1 /* SPDX-License-Identifier: BSD-3-Clause
2  * Copyright 2017,2019-2020 NXP
3  * Copyright(c) 2017-2020 Intel Corporation.
4  */
5 
6 #ifndef _RTE_SECURITY_H_
7 #define _RTE_SECURITY_H_
8 
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19 
20 #include <sys/types.h>
21 
22 #include <rte_compat.h>
23 #include <rte_common.h>
24 #include <rte_crypto.h>
25 #include <rte_ip.h>
26 #include <rte_mbuf_dyn.h>
27 
34 };
35 
42 };
43 
50 };
51 
/*
 * Tunnel header verification selectors for inbound IPsec.
 * Presumably these are the values carried by the 2-bit tunnel_hdr_verify
 * option further down (0x1: verify the outer destination address only;
 * 0x2: verify both outer source and destination) — the option's own
 * documentation is not rendered here, so confirm against the full header.
 */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2
59 
70  void *device;
72  const struct rte_security_ops *ops;
74  uint16_t sess_cnt;
76  uint16_t macsec_sc_cnt;
78  uint16_t macsec_sa_cnt;
80  uint32_t flags;
82 };
83 
/*
 * Bit in the security context's flags word. When set,
 * rte_security_set_pkt_metadata() takes its fast path: it stores the
 * session's private-data pointer directly in the mbuf security dynamic
 * field and never calls into the PMD. A PMD that sets this flag must
 * therefore have registered that dynamic field first — the fast path
 * does not check rte_security_dynfield_is_registered().
 */
#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
85 
99  union {
100  struct {
101  struct in_addr src_ip;
103  struct in_addr dst_ip;
105  uint8_t dscp;
107  uint8_t df;
109  uint8_t ttl;
111  } ipv4;
113  struct {
114  struct in6_addr src_addr;
116  struct in6_addr dst_addr;
118  uint8_t dscp;
120  uint32_t flabel;
122  uint8_t hlimit;
124  } ipv6;
126  };
127 };
128 
/**
 * UDP port pair embedded as the @c udp member of the IPsec transform
 * further down; presumably paired with the udp_encap option. The byte
 * order the ports are expected in is not stated on this page — confirm
 * before filling them from a parsed packet.
 */
struct rte_security_ipsec_udp_param {
	uint16_t sport; /**< Source port. */
	uint16_t dport; /**< Destination port. */
};
133 
143  uint32_t esn : 1;
144 
151  uint32_t udp_encap : 1;
152 
160  uint32_t copy_dscp : 1;
161 
168  uint32_t copy_flabel : 1;
169 
176  uint32_t copy_df : 1;
177 
185  uint32_t dec_ttl : 1;
186 
194  uint32_t ecn : 1;
195 
202  uint32_t stats : 1;
203 
216  uint32_t iv_gen_disable : 1;
217 
225  uint32_t tunnel_hdr_verify : 2;
226 
232  uint32_t udp_ports_verify : 1;
233 
247  uint32_t ip_csum_enable : 1;
248 
263  uint32_t l4_csum_enable : 1;
264 
276  uint32_t ip_reassembly_en : 1;
277 
285  uint32_t reserved_opts : 17;
286 };
287 
294 };
295 
318 };
319 
326  uint32_t spi;
328  uint32_t salt;
342  uint32_t replay_win_sz;
346  union {
347  uint64_t value;
348  struct {
349  uint32_t low;
350  uint32_t hi;
351  };
352  } esn;
354  struct rte_security_ipsec_udp_param udp;
356 };
357 
366 };
367 
/* Number of MACsec association numbers (AN) per secure channel; sizes the
 * per-AN sa_id[] and sa_in_use[] arrays of the Rx SC configuration below. */
#define RTE_SECURITY_MACSEC_NUM_AN 4

