/** @file\r
EFI IPSEC Protocol Definition\r
The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual\r
- packets sent and received by the host and provide packet-level security for IP datagram.\r
+ packets sent and received by the host and provide packet-level security for IP \r
+ datagram.\r
+ The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual\r
+ packets sent and received by the host and provide packet-level security for IP \r
+ datagram. In addition, it supports the Option (extension header) processing in \r
+ IPsec which doesn't support in EFI_IPSEC_PROTOCOL. It is also recommended to \r
+ use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel \r
+ Mode.\r
\r
Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
@par Revision Reference: \r
- This Protocol is introduced in UEFI Specification 2.3\r
+ The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.\r
\r
**/\r
\r
0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \\r
}\r
\r
+#define EFI_IPSEC2_PROTOCOL_GUID \\r
+ { \\r
+ 0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \\r
+ }\r
+\r
typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;\r
+typedef struct _EFI_IPSEC2_PROTOCOL EFI_IPSEC2_PROTOCOL;\r
\r
///\r
/// EFI_IPSEC_FRAGMENT_DATA \r
BOOLEAN DisabledFlag; ///< State of the interface.\r
};\r
\r
-extern EFI_GUID gEfiIpSecProtocolGuid;\r
+/**\r
+ Handles IPsec processing for both inbound and outbound IP packets. Compare with \r
+ Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process \r
+ Option(Extension Header). \r
+\r
+ The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.\r
+ The behavior is that it can perform one of the following actions: \r
+ bypass the packet, discard the packet, or protect the packet. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC2_PROTOCOL instance.\r
+ @param[in] NicHandle Instance of the network interface. \r
+ @param[in] IpVer IP version.IPv4 or IPv6.\r
+ @param[in, out] IpHead Pointer to the IP Header it is either \r
+ the EFI_IP4_HEADER or EFI_IP6_HEADER.\r
+ On input, it contains the IP header. \r
+ On output, 1) in tunnel mode and the \r
+ traffic direction is inbound, the buffer \r
+ will be reset to zero by IPsec; 2) in \r
+ tunnel mode and the traffic direction \r
+ is outbound, the buffer will reset to \r
+ be the tunnel IP header.3) in transport \r
+ mode, the related fielders (like payload \r
+ length, Next header) in IP header will \r
+ be modified according to the condition.\r
+ @param[in, out] LastHead For IP4, it is the next protocol in IP\r
+ header. For IP6 it is the Next Header \r
+ of the last extension header.\r
+ @param[in, out] OptionsBuffer On input, it contains the options \r
+ (extensions header) to be processed by \r
+ IPsec. On output, 1) in tunnel mode and\r
+ the traffic direction is outbound, it \r
+ will be set to NULL, and that means this \r
+ contents was wrapped after inner header \r
+ and should not be concatenated after \r
+ tunnel header again; 2) in transport \r
+ mode and the traffic direction is inbound, \r
+ if there are IP options (extension headers) \r
+ protected by IPsec, IPsec will concatenate \r
+ the those options after the input options \r
+ (extension headers); 3) on other situations, \r
+ the output of contents of OptionsBuffer \r
+ might be same with input's. The caller \r
+ should take the responsibility to free \r
+ the buffer both on input and on output.\r
+ @param[in, out] OptionsLength On input, the input length of the options \r
+ buffer. On output, the output length of \r
+ the options buffer.\r
+ @param[in, out] FragmentTable Pointer to a list of fragments. On input, \r
+ these fragments contain the IP payload. \r
+ On output, 1) in tunnel mode and the traffic \r
+ direction is inbound, the fragments contain \r
+ the whole IP payload which is from the \r
+ IP inner header to the last byte of the \r
+ packet; 2) in tunnel mode and the traffic \r
+ direction is the outbound, the fragments \r
+ contains the whole encapsulated payload \r
+ which encapsulates the whole IP payload \r
+ between the encapsulated header and \r
+ encapsulated trailer fields. 3) in transport \r
+ mode and the traffic direction is inbound, \r
+ the fragments contains the IP payload \r
+ which is from the next layer protocol to \r
+ the last byte of the packet; 4) in transport \r
+ mode and the traffic direction is outbound, \r
+ the fragments contains the whole encapsulated \r
+ payload which encapsulates the next layer \r
+ protocol information between the encapsulated \r
+ header and encapsulated trailer fields.\r
+ @param[in, out] FragmentCount Number of fragments.\r
+ @param[in] TrafficDirection Traffic direction.\r
+ @param[out] RecycleSignal Event for recycling of resources.\r
+\r
+ @retval EFI_SUCCESS The packet was processed by IPsec successfully.\r
+ @retval EFI_ACCESS_DENIED The packet was discarded.\r
+ @retval EFI_NOT_READY The IKE negotiation is invoked and the packet \r
+ was discarded.\r
+ @retval EFI_INVALID_PARAMETER One or more of following are TRUE:\r
+ If OptionsBuffer is NULL;\r
+ If OptionsLength is NULL;\r
+ If FragmentTable is NULL;\r
+ If FragmentCount is NULL.\r
+\r
+**/\r
+typedef \r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_PROCESSEXT) ( \r
+ IN EFI_IPSEC2_PROTOCOL *This, \r
+ IN EFI_HANDLE NicHandle, \r
+ IN UINT8 IpVer, \r
+ IN OUT VOID *IpHead, \r
+ IN OUT UINT8 *LastHead, \r
+ IN OUT VOID **OptionsBuffer, \r
+ IN OUT UINT32 *OptionsLength, \r
+ IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, \r
+ IN OUT UINT32 *FragmentCount, \r
+ IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, \r
+ OUT EFI_EVENT *RecycleSignal\r
+ );\r
\r
+/// \r
+/// EFI_IPSEC2_PROTOCOL\r
+/// supports the Option (extension header) processing in IPsec which doesn't support\r
+/// in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL instead\r
+/// of EFI_IPSEC_PROTOCOL especially for IPsec Tunnel Mode.\r
+/// provides the ability for securing IP communications by authenticating and/or\r
+/// encrypting each IP packet in a data stream.\r
+///\r
+struct _EFI_IPSEC2_PROTOCOL { \r
+EFI_IPSEC_PROCESSEXT ProcessExt;\r
+EFI_EVENT DisabledEvent; \r
+BOOLEAN DisabledFlag; \r
+};\r
+\r
+extern EFI_GUID gEfiIpSecProtocolGuid;\r
+extern EFI_GUID gEfiIpSec2ProtocolGuid;\r
#endif\r
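Review bot: The EFI_INVALID_PARAMETER list at the end of the EFI_IPSEC_PROCESSEXT comment names only OptionsBuffer, OptionsLength, FragmentTable and FragmentCount, yet IpHead and LastHead are IN OUT pointers the implementation must dereference and IpVer selects which header layout is read through IpHead, so a NULL IpHead/LastHead or an unsupported IpVer is a caller error the contract should reject rather than leave undefined; I would extend the list with `If IpHead is NULL;`, `If LastHead is NULL;` and `If IpVer is not a supported IP version.` The OptionsBuffer description is also ambiguous on ownership: it says IPsec may concatenate protected options after the input options and that the caller frees the buffer "both on input and on output", but never states whether `*OptionsBuffer` may come back pointing at a different allocation, in which case the caller cannot tell whether the original buffer was released by IPsec — the classic setup for a leak or a double free. A sentence such as `If IPsec replaces *OptionsBuffer with a new buffer, it releases the original; the caller frees only the buffer returned on output.` (or the opposite rule, whichever the implementation actually follows — it cannot be determined from this header) would pin that down, ideally together with which allocator the buffer must be compatible with. Finally, EFI_SUCCESS covers both the "bypass" and "protect" outcomes listed at the top of the comment, so a caller that expects a packet to be protected has no way to confirm it was not simply bypassed; worth documenting explicitly, or stating whether a distinct status is intended.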