1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
15 #ifdef __cplusplus
16 extern "C" {
17 #endif
18 
19 #include <sys/types.h>
20 
21 #include <rte_compat.h>
22 #include <rte_common.h>
23 #include <rte_crypto.h>
24 #include <rte_ip.h>
25 #include <rte_mbuf_dyn.h>
26 
33 };
34 
41 };
42 
49 };
50 
/*
 * Values for the 2-bit tunnel_hdr_verify option of an IPsec SA: verify only
 * the destination address of the outer tunnel header, or both source and
 * destination. 0 (no verification) is the remaining encodable value.
 */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2

/*
 * Security context flag word bit, read/written through
 * rte_security_ctx_flags_get()/rte_security_ctx_flags_set(). When set the
 * rte_security_set_pkt_metadata() fast path is presumably taken instead of
 * the PMD callback -- confirm against the (elided) fast-path condition.
 */
#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
60 
73  union {
74  struct {
75  struct in_addr src_ip;
77  struct in_addr dst_ip;
79  uint8_t dscp;
81  uint8_t df;
83  uint8_t ttl;
85  } ipv4;
87  struct {
88  struct in6_addr src_addr;
90  struct in6_addr dst_addr;
92  uint8_t dscp;
94  uint32_t flabel;
96  uint8_t hlimit;
98  } ipv6;
100  };
101 };
102 
/*
 * UDP port pair used for UDP encapsulation of ESP, carried in the
 * rte_security_ipsec_xform.udp member and only meaningful when the
 * udp_encap option is enabled. Byte order is not stated here -- confirm
 * against the PMD before filling these in.
 */
struct rte_security_ipsec_udp_param {
 uint16_t sport; /* UDP source port */
 uint16_t dport; /* UDP destination port */
};
107 
117  uint32_t esn : 1;
118 
125  uint32_t udp_encap : 1;
126 
134  uint32_t copy_dscp : 1;
135 
142  uint32_t copy_flabel : 1;
143 
150  uint32_t copy_df : 1;
151 
159  uint32_t dec_ttl : 1;
160 
168  uint32_t ecn : 1;
169 
176  uint32_t stats : 1;
177 
190  uint32_t iv_gen_disable : 1;
191 
199  uint32_t tunnel_hdr_verify : 2;
200 
206  uint32_t udp_ports_verify : 1;
207 
221  uint32_t ip_csum_enable : 1;
222 
237  uint32_t l4_csum_enable : 1;
238 
250  uint32_t ip_reassembly_en : 1;
251 
261  uint32_t ingress_oop : 1;
262 };
263 
270 };
271 
294 };
295 
302  uint32_t spi;
304  uint32_t salt;
318  uint32_t replay_win_sz;
322  union {
323  uint64_t value;
324  struct {
325  uint32_t low;
326  uint32_t hi;
327  };
328  } esn;
330  struct rte_security_ipsec_udp_param udp;
332 };
333 
342 };
343 
/* Number of association numbers per secure channel; sizes the per-AN
 * sa_id[] / sa_in_use[] arrays of the Rx secure channel and bounds the
 * 2-bit rte_security_macsec_sa.an field. */
#define RTE_SECURITY_MACSEC_NUM_AN 4

/* Length in bytes of the MACsec salt (not referenced in this chunk). */
#define RTE_SECURITY_MACSEC_SALT_LEN 12
348 
356  struct {
357  const uint8_t *data;
358  uint16_t length;
359  } key;
363  uint8_t an : 2;
365  uint32_t ssci;
367  uint32_t xpn;
369  uint32_t next_pn;
370 };
371 
379  uint64_t pn_threshold;
380  union {
381  struct {
383  uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
385  uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
387  uint8_t active : 1;
389  uint8_t is_xpn : 1;
391  uint8_t reserved : 6;
392  } sc_rx;
393  struct {
394  uint16_t sa_id;
395  uint16_t sa_id_rekey;
396  uint64_t sci;
397  uint8_t active : 1;
398  uint8_t re_key_en : 1;
400  uint8_t is_xpn : 1;
402  uint8_t reserved : 5;
403  } sc_tx;
404  };
405 };
406 
415 };
416 
/*
 * Values for the 2-bit validate_frames field of the Rx SecY configuration.
 * They fit the field exactly (0..3); any other value cannot be represented.
 * Anything weaker than STRICT lets frames that fail integrity checking
 * through to software, so the default for a production SecY should be
 * STRICT unless a specific counter/debug use case needs otherwise.