/* MACsec salt length in bytes. No use of it is visible on this page;
 * presumably the required size of a salt buffer — confirm in the full header. */
#define RTE_SECURITY_MACSEC_SALT_LEN 12
372 
380  struct {
381  const uint8_t *data;
382  uint16_t length;
383  } key;
387  uint8_t an : 2;
389  uint32_t ssci;
391  uint32_t xpn;
393  uint32_t next_pn;
394 };
395 
402  union {
403  struct {
405  uint16_t sa_id[RTE_SECURITY_MACSEC_NUM_AN];
407  uint8_t sa_in_use[RTE_SECURITY_MACSEC_NUM_AN];
409  uint8_t active : 1;
411  uint8_t reserved : 7;
412  } sc_rx;
413  struct {
414  uint16_t sa_id;
415  uint16_t sa_id_rekey;
416  uint64_t sci;
417  uint8_t active : 1;
418  uint8_t re_key_en : 1;
420  uint8_t reserved : 6;
421  } sc_tx;
422  };
423 };
424 
433 };
434 
/*
 * Receive-side frame validation modes. Presumably the values of the 2-bit
 * validate_frames field of the rx_secy configuration below (the four values
 * fit that field exactly). The meanings are taken from the names — disable
 * validation / validate but do not discard / strict (discard failures) /
 * no-op — confirm against the full header before relying on them.
 */
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0

#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1

#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2

#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3
443 
453  uint8_t cipher_off;
458  uint64_t sci;
460  uint16_t sc_id;
461  union {
462  struct {
464  uint16_t mtu;
469  uint8_t sectag_off;
471  uint16_t protect_frames : 1;
478  uint16_t sectag_insert_mode : 1;
480  uint16_t icv_include_da_sa : 1;
482  uint16_t ctrl_port_enable : 1;
484  uint16_t sectag_version : 1;
486  uint16_t end_station : 1;
488  uint16_t send_sci : 1;
490  uint16_t scb : 1;
495  uint16_t encrypt : 1;
497  uint16_t reserved : 7;
498  } tx_secy;
499  struct {
501  uint32_t replay_win_sz;
503  uint16_t validate_frames : 2;
505  uint16_t icv_include_da_sa : 1;
507  uint16_t ctrl_port_enable : 1;
509  uint16_t preserve_sectag : 1;
511  uint16_t preserve_icv : 1;
513  uint16_t replay_protect : 1;
515  uint16_t reserved : 9;
516  } rx_secy;
517  };
518 };
519 
527 };
528 
533 };
534 
547 };
548 
555  int8_t bearer;
559  uint8_t en_ordering;
574  uint32_t hfn;
576  uint32_t hfn_threshold;
585  uint8_t hfn_ovrd;
591  uint8_t sdap_enabled;
593  uint16_t reserved;
594 };
595 
606 };
607 
616 };
617 
640 };
641 
652 };
653 
663  union {
664  struct rte_security_ipsec_xform ipsec;
665  struct rte_security_macsec_xform macsec;
666  struct rte_security_pdcp_xform pdcp;
667  struct rte_security_docsis_xform docsis;
668  };
672  void *userdata;
674 };
675 
/**
 * Security session handle as seen by the application.
 */
struct rte_security_session {
	/* PMD-private state. Read and written via
	 * get_sec_session_private_data()/set_sec_session_private_data(), and
	 * on the fast metadata path copied, as an integer, into the mbuf
	 * security dynamic field. */
	void *sess_private_data;
	/* Not touched by anything on this page; presumably reserved for the
	 * application's own use — confirm in the full header. */
	uint64_t opaque_data;
};
682 
694 struct rte_security_session *
696  struct rte_security_session_conf *conf,
697  struct rte_mempool *mp,
698  struct rte_mempool *priv_mp);
699 
710 __rte_experimental
711 int
713  struct rte_security_session *sess,
714  struct rte_security_session_conf *conf);
715 
725 unsigned int
727 
742 int
744  struct rte_security_session *sess);
745 
761 __rte_experimental
762 int
764  struct rte_security_macsec_sc *conf);
765 
779 __rte_experimental
780 int
781 rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
782 
798 __rte_experimental
799 int
801  struct rte_security_macsec_sa *conf);
802 
816 __rte_experimental
817 int
818 rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
819 
/* Storage type of the per-mbuf security dynamic field: rte_security_dynfield()
 * yields a pointer to one, and the fast metadata path stores the session's
 * private-data pointer in it as an integer. */
typedef uint64_t rte_security_dynfield_t;
824 
/**
 * Locate the security dynamic field inside an mbuf.
 *
 * Resolves RTE_MBUF_DYNFIELD() at rte_security_dynfield_offset. The offset
 * is not validated here: rte_security_dynfield_is_registered() reports
 * whether it is non-negative, and callers should presumably check that
 * before dereferencing the returned pointer.
 *
 * @param mbuf Packet whose field is wanted (not NULL-checked).
 * @return Pointer to the field, presumably inside the mbuf.
 */
__rte_experimental
static inline rte_security_dynfield_t *
{
	return RTE_MBUF_DYNFIELD(mbuf,
		rte_security_dynfield_offset,
		rte_security_dynfield_t *);
}
846 
/**
 * Check whether the security dynamic mbuf field has been registered.
 *
 * Registration is recorded by rte_security_dynfield_offset, which is
 * negative until a field has been registered. Callers that write through
 * rte_security_dynfield() should check this first.
 *
 * @return true if the field is registered, false otherwise.
 */
__rte_experimental
static inline bool rte_security_dynfield_is_registered(void)
{
	const int offset = rte_security_dynfield_offset;

