]>
Commit | Line | Data |
---|---|---|
fa05b97b | 1 | /** @file\r |
2 | EFI IPsec Configuration Protocol Definition\r | |
9095d37b | 3 | The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and\r |
fa05b97b | 4 | policy related information for the EFI IPsec protocol driver.\r |
5 | \r | |
9095d37b | 6 | Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r |
9344f092 | 7 | SPDX-License-Identifier: BSD-2-Clause-Patent\r |
fa05b97b | 8 | \r |
9095d37b | 9 | @par Revision Reference:\r |
fa05b97b | 10 | This Protocol is introduced in UEFI Specification 2.2\r |
11 | \r | |
12 | **/\r | |
13 | \r | |
14 | #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
15 | #define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
16 | \r | |
fa05b97b | 17 | #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r |
18 | { \\r | |
3393e291 | 19 | 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r |
fa05b97b | 20 | }\r |
21 | \r | |
22 | typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r | |
23 | \r | |
24 | ///\r | |
25 | /// EFI_IPSEC_CONFIG_DATA_TYPE\r | |
26 | ///\r | |
27 | typedef enum {\r | |
9095d37b LG |
28 | ///\r |
29 | /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,\r | |
30 | /// an essential element of Security Association (SA) processing is\r | |
31 | /// underlying SPD that specifies what services are to be offered to\r | |
32 | /// IP datagram and in what fashion. The SPD must be consulted\r | |
33 | /// during the processing of all traffic (inbound and outbound),\r | |
34 | /// including traffic not protected by IPsec, that traverses the IPsec\r | |
35 | /// boundary. With this DataType, SetData() function is to set\r | |
36 | /// the SPD entry information, which may add one new entry, delete\r | |
37 | /// one existed entry or flush the whole database according to the\r | |
38 | /// parameter values. The corresponding Data is of type\r | |
fa05b97b | 39 | /// EFI_IPSEC_SPD_DATA\r |
9095d37b | 40 | ///\r |
fa05b97b | 41 | IPsecConfigDataTypeSpd,\r |
9095d37b LG |
42 | ///\r |
43 | /// The IPsec Security Association Database (aka SAD) setting. A\r | |
44 | /// SA is a simplex connection that affords security services to the\r | |
45 | /// traffic carried by it. Security services are afforded to an SA by the\r | |
46 | /// use of AH, or ESP, but not both. The corresponding Data is of\r | |
fa05b97b | 47 | /// type EFI_IPSEC_SAD_DATA.\r |
9095d37b | 48 | ///\r |
fa05b97b | 49 | IPsecConfigDataTypeSad,\r |
9095d37b LG |
50 | ///\r |
51 | /// The IPsec Peer Authorization Database (aka PAD) setting, which\r | |
52 | /// provides the link between the SPD and a security association\r | |
53 | /// management protocol. The PAD entry specifies the\r | |
54 | /// authentication protocol (e.g. IKEv1, IKEv2) method used and the\r | |
55 | /// authentication data. The corresponding Data is of type\r | |
fa05b97b | 56 | /// EFI_IPSEC_PAD_DATA.\r |
57 | ///\r | |
58 | IPsecConfigDataTypePad,\r | |
59 | IPsecConfigDataTypeMaximum\r | |
60 | } EFI_IPSEC_CONFIG_DATA_TYPE;\r | |
61 | \r | |
62 | ///\r | |
63 | /// EFI_IP_ADDRESS_INFO\r | |
64 | ///\r | |
65 | typedef struct _EFI_IP_ADDRESS_INFO {\r | |
2f88bd3a MK |
66 | EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r |
67 | UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r | |
fa05b97b | 68 | } EFI_IP_ADDRESS_INFO;\r |
69 | \r | |
fa05b97b | 70 | ///\r |
71 | /// EFI_IPSEC_SPD_SELECTOR\r | |
72 | ///\r | |
73 | typedef struct _EFI_IPSEC_SPD_SELECTOR {\r | |
9095d37b | 74 | ///\r |
fa05b97b | 75 | /// Specifies the actual number of entries in LocalAddress.\r |
9095d37b | 76 | ///\r |
2f88bd3a | 77 | UINT32 LocalAddressCount;\r |
9095d37b LG |
78 | ///\r |
79 | /// A list of ranges of IPv4 or IPv6 addresses, which refers to the\r | |
fa05b97b | 80 | /// addresses being protected by IPsec policy.\r |
9095d37b | 81 | ///\r |
2f88bd3a | 82 | EFI_IP_ADDRESS_INFO *LocalAddress;\r |
9095d37b | 83 | ///\r |
fa05b97b | 84 | /// Specifies the actual number of entries in RemoteAddress.\r |
9095d37b | 85 | ///\r |
2f88bd3a | 86 | UINT32 RemoteAddressCount;\r |
9095d37b LG |
87 | ///\r |
88 | /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities\r | |
89 | /// to LocalAddress.\r | |
90 | ///\r | |
2f88bd3a | 91 | EFI_IP_ADDRESS_INFO *RemoteAddress;\r |
9095d37b LG |
92 | ///\r |
93 | /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6\r | |
94 | /// Next Header fields. The next layer protocol is whatever comes\r | |
95 | /// after any IP extension headers that are present. A zero value is a\r | |
fa05b97b | 96 | /// wildcard that matches any value in NextLayerProtocol field.\r |
9095d37b | 97 | ///\r |
