/** @file
  EFI IPSEC Protocol Definition
  The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams.
  The EFI_IPSEC2_PROTOCOL is used to abstract the ability to deal with the individual
  packets sent and received by the host and provide packet-level security for IP
  datagrams. In addition, it supports the Option (extension header) processing in
  IPsec, which is not supported in EFI_IPSEC_PROTOCOL. It is also recommended to
  use EFI_IPSEC2_PROTOCOL instead of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel
  Mode.

  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent

  @par Revision Reference:
  The EFI_IPSEC2_PROTOCOL is introduced in UEFI Specification 2.3D.

**/
20 | \r | |
21 | #ifndef __EFI_IPSEC_PROTOCOL_H__\r | |
22 | #define __EFI_IPSEC_PROTOCOL_H__\r | |
23 | \r | |
24 | #include <Protocol/IpSecConfig.h>\r | |
25 | \r | |
///
/// Protocol GUID for EFI_IPSEC_PROTOCOL.
///
#define EFI_IPSEC_PROTOCOL_GUID \
  { \
    0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
  }

///
/// Protocol GUID for EFI_IPSEC2_PROTOCOL.
///
#define EFI_IPSEC2_PROTOCOL_GUID \
  { \
    0xa3979e64, 0xace8, 0x4ddc, {0xbc, 0x7, 0x4d, 0x66, 0xb8, 0xfd, 0x9, 0x77 } \
  }
35 | \r | |
///
/// Forward declarations so that the Process()/ProcessExt() function-pointer
/// typedefs below can name the protocol struct they receive as their This
/// argument before the structs themselves are defined.
///
typedef struct _EFI_IPSEC_PROTOCOL   EFI_IPSEC_PROTOCOL;
typedef struct _EFI_IPSEC2_PROTOCOL  EFI_IPSEC2_PROTOCOL;
fa05b97b | 38 | \r |
///
/// EFI_IPSEC_FRAGMENT_DATA
/// defines the instances of packet fragments.
///
/// One entry of the FragmentTable list handed to Process()/ProcessExt();
/// the number of entries travels separately in FragmentCount, so a consumer
/// must bound every walk of the list by that count and every access to a
/// buffer by its FragmentLength.
///
typedef struct _EFI_IPSEC_FRAGMENT_DATA {
  UINT32    FragmentLength;   ///< Length of FragmentBuffer (presumably in bytes; confirm against the UEFI spec).
  VOID      *FragmentBuffer;  ///< Fragment payload; FragmentLength is the only bound on it.
} EFI_IPSEC_FRAGMENT_DATA;
fa05b97b | 47 | \r |
/**
  Handles IPsec packet processing for inbound and outbound IP packets.

  The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Both "bypassed" and "protected" are reported as EFI_SUCCESS, so the return
  status alone does not tell the caller whether a packet was actually protected;
  only EFI_ACCESS_DENIED is distinguishable, and it means the packet was discarded.
  NOTE(review): a discarded packet must be dropped by the caller; falling back
  to forwarding or delivering it unprotected would defeat the IPsec policy.

  Unlike EFI_IPSEC_PROCESSEXT, OptionsBuffer/OptionsLength are input-only here
  and FragmentCount is declared IN rather than IN OUT: this routine does not
  process or rewrite IP options (extension headers).

  @param[in]      This             Pointer to the EFI_IPSEC_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IPV4 or IPV6 (the numeric encoding is not
                                   defined in this header; see the UEFI spec).
  @param[in, out] IpHead           Pointer to the IP Header; may be modified.
  @param[in]      LastHead         The protocol of the next layer to be processed by IPsec.
  @param[in]      OptionsBuffer    Pointer to the options buffer.
  @param[in]      OptionsLength    Length of the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. The pointer
                                   itself may be replaced on output; see
                                   RecycleSignal for reclaiming resources.
  @param[in]      FragmentCount    Number of fragments.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources.

