]>
Commit | Line | Data |
---|---|---|
fa05b97b | 1 | /** @file\r |
2 | EFI IPsec Configuration Protocol Definition\r | |
3 | The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and \r | |
4 | policy related information for the EFI IPsec protocol driver.\r | |
5 | \r | |
a1749b80 | 6 | Copyright (c) 2009 - 2010, Intel Corporation\r |
fa05b97b | 7 | All rights reserved. This program and the accompanying materials\r |
8 | are licensed and made available under the terms and conditions of the BSD License\r | |
9 | which accompanies this distribution. The full text of the license may be found at\r | |
10 | http://opensource.org/licenses/bsd-license.php\r | |
11 | \r | |
12 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
13 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
14 | \r | |
15 | @par Revision Reference: \r | |
16 | This Protocol is introduced in UEFI Specification 2.2\r | |
17 | \r | |
18 | **/\r | |
19 | \r | |
20 | #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
21 | #define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
22 | \r | |
23 | \r | |
24 | #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r | |
25 | { \\r | |
3393e291 | 26 | 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r |
fa05b97b | 27 | }\r |
28 | \r | |
29 | typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r | |
30 | \r | |
31 | ///\r | |
32 | /// EFI_IPSEC_CONFIG_DATA_TYPE\r | |
33 | ///\r | |
34 | typedef enum {\r | |
35 | /// \r | |
36 | /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, \r | |
37 | /// an essential element of Security Association (SA) processing is \r | |
38 | /// underlying SPD that specifies what services are to be offered to \r | |
39 | /// IP datagram and in what fashion. The SPD must be consulted \r | |
40 | /// during the processing of all traffic (inbound and outbound), \r | |
41 | /// including traffic not protected by IPsec, that traverses the IPsec \r | |
42 | /// boundary. With this DataType, SetData() function is to set \r | |
43 | /// the SPD entry information, which may add one new entry, delete \r | |
44 | /// one existed entry or flush the whole database according to the \r | |
45 | /// parameter values. The corresponding Data is of type \r | |
46 | /// EFI_IPSEC_SPD_DATA\r | |
47 | /// \r | |
48 | IPsecConfigDataTypeSpd,\r | |
49 | /// \r | |
50 | /// The IPsec Security Association Database (aka SAD) setting. A \r | |
51 | /// SA is a simplex connection that affords security services to the \r | |
52 | /// traffic carried by it. Security services are afforded to an SA by the \r | |
53 | /// use of AH, or ESP, but not both. The corresponding Data is of \r | |
54 | /// type EFI_IPSEC_SAD_DATA.\r | |
55 | /// \r | |
56 | IPsecConfigDataTypeSad,\r | |
57 | /// \r | |
58 | /// The IPsec Peer Authorization Database (aka PAD) setting, which \r | |
59 | /// provides the link between the SPD and a security association \r | |
60 | /// management protocol. The PAD entry specifies the \r | |
61 | /// authentication protocol (e.g. IKEv1, IKEv2) method used and the \r | |
62 | /// authentication data. The corresponding Data is of type \r | |
63 | /// EFI_IPSEC_PAD_DATA.\r | |
64 | ///\r | |
65 | IPsecConfigDataTypePad,\r | |
66 | IPsecConfigDataTypeMaximum\r | |
67 | } EFI_IPSEC_CONFIG_DATA_TYPE;\r | |
68 | \r | |
69 | ///\r | |
70 | /// EFI_IP_ADDRESS_INFO\r | |
71 | ///\r | |
72 | typedef struct _EFI_IP_ADDRESS_INFO {\r | |
73 | EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r | |
74 | UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r | |
75 | } EFI_IP_ADDRESS_INFO;\r | |
76 | \r | |
77 | \r | |
78 | ///\r | |
79 | /// EFI_IPSEC_SPD_SELECTOR\r | |
80 | ///\r | |
81 | typedef struct _EFI_IPSEC_SPD_SELECTOR {\r | |
82 | /// \r | |
83 | /// Specifies the actual number of entries in LocalAddress.\r | |
84 | /// \r | |
85 | UINT32 LocalAddressCount;\r | |
86 | /// \r | |
87 | /// A list of ranges of IPv4 or IPv6 addresses, which refers to the \r | |
88 | /// addresses being protected by IPsec policy.\r | |
89 | /// \r | |
90 | EFI_IP_ADDRESS_INFO *LocalAddress;\r | |
91 | /// \r | |
92 | /// Specifies the actual number of entries in RemoteAddress.\r | |
93 | /// \r | |
94 | UINT32 RemoteAddressCount;\r | |
95 | /// \r | |