2f88bd3a | 98 | UINT16 NextLayerProtocol;\r |
9095d37b LG |
99 | ///\r |
100 | /// Local Port if the Next Layer Protocol uses two ports (as do TCP,\r | |
101 | /// UDP, and others). A zero value is a wildcard that matches any\r | |
fa05b97b | 102 | /// value in LocalPort field.\r |
9095d37b | 103 | ///\r |
2f88bd3a | 104 | UINT16 LocalPort;\r |
9095d37b LG |
105 | ///\r |
106 | /// A designed port range size. The start port is LocalPort, and\r | |
107 | /// the total number of ports is described by LocalPortRange.\r | |
108 | /// This field is ignored if NextLayerProtocol does not use\r | |
109 | /// ports.\r | |
110 | ///\r | |
2f88bd3a | 111 | UINT16 LocalPortRange;\r |
9095d37b LG |
112 | ///\r |
113 | /// Remote Port if the Next Layer Protocol uses two ports. A zero\r | |
fa05b97b | 114 | /// value is a wildcard that matches any value in RemotePort field.\r |
9095d37b | 115 | ///\r |
2f88bd3a | 116 | UINT16 RemotePort;\r |
9095d37b LG |
117 | ///\r |
118 | /// A designed port range size. The start port is RemotePort, and\r | |
119 | /// the total number of ports is described by RemotePortRange.\r | |
fa05b97b | 120 | /// This field is ignored if NextLayerProtocol does not use ports.\r |
9095d37b | 121 | ///\r |
2f88bd3a | 122 | UINT16 RemotePortRange;\r |
fa05b97b | 123 | } EFI_IPSEC_SPD_SELECTOR;\r |
9095d37b | 124 | \r |
fa05b97b | 125 | ///\r |
126 | /// EFI_IPSEC_TRAFFIC_DIR\r | |
127 | /// represents the directionality in an SPD entry.\r | |
128 | ///\r | |
129 | typedef enum {\r | |
130 | ///\r | |
9095d37b | 131 | /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via\r |
fa05b97b | 132 | /// the unprotected interface or emitted by the implementation on the unprotected\r |
9095d37b | 133 | /// side of the boundary and directed towards the protected interface.\r |
fa05b97b | 134 | ///\r |
135 | EfiIPsecInBound,\r | |
136 | ///\r | |
9095d37b | 137 | /// The EfiIPsecOutBound refers to traffic entering the implementation via\r |
fa05b97b | 138 | /// the protected interface, or emitted by the implementation on the protected side\r |
139 | /// of the boundary and directed toward the unprotected interface.\r | |
140 | ///\r | |
141 | EfiIPsecOutBound\r | |
142 | } EFI_IPSEC_TRAFFIC_DIR;\r | |
143 | \r | |
144 | ///\r | |
145 | /// EFI_IPSEC_ACTION\r | |
146 | /// represents three possible processing choices.\r | |
147 | ///\r | |
148 | typedef enum {\r | |
9095d37b | 149 | ///\r |
fa05b97b | 150 | /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r |
9095d37b | 151 | ///\r |
fa05b97b | 152 | EfiIPsecActionDiscard,\r |
9095d37b LG |
153 | ///\r |
154 | /// Refers to traffic that is allowed to cross the IPsec boundary\r | |
fa05b97b | 155 | /// without protection.\r |
9095d37b | 156 | ///\r |
fa05b97b | 157 | EfiIPsecActionBypass,\r |
9095d37b LG |
158 | ///\r |
159 | /// Refers to traffic that is afforded IPsec protection, and for such\r | |
160 | /// traffic the SPD must specify the security protocols to be\r | |
161 | /// employed, their mode, security service options, and the\r | |
162 | /// cryptographic algorithms to be used.\r | |
fa05b97b | 163 | ///\r |
164 | EfiIPsecActionProtect\r | |
165 | } EFI_IPSEC_ACTION;\r | |
166 | \r | |
167 | ///\r | |
168 | /// EFI_IPSEC_SA_LIFETIME\r | |
9095d37b LG |
169 | /// defines the lifetime of an SA, which represents when a SA must be\r |
170 | /// replaced or terminated. A value of all 0 for each field removes\r | |
fa05b97b | 171 | /// the limitation of a SA lifetime.\r |
172 | ///\r | |
173 | typedef struct _EFI_IPSEC_SA_LIFETIME {\r | |
9095d37b | 174 | ///\r |
fa05b97b | 175 | /// The number of bytes to which the IPsec cryptographic algorithm\r |
176 | /// can be applied. For ESP, this is the encryption algorithm and for\r | |
9095d37b | 177 | /// AH, this is the authentication algorithm. The ByteCount\r |
fa05b97b | 178 | /// includes pad bytes for cryptographic operations.\r |
9095d37b | 179 | ///\r |
2f88bd3a | 180 | UINT64 ByteCount;\r |
9095d37b LG |
181 | ///\r |
182 | /// A time interval in second that warns the implementation to\r | |
fa05b97b | 183 | /// initiate action such as setting up a replacement SA.\r |
9095d37b | 184 | ///\r |
2f88bd3a | 185 | UINT64 SoftLifetime;\r |
9095d37b LG |
186 | ///\r |
187 | /// A time interval in second when the current SA ends and is\r | |
fa05b97b | 188 | /// destroyed.\r |
9095d37b | 189 | ///\r |
2f88bd3a | 190 | UINT64 HardLifetime;\r |
fa05b97b | 191 | } EFI_IPSEC_SA_LIFETIME;\r |
192 | \r | |
193 | ///\r | |
194 | /// EFI_IPSEC_MODE\r | |
9095d37b LG |
195 | /// There are two modes of IPsec operation: transport mode and tunnel mode. In\r |