 */
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0

#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1

#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2

#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3
425 
435  uint8_t cipher_off;
440  uint64_t sci;
442  uint16_t sc_id;
443  union {
444  struct {
446  uint16_t mtu;
451  uint8_t sectag_off;
453  uint16_t protect_frames : 1;
460  uint16_t sectag_insert_mode : 1;
462  uint16_t icv_include_da_sa : 1;
464  uint16_t ctrl_port_enable : 1;
466  uint16_t sectag_version : 1;
468  uint16_t end_station : 1;
470  uint16_t send_sci : 1;
472  uint16_t scb : 1;
477  uint16_t encrypt : 1;
479  uint16_t reserved : 7;
480  } tx_secy;
481  struct {
483  uint32_t replay_win_sz;
485  uint16_t validate_frames : 2;
487  uint16_t icv_include_da_sa : 1;
489  uint16_t ctrl_port_enable : 1;
491  uint16_t preserve_sectag : 1;
493  uint16_t preserve_icv : 1;
495  uint16_t replay_protect : 1;
497  uint16_t reserved : 9;
498  } rx_secy;
499  };
500 };
501 
509 };
510 
515 };
516 
529 };
530 
537  int8_t bearer;
541  uint8_t en_ordering;
556  uint32_t hfn;
558  uint32_t hfn_threshold;
567  uint8_t hfn_ovrd;
573  uint8_t sdap_enabled;
575  uint16_t reserved;
576 };
577 
588 };
589 
598 };
599 
/*
 * Implicit (fixed) nonce lengths in bytes for the TLS record protocols.
 * The TLS 1.3 and DTLS 1.2 values size the imp_nonce[] arrays of the
 * matching members of the TLS record xform; the TLS 1.2 value is not used
 * by a visible array in this chunk.
 */
#define RTE_SECURITY_TLS_1_2_IMP_NONCE_LEN 4

#define RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN 12

#define RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN 4
606 
612 };
613 
624 };
625 
638  uint32_t iv_gen_disable : 1;
654  uint32_t extra_padding_enable : 1;
655 };
656 
671 };
672 
687  union {
689  struct {
691  uint64_t seq_no;
694  } tls_1_2;
695 
697  struct {
699  uint64_t seq_no;
701  uint8_t imp_nonce[RTE_SECURITY_TLS_1_3_IMP_NONCE_LEN];
707  uint32_t min_payload_len;
708  } tls_1_3;
709 
711  struct {
713  uint16_t epoch;
715  uint64_t seq_no;
717  uint8_t imp_nonce[RTE_SECURITY_DTLS_1_2_IMP_NONCE_LEN];
722  uint32_t ar_win_sz;
723  } dtls_1_2;
724  };
725 };
726 
730 /* Enumeration of rte_security_session_action_type 8<*/
750 };
751 /* >8 End enumeration of rte_security_session_action_type. */
752 
754 /* Enumeration of rte_security_session_protocol 8<*/
766 };
767 /* >8 End enumeration of rte_security_session_protocol. */
768 
772 /* Structure rte_security_session_conf 8< */
778  union {
779  struct rte_security_ipsec_xform ipsec;
780  struct rte_security_macsec_xform macsec;
781  struct rte_security_pdcp_xform pdcp;
782  struct rte_security_docsis_xform docsis;
783  struct rte_security_tls_record_xform tls_record;
784  };
788  void *userdata;
790 };
791 /* >8 End of structure rte_security_session_conf. */
792 
/**
 * Create a security session from a session configuration.
 *
 * @param instance Opaque security instance handle.
 * @param conf     Session configuration; the protocol-specific xform is
 *                 chosen through the anonymous union in
 *                 struct rte_security_session_conf.
 * @param mp       Mempool the session object is allocated from (presumably
 *                 sized with rte_security_session_get_size() -- confirm).
 * @return Opaque session handle; expected to be NULL on failure -- confirm
 *         against the implementation.
 */
void *
rte_security_session_create(void *instance,
 struct rte_security_session_conf *conf,
 struct rte_mempool *mp);
807 
/**
 * Update an existing security session with a new configuration.
 *
 * @param instance Opaque security instance handle.
 * @param sess     Session previously returned by rte_security_session_create().
 * @param conf     New session configuration.
 * @return 0 on success, negative value on error (this header uses negative
 *         errno values elsewhere, e.g. -EINVAL -- confirm for this call).
