rte_security.h

Go to the documentation of this file.

/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright 2017,2019-2020 NXP
 * Copyright(c) 2017-2020 Intel Corporation.
 */

#ifndef _RTE_SECURITY_H_
#define _RTE_SECURITY_H_

#ifdef __cplusplus
extern "C" {
#endif

#include <sys/types.h>

#include <rte_compat.h>
#include <rte_common.h>
#include <rte_crypto.h>
#include <rte_ip.h>
#include <rte_mbuf_dyn.h>

enum rte_security_ipsec_sa_mode {
    RTE_SECURITY_IPSEC_SA_MODE_TRANSPORT = 1,
    RTE_SECURITY_IPSEC_SA_MODE_TUNNEL,
};

enum rte_security_ipsec_sa_protocol {
    RTE_SECURITY_IPSEC_SA_PROTO_AH = 1,
    RTE_SECURITY_IPSEC_SA_PROTO_ESP,
};

enum rte_security_ipsec_tunnel_type {
    RTE_SECURITY_IPSEC_TUNNEL_IPV4 = 1,
    RTE_SECURITY_IPSEC_TUNNEL_IPV6,
};

#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR     0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

struct rte_security_ctx {
    void *device;
    const struct rte_security_ops *ops;
    uint16_t sess_cnt;
    uint16_t macsec_sc_cnt;
    uint16_t macsec_sa_cnt;
    uint32_t flags;
};

#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001

struct rte_security_ipsec_tunnel_param {
    enum rte_security_ipsec_tunnel_type type;
    RTE_STD_C11
    union {
        struct {
            struct in_addr src_ip;
            struct in_addr dst_ip;
            uint8_t dscp;
            uint8_t df;
            uint8_t ttl;
        } ipv4;
        struct {
            struct in6_addr src_addr;
            struct in6_addr dst_addr;
            uint8_t dscp;
            uint32_t flabel;
            uint8_t hlimit;
        } ipv6;
    };
};

struct rte_security_ipsec_udp_param {
    uint16_t sport;
    uint16_t dport;
};

struct rte_security_ipsec_sa_options {
    uint32_t esn : 1;

    uint32_t udp_encap : 1;

    uint32_t copy_dscp : 1;

    uint32_t copy_flabel : 1;

    uint32_t copy_df : 1;

    uint32_t dec_ttl : 1;

    uint32_t ecn : 1;

    uint32_t stats : 1;

    uint32_t iv_gen_disable : 1;

    uint32_t tunnel_hdr_verify : 2;

    uint32_t udp_ports_verify : 1;

    uint32_t ip_csum_enable : 1;

    uint32_t l4_csum_enable : 1;

    uint32_t ip_reassembly_en : 1;

    uint32_t reserved_opts : 17;
};

enum rte_security_ipsec_sa_direction {
    RTE_SECURITY_IPSEC_SA_DIR_EGRESS,
    RTE_SECURITY_IPSEC_SA_DIR_INGRESS,
};

struct rte_security_ipsec_lifetime {
    uint64_t packets_soft_limit;
    uint64_t bytes_soft_limit;
    uint64_t packets_hard_limit;
    uint64_t bytes_hard_limit;
};

struct rte_security_ipsec_xform {
    uint32_t spi;
    uint32_t salt;
    struct rte_security_ipsec_sa_options options;
    enum rte_security_ipsec_sa_direction direction;
    enum rte_security_ipsec_sa_protocol proto;
    enum rte_security_ipsec_sa_mode mode;
    struct rte_security_ipsec_tunnel_param tunnel;
    struct rte_security_ipsec_lifetime life;
    uint32_t replay_win_sz;
    union {
        uint64_t value;
        struct {
            uint32_t low;
            uint32_t hi;
        };
    } esn;
    struct rte_security_ipsec_udp_param udp;
};

enum rte_security_macsec_direction {
    RTE_SECURITY_MACSEC_DIR_TX,
    RTE_SECURITY_MACSEC_DIR_RX,
};

