| fa05b97b |
1 | /** @file\r |
| 2 | EFI IPsec Configuration Protocol Definition\r |
| 3 | The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and \r |
| 4 | policy related information for the EFI IPsec protocol driver.\r |
| 5 | \r |
| 4f077902 |
6 | Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r |
| 9df063a0 |
7 | This program and the accompanying materials\r |
| fa05b97b |
8 | are licensed and made available under the terms and conditions of the BSD License\r |
| 9 | which accompanies this distribution. The full text of the license may be found at\r |
| 10 | http://opensource.org/licenses/bsd-license.php\r |
| 11 | \r |
| 12 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r |
| 13 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r |
| 14 | \r |
| 15 | @par Revision Reference: \r |
| 16 | This Protocol is introduced in UEFI Specification 2.2\r |
| 17 | \r |
| 18 | **/\r |
| 19 | \r |
| 20 | #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r |
| 21 | #define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r |
| 22 | \r |
| 23 | \r |
| 24 | #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r |
| 25 | { \\r |
| 3393e291 |
26 | 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r |
| fa05b97b |
27 | }\r |
| 28 | \r |
| 29 | typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r |
| 30 | \r |
| 31 | ///\r |
| 32 | /// EFI_IPSEC_CONFIG_DATA_TYPE\r |
| 33 | ///\r |
| 34 | typedef enum {\r |
| 35 | /// \r |
| 36 | /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, \r |
| 37 | /// an essential element of Security Association (SA) processing is \r |
| 38 | /// underlying SPD that specifies what services are to be offered to \r |
| 39 | /// IP datagram and in what fashion. The SPD must be consulted \r |
| 40 | /// during the processing of all traffic (inbound and outbound), \r |
| 41 | /// including traffic not protected by IPsec, that traverses the IPsec \r |
| 42 | /// boundary. With this DataType, SetData() function is to set \r |
| 43 | /// the SPD entry information, which may add one new entry, delete \r |
| 44 | /// one existed entry or flush the whole database according to the \r |
| 45 | /// parameter values. The corresponding Data is of type \r |
| 46 | /// EFI_IPSEC_SPD_DATA\r |
| 47 | /// \r |
| 48 | IPsecConfigDataTypeSpd,\r |
| 49 | /// \r |
| 50 | /// The IPsec Security Association Database (aka SAD) setting. A \r |
| 51 | /// SA is a simplex connection that affords security services to the \r |
| 52 | /// traffic carried by it. Security services are afforded to an SA by the \r |
| 53 | /// use of AH, or ESP, but not both. The corresponding Data is of \r |
| 54 | /// type EFI_IPSEC_SAD_DATA.\r |
| 55 | /// \r |
| 56 | IPsecConfigDataTypeSad,\r |
| 57 | /// \r |
| 58 | /// The IPsec Peer Authorization Database (aka PAD) setting, which \r |
| 59 | /// provides the link between the SPD and a security association \r |
| 60 | /// management protocol. The PAD entry specifies the \r |
| 61 | /// authentication protocol (e.g. IKEv1, IKEv2) method used and the \r |
| 62 | /// authentication data. The corresponding Data is of type \r |
| 63 | /// EFI_IPSEC_PAD_DATA.\r |
| 64 | ///\r |
| 65 | IPsecConfigDataTypePad,\r |
| 66 | IPsecConfigDataTypeMaximum\r |
| 67 | } EFI_IPSEC_CONFIG_DATA_TYPE;\r |
| 68 | \r |
| 69 | ///\r |
| 70 | /// EFI_IP_ADDRESS_INFO\r |
| 71 | ///\r |
| 72 | typedef struct _EFI_IP_ADDRESS_INFO {\r |
| 73 | EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r |
| 74 | UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r |
| 75 | } EFI_IP_ADDRESS_INFO;\r |
| 76 | \r |
| 77 | \r |
| 78 | ///\r |
| 79 | /// EFI_IPSEC_SPD_SELECTOR\r |
| 80 | ///\r |
| 81 | typedef struct _EFI_IPSEC_SPD_SELECTOR {\r |
| 82 | /// \r |
| 83 | /// Specifies the actual number of entries in LocalAddress.\r |
| 84 | /// \r |
| 85 | UINT32 LocalAddressCount;\r |
| 86 | /// \r |
| 87 | /// A list of ranges of IPv4 or IPv6 addresses, which refers to the \r |
| 88 | /// addresses being protected by IPsec policy.\r |
| 89 | /// \r |
| 90 | EFI_IP_ADDRESS_INFO *LocalAddress;\r |
| 91 | /// \r |
| 92 | /// Specifies the actual number of entries in RemoteAddress.\r |
| 93 | /// \r |
| 94 | UINT32 RemoteAddressCount;\r |
| 95 | /// \r |
| 96 | /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities \r |
| 97 | /// to LocalAddress. \r |