196 | /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;\r | |
fa05b97b | 197 | /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r |
198 | ///\r | |
199 | typedef enum {\r | |
200 | EfiIPsecTransport,\r | |
201 | EfiIPsecTunnel\r | |
202 | } EFI_IPSEC_MODE;\r | |
203 | \r | |
204 | ///\r | |
205 | /// EFI_IPSEC_TUNNEL_DF_OPTION\r | |
206 | /// The option of copying the DF bit from an outbound package to\r | |
207 | /// the tunnel mode header that it emits, when traffic is carried\r | |
208 | /// via a tunnel mode SA. This applies to SAs where both inner and\r | |
209 | /// outer headers are IPv4.\r | |
210 | ///\r | |
211 | typedef enum {\r | |
212 | EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r | |
213 | EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r | |
214 | EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r | |
215 | } EFI_IPSEC_TUNNEL_DF_OPTION;\r | |
216 | \r | |
217 | ///\r | |
218 | /// EFI_IPSEC_TUNNEL_OPTION\r | |
219 | ///\r | |
220 | typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r | |
9095d37b | 221 | ///\r |
fa05b97b | 222 | /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r |
9095d37b | 223 | ///\r |
2f88bd3a | 224 | EFI_IP_ADDRESS LocalTunnelAddress;\r |
9095d37b | 225 | ///\r |
fa05b97b | 226 | /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r |
9095d37b | 227 | ///\r |
2f88bd3a | 228 | EFI_IP_ADDRESS RemoteTunnelAddress;\r |
9095d37b | 229 | ///\r |
fa05b97b | 230 | /// The option of copying the DF bit from an outbound package\r |
9095d37b LG |
231 | /// to the tunnel mode header that it emits, when traffic is\r |
232 | /// carried via a tunnel mode SA.\r | |
233 | ///\r | |
2f88bd3a | 234 | EFI_IPSEC_TUNNEL_DF_OPTION DF;\r |
fa05b97b | 235 | } EFI_IPSEC_TUNNEL_OPTION;\r |
236 | \r | |
237 | ///\r | |
238 | /// EFI_IPSEC_PROTOCOL_TYPE\r | |
239 | ///\r | |
240 | typedef enum {\r | |
241 | EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r | |
9095d37b | 242 | EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303.\r |
fa05b97b | 243 | } EFI_IPSEC_PROTOCOL_TYPE;\r |
244 | \r | |
245 | ///\r | |
246 | /// EFI_IPSEC_PROCESS_POLICY\r | |
247 | /// describes a policy list for traffic processing.\r | |
248 | ///\r | |
249 | typedef struct _EFI_IPSEC_PROCESS_POLICY {\r | |
9095d37b LG |
250 | ///\r |
251 | /// Extended Sequence Number. Is this SA using extended sequence\r | |
fa05b97b | 252 | /// numbers. 64 bit counter is used if TRUE.\r |
9095d37b | 253 | ///\r |
2f88bd3a | 254 | BOOLEAN ExtSeqNum;\r |
9095d37b LG |
255 | ///\r |
256 | /// A flag indicating whether overflow of the sequence number\r | |
257 | /// counter should generate an auditable event and prevent\r | |
258 | /// transmission of additional packets on the SA, or whether rollover\r | |
fa05b97b | 259 | /// is permitted.\r |
9095d37b | 260 | ///\r |
2f88bd3a | 261 | BOOLEAN SeqOverflow;\r |
9095d37b LG |
262 | ///\r |
263 | /// Is this SA using stateful fragment checking. TRUE represents\r | |
fa05b97b | 264 | /// stateful fragment checking.\r |
9095d37b | 265 | ///\r |
2f88bd3a | 266 | BOOLEAN FragCheck;\r |
9095d37b LG |
267 | ///\r |
268 | /// A time interval after which a SA must be replaced with a new SA\r | |
269 | /// (and new SPI) or terminated.\r | |
270 | ///\r | |
2f88bd3a | 271 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
9095d37b | 272 | ///\r |
fa05b97b | 273 | /// IPsec mode: tunnel or transport.\r |
9095d37b | 274 | ///\r |
2f88bd3a | 275 | EFI_IPSEC_MODE Mode;\r |
9095d37b | 276 | ///\r |
fa05b97b | 277 | /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r |
9095d37b | 278 | ///\r |
2f88bd3a | 279 | EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r |
9095d37b | 280 | ///\r |
fa05b97b | 281 | /// IPsec protocol: AH or ESP\r |
9095d37b | 282 | ///\r |
2f88bd3a | 283 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
9095d37b | 284 | ///\r |
fa05b97b | 285 | /// Cryptographic algorithm type used for authentication.\r |
9095d37b | 286 | ///\r |
2f88bd3a | 287 | UINT8 AuthAlgoId;\r |
9095d37b LG |
288 | ///\r |
289 | /// Cryptographic algorithm type used for encryption. EncAlgo is\r | |
290 | /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo\r | |
291 | /// can also be used to describe the algorithm if a combined mode\r | |
fa05b97b | 292 | /// algorithm is used.\r |
293 | ///\r | |
2f88bd3a | 294 | UINT8 EncAlgoId;\r |
fa05b97b | 295 | } EFI_IPSEC_PROCESS_POLICY;\r |
296 | \r | |
fa05b97b | 297 | ///\r |
298 | /// EFI_IPSEC_SA_ID\r | |
299 | /// A triplet to identify an SA, consisting of the following members.\r | |
300 | ///\r | |
301 | typedef struct _EFI_IPSEC_SA_ID {\r | |
9095d37b LG |