 */
int
rte_security_session_update(void *instance,
 void *sess,
 struct rte_security_session_conf *conf);
822 
/**
 * Return the size in bytes of a security session object for this instance.
 *
 * @param instance Opaque security instance handle.
 * @return Session object size; the value for an invalid instance is not
 *         specified here -- callers should treat 0 as "cannot allocate".
 */
unsigned int
rte_security_session_get_size(void *instance);
834 
/**
 * Destroy a security session and release its resources.
 *
 * @param instance Opaque security instance handle.
 * @param sess     Session to destroy; must not be used afterwards.
 * @return 0 on success, negative value on error (presumably -errno -- confirm).
 */
int
rte_security_session_destroy(void *instance, void *sess);
851 
/**
 * Create a MACsec secure channel (SC).
 *
 * @param instance Opaque security instance handle.
 * @param conf     Secure channel configuration (Rx or Tx member of the union).
 * @return Presumably the created sc_id on success and a negative value on
 *         error -- confirm; the sc_id is what the *_sc_destroy and
 *         *_sc_stats_get calls take.
 */
int
rte_security_macsec_sc_create(void *instance,
 struct rte_security_macsec_sc *conf);
867 
879 int
880 rte_security_macsec_sc_destroy(void *instance, uint16_t sc_id,
882 
/**
 * Create a MACsec secure association (SA).
 *
 * @param instance Opaque security instance handle.
 * @param conf     SA configuration; conf->key.data is a borrowed pointer to
 *                 key material, so the caller should keep it valid only as
 *                 long as the PMD needs it and zeroise it afterwards.
 * @return Presumably the created sa_id on success and a negative value on
 *         error -- confirm.
 */
int
rte_security_macsec_sa_create(void *instance,
 struct rte_security_macsec_sa *conf);
898 
910 int
911 rte_security_macsec_sa_destroy(void *instance, uint16_t sa_id,
913 
/* Type of the per-mbuf dynamic field reached through rte_security_dynfield(). */
typedef uint64_t rte_security_dynfield_t;
918 
925 
936 static inline rte_security_dynfield_t *
938 {
939  return RTE_MBUF_DYNFIELD(mbuf,
940  rte_security_dynfield_offset,
941  rte_security_dynfield_t *);
942 }
943 
954 __rte_experimental
955 static inline rte_security_oop_dynfield_t *
957 {
958  return RTE_MBUF_DYNFIELD(mbuf,
959  rte_security_oop_dynfield_offset,
960  rte_security_oop_dynfield_t *);
961 }
962 
/**
 * Check whether the rte_security mbuf dynamic field is registered.
 *
 * Reads the file-scope rte_security_dynfield_offset, which is expected to be
 * negative until registration. rte_security_dynfield() indexes the mbuf with
 * that offset without checking it, so callers should consult this predicate
 * first.
 *
 * @return true when the offset is non-negative, false otherwise.
 */
static inline bool rte_security_dynfield_is_registered(void)
{
	const bool unregistered = rte_security_dynfield_offset < 0;

	return !unregistered;
}
972 
/* Index, in uint32_t units, of the flags word inside an opaque security
 * context; used by rte_security_ctx_flags_get()/rte_security_ctx_flags_set(). */
#define RTE_SECURITY_CTX_FLAGS_OFF 4
974 
977 static inline uint32_t
979 {
980  return *((uint32_t *)ctx + RTE_SECURITY_CTX_FLAGS_OFF);
981 }
982 
/**
 * Store the flags word of an opaque security context.
 *
 * The context is viewed as an array of uint32_t and the flags occupy index
 * RTE_SECURITY_CTX_FLAGS_OFF, mirroring rte_security_ctx_flags_get(). No
 * validation of ctx is possible here: the caller must pass a context object
 * laid out as the library expects, or memory past the object is written.
 *
 * @param ctx   Opaque security context (must not be NULL).
 * @param flags Flags word to store.
 */
static inline void
rte_security_ctx_flags_set(void *ctx, uint32_t flags)
{
	uint32_t *words = (uint32_t *)ctx;

	words[RTE_SECURITY_CTX_FLAGS_OFF] = flags;
}
993 
/* Indices, in uint64_t units, of the opaque-data and fast-metadata words
 * inside an opaque session object; used by the
 * rte_security_session_*_get()/_set() accessors below. */
#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0
#define RTE_SECURITY_SESS_FAST_MDATA_OFF 1
996 
999 static inline uint64_t
1001 {
1002  return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
1003 }
1004 
/**
 * Store the application's opaque data word in a session object.