	if (offset < 0)
		return false;
	return true;
}
860 
/* Slow path of rte_security_set_pkt_metadata(): defined outside this header
 * and reached only when RTE_SEC_CTX_F_FAST_SET_MDATA is clear; it dispatches
 * to the PMD-specific function pointer. */
__rte_experimental
extern int __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,
					   struct rte_security_session *sess,
					   struct rte_mbuf *m, void *params);
866 
/**
 * Record the security session in the packet's metadata (fast path), or
 * hand the packet to the PMD to do so.
 *
 * Fast path: when RTE_SEC_CTX_F_FAST_SET_MDATA is set in instance->flags,
 * the session's private-data pointer is stored as an integer in the mbuf
 * security dynamic field and the PMD is not called. Nothing here checks
 * rte_security_dynfield_is_registered(); a PMD that sets the flag is
 * presumed to have registered the field first — confirm that contract in
 * the driver before relying on it. instance, sess and mb are dereferenced
 * without NULL checks.
 *
 * @param instance Security context; its flags word selects the path.
 * @param sess     Session whose sess_private_data is recorded.
 * @param mb       Packet mbuf receiving the metadata.
 * @param params   Passed through to the PMD on the slow path; unused on the
 *                 fast path.
 * @return 0 on the fast path; otherwise whatever
 *         __rte_security_set_pkt_metadata() returns.
 */
static inline int
		struct rte_security_session *sess,
		struct rte_mbuf *mb, void *params)
{
	/* Fast Path */
	if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
		/* Pointer-to-integer cast: rte_security_dynfield_t is uint64_t. */
		*rte_security_dynfield(mb) =
			(rte_security_dynfield_t)(sess->sess_private_data);
		return 0;
	}