302 | ///\r |
303 | /// Security Parameter Index (aka SPI). An arbitrary 32-bit value\r | |
304 | /// that is used by a receiver to identity the SA to which an incoming\r | |
fa05b97b | 305 | /// package should be bound.\r |
9095d37b | 306 | ///\r |
2f88bd3a | 307 | UINT32 Spi;\r |
9095d37b | 308 | ///\r |
fa05b97b | 309 | /// IPsec protocol: AH or ESP\r |
9095d37b | 310 | ///\r |
2f88bd3a | 311 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
9095d37b LG |
312 | ///\r |
313 | /// Destination IP address.\r | |
314 | ///\r | |
2f88bd3a | 315 | EFI_IP_ADDRESS DestAddress;\r |
fa05b97b | 316 | } EFI_IPSEC_SA_ID;\r |
317 | \r | |
2f88bd3a | 318 | #define MAX_PEERID_LEN 128\r |
fa05b97b | 319 | \r |
320 | ///\r | |
321 | /// EFI_IPSEC_SPD_DATA\r | |
322 | ///\r | |
323 | typedef struct _EFI_IPSEC_SPD_DATA {\r | |
9095d37b LG |
324 | ///\r |
325 | /// A null-terminated ASCII name string which is used as a symbolic\r | |
fa05b97b | 326 | /// identifier for an IPsec Local or Remote address.\r |
9095d37b | 327 | ///\r |
2f88bd3a | 328 | UINT8 Name[MAX_PEERID_LEN];\r |
9095d37b LG |
329 | ///\r |
330 | /// Bit-mapped list describing Populate from Packet flags. When\r | |
331 | /// creating a SA, if PackageFlag bit is set to TRUE, instantiate\r | |
332 | /// the selector from the corresponding field in the package that\r | |
333 | /// triggered the creation of the SA, else from the value(s) in the\r | |
334 | /// corresponding SPD entry. The PackageFlag bit setting for\r | |
fa05b97b | 335 | /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r |
9095d37b LG |
336 | /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress\r |
337 | /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress\r | |
338 | /// Bit 2:\r | |
339 | /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol\r | |
340 | /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort\r | |
341 | /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort\r | |
fa05b97b | 342 | /// Others: Reserved.\r |
343 | ///\r | |
2f88bd3a | 344 | UINT32 PackageFlag;\r |
9095d37b | 345 | ///\r |
fa05b97b | 346 | /// The traffic direction of data gram.\r |
9095d37b | 347 | ///\r |
2f88bd3a | 348 | EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r |
9095d37b LG |
349 | ///\r |
350 | /// Processing choices to indicate which action is required by this\r | |
351 | /// policy.\r | |
352 | ///\r | |
2f88bd3a | 353 | EFI_IPSEC_ACTION Action;\r |
9095d37b | 354 | ///\r |
fa05b97b | 355 | /// The policy and rule information for a SPD entry.\r |
9095d37b | 356 | ///\r |
2f88bd3a | 357 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r |
9095d37b | 358 | ///\r |
fa05b97b | 359 | /// Specifies the actual number of entries in SaId list.\r |
9095d37b | 360 | ///\r |
2f88bd3a | 361 | UINTN SaIdCount;\r |
9095d37b LG |
362 | ///\r |
363 | /// The SAD entry used for the traffic processing. The\r | |
fa05b97b | 364 | /// existed SAD entry links indicate this is the manual key case.\r |
9095d37b | 365 | ///\r |
2f88bd3a | 366 | EFI_IPSEC_SA_ID SaId[1];\r |
fa05b97b | 367 | } EFI_IPSEC_SPD_DATA;\r |
368 | \r | |
369 | ///\r | |
370 | /// EFI_IPSEC_AH_ALGO_INFO\r | |
371 | /// The security algorithm selection for IPsec AH authentication.\r | |
372 | /// The required authentication algorithm is specified in RFC 4305.\r | |
373 | ///\r | |
374 | typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r | |
2f88bd3a MK |
375 | UINT8 AuthAlgoId;\r |
376 | UINTN AuthKeyLength;\r | |
377 | VOID *AuthKey;\r | |
fa05b97b | 378 | } EFI_IPSEC_AH_ALGO_INFO;\r |
379 | \r | |
380 | ///\r | |
381 | /// EFI_IPSEC_ESP_ALGO_INFO\r | |
382 | /// The security algorithm selection for IPsec ESP encryption and authentication.\r | |
9095d37b LG |
383 | /// The required authentication algorithm is specified in RFC 4305.\r |
384 | /// EncAlgoId fields can also specify an ESP combined mode algorithm\r | |
385 | /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both\r | |
fa05b97b | 386 | /// confidentiality and authentication services.\r |
387 | ///\r | |
388 | typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r | |
2f88bd3a MK |
389 | UINT8 EncAlgoId;\r |
390 | UINTN EncKeyLength;\r | |
391 | VOID *EncKey;\r | |
392 | UINT8 AuthAlgoId;\r | |
393 | UINTN AuthKeyLength;\r | |
394 | VOID *AuthKey;\r | |
fa05b97b | 395 | } EFI_IPSEC_ESP_ALGO_INFO;\r |
396 | \r | |
397 | ///\r | |
398 | /// EFI_IPSEC_ALGO_INFO\r | |
399 | ///\r | |
400 | typedef union {\r | |
2f88bd3a MK |
401 | EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r |
402 | EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r | |
fa05b97b | 403 | } EFI_IPSEC_ALGO_INFO;\r |