96 | /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities \r | |
97 | /// to LocalAddress. \r | |
98 | /// \r | |
99 | EFI_IP_ADDRESS_INFO *RemoteAddress;\r | |
100 | /// \r | |
101 | /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 \r | |
102 | /// Next Header fields. The next layer protocol is whatever comes \r | |
103 | /// after any IP extension headers that are present. A zero value is a \r | |
104 | /// wildcard that matches any value in NextLayerProtocol field.\r | |
105 | /// \r | |
106 | UINT16 NextLayerProtocol; \r | |
107 | /// \r | |
108 | /// Local Port if the Next Layer Protocol uses two ports (as do TCP, \r | |
109 | /// UDP, and others). A zero value is a wildcard that matches any \r | |
110 | /// value in LocalPort field.\r | |
111 | /// \r | |
112 | UINT16 LocalPort;\r | |
113 | /// \r | |
114 | /// A designed port range size. The start port is LocalPort, and \r | |
115 | /// the total number of ports is described by LocalPortRange. \r | |
116 | /// This field is ignored if NextLayerProtocol does not use \r | |
117 | /// ports. \r | |
118 | /// \r | |
119 | UINT16 LocalPortRange;\r | |
120 | /// \r | |
121 | /// Remote Port if the Next Layer Protocol uses two ports. A zero \r | |
122 | /// value is a wildcard that matches any value in RemotePort field.\r | |
123 | /// \r | |
124 | UINT16 RemotePort;\r | |
125 | /// \r | |
126 | /// A designed port range size. The start port is RemotePort, and \r | |
127 | /// the total number of ports is described by RemotePortRange. \r | |
128 | /// This field is ignored if NextLayerProtocol does not use ports.\r | |
129 | /// \r | |
130 | UINT16 RemotePortRange;\r | |
131 | } EFI_IPSEC_SPD_SELECTOR;\r | |
132 | \r | |
133 | ///\r | |
134 | /// EFI_IPSEC_TRAFFIC_DIR\r | |
135 | /// represents the directionality in an SPD entry.\r | |
136 | ///\r | |
137 | typedef enum {\r | |
138 | ///\r | |
139 | /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via \r | |
140 | /// the unprotected interface or emitted by the implementation on the unprotected\r | |
141 | /// side of the boundary and directed towards the protected interface. \r | |
142 | ///\r | |
143 | EfiIPsecInBound,\r | |
144 | ///\r | |
145 | /// The EfiIPsecOutBound refers to traffic entering the implementation via \r | |
146 | /// the protected interface, or emitted by the implementation on the protected side\r | |
147 | /// of the boundary and directed toward the unprotected interface.\r | |
148 | ///\r | |
149 | EfiIPsecOutBound\r | |
150 | } EFI_IPSEC_TRAFFIC_DIR;\r | |
151 | \r | |
152 | ///\r | |
153 | /// EFI_IPSEC_ACTION\r | |
154 | /// represents three possible processing choices.\r | |
155 | ///\r | |
156 | typedef enum {\r | |
157 | /// \r | |
158 | /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r | |
159 | /// \r | |
160 | EfiIPsecActionDiscard,\r | |
161 | /// \r | |
162 | /// Refers to traffic that is allowed to cross the IPsec boundary \r | |
163 | /// without protection.\r | |
164 | /// \r | |
165 | EfiIPsecActionBypass,\r | |
166 | /// \r | |
167 | /// Refers to traffic that is afforded IPsec protection, and for such \r | |
168 | /// traffic the SPD must specify the security protocols to be \r | |
169 | /// employed, their mode, security service options, and the \r | |
170 | /// cryptographic algorithms to be used. \r | |
171 | ///\r | |
172 | EfiIPsecActionProtect\r | |
173 | } EFI_IPSEC_ACTION;\r | |
174 | \r | |
175 | ///\r | |
176 | /// EFI_IPSEC_SA_LIFETIME\r | |
177 | /// defines the lifetime of an SA, which represents when a SA must be \r | |
178 | /// replaced or terminated. A value of all 0 for each field removes \r | |
179 | /// the limitation of a SA lifetime.\r | |
180 | ///\r | |
181 | typedef struct _EFI_IPSEC_SA_LIFETIME {\r | |
182 | /// \r | |
183 | /// The number of bytes to which the IPsec cryptographic algorithm\r | |
184 | /// can be applied. For ESP, this is the encryption algorithm and for\r | |
185 | /// AH, this is the authentication algorithm. The ByteCount \r | |
186 | /// includes pad bytes for cryptographic operations.\r | |
187 | /// \r | |
188 | UINT64 ByteCount;\r | |
189 | /// \r | |
190 | /// A time interval in second that warns the implementation to \r | |
191 | /// initiate action such as setting up a replacement SA.\r | |