  @retval EFI_SUCCESS           The packet was bypassed and all buffers remain the same.
  @retval EFI_SUCCESS           The packet was protected.
  @retval EFI_ACCESS_DENIED     The packet was discarded.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESS)(
  IN EFI_IPSEC_PROTOCOL              *This,
  IN EFI_HANDLE                      NicHandle,
  IN UINT8                           IpVer,
  IN OUT VOID                        *IpHead,
  IN UINT8                           *LastHead,
  IN VOID                            *OptionsBuffer,
  IN UINT32                          OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA     **FragmentTable,
  IN UINT32                          *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR           TrafficDirection,
  OUT EFI_EVENT                      *RecycleSignal
  );
87 | \r | |
///
/// EFI_IPSEC_PROTOCOL
/// provides the ability for securing IP communications by authenticating
/// and/or encrypting each IP packet in a data stream.
/// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
/// A user can employ this protocol for IPsec packet handling in both IPv4
/// and IPv6 environments.
/// The matching GUID is EFI_IPSEC_PROTOCOL_GUID. Option (extension header)
/// processing is not supported by this protocol; use EFI_IPSEC2_PROTOCOL for that.
///
struct _EFI_IPSEC_PROTOCOL {
  EFI_IPSEC_PROCESS    Process;         ///< Handle the IPsec message.
  EFI_EVENT            DisabledEvent;   ///< Event signaled when the interface is disabled.
  BOOLEAN              DisabledFlag;    ///< State of the interface (presumably TRUE while disabled; confirm against the UEFI spec).
};
101 | \r | |
/**
  Handles IPsec processing for both inbound and outbound IP packets. Compared with
  Process() in EFI_IPSEC_PROTOCOL, this interface has the capability to process
  Options (Extension Headers).

  The EFI_IPSEC2_PROCESS process routine handles each inbound or outbound packet.
  The behavior is that it can perform one of the following actions:
  bypass the packet, discard the packet, or protect the packet.

  Ownership: the caller is responsible for freeing the options buffer both on
  input and on output, and IPsec may hand back a different pointer (or NULL in
  outbound tunnel mode) in *OptionsBuffer.
  NOTE(review): the text below leaves it open whether the returned pointer can
  alias the input one ("might be the same as the input's"); a caller that frees
  both should compare them first to avoid a double free — confirm against the
  implementation.
  NOTE(review): EFI_ACCESS_DENIED and EFI_NOT_READY both mean the packet was
  discarded; the caller must drop it rather than fall back to forwarding or
  delivering it unprotected.
  NOTE(review): only OptionsBuffer, OptionsLength, FragmentTable and
  FragmentCount are documented as NULL-checked; whether IpHead or LastHead are
  validated is not stated here.

  @param[in]      This             Pointer to the EFI_IPSEC2_PROTOCOL instance.
  @param[in]      NicHandle        Instance of the network interface.
  @param[in]      IpVer            IP version: IPv4 or IPv6.
  @param[in, out] IpHead           Pointer to the IP Header; it is either
                                   the EFI_IP4_HEADER or EFI_IP6_HEADER.
                                   On input, it contains the IP header.
                                   On output, 1) in tunnel mode and the
                                   traffic direction is inbound, the buffer
                                   will be reset to zero by IPsec; 2) in
                                   tunnel mode and the traffic direction
                                   is outbound, the buffer will be reset to
                                   be the tunnel IP header; 3) in transport
                                   mode, the related fields (like payload
                                   length, Next header) in the IP header will
                                   be modified according to the condition.
  @param[in, out] LastHead         For IP4, it is the next protocol in the IP
                                   header. For IP6 it is the Next Header
                                   of the last extension header.
  @param[in, out] OptionsBuffer    On input, it contains the options
                                   (extension headers) to be processed by
                                   IPsec. On output, 1) in tunnel mode and
                                   the traffic direction is outbound, it
                                   will be set to NULL, which means the
                                   contents were wrapped after the inner header
                                   and should not be concatenated after the
                                   tunnel header again; 2) in transport
                                   mode and the traffic direction is inbound,
                                   if there are IP options (extension headers)
                                   protected by IPsec, IPsec will concatenate
                                   those options after the input options
                                   (extension headers); 3) in other situations,
                                   the output contents of OptionsBuffer
                                   might be the same as the input's. The caller
                                   should take the responsibility to free
                                   the buffer both on input and on output.
  @param[in, out] OptionsLength    On input, the input length of the options
                                   buffer. On output, the output length of
                                   the options buffer.
  @param[in, out] FragmentTable    Pointer to a list of fragments. On input,
                                   these fragments contain the IP payload.
                                   On output, 1) in tunnel mode and the traffic
                                   direction is inbound, the fragments contain
                                   the whole IP payload, which is from the
                                   inner IP header to the last byte of the
                                   packet; 2) in tunnel mode and the traffic
                                   direction is outbound, the fragments
                                   contain the whole encapsulated payload,
                                   which encapsulates the whole IP payload
                                   between the encapsulated header and
                                   encapsulated trailer fields; 3) in transport
                                   mode and the traffic direction is inbound,
                                   the fragments contain the IP payload,
                                   which is from the next layer protocol to
                                   the last byte of the packet; 4) in transport
                                   mode and the traffic direction is outbound,
                                   the fragments contain the whole encapsulated
                                   payload, which encapsulates the next layer
                                   protocol information between the encapsulated
                                   header and encapsulated trailer fields.
  @param[in, out] FragmentCount    Number of fragments; updated on output when
                                   the list changes.
  @param[in]      TrafficDirection Traffic direction.
  @param[out]     RecycleSignal    Event for recycling of resources.