 *
 * The session is viewed as an array of uint64_t and the word lives at index
 * RTE_SECURITY_SESS_OPAQUE_DATA_OFF, matching
 * rte_security_session_opaque_data_get(). The library never interprets the
 * value; it is whatever the caller wants to associate with the session.
 *
 * @param sess   Opaque session object (must not be NULL).
 * @param opaque Value to store.
 */
static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF] = opaque;
}
1015 
1019 static inline uint64_t
1021 {
1022  return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF);
1023 }
1024 
/**
 * Store the fast-path metadata word in a session object.
 *
 * The session is viewed as an array of uint64_t and the word lives at index
 * RTE_SECURITY_SESS_FAST_MDATA_OFF, matching
 * rte_security_session_fast_mdata_get(). Presumably this is the value the
 * rte_security_set_pkt_metadata() fast path copies into the mbuf -- the
 * fast-path lines are not visible in this chunk, so confirm.
 *
 * @param sess  Opaque session object (must not be NULL).
 * @param fdata Value to store.
 */
static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_FAST_MDATA_OFF] = fdata;
}
1035 
/**
 * Slow-path implementation behind rte_security_set_pkt_metadata(): invoked
 * when the inline fast path does not apply and dispatches to the PMD's
 * set_pkt_metadata callback. Not meant to be called directly by applications.
 *
 * @param instance Opaque security instance handle.
 * @param sess     Security session the packet belongs to.
 * @param m        Packet to attach metadata to.
 * @param params   PMD-specific parameters (may be NULL -- confirm with the PMD).
 * @return 0 on success, negative value on error.
 */
int __rte_security_set_pkt_metadata(void *instance,
 void *sess,
 struct rte_mbuf *m, void *params);
1040 
1054 static inline int
1056  void *sess,
1057  struct rte_mbuf *mb, void *params)
1058 {
1059  /* Fast Path */
1063  return 0;
1064  }
1065 
1066  /* Jump to PMD specific function pointer */
1067  return __rte_security_set_pkt_metadata(instance, sess, mb, params);
1068 }
1069 
1076 static inline int
1078 {
1079  sym_op->session = sess;
1080 
1081  return 0;
1082 }
1083 
1093 static inline int
1095  void *sess)
1096 {
1098  return -EINVAL;
1099 
1101 
1102  return __rte_security_attach_session(op->sym, sess);
1103 }
1104 
/*
 * Per-SecY MACsec counters, returned through the macsec member of
 * struct rte_security_stats by rte_security_session_stats_get().
 * Counters are plain uint64_t; whether they are cumulative or cleared on
 * read is not specified here -- confirm with the PMD.
 */
struct rte_security_macsec_secy_stats {
 uint64_t ctl_pkt_bcast_cnt; /* controlled-port broadcast packets */
 uint64_t ctl_pkt_mcast_cnt; /* controlled-port multicast packets */
 uint64_t ctl_pkt_ucast_cnt; /* controlled-port unicast packets */
 uint64_t ctl_octet_cnt; /* controlled-port octets */
 uint64_t unctl_pkt_bcast_cnt; /* uncontrolled-port broadcast packets */
 uint64_t unctl_pkt_mcast_cnt; /* uncontrolled-port multicast packets */
 uint64_t unctl_pkt_ucast_cnt; /* uncontrolled-port unicast packets */
 uint64_t unctl_octet_cnt; /* uncontrolled-port octets */
 /* Valid only for Rx */
 uint64_t octet_decrypted_cnt;
 uint64_t octet_validated_cnt;
 uint64_t pkt_port_disabled_cnt;
 uint64_t pkt_badtag_cnt; /* frames dropped for a malformed SecTAG */
 uint64_t pkt_nosa_cnt; /* frames with no matching SA */
 uint64_t pkt_nosaerror_cnt;
 uint64_t pkt_tagged_ctl_cnt;
 uint64_t pkt_untaged_cnt; /* sic: spelling differs from Tx pkt_untagged_cnt */
 uint64_t pkt_ctl_cnt;
 uint64_t pkt_notag_cnt;
 /* Valid only for Tx */
 uint64_t octet_encrypted_cnt;
 uint64_t octet_protected_cnt;
 uint64_t pkt_noactivesa_cnt; /* frames dropped because no SA was active */
 uint64_t pkt_toolong_cnt; /* frames dropped for exceeding the MTU */
 uint64_t pkt_untagged_cnt;
};
1132 
/*
 * Per-secure-channel MACsec counters, filled by
 * rte_security_macsec_sc_stats_get() for the direction requested there;
 * only the Rx or the Tx group is meaningful for a given channel.