| 98 | /// \r |
| 99 | EFI_IP_ADDRESS_INFO *RemoteAddress;\r |
| 100 | /// \r |
| 101 | /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 \r |
| 102 | /// Next Header fields. The next layer protocol is whatever comes \r |
| 103 | /// after any IP extension headers that are present. A zero value is a \r |
| 104 | /// wildcard that matches any value in NextLayerProtocol field.\r |
| 105 | /// \r |
| 106 | UINT16 NextLayerProtocol; \r |
| 107 | /// \r |
| 108 | /// Local Port if the Next Layer Protocol uses two ports (as do TCP, \r |
| 109 | /// UDP, and others). A zero value is a wildcard that matches any \r |
| 110 | /// value in LocalPort field.\r |
| 111 | /// \r |
| 112 | UINT16 LocalPort;\r |
| 113 | /// \r |
| 114 | /// A designed port range size. The start port is LocalPort, and \r |
| 115 | /// the total number of ports is described by LocalPortRange. \r |
| 116 | /// This field is ignored if NextLayerProtocol does not use \r |
| 117 | /// ports. \r |
| 118 | /// \r |
| 119 | UINT16 LocalPortRange;\r |
| 120 | /// \r |
| 121 | /// Remote Port if the Next Layer Protocol uses two ports. A zero \r |
| 122 | /// value is a wildcard that matches any value in RemotePort field.\r |
| 123 | /// \r |
| 124 | UINT16 RemotePort;\r |
| 125 | /// \r |
| 126 | /// A designed port range size. The start port is RemotePort, and \r |
| 127 | /// the total number of ports is described by RemotePortRange. \r |
| 128 | /// This field is ignored if NextLayerProtocol does not use ports.\r |
| 129 | /// \r |
| 130 | UINT16 RemotePortRange;\r |
| 131 | } EFI_IPSEC_SPD_SELECTOR;\r |
| 132 | \r |
| 133 | ///\r |
| 134 | /// EFI_IPSEC_TRAFFIC_DIR\r |
| 135 | /// represents the directionality in an SPD entry.\r |
| 136 | ///\r |
| 137 | typedef enum {\r |
| 138 | ///\r |
| 139 | /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via \r |
| 140 | /// the unprotected interface or emitted by the implementation on the unprotected\r |
| 141 | /// side of the boundary and directed towards the protected interface. \r |
| 142 | ///\r |
| 143 | EfiIPsecInBound,\r |
| 144 | ///\r |
| 145 | /// The EfiIPsecOutBound refers to traffic entering the implementation via \r |
| 146 | /// the protected interface, or emitted by the implementation on the protected side\r |
| 147 | /// of the boundary and directed toward the unprotected interface.\r |
| 148 | ///\r |
| 149 | EfiIPsecOutBound\r |
| 150 | } EFI_IPSEC_TRAFFIC_DIR;\r |
| 151 | \r |
| 152 | ///\r |
| 153 | /// EFI_IPSEC_ACTION\r |
| 154 | /// represents three possible processing choices.\r |
| 155 | ///\r |
| 156 | typedef enum {\r |
| 157 | /// \r |
| 158 | /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r |
| 159 | /// \r |
| 160 | EfiIPsecActionDiscard,\r |
| 161 | /// \r |
| 162 | /// Refers to traffic that is allowed to cross the IPsec boundary \r |
| 163 | /// without protection.\r |
| 164 | /// \r |
| 165 | EfiIPsecActionBypass,\r |
| 166 | /// \r |
| 167 | /// Refers to traffic that is afforded IPsec protection, and for such \r |
| 168 | /// traffic the SPD must specify the security protocols to be \r |
| 169 | /// employed, their mode, security service options, and the \r |
| 170 | /// cryptographic algorithms to be used. \r |
| 171 | ///\r |
| 172 | EfiIPsecActionProtect\r |
| 173 | } EFI_IPSEC_ACTION;\r |
| 174 | \r |
| 175 | ///\r |
| 176 | /// EFI_IPSEC_SA_LIFETIME\r |
| 177 | /// defines the lifetime of an SA, which represents when a SA must be \r |
| 178 | /// replaced or terminated. A value of all 0 for each field removes \r |
| 179 | /// the limitation of a SA lifetime.\r |
| 180 | ///\r |
| 181 | typedef struct _EFI_IPSEC_SA_LIFETIME {\r |
| 182 | /// \r |
| 183 | /// The number of bytes to which the IPsec cryptographic algorithm\r |
| 184 | /// can be applied. For ESP, this is the encryption algorithm and for\r |
| 185 | /// AH, this is the authentication algorithm. The ByteCount \r |
| 186 | /// includes pad bytes for cryptographic operations.\r |
| 187 | /// \r |
| 188 | UINT64 ByteCount;\r |
| 189 | /// \r |
| 190 | /// A time interval in second that warns the implementation to \r |
| 191 | /// initiate action such as setting up a replacement SA.\r |
| 192 | /// \r |
| 193 | UINT64 SoftLifetime;\r |
| 194 | /// \r |
| 195 | /// A time interval in second when the current SA ends and is \r |