404 | \r | |
405 | ///\r | |
406 | /// EFI_IPSEC_SA_DATA\r | |
407 | ///\r | |
408 | typedef struct _EFI_IPSEC_SA_DATA {\r | |
9095d37b | 409 | ///\r |
fa05b97b | 410 | /// IPsec mode: tunnel or transport.\r |
9095d37b | 411 | ///\r |
2f88bd3a | 412 | EFI_IPSEC_MODE Mode;\r |
9095d37b LG |
413 | ///\r |
414 | /// Sequence Number Counter. A 64-bit counter used to generate the\r | |
fa05b97b | 415 | /// sequence number field in AH or ESP headers.\r |
9095d37b | 416 | ///\r |
2f88bd3a | 417 | UINT64 SNCount;\r |
9095d37b LG |
418 | ///\r |
419 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to\r | |
fa05b97b | 420 | /// determine whether an inbound AH or ESP packet is a replay.\r |
9095d37b | 421 | ///\r |
2f88bd3a | 422 | UINT8 AntiReplayWindows;\r |
9095d37b LG |
423 | ///\r |
424 | /// AH/ESP cryptographic algorithm, key and parameters.\r | |
425 | ///\r | |
2f88bd3a | 426 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r |
9095d37b LG |
427 | ///\r |
428 | /// Lifetime of this SA.\r | |
429 | ///\r | |
2f88bd3a | 430 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
9095d37b LG |
431 | ///\r |
432 | /// Any observed path MTU and aging variables. The Path MTU\r | |
fa05b97b | 433 | /// processing is defined in section 8 of RFC 4301.\r |
9095d37b | 434 | ///\r |
2f88bd3a | 435 | UINT32 PathMTU;\r |
9095d37b | 436 | ///\r |
fa05b97b | 437 | /// Link to one SPD entry.\r |
9095d37b | 438 | ///\r |
2f88bd3a | 439 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r |
9095d37b LG |
440 | ///\r |
441 | /// Indication of whether it's manually set or negotiated automatically.\r | |
442 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through\r | |
fa05b97b | 443 | /// IKE protocol negotiation.\r |
444 | ///\r | |
2f88bd3a | 445 | BOOLEAN ManualSet;\r |
fa05b97b | 446 | } EFI_IPSEC_SA_DATA;\r |
447 | \r | |
705f53a9 | 448 | ///\r |
449 | /// EFI_IPSEC_SA_DATA2\r | |
450 | ///\r | |
9095d37b | 451 | typedef struct _EFI_IPSEC_SA_DATA2 {\r |
705f53a9 | 452 | ///\r |
453 | /// IPsec mode: tunnel or transport\r | |
454 | ///\r | |
2f88bd3a | 455 | EFI_IPSEC_MODE Mode;\r |
705f53a9 | 456 | ///\r |
9095d37b LG |
457 | /// Sequence Number Counter. A 64-bit counter used to generate the sequence\r |
458 | /// number field in AH or ESP headers.\r | |
705f53a9 | 459 | ///\r |
2f88bd3a | 460 | UINT64 SNCount;\r |
705f53a9 | 461 | ///\r |
9095d37b | 462 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine\r |
705f53a9 | 463 | /// whether an inbound AH or ESP packet is a replay.\r |
464 | ///\r | |
2f88bd3a | 465 | UINT8 AntiReplayWindows;\r |
705f53a9 | 466 | ///\r |
467 | /// AH/ESP cryptographic algorithm, key and parameters.\r | |
468 | ///\r | |
2f88bd3a | 469 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r |
705f53a9 | 470 | ///\r |
471 | /// Lifetime of this SA.\r | |
472 | ///\r | |
2f88bd3a | 473 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
705f53a9 | 474 | ///\r |
9095d37b | 475 | /// Any observed path MTU and aging variables. The Path MTU processing is\r |
705f53a9 | 476 | /// defined in section 8 of RFC 4301.\r |
477 | ///\r | |
2f88bd3a | 478 | UINT32 PathMTU;\r |
705f53a9 | 479 | ///\r |
480 | /// Link to one SPD entry\r | |
481 | ///\r | |
2f88bd3a | 482 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r |
705f53a9 | 483 | ///\r |
9095d37b LG |
484 | /// Indication of whether it's manually set or negotiated automatically.\r |
485 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE\r | |
705f53a9 | 486 | /// protocol negotiation\r |
487 | ///\r | |
2f88bd3a | 488 | BOOLEAN ManualSet;\r |
705f53a9 | 489 | ///\r |
490 | /// The tunnel header IP source address.\r | |
491 | ///\r | |
2f88bd3a | 492 | EFI_IP_ADDRESS TunnelSourceAddress;\r |
705f53a9 | 493 | ///\r |
494 | /// The tunnel header IP destination address.\r | |
495 | ///\r | |
2f88bd3a | 496 | EFI_IP_ADDRESS TunnelDestinationAddress;\r |
9095d37b | 497 | } EFI_IPSEC_SA_DATA2;\r |
705f53a9 | 498 | \r |
fa05b97b | 499 | ///\r |
500 | /// EFI_IPSEC_PAD_ID\r | |
501 | /// specifies the identifier for PAD entry, which is also used for SPD lookup.\r | |
502 | /// IpAddress Pointer to the IPv4 or IPv6 address range.\r | |
503 | ///\r | |
504 | typedef struct _EFI_IPSEC_PAD_ID {\r | |
505 | ///\r | |
506 | /// Flag to identify which type of PAD Id is used.\r | |
9095d37b | 507 | ///\r |
2f88bd3a | 508 | BOOLEAN PeerIdValid;\r |
fa05b97b | 509 | union {\r |
510 | ///\r | |
511 | /// Pointer to the IPv4 or IPv6 address range.\r | |
512 | ///\r | |
2f88bd3a | 513 | EFI_IP_ADDRESS_INFO IpAddress;\r |
fa05b97b | 514 | ///\r |
4f077902 | 515 | /// Pointer to a null terminated ASCII string\r |