 */
struct rte_security_macsec_sc_stats {
 /* Rx */
 uint64_t hit_cnt;
 uint64_t pkt_invalid_cnt;
 uint64_t pkt_late_cnt; /* frames outside the replay window */
 uint64_t pkt_notvalid_cnt;
 uint64_t pkt_unchecked_cnt;
 uint64_t pkt_delay_cnt;
 uint64_t pkt_ok_cnt;
 uint64_t octet_decrypt_cnt;
 uint64_t octet_validate_cnt;
 /* Tx */
 uint64_t pkt_encrypt_cnt;
 uint64_t pkt_protected_cnt;
 uint64_t octet_encrypt_cnt;
 uint64_t octet_protected_cnt;
};
1150 
/*
 * Per-secure-association MACsec counters, filled by
 * rte_security_macsec_sa_stats_get() for the direction requested there;
 * only the Rx or the Tx group is meaningful for a given SA.
 */
struct rte_security_macsec_sa_stats {
 /* Rx */
 uint64_t pkt_invalid_cnt;
 uint64_t pkt_nosaerror_cnt;
 uint64_t pkt_notvalid_cnt;
 uint64_t pkt_ok_cnt;
 uint64_t pkt_nosa_cnt;
 /* Tx */
 uint64_t pkt_encrypt_cnt;
 uint64_t pkt_protected_cnt;
};
1162 
/*
 * IPsec session counters, returned through the ipsec member of
 * struct rte_security_stats. Inbound/outbound packet and byte counts plus
 * error counts; the reserved words pad the layout for future use and must
 * be ignored by readers.
 */
struct rte_security_ipsec_stats {
 uint64_t ipackets; /* inbound packets */
 uint64_t opackets; /* outbound packets */
 uint64_t ibytes; /* inbound bytes */
 uint64_t obytes; /* outbound bytes */
 uint64_t ierrors; /* inbound errors */
 uint64_t oerrors; /* outbound errors */
 uint64_t reserved1;
 uint64_t reserved2;
};
1173 
/* PDCP session counters; placeholder only, no counters defined yet. */
struct rte_security_pdcp_stats {
 uint64_t reserved;
};
1177 
/* DOCSIS session counters; placeholder only, no counters defined yet. */
struct rte_security_docsis_stats {
 uint64_t reserved;
};
1181 
/*
 * Session statistics returned by rte_security_session_stats_get().
 * The protocol field tells the reader which union member is valid; reading
 * any other member is reading stale or overlapping bytes.
 */
struct rte_security_stats {
 enum rte_security_session_protocol protocol; /* selects the union member below */
 union {
 struct rte_security_macsec_secy_stats macsec;
 struct rte_security_ipsec_stats ipsec;
 struct rte_security_pdcp_stats pdcp;
 struct rte_security_docsis_stats docsis;
 };
};
1193 
/**
 * Retrieve statistics for a security session.
 *
 * @param instance Opaque security instance handle.
 * @param sess     Session to query.
 * @param stats    Output; stats->protocol indicates which union member the
 *                 PMD filled.
 * @return 0 on success, negative value on error (presumably -errno -- confirm).
 */
int
rte_security_session_stats_get(void *instance,
 void *sess,
 struct rte_security_stats *stats);
1211 
/**
 * Retrieve counters for one MACsec secure association.
 *
 * @param instance Opaque security instance handle.
 * @param sa_id    SA identifier from rte_security_macsec_sa_create().
 * @param dir      Rx or Tx; selects which group of stats fields is filled.
 * @param stats    Output counters.
 * @return 0 on success, negative value on error (presumably -errno -- confirm).
 */
int
rte_security_macsec_sa_stats_get(void *instance,
 uint16_t sa_id, enum rte_security_macsec_direction dir,
 struct rte_security_macsec_sa_stats *stats);
1227 
/**
 * Retrieve counters for one MACsec secure channel.
 *
 * @param instance Opaque security instance handle.
 * @param sc_id    SC identifier from rte_security_macsec_sc_create().
 * @param dir      Rx or Tx; selects which group of stats fields is filled.
 * @param stats    Output counters.
 * @return 0 on success, negative value on error (presumably -errno -- confirm).