| 196 | /// destroyed.\r |
| 197 | /// \r |
| 198 | UINT64 HardLifetime;\r |
| 199 | } EFI_IPSEC_SA_LIFETIME;\r |
| 200 | \r |
| 201 | ///\r |
| 202 | /// EFI_IPSEC_MODE\r |
| 203 | /// There are two modes of IPsec operation: transport mode and tunnel mode. In \r |
| 204 | /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; \r |
| 205 | /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r |
| 206 | ///\r |
| 207 | typedef enum {\r |
| 208 | EfiIPsecTransport,\r |
| 209 | EfiIPsecTunnel\r |
| 210 | } EFI_IPSEC_MODE;\r |
| 211 | \r |
| 212 | ///\r |
| 213 | /// EFI_IPSEC_TUNNEL_DF_OPTION\r |
| 214 | /// The option of copying the DF bit from an outbound package to\r |
| 215 | /// the tunnel mode header that it emits, when traffic is carried\r |
| 216 | /// via a tunnel mode SA. This applies to SAs where both inner and\r |
| 217 | /// outer headers are IPv4.\r |
| 218 | ///\r |
| 219 | typedef enum {\r |
| 220 | EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r |
| 221 | EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r |
| 222 | EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r |
| 223 | } EFI_IPSEC_TUNNEL_DF_OPTION;\r |
| 224 | \r |
| 225 | ///\r |
| 226 | /// EFI_IPSEC_TUNNEL_OPTION\r |
| 227 | ///\r |
| 228 | typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r |
| 229 | /// \r |
| 230 | /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r |
| 231 | /// \r |
| 232 | EFI_IP_ADDRESS LocalTunnelAddress;\r |
| 233 | /// \r |
| 234 | /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r |
| 235 | /// \r |
| 236 | EFI_IP_ADDRESS RemoteTunnelAddress;\r |
| 237 | /// \r |
| 238 | /// The option of copying the DF bit from an outbound package\r |
| 239 | /// to the tunnel mode header that it emits, when traffic is \r |
| 240 | /// carried via a tunnel mode SA. \r |
| 241 | /// \r |
| 242 | EFI_IPSEC_TUNNEL_DF_OPTION DF;\r |
| 243 | } EFI_IPSEC_TUNNEL_OPTION;\r |
| 244 | \r |
| 245 | ///\r |
| 246 | /// EFI_IPSEC_PROTOCOL_TYPE\r |
| 247 | ///\r |
| 248 | typedef enum {\r |
| 249 | EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r |
| 250 | EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. \r |
| 251 | } EFI_IPSEC_PROTOCOL_TYPE;\r |
| 252 | \r |
| 253 | ///\r |
| 254 | /// EFI_IPSEC_PROCESS_POLICY\r |
| 255 | /// describes a policy list for traffic processing.\r |
| 256 | ///\r |
| 257 | typedef struct _EFI_IPSEC_PROCESS_POLICY {\r |
| 258 | /// \r |
| 259 | /// Extended Sequence Number. Is this SA using extended sequence \r |
| 260 | /// numbers. 64 bit counter is used if TRUE.\r |
| 261 | /// \r |
| 262 | BOOLEAN ExtSeqNum;\r |
| 263 | /// \r |
| 264 | /// A flag indicating whether overflow of the sequence number \r |
| 265 | /// counter should generate an auditable event and prevent \r |
| 266 | /// transmission of additional packets on the SA, or whether rollover \r |
| 267 | /// is permitted.\r |
| 268 | /// \r |
| 269 | BOOLEAN SeqOverflow;\r |
| 270 | /// \r |
| 271 | /// Is this SA using stateful fragment checking. TRUE represents \r |
| 272 | /// stateful fragment checking.\r |
| 273 | /// \r |
| 274 | BOOLEAN FragCheck;\r |
| 275 | /// \r |
| 276 | /// A time interval after which a SA must be replaced with a new SA \r |
| 277 | /// (and new SPI) or terminated. \r |
| 278 | /// \r |
| 279 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
| 280 | /// \r |
| 281 | /// IPsec mode: tunnel or transport.\r |
| 282 | /// \r |
| 283 | EFI_IPSEC_MODE Mode;\r |
| 284 | /// \r |
| 285 | /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r |
| 286 | /// \r |
| 287 | EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r |
| 288 | /// \r |
| 289 | /// IPsec protocol: AH or ESP\r |
| 290 | /// \r |
| 291 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
| 292 | /// \r |
| 293 | /// Cryptographic algorithm type used for authentication.\r |
| 294 | /// \r |
| 295 | UINT8 AuthAlgoId;\r |
| 296 | /// \r |
| 297 | /// Cryptographic algorithm type used for encryption. EncAlgo is \r |
| 298 | /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo \r |
| 299 | /// can also be used to describe the algorithm if a combined mode \r |
| 300 | /// algorithm is used.\r |
| 301 | ///\r |
| 302 | UINT8 EncAlgoId;\r |
| 303 | } EFI_IPSEC_PROCESS_POLICY;\r |
| 304 | \r |
| fa05b97b |
305 | ///\r |
| 306 | /// EFI_IPSEC_SA_ID\r |