192 | /// \r | |
193 | UINT64 SoftLifetime;\r | |
194 | /// \r | |
195 | /// A time interval in second when the current SA ends and is \r | |
196 | /// destroyed.\r | |
197 | /// \r | |
198 | UINT64 HardLifetime;\r | |
199 | } EFI_IPSEC_SA_LIFETIME;\r | |
200 | \r | |
201 | ///\r | |
202 | /// EFI_IPSEC_MODE\r | |
203 | /// There are two modes of IPsec operation: transport mode and tunnel mode. In \r | |
204 | /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; \r | |
205 | /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r | |
206 | ///\r | |
207 | typedef enum {\r | |
208 | EfiIPsecTransport,\r | |
209 | EfiIPsecTunnel\r | |
210 | } EFI_IPSEC_MODE;\r | |
211 | \r | |
212 | ///\r | |
213 | /// EFI_IPSEC_TUNNEL_DF_OPTION\r | |
214 | /// The option of copying the DF bit from an outbound package to\r | |
215 | /// the tunnel mode header that it emits, when traffic is carried\r | |
216 | /// via a tunnel mode SA. This applies to SAs where both inner and\r | |
217 | /// outer headers are IPv4.\r | |
218 | ///\r | |
219 | typedef enum {\r | |
220 | EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r | |
221 | EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r | |
222 | EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r | |
223 | } EFI_IPSEC_TUNNEL_DF_OPTION;\r | |
224 | \r | |
225 | ///\r | |
226 | /// EFI_IPSEC_TUNNEL_OPTION\r | |
227 | ///\r | |
228 | typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r | |
229 | /// \r | |
230 | /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r | |
231 | /// \r | |
232 | EFI_IP_ADDRESS LocalTunnelAddress;\r | |
233 | /// \r | |
234 | /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r | |
235 | /// \r | |
236 | EFI_IP_ADDRESS RemoteTunnelAddress;\r | |
237 | /// \r | |
238 | /// The option of copying the DF bit from an outbound package\r | |
239 | /// to the tunnel mode header that it emits, when traffic is \r | |
240 | /// carried via a tunnel mode SA. \r | |
241 | /// \r | |
242 | EFI_IPSEC_TUNNEL_DF_OPTION DF;\r | |
243 | } EFI_IPSEC_TUNNEL_OPTION;\r | |
244 | \r | |
245 | ///\r | |
246 | /// EFI_IPSEC_PROTOCOL_TYPE\r | |
247 | ///\r | |
248 | typedef enum {\r | |
249 | EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r | |
250 | EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. \r | |
251 | } EFI_IPSEC_PROTOCOL_TYPE;\r | |
252 | \r | |
253 | ///\r | |
254 | /// EFI_IPSEC_PROCESS_POLICY\r | |
255 | /// describes a policy list for traffic processing.\r | |
256 | ///\r | |
257 | typedef struct _EFI_IPSEC_PROCESS_POLICY {\r | |
258 | /// \r | |
259 | /// Extended Sequence Number. Is this SA using extended sequence \r | |
260 | /// numbers. 64 bit counter is used if TRUE.\r | |
261 | /// \r | |
262 | BOOLEAN ExtSeqNum;\r | |
263 | /// \r | |
264 | /// A flag indicating whether overflow of the sequence number \r | |
265 | /// counter should generate an auditable event and prevent \r | |
266 | /// transmission of additional packets on the SA, or whether rollover \r | |
267 | /// is permitted.\r | |
268 | /// \r | |
269 | BOOLEAN SeqOverflow;\r | |
270 | /// \r | |
271 | /// Is this SA using stateful fragment checking. TRUE represents \r | |
272 | /// stateful fragment checking.\r | |
273 | /// \r | |
274 | BOOLEAN FragCheck;\r | |
275 | /// \r | |
276 | /// A time interval after which a SA must be replaced with a new SA \r | |
277 | /// (and new SPI) or terminated. \r | |
278 | /// \r | |
279 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r | |
280 | /// \r | |
281 | /// IPsec mode: tunnel or transport.\r | |
282 | /// \r | |
283 | EFI_IPSEC_MODE Mode;\r | |
284 | /// \r | |
285 | /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r | |
286 | /// \r | |
287 | EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r | |
288 | /// \r | |
289 | /// IPsec protocol: AH or ESP\r | |
290 | /// \r | |
291 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r | |
292 | /// \r | |
293 | /// Cryptographic algorithm type used for authentication.\r | |
294 | /// \r | |
295 | UINT8 AuthAlgoId;\r | |
296 | /// \r | |
297 | /// Cryptographic algorithm type used for encryption. EncAlgo is \r | |
298 | /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo \r | |
