1/* SPDX-License-Identifier: BSD-3-Clause
2 * Copyright 2017,2019-2020 NXP
3 * Copyright(c) 2017-2020 Intel Corporation.
4 */
5
6#ifndef _RTE_SECURITY_H_
7#define _RTE_SECURITY_H_
8
16#ifdef __cplusplus
17extern "C" {
18#endif
19
20#include <sys/types.h>
21
22#include <rte_compat.h>
23#include <rte_common.h>
24#include <rte_crypto.h>
25#include <rte_ip.h>
26#include <rte_mbuf_dyn.h>
27
34};
35
42};
43
50};
51
/*
 * Values for the 2-bit @c tunnel_hdr_verify member of
 * struct rte_security_ipsec_sa_options. They select which addresses of
 * the outer tunnel header the device is asked to check; 0 leaves the
 * check disabled. NOTE(review): the header does not say what happens to a
 * packet that fails the check (drop vs. error flag) — confirm with the PMD.
 */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_DST_ADDR 0x1 /**< check outer destination address */
#define RTE_SECURITY_IPSEC_TUNNEL_VERIFY_SRC_DST_ADDR 0x2 /**< check outer source and destination addresses */
59
70 void *device;
72 const struct rte_security_ops *ops;
74 uint16_t sess_cnt;
76 uint16_t macsec_sc_cnt;
78 uint16_t macsec_sa_cnt;
80 uint32_t flags;
82};
83
/**
 * Bit in rte_security_ctx::flags. When set, rte_security_set_pkt_metadata()
 * takes its fast path and returns 0 without calling the PMD's
 * __rte_security_set_pkt_metadata() — presumably after writing the
 * session reference into the mbuf dynfield directly; confirm in the
 * function body.
 */
#define RTE_SEC_CTX_F_FAST_SET_MDATA 0x00000001
99 union {
100 struct {
101 struct in_addr src_ip;
103 struct in_addr dst_ip;
105 uint8_t dscp;
107 uint8_t df;
109 uint8_t ttl;
111 } ipv4;
113 struct {
114 struct in6_addr src_addr;
116 struct in6_addr dst_addr;
118 uint8_t dscp;
120 uint32_t flabel;
122 uint8_t hlimit;
124 } ipv6;
126 };
127};
128
/**
 * UDP port pair attached to an IPsec SA; embedded as the @c udp member of
 * struct rte_security_ipsec_xform. Presumably only consulted when the
 * @c udp_encap option bit of the SA is set — confirm against the PMD.
 *
 * NOTE(review): the byte order (host vs. network) of these two fields is
 * not stated in this header; check the PMD before filling them.
 */
struct rte_security_ipsec_udp_param {
	uint16_t sport; /**< UDP source port */
	uint16_t dport; /**< UDP destination port */
};
133
143 uint32_t esn : 1;
144
151 uint32_t udp_encap : 1;
152
160 uint32_t copy_dscp : 1;
161
168 uint32_t copy_flabel : 1;
169
176 uint32_t copy_df : 1;
177
185 uint32_t dec_ttl : 1;
186
194 uint32_t ecn : 1;
195
202 uint32_t stats : 1;
203
216 uint32_t iv_gen_disable : 1;
217
225 uint32_t tunnel_hdr_verify : 2;
226
232 uint32_t udp_ports_verify : 1;
233
247 uint32_t ip_csum_enable : 1;
248
263 uint32_t l4_csum_enable : 1;
264
276 uint32_t ip_reassembly_en : 1;
277
285 uint32_t reserved_opts : 17;
286};
287
294};
295
318};
319
326 uint32_t spi;
328 uint32_t salt;
346 union {
347 uint64_t value;
348 struct {
349 uint32_t low;
350 uint32_t hi;
351 };
352 } esn;
354 struct rte_security_ipsec_udp_param udp;
356};
357
366};
367
/**
 * Number of association numbers (AN) per secure channel. The AN is carried
 * in a 2-bit field (see the @c an bit-field of struct rte_security_macsec_sa),
 * hence four values; it sizes the per-AN @c sa_id / @c sa_in_use arrays of
 * struct rte_security_macsec_sc.