| 307 | /// A triplet to identify an SA, consisting of the following members.\r |
| 308 | ///\r |
| 309 | typedef struct _EFI_IPSEC_SA_ID {\r |
| 310 | /// \r |
| 311 | /// Security Parameter Index (aka SPI). An arbitrary 32-bit value \r |
| 312 | /// that is used by a receiver to identity the SA to which an incoming \r |
| 313 | /// package should be bound.\r |
| 314 | /// \r |
| 315 | UINT32 Spi;\r |
| 316 | /// \r |
| 317 | /// IPsec protocol: AH or ESP\r |
| 318 | /// \r |
| 319 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
| 320 | /// \r |
| 321 | /// Destination IP address. \r |
| 322 | /// \r |
| 323 | EFI_IP_ADDRESS DestAddress;\r |
| 324 | } EFI_IPSEC_SA_ID;\r |
| 325 | \r |
| 326 | \r |
| 327 | #define MAX_PEERID_LEN 128\r |
| 328 | \r |
| 329 | ///\r |
| 330 | /// EFI_IPSEC_SPD_DATA\r |
| 331 | ///\r |
| 332 | typedef struct _EFI_IPSEC_SPD_DATA {\r |
| 333 | /// \r |
| 4f077902 |
334 | /// A null-terminated ASCII name string which is used as a symbolic \r |
| fa05b97b |
335 | /// identifier for an IPsec Local or Remote address.\r |
| 336 | /// \r |
| 337 | UINT8 Name[MAX_PEERID_LEN];\r |
| 338 | /// \r |
| 339 | /// Bit-mapped list describing Populate from Packet flags. When \r |
| 340 | /// creating a SA, if PackageFlag bit is set to TRUE, instantiate \r |
| 341 | /// the selector from the corresponding field in the package that \r |
| 342 | /// triggered the creation of the SA, else from the value(s) in the \r |
| 343 | /// corresponding SPD entry. The PackageFlag bit setting for \r |
| 344 | /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r |
| 345 | /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress \r |
| 346 | /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress \r |
| 347 | /// Bit 2: \r |
| 348 | /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol \r |
| 349 | /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort \r |
| 350 | /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort \r |
| 351 | /// Others: Reserved.\r |
| 352 | ///\r |
| 353 | UINT32 PackageFlag;\r |
| 354 | /// \r |
| 355 | /// The traffic direction of data gram.\r |
| 356 | /// \r |
| 357 | EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r |
| 358 | /// \r |
| 359 | /// Processing choices to indicate which action is required by this \r |
| 360 | /// policy. \r |
| 361 | /// \r |
| 362 | EFI_IPSEC_ACTION Action;\r |
| 363 | /// \r |
| 364 | /// The policy and rule information for a SPD entry.\r |
| 365 | /// \r |
| 366 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r |
| 367 | /// \r |
| 368 | /// Specifies the actual number of entries in SaId list.\r |
| 369 | /// \r |
| 370 | UINTN SaIdCount;\r |
| 371 | /// \r |
| 372 | /// The SAD entry used for the traffic processing. The \r |
| 373 | /// existed SAD entry links indicate this is the manual key case.\r |
| 374 | /// \r |
| 375 | EFI_IPSEC_SA_ID SaId[1];\r |
| 376 | } EFI_IPSEC_SPD_DATA;\r |
| 377 | \r |
| 378 | ///\r |
| 379 | /// EFI_IPSEC_AH_ALGO_INFO\r |
| 380 | /// The security algorithm selection for IPsec AH authentication.\r |
| 381 | /// The required authentication algorithm is specified in RFC 4305.\r |
| 382 | ///\r |
| 383 | typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r |
| 384 | UINT8 AuthAlgoId;\r |
| 385 | UINTN AuthKeyLength;\r |
| 386 | VOID *AuthKey;\r |
| 387 | } EFI_IPSEC_AH_ALGO_INFO;\r |
| 388 | \r |
| 389 | ///\r |
| 390 | /// EFI_IPSEC_ESP_ALGO_INFO\r |
| 391 | /// The security algorithm selection for IPsec ESP encryption and authentication.\r |
| 392 | /// The required authentication algorithm is specified in RFC 4305. \r |
| 393 | /// EncAlgoId fields can also specify an ESP combined mode algorithm \r |
| 394 | /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both \r |
| 395 | /// confidentiality and authentication services.\r |
| 396 | ///\r |
| 397 | typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r |
| 398 | UINT8 EncAlgoId;\r |
| 399 | UINTN EncKeyLength;\r |
| 400 | VOID *EncKey;\r |
| 401 | UINT8 AuthAlgoId;\r |
| 402 | UINTN AuthKeyLength;\r |
| 403 | VOID *AuthKey;\r |
| 404 | } EFI_IPSEC_ESP_ALGO_INFO;\r |
| 405 | \r |
| 406 | ///\r |
| 407 | /// EFI_IPSEC_ALGO_INFO\r |
| 408 | ///\r |
| 409 | typedef union {\r |
| 410 | EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r |
| 411 | EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r |