  @retval EFI_SUCCESS           The packet was processed by IPsec successfully.
  @retval EFI_ACCESS_DENIED     The packet was discarded.
  @retval EFI_NOT_READY         The IKE negotiation is invoked and the packet
                                was discarded.
  @retval EFI_INVALID_PARAMETER One or more of following are TRUE:
                                If OptionsBuffer is NULL;
                                If OptionsLength is NULL;
                                If FragmentTable is NULL;
                                If FragmentCount is NULL.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_PROCESSEXT)(
  IN EFI_IPSEC2_PROTOCOL             *This,
  IN EFI_HANDLE                      NicHandle,
  IN UINT8                           IpVer,
  IN OUT VOID                        *IpHead,
  IN OUT UINT8                       *LastHead,
  IN OUT VOID                        **OptionsBuffer,
  IN OUT UINT32                      *OptionsLength,
  IN OUT EFI_IPSEC_FRAGMENT_DATA     **FragmentTable,
  IN OUT UINT32                      *FragmentCount,
  IN EFI_IPSEC_TRAFFIC_DIR           TrafficDirection,
  OUT EFI_EVENT                      *RecycleSignal
  );
fa05b97b | 200 | \r |
///
/// EFI_IPSEC2_PROTOCOL
/// provides the ability for securing IP communications by authenticating and/or
/// encrypting each IP packet in a data stream.
/// It supports the Option (extension header) processing in IPsec which is not
/// supported in EFI_IPSEC_PROTOCOL. It is also recommended to use EFI_IPSEC2_PROTOCOL
/// instead of EFI_IPSEC_PROTOCOL, especially for IPsec Tunnel Mode.
/// The matching GUID is EFI_IPSEC2_PROTOCOL_GUID.
///
struct _EFI_IPSEC2_PROTOCOL {
  EFI_IPSEC_PROCESSEXT    ProcessExt;      ///< Handle the IPsec message, including Option (extension header) processing.
  EFI_EVENT               DisabledEvent;   ///< Event signaled when the interface is disabled (presumably as in EFI_IPSEC_PROTOCOL).
  BOOLEAN                 DisabledFlag;    ///< State of the interface (presumably as in EFI_IPSEC_PROTOCOL).
};
214 | \r | |
///
/// GUID variables for the two protocols; they are defined outside this header
/// (presumably initialized to EFI_IPSEC_PROTOCOL_GUID and EFI_IPSEC2_PROTOCOL_GUID
/// respectively — confirm in the package's protocol declarations).
///
extern EFI_GUID  gEfiIpSecProtocolGuid;
extern EFI_GUID  gEfiIpSec2ProtocolGuid;
fa05b97b | 217 | #endif\r |