#define RTE_SECURITY_MACSEC_NUM_AN  4

#define RTE_SECURITY_MACSEC_SALT_LEN    12

struct rte_security_macsec_sa {
    enum rte_security_macsec_direction dir;
    struct {
        const uint8_t *data;    
        uint16_t length;    
    } key;
    uint8_t salt[RTE_SECURITY_MACSEC_SALT_LEN];
    uint8_t an : 2;
    uint32_t ssci;
    uint32_t xpn;
    uint32_t next_pn;
};

struct rte_security_macsec_sc {
    enum rte_security_macsec_direction dir;
    uint64_t pn_threshold;
    union {
        struct {
            uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
            uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
            uint8_t active : 1;
            uint8_t is_xpn : 1;
            uint8_t reserved : 6;
        } sc_rx;
        struct {
            uint16_t sa_id; 
            uint16_t sa_id_rekey; 
            uint64_t sci; 
            uint8_t active : 1; 
            uint8_t re_key_en : 1; 
            uint8_t is_xpn : 1;
            uint8_t reserved : 5;
        } sc_tx;
    };
};

enum rte_security_macsec_alg {
    RTE_SECURITY_MACSEC_ALG_GCM_128, 
    RTE_SECURITY_MACSEC_ALG_GCM_256, 
    RTE_SECURITY_MACSEC_ALG_GCM_XPN_128, 
    RTE_SECURITY_MACSEC_ALG_GCM_XPN_256, 
};

#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE    0

#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1

#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2

#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP  3

struct rte_security_macsec_xform {
    enum rte_security_macsec_direction dir;
    enum rte_security_macsec_alg alg;
    uint8_t cipher_off;
    uint64_t sci;
    uint16_t sc_id;
    union {
        struct {
            uint16_t mtu;
            uint8_t sectag_off;
            uint16_t protect_frames : 1;
            uint16_t sectag_insert_mode : 1;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t sectag_version : 1;
            uint16_t end_station : 1;
            uint16_t send_sci : 1;
            uint16_t scb : 1;
            uint16_t encrypt : 1;
            uint16_t reserved : 7;
        } tx_secy;
        struct {
            uint32_t replay_win_sz;
            uint16_t validate_frames : 2;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t preserve_sectag : 1;
            uint16_t preserve_icv : 1;
            uint16_t replay_protect : 1;
            uint16_t reserved : 9;
        } rx_secy;
    };
};

enum rte_security_pdcp_domain {
    RTE_SECURITY_PDCP_MODE_CONTROL, 
    RTE_SECURITY_PDCP_MODE_DATA,    
    RTE_SECURITY_PDCP_MODE_SHORT_MAC,   
};

enum rte_security_pdcp_direction {
    RTE_SECURITY_PDCP_UPLINK,   
    RTE_SECURITY_PDCP_DOWNLINK, 
};

enum rte_security_pdcp_sn_size {
    RTE_SECURITY_PDCP_SN_SIZE_5 = 5,
    RTE_SECURITY_PDCP_SN_SIZE_7 = 7,
    RTE_SECURITY_PDCP_SN_SIZE_12 = 12,
    RTE_SECURITY_PDCP_SN_SIZE_15 = 15,
    RTE_SECURITY_PDCP_SN_SIZE_18 = 18
};

struct rte_security_pdcp_xform {
    int8_t bearer;  
    uint8_t en_ordering;
    uint8_t remove_duplicates;
    enum rte_security_pdcp_domain domain;
    enum rte_security_pdcp_direction pkt_dir;
    enum rte_security_pdcp_sn_size sn_size;
    uint32_t hfn;
    uint32_t hfn_threshold;
    uint8_t hfn_ovrd;
    uint8_t sdap_enabled;
    uint16_t reserved;
};

enum rte_security_docsis_direction {
    RTE_SECURITY_DOCSIS_UPLINK,
    RTE_SECURITY_DOCSIS_DOWNLINK,
};

struct rte_security_docsis_xform {
    enum rte_security_docsis_direction direction;
};

enum rte_security_session_action_type {
    RTE_SECURITY_ACTION_TYPE_NONE,
    RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO,
    RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL,
    RTE_SECURITY_ACTION_TYPE_CPU_CRYPTO
};

enum rte_security_session_protocol {
    RTE_SECURITY_PROTOCOL_IPSEC = 1,
    RTE_SECURITY_PROTOCOL_MACSEC,
    RTE_SECURITY_PROTOCOL_PDCP,
    RTE_SECURITY_PROTOCOL_DOCSIS,
};

struct rte_security_session_conf {
    enum rte_security_session_action_type action_type;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_ipsec_xform ipsec;
        struct rte_security_macsec_xform macsec;
        struct rte_security_pdcp_xform pdcp;
        struct rte_security_docsis_xform docsis;
    };
    struct rte_crypto_sym_xform *crypto_xform;
    void *userdata;
};

void *
rte_security_session_create(struct rte_security_ctx *instance,
                struct rte_security_session_conf *conf,
                struct rte_mempool *mp);