| 412 | } EFI_IPSEC_ALGO_INFO;\r |
| 413 | \r |
| 414 | ///\r |
| 415 | /// EFI_IPSEC_SA_DATA\r |
| 416 | ///\r |
| 417 | typedef struct _EFI_IPSEC_SA_DATA {\r |
| 418 | /// \r |
| 419 | /// IPsec mode: tunnel or transport.\r |
| 420 | /// \r |
| 421 | EFI_IPSEC_MODE Mode;\r |
| 422 | /// \r |
| 423 | /// Sequence Number Counter. A 64-bit counter used to generate the \r |
| 424 | /// sequence number field in AH or ESP headers.\r |
| 425 | /// \r |
| 426 | UINT64 SNCount;\r |
| 427 | /// \r |
| 428 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to \r |
| 429 | /// determine whether an inbound AH or ESP packet is a replay.\r |
| 430 | /// \r |
| 431 | UINT8 AntiReplayWindows;\r |
| 432 | /// \r |
| 433 | /// AH/ESP cryptographic algorithm, key and parameters. \r |
| 434 | /// \r |
| 435 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r |
| 436 | /// \r |
| 437 | /// Lifetime of this SA. \r |
| 438 | /// \r |
| 439 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
| 440 | /// \r |
| 441 | /// Any observed path MTU and aging variables. The Path MTU \r |
| 442 | /// processing is defined in section 8 of RFC 4301.\r |
| 443 | /// \r |
| 444 | UINT32 PathMTU;\r |
| 445 | /// \r |
| 446 | /// Link to one SPD entry.\r |
| 447 | /// \r |
| 448 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r |
| 449 | /// \r |
| 3227f995 |
450 | /// Indication of whether it's manually set or negotiated automatically. \r |
| fa05b97b |
451 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through \r |
| 452 | /// IKE protocol negotiation.\r |
| 453 | ///\r |
| 454 | BOOLEAN ManualSet;\r |
| 455 | } EFI_IPSEC_SA_DATA;\r |
| 456 | \r |
| 705f53a9 |
457 | ///\r |
| 458 | /// EFI_IPSEC_SA_DATA2\r |
| 459 | ///\r |
| 460 | typedef struct _EFI_IPSEC_SA_DATA2 { \r |
| 461 | ///\r |
| 462 | /// IPsec mode: tunnel or transport\r |
| 463 | ///\r |
| 464 | EFI_IPSEC_MODE Mode; \r |
| 465 | ///\r |
| 466 | /// Sequence Number Counter. A 64-bit counter used to generate the sequence \r |
| 467 | /// number field in AH or ESP headers. \r |
| 468 | ///\r |
| 469 | UINT64 SNCount; \r |
| 470 | ///\r |
| 471 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine \r |
| 472 | /// whether an inbound AH or ESP packet is a replay.\r |
| 473 | ///\r |
| 474 | UINT8 AntiReplayWindows; \r |
| 475 | ///\r |
| 476 | /// AH/ESP cryptographic algorithm, key and parameters.\r |
| 477 | ///\r |
| 478 | EFI_IPSEC_ALGO_INFO AlgoInfo; \r |
| 479 | ///\r |
| 480 | /// Lifetime of this SA.\r |
| 481 | ///\r |
| 482 | EFI_IPSEC_SA_LIFETIME SaLifetime; \r |
| 483 | ///\r |
| 484 | /// Any observed path MTU and aging variables. The Path MTU processing is \r |
| 485 | /// defined in section 8 of RFC 4301.\r |
| 486 | ///\r |
| 487 | UINT32 PathMTU; \r |
| 488 | ///\r |
| 489 | /// Link to one SPD entry\r |
| 490 | ///\r |
| 491 | EFI_IPSEC_SPD_SELECTOR *SpdSelector; \r |
| 492 | ///\r |
| 493 | /// Indication of whether it's manually set or negotiated automatically. \r |
| 494 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE \r |
| 495 | /// protocol negotiation\r |
| 496 | ///\r |
| 497 | BOOLEAN ManualSet;\r |
| 498 | ///\r |
| 499 | /// The tunnel header IP source address.\r |
| 500 | ///\r |
| 501 | EFI_IP_ADDRESS TunnelSourceAddress;\r |
| 502 | ///\r |
| 503 | /// The tunnel header IP destination address.\r |
| 504 | ///\r |
| 505 | EFI_IP_ADDRESS TunnelDestinationAddress;\r |
| 506 | } EFI_IPSEC_SA_DATA2; \r |
| 507 | \r |
| 508 | \r |
| fa05b97b |
509 | ///\r |
| 510 | /// EFI_IPSEC_PAD_ID\r |
| 511 | /// specifies the identifier for PAD entry, which is also used for SPD lookup.\r |
| 512 | /// IpAddress Pointer to the IPv4 or IPv6 address range.\r |
| 513 | ///\r |
| 514 | typedef struct _EFI_IPSEC_PAD_ID {\r |
| 515 | ///\r |
| 516 | /// Flag to identify which type of PAD Id is used.\r |
| 517 | /// \r |
| 518 | BOOLEAN PeerIdValid; \r |
| 519 | union {\r |
| 520 | ///\r |
| 521 | /// Pointer to the IPv4 or IPv6 address range.\r |
| 522 | ///\r |
| 523 | EFI_IP_ADDRESS_INFO IpAddress;\r |
| 524 | ///\r |
| 4f077902 |
525 | /// Pointer to a null terminated ASCII string\r |
| fa05b97b |
526 | /// representing the symbolic names. A PeerId can be a DNS \r |
| 527 | /// name, Distinguished Name, RFC 822 email address or Key ID \r |
| 528 | /// (specified in section 4.4.3.1 of RFC 4301)\r |