9095d37b LG |
516 | /// representing the symbolic names. A PeerId can be a DNS\r |
517 | /// name, Distinguished Name, RFC 822 email address or Key ID\r | |
fa05b97b | 518 | /// (specified in section 4.4.3.1 of RFC 4301)\r |
519 | ///\r | |
2f88bd3a | 520 | UINT8 PeerId[MAX_PEERID_LEN];\r |
fa05b97b | 521 | } Id;\r |
522 | } EFI_IPSEC_PAD_ID;\r | |
523 | \r | |
524 | ///\r | |
525 | /// EFI_IPSEC_CONFIG_SELECTOR\r | |
9095d37b | 526 | /// describes the expected IPsec configuration data selector\r |
fa05b97b | 527 | /// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r |
528 | ///\r | |
529 | typedef union {\r | |
2f88bd3a MK |
530 | EFI_IPSEC_SPD_SELECTOR SpdSelector;\r |
531 | EFI_IPSEC_SA_ID SaId;\r | |
532 | EFI_IPSEC_PAD_ID PadId;\r | |
fa05b97b | 533 | } EFI_IPSEC_CONFIG_SELECTOR;\r |
534 | \r | |
535 | ///\r | |
536 | /// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r | |
9095d37b | 537 | /// defines the possible authentication protocol for IPsec\r |
fa05b97b | 538 | /// security association management.\r |
539 | ///\r | |
540 | typedef enum {\r | |
541 | EfiIPsecAuthProtocolIKEv1,\r | |
542 | EfiIPsecAuthProtocolIKEv2,\r | |
543 | EfiIPsecAuthProtocolMaximum\r | |
544 | } EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r | |
545 | \r | |
546 | ///\r | |
547 | /// EFI_IPSEC_AUTH_METHOD\r | |
548 | ///\r | |
549 | typedef enum {\r | |
550 | ///\r | |
551 | /// Using Pre-shared Keys for manual security associations.\r | |
552 | ///\r | |
553 | EfiIPsecAuthMethodPreSharedSecret,\r | |
554 | ///\r | |
555 | /// IKE employs X.509 certificates for SA establishment.\r | |
556 | ///\r | |
557 | EfiIPsecAuthMethodCertificates,\r | |
558 | EfiIPsecAuthMethodMaximum\r | |
559 | } EFI_IPSEC_AUTH_METHOD;\r | |
560 | \r | |
561 | ///\r | |
562 | /// EFI_IPSEC_PAD_DATA\r | |
563 | ///\r | |
564 | typedef struct _EFI_IPSEC_PAD_DATA {\r | |
9095d37b | 565 | ///\r |
fa05b97b | 566 | /// Authentication Protocol for IPsec security association management.\r |
9095d37b | 567 | ///\r |
2f88bd3a | 568 | EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r |
9095d37b | 569 | ///\r |
fa05b97b | 570 | /// Authentication method used.\r |
9095d37b | 571 | ///\r |
2f88bd3a | 572 | EFI_IPSEC_AUTH_METHOD AuthMethod;\r |
9095d37b LG |
573 | ///\r |
574 | /// The IKE ID payload will be used as a symbolic name for SPD\r | |
575 | /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP\r | |
fa05b97b | 576 | /// address provided in traffic selector playloads will be used.\r |
9095d37b | 577 | ///\r |
2f88bd3a | 578 | BOOLEAN IkeIdFlag;\r |
9095d37b | 579 | ///\r |
fa05b97b | 580 | /// The size of Authentication data buffer, in bytes.\r |
9095d37b | 581 | ///\r |
2f88bd3a | 582 | UINTN AuthDataSize;\r |
9095d37b LG |
583 | ///\r |
584 | /// Buffer for Authentication data, (e.g., the pre-shared secret or the\r | |
585 | /// trust anchor relative to which the peer's certificate will be\r | |
fa05b97b | 586 | /// validated).\r |
9095d37b | 587 | ///\r |
2f88bd3a | 588 | VOID *AuthData;\r |
9095d37b | 589 | ///\r |
fa05b97b | 590 | /// The size of RevocationData, in bytes\r |
9095d37b | 591 | ///\r |
2f88bd3a | 592 | UINTN RevocationDataSize;\r |
9095d37b LG |
593 | ///\r |
594 | /// Pointer to CRL or OCSP data, if certificates are used for\r | |
fa05b97b | 595 | /// authentication method.\r |
9095d37b | 596 | ///\r |
2f88bd3a | 597 | VOID *RevocationData;\r |
fa05b97b | 598 | } EFI_IPSEC_PAD_DATA;\r |
599 | \r | |
fa05b97b | 600 | /**\r |
601 | Set the security association, security policy and peer authorization configuration\r | |
9095d37b | 602 | information for the EFI IPsec driver.\r |
fa05b97b | 603 | \r |
604 | This function is used to set the IPsec configuration information of type DataType for\r | |
605 | the EFI IPsec driver.\r | |
606 | The IPsec configuration data has a unique selector/identifier separately to identify\r | |
3227f995 | 607 | a data entry. The selector structure depends on DataType's definition.\r |
fa05b97b | 608 | Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r |
9095d37b | 609 | by DataType and Selector to be deleted.\r |
fa05b97b | 610 | \r |
611 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
612 | @param[in] DataType The type of data to be set.\r | |
9095d37b LG |
613 | @param[in] Selector Pointer to an entry selector on operated configuration data\r |
614 | specified by DataType. A NULL Selector causes the entire\r | |
fa05b97b | 615 | specified-type configuration information to be flushed.\r |
9095d37b | 616 | @param[in] Data The data buffer to be set. The structure of the data buffer is\r |
fa05b97b | 617 | associated with the DataType.\r |