__rte_experimental
int
rte_security_session_update(struct rte_security_ctx *instance,
                void *sess,
                struct rte_security_session_conf *conf);

unsigned int
rte_security_session_get_size(struct rte_security_ctx *instance);

int
rte_security_session_destroy(struct rte_security_ctx *instance, void *sess);

__rte_experimental
int
rte_security_macsec_sc_create(struct rte_security_ctx *instance,
                  struct rte_security_macsec_sc *conf);

__rte_experimental
int
rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id,
                   enum rte_security_macsec_direction dir);

__rte_experimental
int
rte_security_macsec_sa_create(struct rte_security_ctx *instance,
                  struct rte_security_macsec_sa *conf);

__rte_experimental
int
rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id,
                   enum rte_security_macsec_direction dir);

typedef uint64_t rte_security_dynfield_t;
extern int rte_security_dynfield_offset;

__rte_experimental
static inline rte_security_dynfield_t *
rte_security_dynfield(struct rte_mbuf *mbuf)
{
    return RTE_MBUF_DYNFIELD(mbuf,
        rte_security_dynfield_offset,
        rte_security_dynfield_t *);
}

__rte_experimental
static inline bool rte_security_dynfield_is_registered(void)
{
    return rte_security_dynfield_offset >= 0;
}

#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF   0
#define RTE_SECURITY_SESS_FAST_MDATA_OFF    1

static inline uint64_t
rte_security_session_opaque_data_get(void *sess)
{
    return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
}

static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
    uint64_t *data;
    data = (((uint64_t *)sess) + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
    *data = opaque;
}

static inline uint64_t
rte_security_session_fast_mdata_get(void *sess)
{
    return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF);
}

static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
    uint64_t *data;
    data = (((uint64_t *)sess) + RTE_SECURITY_SESS_FAST_MDATA_OFF);
    *data = fdata;
}

__rte_experimental
int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
                    void *sess,
                    struct rte_mbuf *m, void *params);

static inline int
rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
                  void *sess,
                  struct rte_mbuf *mb, void *params)
{
    /* Fast Path */
    if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
        *rte_security_dynfield(mb) = (rte_security_dynfield_t)
            rte_security_session_fast_mdata_get(sess);
        return 0;
    }

    /* Jump to PMD specific function pointer */
    return __rte_security_set_pkt_metadata(instance, sess, mb, params);
}

static inline int
__rte_security_attach_session(struct rte_crypto_sym_op *sym_op, void *sess)
{
    sym_op->session = sess;

    return 0;
}

static inline int
rte_security_attach_session(struct rte_crypto_op *op,
                void *sess)
{
    if (unlikely(op->type != RTE_CRYPTO_OP_TYPE_SYMMETRIC))
        return -EINVAL;

    op->sess_type =  RTE_CRYPTO_OP_SECURITY_SESSION;

    return __rte_security_attach_session(op->sym, sess);
}

struct rte_security_macsec_secy_stats {
    uint64_t ctl_pkt_bcast_cnt;
    uint64_t ctl_pkt_mcast_cnt;
    uint64_t ctl_pkt_ucast_cnt;
    uint64_t ctl_octet_cnt;
    uint64_t unctl_pkt_bcast_cnt;
    uint64_t unctl_pkt_mcast_cnt;
    uint64_t unctl_pkt_ucast_cnt;
    uint64_t unctl_octet_cnt;
    /* Valid only for Rx */
    uint64_t octet_decrypted_cnt;
    uint64_t octet_validated_cnt;
    uint64_t pkt_port_disabled_cnt;
    uint64_t pkt_badtag_cnt;
    uint64_t pkt_nosa_cnt;
    uint64_t pkt_nosaerror_cnt;
    uint64_t pkt_tagged_ctl_cnt;
    uint64_t pkt_untaged_cnt;
    uint64_t pkt_ctl_cnt;
    uint64_t pkt_notag_cnt;
    /* Valid only for Tx */
    uint64_t octet_encrypted_cnt;
    uint64_t octet_protected_cnt;
    uint64_t pkt_noactivesa_cnt;
    uint64_t pkt_toolong_cnt;
    uint64_t pkt_untagged_cnt;
};