	/* Jump to PMD specific function pointer */
	return __rte_security_set_pkt_metadata(instance, sess, mb, params);
}
895 
/**
 * Bind a security session to a symmetric crypto operation.
 *
 * Stores sess in sym_op->sec_session; nothing else is touched and the
 * result is always 0.
 *
 * @param sym_op Symmetric crypto op (not NULL-checked).
 * @param sess   Session to attach.
 * @return Always 0.
 */
static inline int
		struct rte_security_session *sess)
{
	sym_op->sec_session = sess;

	return 0;
}
910 
/**
 * Read the PMD-private pointer stored in a security session.
 *
 * @param sess Session to read (not NULL-checked).
 * @return The session's sess_private_data as last set.
 */
static inline void *
get_sec_session_private_data(const struct rte_security_session *sess)
{
	void *priv = sess->sess_private_data;

	return priv;
}
916 
/**
 * Store the PMD-private pointer in a security session.
 *
 * Overwrites any previous value; nothing validates the pointer.
 *
 * @param sess         Session to update (not NULL-checked).
 * @param private_data Value to store; later returned by
 *                     get_sec_session_private_data().
 */
static inline void
set_sec_session_private_data(struct rte_security_session *sess,
			     void *private_data)
{
	void **slot = &sess->sess_private_data;

	*slot = private_data;
}
923 
933 static inline int
935  struct rte_security_session *sess)
936 {
938  return -EINVAL;
939 
941 
942  return __rte_security_attach_session(op->sym, sess);
943 }
944 
/**
 * Per-SecY MACsec counters; the @c macsec member of rte_security_stats as
 * filled by rte_security_session_stats_get(). The first group is not marked
 * by direction and presumably applies to both; the Rx-only and Tx-only
 * groups are marked below. "ctl"/"unctl" presumably refer to the controlled
 * and uncontrolled ports — confirm in the full header.
 */
struct rte_security_macsec_secy_stats {
	uint64_t ctl_pkt_bcast_cnt;
	uint64_t ctl_pkt_mcast_cnt;
	uint64_t ctl_pkt_ucast_cnt;
	uint64_t ctl_octet_cnt;
	uint64_t unctl_pkt_bcast_cnt;
	uint64_t unctl_pkt_mcast_cnt;
	uint64_t unctl_pkt_ucast_cnt;
	uint64_t unctl_octet_cnt;
	/* Valid only for Rx */
	uint64_t octet_decrypted_cnt;
	uint64_t octet_validated_cnt;
	uint64_t pkt_port_disabled_cnt;
	uint64_t pkt_badtag_cnt;
	uint64_t pkt_nosa_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_tagged_ctl_cnt;
	/* Spelling differs from the Tx pkt_untagged_cnt below; both names are
	 * part of the ABI, so neither can be corrected in place. */
	uint64_t pkt_untaged_cnt;
	uint64_t pkt_ctl_cnt;
	uint64_t pkt_notag_cnt;
	/* Valid only for Tx */
	uint64_t octet_encrypted_cnt;
	uint64_t octet_protected_cnt;
	uint64_t pkt_noactivesa_cnt;
	uint64_t pkt_toolong_cnt;
	uint64_t pkt_untagged_cnt;
};
972 
/**
 * Per-secure-channel MACsec counters, filled by
 * rte_security_macsec_sc_stats_get() for a given sc_id. Only the group
 * matching the channel's direction is meaningful.
 */
struct rte_security_macsec_sc_stats {
	/* Rx */
	uint64_t hit_cnt;
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_late_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_unchecked_cnt;
	uint64_t pkt_delay_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t octet_decrypt_cnt;
	uint64_t octet_validate_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
	uint64_t octet_encrypt_cnt;
	uint64_t octet_protected_cnt;
};
990 
/**
 * Per-secure-association MACsec counters, filled by
 * rte_security_macsec_sa_stats_get() for a given sa_id. Only the group
 * matching the association's direction is meaningful.
 */
struct rte_security_macsec_sa_stats {
	/* Rx */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t pkt_nosa_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
};
1002 
/**