 */
int
rte_security_macsec_sc_stats_get(void *instance,
 uint16_t sc_id, enum rte_security_macsec_direction dir,
 struct rte_security_macsec_sc_stats *stats);
1243 
1252  union {
1253  struct {
1266  } ipsec;
1268  struct {
1270  uint16_t mtu;
1274  uint16_t max_nb_sc;
1276  uint16_t max_nb_sa;
1278  uint16_t max_nb_sess;
1280  uint32_t replay_win_sz;
1284  uint16_t fixed_sectag_insert : 1;
1286  uint16_t icv_include_da_sa : 1;
1288  uint16_t ctrl_port_enable : 1;
1290  uint16_t preserve_sectag : 1;
1292  uint16_t preserve_icv : 1;
1294  uint16_t validate_frames : 1;
1296  uint16_t re_key : 1;
1298  uint16_t anti_replay : 1;
1300  uint16_t reserved : 7;
1301  } macsec;
1303  struct {
1306  uint32_t capa_flags;
1308  } pdcp;
1310  struct {
1313  } docsis;
1315  struct {
1320  uint32_t ar_win_size;
1324  } tls_record;
1326  };
1327 
1331  uint32_t ol_flags;
1333 };
1334 
/* PDCP capability bits reported in the pdcp.capa_flags capability word. */
#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002

/* Offload flags reported in the ol_flags capability word. Tx flags occupy
 * the low 16 bits, Rx flags start at bit 16. */
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
1359 
1371  enum rte_security_session_protocol protocol;
1372 
1373  union {
1374  struct {
1375  enum rte_security_ipsec_sa_protocol proto;
1376  enum rte_security_ipsec_sa_mode mode;
1377  enum rte_security_ipsec_sa_direction direction;
1378  } ipsec;
1379  struct {
1380  enum rte_security_pdcp_domain domain;
1381  uint32_t capa_flags;
1382  } pdcp;
1383  struct {
1384  enum rte_security_docsis_direction direction;
1385  } docsis;
1386  struct {
1387  enum rte_security_macsec_alg alg;
1388  } macsec;
1389  struct {
1390  enum rte_security_tls_version ver;
1392  } tls_record;
1393  };
1394 };
1395 
/**
 * Return the capability table of a security instance.
 *
 * @param instance Opaque security instance handle.
 * @return Pointer to the PMD-owned capability array; the array is owned by
 *         the PMD and must not be freed or modified by the caller. The
 *         terminator convention and the NULL-on-error behaviour are not
 *         specified here -- confirm against the implementation.
 */
const struct rte_security_capability *
rte_security_capabilities_get(void *instance);
1407 
/**
 * Look up a single capability matching an index (action, protocol and the
 * protocol-specific selector in idx).
 *
 * @param instance Opaque security instance handle.
 * @param idx      Lookup key.
 * @return Matching PMD-owned capability entry, or presumably NULL when no
 *         entry matches -- confirm. Applications should treat a NULL result
 *         as "unsupported" rather than dereferencing it.
 */
const struct rte_security_capability *
rte_security_capability_get(void *instance,
 struct rte_security_capability_idx *idx);
1422 
/**
 * Enable or disable Rx inject for an ethdev port on a security context.
 * Experimental API: ABI may change between releases.
 *
 * @param ctx     Opaque security context.
 * @param port_id Ethernet port whose Rx path is affected.
 * @param enable  true to enable, false to disable.
 * @return 0 on success, negative value on error (presumably -errno -- confirm).
 */
__rte_experimental
int
rte_security_rx_inject_configure(void *ctx, uint16_t port_id, bool enable);
1449 
/**
 * Inject inbound packets for security processing on the Rx path.
 * Experimental API: ABI may change between releases.
 *
 * @param ctx     Opaque security context.
 * @param pkts    Array of nb_pkts packets to inject.
 * @param sess    Array of nb_pkts session handles, one per packet; the
 *                caller is responsible for pairing each packet with the
 *                session it actually belongs to, as nothing here validates it.
 * @param nb_pkts Number of entries in pkts and sess.
 * @return Number of packets accepted; entries past that count were
 *         presumably not consumed -- confirm ownership with the PMD.
 */
__rte_experimental
uint16_t
rte_security_inb_pkt_rx_inject(void *ctx, struct rte_mbuf **pkts, void **sess,
 uint16_t nb_pkts);
1506 
1507 #ifdef __cplusplus
1508 }
1509 #endif
1510 
1511 #endif /* _RTE_SECURITY_H_ */