 * both directions — confirm with the PMD. Note that pkt_untaged_cnt (Rx) and
 * pkt_untagged_cnt (Tx) are two distinct counters whose names differ only by
 * a misspelling; renaming the Rx one would be an API/ABI change, so it must
 * not be "corrected" in place.
 */
struct rte_security_macsec_secy_stats {
	uint64_t ctl_pkt_bcast_cnt;
	uint64_t ctl_pkt_mcast_cnt;
	uint64_t ctl_pkt_ucast_cnt;
	uint64_t ctl_octet_cnt;
	uint64_t unctl_pkt_bcast_cnt;
	uint64_t unctl_pkt_mcast_cnt;
	uint64_t unctl_pkt_ucast_cnt;
	uint64_t unctl_octet_cnt;
	/* Valid only for Rx */
	uint64_t octet_decrypted_cnt;
	uint64_t octet_validated_cnt;
	uint64_t pkt_port_disabled_cnt;
	uint64_t pkt_badtag_cnt;
	uint64_t pkt_nosa_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_tagged_ctl_cnt;
	uint64_t pkt_untaged_cnt; /* sic: distinct from the Tx pkt_untagged_cnt */
	uint64_t pkt_ctl_cnt;
	uint64_t pkt_notag_cnt;
	/* Valid only for Tx */
	uint64_t octet_encrypted_cnt;
	uint64_t octet_protected_cnt;
	uint64_t pkt_noactivesa_cnt;
	uint64_t pkt_toolong_cnt;
	uint64_t pkt_untagged_cnt;
};
996 
/**
 * Per-secure-channel MACsec counters, filled in by
 * rte_security_macsec_sc_stats_get() for one sc_id. Which group applies
 * depends on the channel's direction, per the existing Rx / Tx comments.
 */
struct rte_security_macsec_sc_stats {
	/* Rx */
	uint64_t hit_cnt;
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_late_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_unchecked_cnt;
	uint64_t pkt_delay_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t octet_decrypt_cnt;
	uint64_t octet_validate_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
	uint64_t octet_encrypt_cnt;
	uint64_t octet_protected_cnt;
};
1014 
/**
 * Per-security-association MACsec counters, filled in by
 * rte_security_macsec_sa_stats_get() for one sa_id. Which group applies
 * depends on the SA's direction, per the existing Rx / Tx comments.
 */
struct rte_security_macsec_sa_stats {
	/* Rx */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t pkt_nosa_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
};
1026 
/**
 * IPsec session counters, returned as the ipsec member of
 * struct rte_security_stats. Packet/byte counters for each direction plus the
 * error counts a caller can watch for dropped or rejected traffic; which
 * conditions count as an error is PMD-defined — confirm before alerting on it.
 */
struct rte_security_ipsec_stats {
	uint64_t ipackets; /**< Packets received. */
	uint64_t opackets; /**< Packets transmitted. */
	uint64_t ibytes;   /**< Bytes received. */
	uint64_t obytes;   /**< Bytes transmitted. */
	uint64_t ierrors;  /**< Inbound error count. */
	uint64_t oerrors;  /**< Outbound error count. */
	uint64_t reserved1; /**< Reserved; presumably kept at 0 — do not interpret. */
	uint64_t reserved2; /**< Reserved; presumably kept at 0 — do not interpret. */
};
1037 
/**
 * PDCP session counters. Currently only a placeholder word so that the
 * union in struct rte_security_stats has a member for every protocol.
 */
struct rte_security_pdcp_stats {
	uint64_t reserved; /**< Reserved; no counters are defined yet. */
};
1041 
/**
 * DOCSIS session counters. Currently only a placeholder word so that the
 * union in struct rte_security_stats has a member for every protocol.
 */
struct rte_security_docsis_stats {
	uint64_t reserved; /**< Reserved; no counters are defined yet. */
};
1045 
/**
 * Statistics returned by rte_security_session_stats_get().
 *
 * The protocol member tells which member of the anonymous union holds valid
 * data (presumably set by the PMD — confirm); callers must check it before
 * reading the union. The macsec member is the per-SecY view — per-SC and
 * per-SA MACsec counters come from rte_security_macsec_sc_stats_get() and
 * rte_security_macsec_sa_stats_get() instead.
 */
struct rte_security_stats {
	/** Protocol the counters belong to; selects the union member below. */
	enum rte_security_session_protocol protocol;

	RTE_STD_C11
	union {
		struct rte_security_macsec_secy_stats macsec;
		struct rte_security_ipsec_stats ipsec;
		struct rte_security_pdcp_stats pdcp;
		struct rte_security_docsis_stats docsis;
	};
};
1058 
1072 __rte_experimental
1073 int
1075  void *sess,
1076  struct rte_security_stats *stats);
1077 
1091 __rte_experimental
1092 int
1094  uint16_t sa_id,
1095  struct rte_security_macsec_sa_stats *stats);
1096 
1110 __rte_experimental
1111 int
1113  uint16_t sc_id,
1114  struct rte_security_macsec_sc_stats *stats);
1115 
1124  RTE_STD_C11
1125  union {
1126  struct {
1139  } ipsec;
1141  struct {
1143  uint16_t mtu;
1147  uint16_t max_nb_sc;
1149  uint16_t max_nb_sa;
1151  uint16_t max_nb_sess;
1153  uint32_t replay_win_sz;
1157  uint16_t fixed_sectag_insert : 1;
1159  uint16_t icv_include_da_sa : 1;
1161  uint16_t ctrl_port_enable : 1;
1163  uint16_t preserve_sectag : 1;
1165  uint16_t preserve_icv : 1;
1167  uint16_t validate_frames : 1;
1169  uint16_t re_key : 1;
1171  uint16_t anti_replay : 1;
1173  uint16_t reserved : 7;
1174  } macsec;
1176  struct {
1179  uint32_t capa_flags;
1181  } pdcp;
1183  struct {
1186  } docsis;
1188  };
1189 
1193  uint32_t ol_flags;
1195 };
1196 
/**
 * Bit for the pdcp.capa_flags member of the security capability and
 * capability index. Read by name: the PMD can restore ordering of PDCP
 * PDUs — confirm exact semantics with the PMD documentation.
 */
#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001

/**
 * Bit for the pdcp.capa_flags member: read by name, the PMD can detect
 * duplicate PDCP PDUs — confirm with the PMD documentation.
 */
#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002

/*
 * Bits for the ol_flags member of the security capability. Read by name:
 * TX_OLOAD_NEED_MDATA means per-packet metadata has to be attached via
 * rte_security_set_pkt_metadata() before an mbuf is transmitted, and the
 * *_HW_TRAILER_OFFLOAD bits mean the hardware adds/strips the protocol
 * trailer in the given direction. Confirm exact semantics with the PMD.
 */
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
1221 
1233  enum rte_security_session_protocol protocol;
1234 
1235  RTE_STD_C11
1236  union {
1237  struct {
1238  enum rte_security_ipsec_sa_protocol proto;
1239  enum rte_security_ipsec_sa_mode mode;
1240  enum rte_security_ipsec_sa_direction direction;
1241  } ipsec;
1242  struct {
1243  enum rte_security_pdcp_domain domain;
1244  uint32_t capa_flags;
1245  } pdcp;
1246  struct {
1247  enum rte_security_docsis_direction direction;
1248  } docsis;
1249  };
1250 };
1251 
1261 const struct rte_security_capability *
1263 
1275 const struct rte_security_capability *
1277  struct rte_security_capability_idx *idx);
1278 
1279 #ifdef __cplusplus
1280 }
1281 #endif
1282 
1283 #endif /* _RTE_SECURITY_H_ */