 * IPsec session counters; the @c ipsec member of rte_security_stats.
 * Input/output packet and byte counts plus error counts, by name; the two
 * reserved words have no visible use and presumably keep the layout stable.
 */
struct rte_security_ipsec_stats {
	uint64_t ipackets;
	uint64_t opackets;
	uint64_t ibytes;
	uint64_t obytes;
	uint64_t ierrors;
	uint64_t oerrors;
	uint64_t reserved1;
	uint64_t reserved2;
};
1013 
/** PDCP counters; currently only a placeholder word, no counters defined. */
struct rte_security_pdcp_stats {
	uint64_t reserved;
};
1017 
/** DOCSIS counters; currently only a placeholder word, no counters defined. */
struct rte_security_docsis_stats {
	uint64_t reserved;
};
1021 
/**
 * Statistics returned by rte_security_session_stats_get().
 *
 * The protocol tag presumably selects which union member is valid; read
 * only that member. The union is anonymous (RTE_STD_C11), so members are
 * accessed as stats.macsec, stats.ipsec, and so on.
 */
struct rte_security_stats {
	enum rte_security_session_protocol protocol;
	RTE_STD_C11
	union {
		struct rte_security_macsec_secy_stats macsec;
		struct rte_security_ipsec_stats ipsec;
		struct rte_security_pdcp_stats pdcp;
		struct rte_security_docsis_stats docsis;
	};
};
1034 
1048 __rte_experimental
1049 int
1051  struct rte_security_session *sess,
1052  struct rte_security_stats *stats);
1053 
1067 __rte_experimental
1068 int
1070  uint16_t sa_id,
1071  struct rte_security_macsec_sa_stats *stats);
1072 
1086 __rte_experimental
1087 int
1089  uint16_t sc_id,
1090  struct rte_security_macsec_sc_stats *stats);
1091 
1100  RTE_STD_C11
1101  union {
1102  struct {
1115  } ipsec;
1117  struct {
1119  uint16_t mtu;
1123  uint16_t max_nb_sc;
1125  uint16_t max_nb_sa;
1127  uint16_t max_nb_sess;
1129  uint32_t replay_win_sz;
1133  uint16_t fixed_sectag_insert : 1;
1135  uint16_t icv_include_da_sa : 1;
1137  uint16_t ctrl_port_enable : 1;
1139  uint16_t preserve_sectag : 1;
1141  uint16_t preserve_icv : 1;
1143  uint16_t validate_frames : 1;
1145  uint16_t re_key : 1;
1147  uint16_t anti_replay : 1;
1149  uint16_t reserved : 7;
1150  } macsec;
1152  struct {
1155  uint32_t capa_flags;
1157  } pdcp;
1159  struct {
1162  } docsis;
1164  };
1165 
1169  uint32_t ol_flags;
1171 };
1172 
/*
 * PDCP capability bits. Presumably carried in the pdcp.capa_flags word of
 * the capability structure above and matched against the same-named field
 * of the capability index below — confirm in the full header.
 */
#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002
1185 
/*
 * Offload flag bits, presumably reported in the ol_flags word of the
 * capability structure above. The Tx bits sit in the low half and the Rx
 * bit in the high half, so the two directions never collide. NEED_MDATA
 * presumably means rte_security_set_pkt_metadata() must be called per
 * packet before transmit — confirm in the full header.
 */
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001

#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002

#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000
1197 
1209  enum rte_security_session_protocol protocol;
1210 
1211  RTE_STD_C11
1212  union {
1213  struct {
1214  enum rte_security_ipsec_sa_protocol proto;
1215  enum rte_security_ipsec_sa_mode mode;
1216  enum rte_security_ipsec_sa_direction direction;
1217  } ipsec;
1218  struct {
1219  enum rte_security_pdcp_domain domain;
1220  uint32_t capa_flags;
1221  } pdcp;
1222  struct {
1223  enum rte_security_docsis_direction direction;
1224  } docsis;
1225  };
1226 };
1227 
1237 const struct rte_security_capability *
1239 
1251 const struct rte_security_capability *
1253  struct rte_security_capability_idx *idx);
1254 
1255 #ifdef __cplusplus
1256 }
1257 #endif
1258 
1259 #endif /* _RTE_SECURITY_H_ */