| 529 | ///\r |
| 530 | UINT8 PeerId[MAX_PEERID_LEN];\r |
| 531 | } Id;\r |
| 532 | } EFI_IPSEC_PAD_ID;\r |
| 533 | \r |
| 534 | ///\r |
| 535 | /// EFI_IPSEC_CONFIG_SELECTOR\r |
| 536 | /// describes the expected IPsec configuration data selector \r |
| 537 | /// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r |
| 538 | ///\r |
| 539 | typedef union {\r |
| 540 | EFI_IPSEC_SPD_SELECTOR SpdSelector;\r |
| 541 | EFI_IPSEC_SA_ID SaId;\r |
| 542 | EFI_IPSEC_PAD_ID PadId;\r |
| 543 | } EFI_IPSEC_CONFIG_SELECTOR;\r |
| 544 | \r |
| 545 | ///\r |
| 546 | /// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r |
| 547 | /// defines the possible authentication protocol for IPsec \r |
| 548 | /// security association management.\r |
| 549 | ///\r |
| 550 | typedef enum {\r |
| 551 | EfiIPsecAuthProtocolIKEv1,\r |
| 552 | EfiIPsecAuthProtocolIKEv2,\r |
| 553 | EfiIPsecAuthProtocolMaximum\r |
| 554 | } EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r |
| 555 | \r |
| 556 | ///\r |
| 557 | /// EFI_IPSEC_AUTH_METHOD\r |
| 558 | ///\r |
| 559 | typedef enum {\r |
| 560 | ///\r |
| 561 | /// Using Pre-shared Keys for manual security associations.\r |
| 562 | ///\r |
| 563 | EfiIPsecAuthMethodPreSharedSecret,\r |
| 564 | ///\r |
| 565 | /// IKE employs X.509 certificates for SA establishment.\r |
| 566 | ///\r |
| 567 | EfiIPsecAuthMethodCertificates,\r |
| 568 | EfiIPsecAuthMethodMaximum\r |
| 569 | } EFI_IPSEC_AUTH_METHOD;\r |
| 570 | \r |
| 571 | ///\r |
| 572 | /// EFI_IPSEC_PAD_DATA\r |
| 573 | ///\r |
| 574 | typedef struct _EFI_IPSEC_PAD_DATA {\r |
| 575 | /// \r |
| 576 | /// Authentication Protocol for IPsec security association management.\r |
| 577 | /// \r |
| 578 | EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r |
| 579 | /// \r |
| 580 | /// Authentication method used.\r |
| 581 | /// \r |
| 582 | EFI_IPSEC_AUTH_METHOD AuthMethod;\r |
| 583 | /// \r |
| 584 | /// The IKE ID payload will be used as a symbolic name for SPD \r |
| 585 | /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP \r |
| 586 | /// address provided in traffic selector playloads will be used.\r |
| 587 | /// \r |
| 588 | BOOLEAN IkeIdFlag;\r |
| 589 | /// \r |
| 590 | /// The size of Authentication data buffer, in bytes.\r |
| 591 | /// \r |
| 592 | UINTN AuthDataSize;\r |
| 593 | /// \r |
| 594 | /// Buffer for Authentication data, (e.g., the pre-shared secret or the \r |
| 595 | /// trust anchor relative to which the peer's certificate will be \r |
| 596 | /// validated).\r |
| 597 | /// \r |
| 598 | VOID *AuthData;\r |
| 599 | /// \r |
| 600 | /// The size of RevocationData, in bytes\r |
| 601 | /// \r |
| 602 | UINTN RevocationDataSize;\r |
| 603 | /// \r |
| 604 | /// Pointer to CRL or OCSP data, if certificates are used for \r |
| 605 | /// authentication method.\r |
| 606 | /// \r |
| 607 | VOID *RevocationData;\r |
| 608 | } EFI_IPSEC_PAD_DATA;\r |
| 609 | \r |
| 610 | \r |
| 611 | /**\r |
| 612 | Set the security association, security policy and peer authorization configuration\r |
| 613 | information for the EFI IPsec driver. \r |
| 614 | \r |
| 615 | This function is used to set the IPsec configuration information of type DataType for\r |
| 616 | the EFI IPsec driver.\r |
| 617 | The IPsec configuration data has a unique selector/identifier separately to identify\r |
| 3227f995 |
618 | a data entry. The selector structure depends on DataType's definition.\r |
| fa05b97b |
619 | Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r |
| 620 | by DataType and Selector to be deleted. \r |
| 621 | \r |
| 622 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r |
| 623 | @param[in] DataType The type of data to be set.\r |
| 624 | @param[in] Selector Pointer to an entry selector on operated configuration data \r |
| 625 | specified by DataType. A NULL Selector causes the entire \r |
| 626 | specified-type configuration information to be flushed.\r |
| 627 | @param[in] Data The data buffer to be set. The structure of the data buffer is \r |
| 628 | associated with the DataType.\r |
| 629 | @param[in] InsertBefore Pointer to one entry selector which describes the expected\r |
| 630 | position the new data entry will be added. If InsertBefore is NULL,\r |
| 631 | the new entry will be appended the end of database.\r |
| 632 | \r |