 */
#define RTE_SECURITY_MACSEC_NUM_AN 4
/** Length in bytes of the @c salt array of struct rte_security_macsec_sa. */
#define RTE_SECURITY_MACSEC_SALT_LEN 12
372
380 struct {
381 const uint8_t *data;
382 uint16_t length;
387 uint8_t an : 2;
389 uint32_t ssci;
391 uint32_t xpn;
393 uint32_t next_pn;
394};
395
402 union {
403 struct {
409 uint8_t active : 1;
411 uint8_t reserved : 7;
412 } sc_rx;
413 struct {
414 uint16_t sa_id;
415 uint16_t sa_id_rekey;
416 uint64_t sci;
417 uint8_t active : 1;
418 uint8_t re_key_en : 1;
420 uint8_t reserved : 6;
421 } sc_tx;
422 };
423};
424
433};
434
/*
 * Values for the 2-bit @c validate_frames member of the Rx SecY
 * configuration (struct rte_security_macsec_xform, @c rx_secy).
 * NOTE(review): the exact behaviour of each mode (whether frames failing
 * ICV or replay validation are counted only, or counted and discarded)
 * is not stated in this header — confirm against the PMD before relying
 * on any mode other than STRICT for enforcement.
 */
#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE 0
#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD 1
#define RTE_SECURITY_MACSEC_VALIDATE_STRICT 2
#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP 3
443
453 uint8_t cipher_off;
458 uint64_t sci;
460 uint16_t sc_id;
461 union {
462 struct {
464 uint16_t mtu;
469 uint8_t sectag_off;
471 uint16_t protect_frames : 1;
478 uint16_t sectag_insert_mode : 1;
480 uint16_t icv_include_da_sa : 1;
482 uint16_t ctrl_port_enable : 1;
484 uint16_t sectag_version : 1;
486 uint16_t end_station : 1;
488 uint16_t send_sci : 1;
490 uint16_t scb : 1;
495 uint16_t encrypt : 1;
497 uint16_t reserved : 7;
498 } tx_secy;
499 struct {
503 uint16_t validate_frames : 2;
505 uint16_t icv_include_da_sa : 1;
507 uint16_t ctrl_port_enable : 1;
509 uint16_t preserve_sectag : 1;
511 uint16_t preserve_icv : 1;
513 uint16_t replay_protect : 1;
515 uint16_t reserved : 9;
516 } rx_secy;
517 };
518};
519
527};
528
533};
534
548
555 int8_t bearer;
559 uint8_t en_ordering;
574 uint32_t hfn;
585 uint8_t hfn_ovrd;
593 uint16_t reserved;
594};
595
606};
607
616};
617
641
652};
653
663 union {
664 struct rte_security_ipsec_xform ipsec;
665 struct rte_security_macsec_xform macsec;
666 struct rte_security_pdcp_xform pdcp;
667 struct rte_security_docsis_xform docsis;
668 };
672 void *userdata;
674};
675
686void *
688 struct rte_security_session_conf *conf,
689 struct rte_mempool *mp);
690
701__rte_experimental
702int
704 void *sess,
705 struct rte_security_session_conf *conf);
706
716unsigned int
718
733int
734rte_security_session_destroy(struct rte_security_ctx *instance, void *sess);
735
751__rte_experimental
752int
754 struct rte_security_macsec_sc *conf);
755
769__rte_experimental
770int
771rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);
772
788__rte_experimental
789int
791 struct rte_security_macsec_sa *conf);
792
806__rte_experimental
807int
808rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);
809
/**
 * Type of the per-mbuf dynamic field that rte_security_dynfield() returns a
 * pointer to (via RTE_MBUF_DYNFIELD). A plain 64-bit slot; what the PMD
 * stores in it is not defined here.
 */
typedef uint64_t rte_security_dynfield_t;
814
828__rte_experimental
829static inline rte_security_dynfield_t *
831{
832 return RTE_MBUF_DYNFIELD(mbuf,
835}
836
845__rte_experimental
847{
849}
850
/*
 * Layout contract for the first words of an opaque security session. The
 * accessors below treat @c sess as an array of uint64_t and index it with
 * these constants, so the backing object must be at least two 8-byte words
 * long and suitably aligned. None of the accessors validate @p sess.
 */
#define RTE_SECURITY_SESS_OPAQUE_DATA_OFF 0 /**< word index of the application opaque data */
#define RTE_SECURITY_SESS_FAST_MDATA_OFF 1 /**< word index of the fast-path metadata */
856static inline uint64_t
858{
859 return *((uint64_t *)sess + RTE_SECURITY_SESS_OPAQUE_DATA_OFF);
860}
861
/**
 * Store application opaque data in a security session.
 *
 * Writes @p opaque into word RTE_SECURITY_SESS_OPAQUE_DATA_OFF of the
 * session object. The session is addressed as an array of uint64_t; no
 * check is made that @p sess is non-NULL, large enough, or aligned.
 *
 * @param sess   Security session object.
 * @param opaque Value to store.