618 | @param[in] InsertBefore Pointer to one entry selector which describes the expected\r | |
619 | position the new data entry will be added. If InsertBefore is NULL,\r | |
620 | the new entry will be appended the end of database.\r | |
9095d37b | 621 | \r |
fa05b97b | 622 | @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r |
623 | @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r | |
624 | - This is NULL.\r | |
625 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
626 | @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r | |
627 | \r | |
628 | **/\r | |
629 | typedef\r | |
630 | EFI_STATUS\r | |
a1749b80 | 631 | (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(\r |
fa05b97b | 632 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
633 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
634 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
635 | IN VOID *Data,\r | |
636 | IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r | |
637 | );\r | |
638 | \r | |
639 | /**\r | |
9095d37b | 640 | Return the configuration value for the EFI IPsec driver.\r |
fa05b97b | 641 | \r |
642 | This function lookup the data entry from IPsec database or IKEv2 configuration\r | |
643 | information. The expected data type and unique identification are described in\r | |
9095d37b | 644 | DataType and Selector parameters.\r |
fa05b97b | 645 | \r |
646 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
647 | @param[in] DataType The type of data to retrieve.\r | |
9095d37b | 648 | @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec\r |
fa05b97b | 649 | configuration data entry.\r |
650 | @param[in, out] DataSize On output the size of data returned in Data.\r | |
9095d37b LG |
651 | @param[out] Data The buffer to return the contents of the IPsec configuration data.\r |
652 | The type of the data buffer is associated with the DataType.\r | |
653 | \r | |
fa05b97b | 654 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
655 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
656 | - This is NULL.\r | |
657 | - Selector is NULL.\r | |
658 | - DataSize is NULL.\r | |
659 | - Data is NULL and *DataSize is not zero\r | |
660 | @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r | |
661 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
662 | @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r | |
663 | updated with the size needed to complete the request.\r | |
664 | \r | |
665 | **/\r | |
666 | typedef\r | |
667 | EFI_STATUS\r | |
a1749b80 | 668 | (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(\r |
fa05b97b | 669 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
670 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
671 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
672 | IN OUT UINTN *DataSize,\r | |
673 | OUT VOID *Data\r | |
674 | );\r | |
675 | \r | |
676 | /**\r | |
9095d37b | 677 | Enumerates the current selector for IPsec configuration data entry.\r |
fa05b97b | 678 | \r |
679 | This function is called multiple times to retrieve the entry Selector in IPsec\r | |
9095d37b | 680 | configuration database. On each call to GetNextSelector(), the next entry\r |
fa05b97b | 681 | Selector are retrieved into the output interface.\r |
9095d37b LG |
682 | \r |
683 | If the entire IPsec configuration database has been iterated, the error\r | |
fa05b97b | 684 | EFI_NOT_FOUND is returned.\r |
9095d37b LG |
685 | If the Selector buffer is too small for the next Selector copy, an\r |
686 | EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect\r | |
fa05b97b | 687 | the size of buffer needed.\r |
688 | \r | |
689 | On the initial call to GetNextSelector() to start the IPsec configuration database\r | |
9095d37b LG |
690 | search, a pointer to the buffer with all zero value is passed in Selector. Calls\r |
691 | to SetData() between calls to GetNextSelector may produce unpredictable results.\r | |
fa05b97b | 692 | \r |
693 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
694 | @param[in] DataType The type of IPsec configuration data to retrieve.\r | |
695 | @param[in, out] SelectorSize The size of the Selector buffer.\r | |
9095d37b | 696 | @param[in, out] Selector On input, supplies the pointer to last Selector that was\r |
fa05b97b | 697 | returned by GetNextSelector().\r |
698 | On output, returns one copy of the current entry Selector\r | |
9095d37b LG |
699 | of a given DataType.\r |
700 | \r | |
fa05b97b | 701 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
702 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
703 | - This is NULL.\r | |
704 | - SelectorSize is NULL.\r | |