| 633 | @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r |
| 634 | @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r |
| 635 | - This is NULL.\r |
| 636 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r |
| 637 | @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r |
| 638 | \r |
| 639 | **/\r |
| 640 | typedef\r |
| 641 | EFI_STATUS\r |
| a1749b80 |
642 | (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(\r |
| fa05b97b |
643 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
| 644 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r |
| 645 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r |
| 646 | IN VOID *Data,\r |
| 647 | IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r |
| 648 | );\r |
| 649 | \r |
| 650 | /**\r |
| 651 | Return the configuration value for the EFI IPsec driver. \r |
| 652 | \r |
| 653 | This function lookup the data entry from IPsec database or IKEv2 configuration\r |
| 654 | information. The expected data type and unique identification are described in\r |
| 655 | DataType and Selector parameters. \r |
| 656 | \r |
| 657 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r |
| 658 | @param[in] DataType The type of data to retrieve.\r |
| 659 | @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec \r |
| 660 | configuration data entry.\r |
| 661 | @param[in, out] DataSize On output the size of data returned in Data.\r |
| 662 | @param[out] Data The buffer to return the contents of the IPsec configuration data. \r |
| 663 | The type of the data buffer is associated with the DataType. \r |
| 664 | \r |
| 665 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
| 666 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r |
| 667 | - This is NULL.\r |
| 668 | - Selector is NULL.\r |
| 669 | - DataSize is NULL.\r |
| 670 | - Data is NULL and *DataSize is not zero\r |
| 671 | @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r |
| 672 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r |
| 673 | @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r |
| 674 | updated with the size needed to complete the request.\r |
| 675 | \r |
| 676 | **/\r |
| 677 | typedef\r |
| 678 | EFI_STATUS\r |
| a1749b80 |
679 | (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(\r |
| fa05b97b |
680 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
| 681 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r |
| 682 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r |
| 683 | IN OUT UINTN *DataSize,\r |
| 684 | OUT VOID *Data\r |
| 685 | );\r |
| 686 | \r |
| 687 | /**\r |
| 688 | Enumerates the current selector for IPsec configuration data entry. \r |
| 689 | \r |
| 690 | This function is called multiple times to retrieve the entry Selector in IPsec\r |
| 691 | configuration database. On each call to GetNextSelector(), the next entry \r |
| 692 | Selector are retrieved into the output interface.\r |
| 693 | \r |
| 694 | If the entire IPsec configuration database has been iterated, the error \r |
| 695 | EFI_NOT_FOUND is returned.\r |
| 696 | If the Selector buffer is too small for the next Selector copy, an \r |
| 697 | EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect \r |
| 698 | the size of buffer needed.\r |
| 699 | \r |
| 700 | On the initial call to GetNextSelector() to start the IPsec configuration database\r |
| 701 | search, a pointer to the buffer with all zero value is passed in Selector. Calls \r |
| 702 | to SetData() between calls to GetNextSelector may produce unpredictable results. \r |
| 703 | \r |
| 704 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r |
| 705 | @param[in] DataType The type of IPsec configuration data to retrieve.\r |
| 706 | @param[in, out] SelectorSize The size of the Selector buffer.\r |
| 707 | @param[in, out] Selector On input, supplies the pointer to last Selector that was \r |
| 708 | returned by GetNextSelector().\r |
| 709 | On output, returns one copy of the current entry Selector\r |
| 710 | of a given DataType. \r |
| 711 | \r |
| 712 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
| 713 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r |
| 714 | - This is NULL.\r |
| 715 | - SelectorSize is NULL.\r |
| 716 | - Selector is NULL.\r |
| 717 | @retval EFI_NOT_FOUND The next configuration data entry was not found.\r |
| 718 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r |