 */
static inline void
rte_security_session_opaque_data_set(void *sess, uint64_t opaque)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_OPAQUE_DATA_OFF] = opaque;
}
872
876static inline uint64_t
878{
879 return *((uint64_t *)sess + RTE_SECURITY_SESS_FAST_MDATA_OFF);
880}
881
/**
 * Store fast-path metadata in a security session.
 *
 * Writes @p fdata into word RTE_SECURITY_SESS_FAST_MDATA_OFF of the
 * session object. The session is addressed as an array of uint64_t; no
 * check is made that @p sess is non-NULL, large enough, or aligned.
 *
 * @param sess  Security session object.
 * @param fdata Value to store.
 */
static inline void
rte_security_session_fast_mdata_set(void *sess, uint64_t fdata)
{
	uint64_t *words = (uint64_t *)sess;

	words[RTE_SECURITY_SESS_FAST_MDATA_OFF] = fdata;
}
892
894__rte_experimental
896 void *sess,
897 struct rte_mbuf *m, void *params);
898
912static inline int
914 void *sess,
915 struct rte_mbuf *mb, void *params)
916{
917 /* Fast Path */
918 if (instance->flags & RTE_SEC_CTX_F_FAST_SET_MDATA) {
921 return 0;
922 }
923
924 /* Jump to PMD specific function pointer */
925 return __rte_security_set_pkt_metadata(instance, sess, mb, params);
926}
927
934static inline int
936{
937 sym_op->session = sess;
938
939 return 0;
940}
941
951static inline int
953 void *sess)
954{
956 return -EINVAL;
957
959
960 return __rte_security_attach_session(op->sym, sess);
961}
962
/**
 * Per-SecY MACsec statistics. Returned by rte_security_session_stats_get()
 * through the @c macsec member of struct rte_security_stats. All members are
 * 64-bit counters; the header does not state whether a PMD clears them on
 * read.
 *
 * NOTE(review): the ctl_/unctl_ prefixes presumably denote the MACsec
 * controlled / uncontrolled port — confirm against the PMD. Members marked
 * Rx-only or Tx-only have unspecified content for the other direction.
 */
struct rte_security_macsec_secy_stats {
	uint64_t ctl_pkt_bcast_cnt;
	uint64_t ctl_pkt_mcast_cnt;
	uint64_t ctl_pkt_ucast_cnt;
	uint64_t ctl_octet_cnt;
	uint64_t unctl_pkt_bcast_cnt;
	uint64_t unctl_pkt_mcast_cnt;
	uint64_t unctl_pkt_ucast_cnt;
	uint64_t unctl_octet_cnt;
	/* Valid only for Rx */
	uint64_t octet_decrypted_cnt;
	uint64_t octet_validated_cnt;
	uint64_t pkt_port_disabled_cnt;
	/* NOTE(review): the three counters below are presumably the drop
	 * reasons most useful for spotting malformed or misdirected frames
	 * (bad SecTAG, no matching SA) — confirm the exact meaning with the PMD. */
	uint64_t pkt_badtag_cnt;
	uint64_t pkt_nosa_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_tagged_ctl_cnt;
	uint64_t pkt_untaged_cnt;
	uint64_t pkt_ctl_cnt;
	uint64_t pkt_notag_cnt;
	/* Valid only for Tx */
	uint64_t octet_encrypted_cnt;
	uint64_t octet_protected_cnt;
	uint64_t pkt_noactivesa_cnt;
	uint64_t pkt_toolong_cnt;
	uint64_t pkt_untagged_cnt;
};
990
/**
 * Per-secure-channel MACsec statistics, filled by
 * rte_security_macsec_sc_stats_get() for a given @c sc_id. Which group is
 * meaningful depends on the channel direction; the other group's content
 * is unspecified.
 */
struct rte_security_macsec_sc_stats {
	/* Rx */
	uint64_t hit_cnt;
	/* NOTE(review): invalid/late/notvalid are presumably the validation and
	 * replay-window failure counters — the natural telemetry for detecting
	 * replayed or tampered frames on this channel; confirm with the PMD. */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_late_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_unchecked_cnt;
	uint64_t pkt_delay_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t octet_decrypt_cnt;
	uint64_t octet_validate_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
	uint64_t octet_encrypt_cnt;
	uint64_t octet_protected_cnt;
};
1008
/**
 * Per-security-association MACsec statistics, filled by
 * rte_security_macsec_sa_stats_get() for a given @c sa_id. Only the group
 * matching the SA direction is meaningful.