705 | - Selector is NULL.\r | |
706 | @retval EFI_NOT_FOUND The next configuration data entry was not found.\r | |
707 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
708 | @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r | |
9095d37b | 709 | has been updated with the size needed to complete the search\r |
fa05b97b | 710 | request.\r |
711 | \r | |
712 | **/\r | |
713 | typedef\r | |
714 | EFI_STATUS\r | |
a1749b80 | 715 | (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(\r |
fa05b97b | 716 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
717 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
718 | IN OUT UINTN *SelectorSize,\r | |
719 | IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r | |
720 | );\r | |
721 | \r | |
722 | /**\r | |
723 | Register an event that is to be signaled whenever a configuration process on the\r | |
9095d37b | 724 | specified IPsec configuration information is done.\r |
fa05b97b | 725 | \r |
726 | This function registers an event that is to be signaled whenever a configuration\r | |
9095d37b | 727 | process on the specified IPsec configuration data is done (e.g. IPsec security\r |
fa05b97b | 728 | policy database configuration is ready). An event can be registered for different\r |
9095d37b LG |
729 | DataType simultaneously and the caller is responsible for determining which type\r |
730 | of configuration data causes the signaling of the event in such case.\r | |
fa05b97b | 731 | \r |
732 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
733 | @param[in] DataType The type of data to be registered the event for.\r | |
734 | @param[in] Event The event to be registered.\r | |
9095d37b | 735 | \r |
fa05b97b | 736 | @retval EFI_SUCCESS The event is registered successfully.\r |
737 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
738 | @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r | |
739 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
740 | DataType is not supported.\r | |
741 | \r | |
742 | **/\r | |
743 | typedef\r | |
744 | EFI_STATUS\r | |
a1749b80 | 745 | (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(\r |
fa05b97b | 746 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
747 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
748 | IN EFI_EVENT Event\r | |
749 | );\r | |
750 | \r | |
751 | /**\r | |
752 | Remove the specified event that is previously registered on the specified IPsec\r | |
9095d37b | 753 | configuration data.\r |
fa05b97b | 754 | \r |
9095d37b | 755 | This function removes a previously registered event for the specified configuration data.\r |
fa05b97b | 756 | \r |
757 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
758 | @param[in] DataType The configuration data type to remove the registered event for.\r | |
759 | @param[in] Event The event to be unregistered.\r | |
9095d37b | 760 | \r |
fa05b97b | 761 | @retval EFI_SUCCESS The event is removed successfully.\r |
9095d37b | 762 | @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the\r |
fa05b97b | 763 | database.\r |
764 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
765 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
766 | DataType is not supported.\r | |
767 | \r | |
768 | **/\r | |
769 | typedef\r | |
770 | EFI_STATUS\r | |
a1749b80 | 771 | (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(\r |
fa05b97b | 772 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
773 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
774 | IN EFI_EVENT Event\r | |
775 | );\r | |
776 | \r | |
777 | ///\r | |
778 | /// EFI_IPSEC_CONFIG_PROTOCOL\r | |
779 | /// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r | |
9095d37b LG |
780 | /// SPD (Security Policy Database) data entry and configure the security association\r |
781 | /// management protocol such as IKEv2. This protocol is used as the central\r | |
fa05b97b | 782 | /// repository of any policy-specific configuration for EFI IPsec driver.\r |
9095d37b | 783 | /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this\r |
fa05b97b | 784 | /// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r |
9095d37b | 785 | ///\r |
fa05b97b | 786 | struct _EFI_IPSEC_CONFIG_PROTOCOL {\r |
2f88bd3a MK |
787 | EFI_IPSEC_CONFIG_SET_DATA SetData;\r |
788 | EFI_IPSEC_CONFIG_GET_DATA GetData;\r | |
789 | EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r | |
790 | EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r | |
791 | EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r | |
fa05b97b | 792 | };\r |
793 | \r | |
2f88bd3a | 794 | extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r |
fa05b97b | 795 | \r |
796 | #endif\r |