| 719 | @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r |
| 720 | has been updated with the size needed to complete the search \r |
| 721 | request.\r |
| 722 | \r |
| 723 | **/\r |
| 724 | typedef\r |
| 725 | EFI_STATUS\r |
| a1749b80 |
726 | (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(\r |
| fa05b97b |
727 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
| 728 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r |
| 729 | IN OUT UINTN *SelectorSize,\r |
| 730 | IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r |
| 731 | );\r |
| 732 | \r |
| 733 | /**\r |
| 734 | Register an event that is to be signaled whenever a configuration process on the\r |
| 735 | specified IPsec configuration information is done. \r |
| 736 | \r |
| 737 | This function registers an event that is to be signaled whenever a configuration\r |
| 738 | process on the specified IPsec configuration data is done (e.g. IPsec security \r |
| 739 | policy database configuration is ready). An event can be registered for different\r |
| 740 | DataType simultaneously and the caller is responsible for determining which type \r |
| 741 | of configuration data causes the signaling of the event in such case. \r |
| 742 | \r |
| 743 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r |
| 744 | @param[in] DataType The type of data to be registered the event for.\r |
| 745 | @param[in] Event The event to be registered.\r |
| 746 | \r |
| 747 | @retval EFI_SUCCESS The event is registered successfully.\r |
| 748 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r |
| 749 | @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r |
| 750 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r |
| 751 | DataType is not supported.\r |
| 752 | \r |
| 753 | **/\r |
| 754 | typedef\r |
| 755 | EFI_STATUS\r |
| a1749b80 |
756 | (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(\r |
| fa05b97b |
757 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
| 758 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r |
| 759 | IN EFI_EVENT Event\r |
| 760 | );\r |
| 761 | \r |
| 762 | /**\r |
| 763 | Remove the specified event that is previously registered on the specified IPsec\r |
| 764 | configuration data. \r |
| 765 | \r |
| 766 | This function removes a previously registered event for the specified configuration data. \r |
| 767 | \r |
| 768 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r |
| 769 | @param[in] DataType The configuration data type to remove the registered event for.\r |
| 770 | @param[in] Event The event to be unregistered.\r |
| 771 | \r |
| 772 | @retval EFI_SUCCESS The event is removed successfully.\r |
| 773 | @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the \r |
| 774 | database.\r |
| 775 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r |
| 776 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r |
| 777 | DataType is not supported.\r |
| 778 | \r |
| 779 | **/\r |
| 780 | typedef\r |
| 781 | EFI_STATUS\r |
| a1749b80 |
782 | (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(\r |
| fa05b97b |
783 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
| 784 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r |
| 785 | IN EFI_EVENT Event\r |
| 786 | );\r |
| 787 | \r |
| 788 | ///\r |
| 789 | /// EFI_IPSEC_CONFIG_PROTOCOL\r |
| 790 | /// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r |
| 791 | /// SPD (Security Policy Database) data entry and configure the security association \r |
| 792 | /// management protocol such as IKEv2. This protocol is used as the central \r |
| 793 | /// repository of any policy-specific configuration for EFI IPsec driver.\r |
| 794 | /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this \r |
| 795 | /// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r |
| 796 | /// \r |
| 797 | struct _EFI_IPSEC_CONFIG_PROTOCOL {\r |
| 798 | EFI_IPSEC_CONFIG_SET_DATA SetData;\r |
| 799 | EFI_IPSEC_CONFIG_GET_DATA GetData;\r |
| 800 | EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r |
| 801 | EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r |
| 802 | EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r |
| 803 | };\r |
| 804 | \r |
| 805 | extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r |
| 806 | \r |
| 807 | #endif\r |
projects / mirror_edk2.git / blame