 */
struct rte_security_macsec_sa_stats {
	/* Rx */
	uint64_t pkt_invalid_cnt;
	uint64_t pkt_nosaerror_cnt;
	uint64_t pkt_notvalid_cnt;
	uint64_t pkt_ok_cnt;
	uint64_t pkt_nosa_cnt;
	/* Tx */
	uint64_t pkt_encrypt_cnt;
	uint64_t pkt_protected_cnt;
};
1020
/**
 * IPsec session statistics, returned by rte_security_session_stats_get()
 * through the @c ipsec member of struct rte_security_stats. By naming
 * convention the i*/o* members are inbound/outbound packet, byte and error
 * counters; what a PMD counts as an "error" is not defined here.
 */
struct rte_security_ipsec_stats {
	uint64_t ipackets;
	uint64_t opackets;
	uint64_t ibytes;
	uint64_t obytes;
	uint64_t ierrors;
	uint64_t oerrors;
	/* Unused; presumably kept to hold the structure size stable. Do not interpret. */
	uint64_t reserved1;
	uint64_t reserved2;
};
1031
/** PDCP statistics placeholder: no counters are defined yet. */
struct rte_security_pdcp_stats {
	uint64_t reserved;
};
1035
/** DOCSIS statistics placeholder: no counters are defined yet. */
struct rte_security_docsis_stats {
	uint64_t reserved;
};
1039
/**
 * Statistics container passed to rte_security_session_stats_get().
 * @c protocol identifies which member of the anonymous union is populated;
 * read only that member. Presumably the PMD sets @c protocol when filling
 * the structure — confirm before relying on it being set by the caller.
 */
struct rte_security_stats {
	enum rte_security_session_protocol protocol;
	union {
		struct rte_security_macsec_secy_stats macsec;
		struct rte_security_ipsec_stats ipsec;
		struct rte_security_pdcp_stats pdcp;
		struct rte_security_docsis_stats docsis;
	};
};
1052
1066__rte_experimental
1067int
1069 void *sess,
1070 struct rte_security_stats *stats);
1071
1085__rte_experimental
1086int
1088 uint16_t sa_id,
1089 struct rte_security_macsec_sa_stats *stats);
1090
1104__rte_experimental
1105int
1107 uint16_t sc_id,
1108 struct rte_security_macsec_sc_stats *stats);
1109
1119 union {
1120 struct {
1133 } ipsec;
1135 struct {
1137 uint16_t mtu;
1141 uint16_t max_nb_sc;
1143 uint16_t max_nb_sa;
1145 uint16_t max_nb_sess;
1153 uint16_t icv_include_da_sa : 1;
1155 uint16_t ctrl_port_enable : 1;
1157 uint16_t preserve_sectag : 1;
1159 uint16_t preserve_icv : 1;
1161 uint16_t validate_frames : 1;
1163 uint16_t re_key : 1;
1165 uint16_t anti_replay : 1;
1167 uint16_t reserved : 7;
1168 } macsec;
1170 struct {
1173 uint32_t capa_flags;
1175 } pdcp;
1177 struct {
1180 } docsis;
1182 };
1183
1187 uint32_t ol_flags;
1189};
1190
/*
 * Bits reported in the @c pdcp.capa_flags member of
 * struct rte_security_capability.
 */
#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 /**< PMD can reorder PDCP packets */

#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 /**< PMD can detect duplicate PDCP packets */

/*
 * Bits reported in the @c ol_flags member of struct rte_security_capability.
 * Tx flags occupy the low 16 bits, Rx flags the high 16 bits.
 */
#define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 /**< Tx offload needs rte_security_set_pkt_metadata() per packet */
#define RTE_SECURITY_TX_HW_TRAILER_OFFLOAD 0x00000002 /**< device adds the protocol trailer on Tx */
#define RTE_SECURITY_RX_HW_TRAILER_OFFLOAD 0x00010000 /**< device strips the protocol trailer on Rx */
1227 enum rte_security_session_protocol protocol;
1228
1230 union {
1231 struct {
1234 enum rte_security_ipsec_sa_direction direction;
1235 } ipsec;
1236 struct {
1237 enum rte_security_pdcp_domain domain;
1238 uint32_t capa_flags;
1239 } pdcp;
1240 struct {
1241 enum rte_security_docsis_direction direction;
1242 } docsis;
1243 };
1244};
1245
1255const struct rte_security_capability *
1257
1269const struct rte_security_capability *
1271 struct rte_security_capability_idx *idx);
1272
1273#ifdef __cplusplus
1274}
1275#endif
1276
1277#endif /* _RTE_SECURITY_H_ */