X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=lib%2Flibrte_security%2Frte_security.h;h=e07b1328927523ef880cc8c820f1c2181d42ce97;hb=a4712f588e6e7f556698eea7fbc2514d175693a6;hp=c75c12183ab36662cd4816294feeaea0e9547dec;hpb=ca33590b6af032bff57d9cc70455660466a654b2;p=deb_dpdk.git diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index c75c1218..e07b1328 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -1,34 +1,6 @@ -/*- - * BSD LICENSE - * - * Copyright 2017 NXP. - * Copyright(c) 2017 Intel Corporation. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * * Neither the name of NXP nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT - * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +/* SPDX-License-Identifier: BSD-3-Clause + * Copyright 2017 NXP. + * Copyright(c) 2017 Intel Corporation. */ #ifndef _RTE_SECURITY_H_ @@ -36,7 +8,6 @@ /** * @file rte_security.h - * @b EXPERIMENTAL: this API may change without prior notice * * RTE Security Common Definitions * @@ -222,6 +193,8 @@ struct rte_security_ipsec_xform { /**< IPsec SA Mode - transport/tunnel */ struct rte_security_ipsec_tunnel_param tunnel; /**< Tunnel parameters, NULL for transport mode */ + uint64_t esn_soft_limit; + /**< ESN for which the overflow event need to be raised */ }; /** @@ -232,6 +205,64 @@ struct rte_security_macsec_xform { int dummy; }; +/** + * PDCP Mode of session + */ +enum rte_security_pdcp_domain { + RTE_SECURITY_PDCP_MODE_CONTROL, /**< PDCP control plane */ + RTE_SECURITY_PDCP_MODE_DATA, /**< PDCP data plane */ +}; + +/** PDCP Frame direction */ +enum rte_security_pdcp_direction { + RTE_SECURITY_PDCP_UPLINK, /**< Uplink */ + RTE_SECURITY_PDCP_DOWNLINK, /**< Downlink */ +}; + +/** PDCP Sequence Number Size selectors */ +enum rte_security_pdcp_sn_size { + /** PDCP_SN_SIZE_5: 5bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_5 = 5, + /** PDCP_SN_SIZE_7: 7bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_7 = 7, + /** PDCP_SN_SIZE_12: 12bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_12 = 12, + /** PDCP_SN_SIZE_15: 15bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_15 = 15, + /** PDCP_SN_SIZE_18: 18bit sequence number */ + RTE_SECURITY_PDCP_SN_SIZE_18 = 18 +}; + +/** + * PDCP security association configuration data. + * + * This structure contains data required to create a PDCP security session. + */ +struct rte_security_pdcp_xform { + int8_t bearer; /**< PDCP bearer ID */ + /** Enable in order delivery, this field shall be set only if + * driver/HW is capable. See RTE_SECURITY_PDCP_ORDERING_CAP. + */ + uint8_t en_ordering; + /** Notify driver/HW to detect and remove duplicate packets. + * This field should be set only when driver/hw is capable. + * See RTE_SECURITY_PDCP_DUP_DETECT_CAP. + */ + uint8_t remove_duplicates; + /** PDCP mode of operation: Control or data */ + enum rte_security_pdcp_domain domain; + /** PDCP Frame Direction 0:UL 1:DL */ + enum rte_security_pdcp_direction pkt_dir; + /** Sequence number size, 5/7/12/15/18 */ + enum rte_security_pdcp_sn_size sn_size; + /** Starting Hyper Frame Number to be used together with the SN + * from the PDCP frames + */ + uint32_t hfn; + /** HFN Threshold for key renegotiation */ + uint32_t hfn_threshold; +}; + /** * Security session action type. */ @@ -258,6 +289,8 @@ enum rte_security_session_protocol { /**< IPsec Protocol */ RTE_SECURITY_PROTOCOL_MACSEC, /**< MACSec Protocol */ + RTE_SECURITY_PROTOCOL_PDCP, + /**< PDCP Protocol */ }; /** @@ -272,6 +305,7 @@ struct rte_security_session_conf { union { struct rte_security_ipsec_xform ipsec; struct rte_security_macsec_xform macsec; + struct rte_security_pdcp_xform pdcp; }; /**< Configuration parameters for security session */ struct rte_crypto_sym_xform *crypto_xform; @@ -295,7 +329,7 @@ struct rte_security_session { * - On success, pointer to session * - On failure, NULL */ -struct rte_security_session * __rte_experimental +struct rte_security_session * rte_security_session_create(struct rte_security_ctx *instance, struct rte_security_session_conf *conf, struct rte_mempool *mp); @@ -310,7 +344,7 @@ rte_security_session_create(struct rte_security_ctx *instance, * - On success returns 0 * - On failure return errno */ -int __rte_experimental +int rte_security_session_update(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_session_conf *conf); @@ -324,7 +358,7 @@ rte_security_session_update(struct rte_security_ctx *instance, * - Size of the private data, if successful * - 0 if device is invalid or does not support the operation. */ -unsigned int __rte_experimental +unsigned int rte_security_session_get_size(struct rte_security_ctx *instance); /** @@ -339,7 +373,7 @@ rte_security_session_get_size(struct rte_security_ctx *instance); * - -EINVAL if session is NULL. * - -EBUSY if not all device private data has been freed. */ -int __rte_experimental +int rte_security_session_destroy(struct rte_security_ctx *instance, struct rte_security_session *sess); @@ -356,27 +390,29 @@ rte_security_session_destroy(struct rte_security_ctx *instance, * - On success, zero. * - On failure, a negative value. */ -int __rte_experimental +int rte_security_set_pkt_metadata(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_mbuf *mb, void *params); /** - * Get userdata associated with the security session which processed the - * packet. This userdata would be registered while creating the session, and - * application can use this to identify the SA etc. Device-specific metadata - * in the mbuf would be used for this. + * Get userdata associated with the security session. Device specific metadata + * provided would be used to uniquely identify the security session being + * referred to. This userdata would be registered while creating the session, + * and application can use this to identify the SA etc. * - * This is valid only for inline processed ingress packets. + * Device specific metadata would be set in mbuf for inline processed inbound + * packets. In addition, the same metadata would be set for IPsec events + * reported by rte_eth_event framework. * * @param instance security instance - * @param md device-specific metadata set in mbuf + * @param md device-specific metadata * * @return * - On success, userdata * - On failure, NULL */ -void * __rte_experimental +void * rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); /** @@ -385,7 +421,7 @@ rte_security_get_userdata(struct rte_security_ctx *instance, uint64_t md); * @param sym_op crypto operation * @param sess security session */ -static inline int __rte_experimental +static inline int __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, struct rte_security_session *sess) { @@ -394,13 +430,13 @@ __rte_security_attach_session(struct rte_crypto_sym_op *sym_op, return 0; } -static inline void * __rte_experimental +static inline void * get_sec_session_private_data(const struct rte_security_session *sess) { return sess->sess_private_data; } -static inline void __rte_experimental +static inline void set_sec_session_private_data(struct rte_security_session *sess, void *private_data) { @@ -416,7 +452,7 @@ set_sec_session_private_data(struct rte_security_session *sess, * @param op crypto operation * @param sess security session */ -static inline int __rte_experimental +static inline int rte_security_attach_session(struct rte_crypto_op *op, struct rte_security_session *sess) { @@ -437,6 +473,10 @@ struct rte_security_ipsec_stats { }; +struct rte_security_pdcp_stats { + uint64_t reserved; +}; + struct rte_security_stats { enum rte_security_session_protocol protocol; /**< Security protocol to be configured */ @@ -445,6 +485,7 @@ struct rte_security_stats { union { struct rte_security_macsec_stats macsec; struct rte_security_ipsec_stats ipsec; + struct rte_security_pdcp_stats pdcp; }; }; @@ -458,7 +499,7 @@ struct rte_security_stats { * - On success return 0 * - On failure errno */ -int __rte_experimental +int rte_security_session_stats_get(struct rte_security_ctx *instance, struct rte_security_session *sess, struct rte_security_stats *stats); @@ -489,6 +530,13 @@ struct rte_security_capability { int dummy; } macsec; /**< MACsec capability */ + struct { + enum rte_security_pdcp_domain domain; + /**< PDCP mode of operation: Control or data */ + uint32_t capa_flags; + /**< Capabilitity flags, see RTE_SECURITY_PDCP_* */ + } pdcp; + /**< PDCP capability */ }; const struct rte_cryptodev_capabilities *crypto_capabilities; @@ -498,6 +546,19 @@ struct rte_security_capability { /**< Device offload flags */ }; +/** Underlying Hardware/driver which support PDCP may or may not support + * packet ordering. Set RTE_SECURITY_PDCP_ORDERING_CAP if it support. + * If it is not set, driver/HW assumes packets received are in order + * and it will be application's responsibility to maintain ordering. + */ +#define RTE_SECURITY_PDCP_ORDERING_CAP 0x00000001 + +/** Underlying Hardware/driver which support PDCP may or may not detect + * duplicate packet. Set RTE_SECURITY_PDCP_DUP_DETECT_CAP if it support. + * If it is not set, driver/HW assumes there is no duplicate packet received. + */ +#define RTE_SECURITY_PDCP_DUP_DETECT_CAP 0x00000002 + #define RTE_SECURITY_TX_OLOAD_NEED_MDATA 0x00000001 /**< HW needs metadata update, see rte_security_set_pkt_metadata(). */ @@ -530,6 +591,10 @@ struct rte_security_capability_idx { enum rte_security_ipsec_sa_mode mode; enum rte_security_ipsec_sa_direction direction; } ipsec; + struct { + enum rte_security_pdcp_domain domain; + uint32_t capa_flags; + } pdcp; }; }; @@ -542,7 +607,7 @@ struct rte_security_capability_idx { * - Returns array of security capabilities. * - Return NULL if no capabilities available. */ -const struct rte_security_capability * __rte_experimental +const struct rte_security_capability * rte_security_capabilities_get(struct rte_security_ctx *instance); /** @@ -556,7 +621,7 @@ rte_security_capabilities_get(struct rte_security_ctx *instance); * index criteria. * - Return NULL if the capability not matched on security instance. */ -const struct rte_security_capability * __rte_experimental +const struct rte_security_capability * rte_security_capability_get(struct rte_security_ctx *instance, struct rte_security_capability_idx *idx);