struct rte_security_macsec_sc_stats {
    /* Rx */
    uint64_t hit_cnt;
    uint64_t pkt_invalid_cnt;
    uint64_t pkt_late_cnt;
    uint64_t pkt_notvalid_cnt;
    uint64_t pkt_unchecked_cnt;
    uint64_t pkt_delay_cnt;
    uint64_t pkt_ok_cnt;
    uint64_t octet_decrypt_cnt;
    uint64_t octet_validate_cnt;
    /* Tx */
    uint64_t pkt_encrypt_cnt;
    uint64_t pkt_protected_cnt;
    uint64_t octet_encrypt_cnt;
    uint64_t octet_protected_cnt;
};

struct rte_security_macsec_sa_stats {
    /* Rx */
    uint64_t pkt_invalid_cnt;
    uint64_t pkt_nosaerror_cnt;
    uint64_t pkt_notvalid_cnt;
    uint64_t pkt_ok_cnt;
    uint64_t pkt_nosa_cnt;
    /* Tx */
    uint64_t pkt_encrypt_cnt;
    uint64_t pkt_protected_cnt;
};

struct rte_security_ipsec_stats {
    uint64_t ipackets;  
    uint64_t opackets;  
    uint64_t ibytes;    
    uint64_t obytes;    
    uint64_t ierrors;   
    uint64_t oerrors;   
    uint64_t reserved1; 
    uint64_t reserved2; 
};

struct rte_security_pdcp_stats {
    uint64_t reserved;
};

struct rte_security_docsis_stats {
    uint64_t reserved;
};

struct rte_security_stats {
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct rte_security_macsec_secy_stats macsec;
        struct rte_security_ipsec_stats ipsec;
        struct rte_security_pdcp_stats pdcp;
        struct rte_security_docsis_stats docsis;
    };
};

__rte_experimental
int
rte_security_session_stats_get(struct rte_security_ctx *instance,
                   void *sess,
                   struct rte_security_stats *stats);

__rte_experimental
int
rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,
                 uint16_t sa_id, enum rte_security_macsec_direction dir,
                 struct rte_security_macsec_sa_stats *stats);

__rte_experimental
int
rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,
                 uint16_t sc_id, enum rte_security_macsec_direction dir,
                 struct rte_security_macsec_sc_stats *stats);

struct rte_security_capability {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;
    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
            struct rte_security_ipsec_sa_options options;
            uint32_t replay_win_sz_max;
        } ipsec;
        struct {
            uint16_t mtu;
            enum rte_security_macsec_alg alg;
            uint16_t max_nb_sc;
            uint16_t max_nb_sa;
            uint16_t max_nb_sess;
            uint32_t replay_win_sz;
            uint16_t relative_sectag_insert : 1;
            uint16_t fixed_sectag_insert : 1;
            uint16_t icv_include_da_sa : 1;
            uint16_t ctrl_port_enable : 1;
            uint16_t preserve_sectag : 1;
            uint16_t preserve_icv : 1;
            uint16_t validate_frames : 1;
            uint16_t re_key : 1;
            uint16_t anti_replay : 1;
            uint16_t reserved : 7;
        } macsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
    };

    const struct rte_cryptodev_capabilities *crypto_capabilities;
    uint32_t ol_flags;
};

#define RTE_SECURITY_PDCP_ORDERING_CAP      0x00000001

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP    0x00000002

#define RTE_SECURITY_TX_OLOAD_NEED_MDATA    0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD  0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD  0x00010000

struct rte_security_capability_idx {
    enum rte_security_session_action_type action;
    enum rte_security_session_protocol protocol;

    RTE_STD_C11
    union {
        struct {
            enum rte_security_ipsec_sa_protocol proto;
            enum rte_security_ipsec_sa_mode mode;
            enum rte_security_ipsec_sa_direction direction;
        } ipsec;
        struct {
            enum rte_security_pdcp_domain domain;
            uint32_t capa_flags;
        } pdcp;
        struct {
            enum rte_security_docsis_direction direction;
        } docsis;
    };
};

const struct rte_security_capability *
rte_security_capabilities_get(struct rte_security_ctx *instance);

const struct rte_security_capability *
rte_security_capability_get(struct rte_security_ctx *instance,
                struct rte_security_capability_idx *idx);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_SECURITY_H_ */