299 | /// can also be used to describe the algorithm if a combined mode \r | |
300 | /// algorithm is used.\r | |
301 | ///\r | |
302 | UINT8 EncAlgoId;\r | |
303 | } EFI_IPSEC_PROCESS_POLICY;\r | |
304 | \r | |
305 | ///\r | |
306 | /// IPsec Authentication Algorithm Definition\r | |
307 | /// The number value definition is aligned to IANA assignment\r | |
308 | ///\r | |
309 | #define EFI_IPSEC_AALG_NONE 0x00\r | |
310 | #define EFI_IPSEC_AALG_MD5HMAC 0x02\r | |
311 | #define EFI_IPSEC_AALG_SHA1HMAC 0x03\r | |
312 | #define EFI_IPSEC_AALG_SHA2_256HMAC 0x05\r | |
313 | #define EFI_IPSEC_AALG_SHA2_384HMAC 0x06\r | |
314 | #define EFI_IPSEC_AALG_SHA2_512HMAC 0x07\r | |
315 | #define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09\r | |
316 | #define EFI_IPSEC_AALG_NULL 0xFB\r | |
317 | \r | |
318 | ///\r | |
319 | /// IPsec Encryption Algorithm Definition\r | |
320 | /// The number value definition is aligned to IANA assignment\r | |
321 | ///\r | |
322 | #define EFI_IPSEC_EALG_NONE 0x00\r | |
323 | #define EFI_IPSEC_EALG_DESCBC 0x02\r | |
324 | #define EFI_IPSEC_EALG_3DESCBC 0x03\r | |
325 | #define EFI_IPSEC_EALG_CASTCBC 0x06\r | |
326 | #define EFI_IPSEC_EALG_BLOWFISHCBC 0x07\r | |
327 | #define EFI_IPSEC_EALG_NULL 0x0B\r | |
328 | #define EFI_IPSEC_EALG_AESCBC 0x0C\r | |
329 | #define EFI_IPSEC_EALG_AESCTR 0x0D\r | |
330 | #define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E\r | |
331 | #define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F\r | |
332 | #define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10\r | |
333 | #define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12\r | |
334 | #define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13\r | |
335 | #define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14\r | |
336 | \r | |
337 | ///\r | |
338 | /// EFI_IPSEC_SA_ID\r | |
339 | /// A triplet to identify an SA, consisting of the following members.\r | |
340 | ///\r | |
341 | typedef struct _EFI_IPSEC_SA_ID {\r | |
342 | /// \r | |
343 | /// Security Parameter Index (aka SPI). An arbitrary 32-bit value \r | |
344 | /// that is used by a receiver to identity the SA to which an incoming \r | |
345 | /// package should be bound.\r | |
346 | /// \r | |
347 | UINT32 Spi;\r | |
348 | /// \r | |
349 | /// IPsec protocol: AH or ESP\r | |
350 | /// \r | |
351 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r | |
352 | /// \r | |
353 | /// Destination IP address. \r | |
354 | /// \r | |
355 | EFI_IP_ADDRESS DestAddress;\r | |
356 | } EFI_IPSEC_SA_ID;\r | |
357 | \r | |
358 | \r | |
359 | #define MAX_PEERID_LEN 128\r | |
360 | \r | |
361 | ///\r | |
362 | /// EFI_IPSEC_SPD_DATA\r | |
363 | ///\r | |
364 | typedef struct _EFI_IPSEC_SPD_DATA {\r | |
365 | /// \r | |
366 | /// A null-terminated name string which is used as a symbolic \r | |
367 | /// identifier for an IPsec Local or Remote address.\r | |
368 | /// \r | |
369 | UINT8 Name[MAX_PEERID_LEN];\r | |
370 | /// \r | |
371 | /// Bit-mapped list describing Populate from Packet flags. When \r | |
372 | /// creating a SA, if PackageFlag bit is set to TRUE, instantiate \r | |
373 | /// the selector from the corresponding field in the package that \r | |
374 | /// triggered the creation of the SA, else from the value(s) in the \r | |
375 | /// corresponding SPD entry. The PackageFlag bit setting for \r | |
376 | /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r | |
377 | /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress \r | |
378 | /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress \r | |
379 | /// Bit 2: \r | |
380 | /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol \r | |
381 | /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort \r | |
382 | /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort \r | |
383 | /// Others: Reserved.\r | |
384 | ///\r | |
385 | UINT32 PackageFlag;\r | |
386 | /// \r | |
387 | /// The traffic direction of data gram.\r | |
388 | /// \r | |
389 | EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r | |
390 | /// \r | |
391 | /// Processing choices to indicate which action is required by this \r | |
392 | /// policy. \r | |
393 | /// \r | |
394 | EFI_IPSEC_ACTION Action;\r | |
395 | /// \r | |
396 | /// The policy and rule information for a SPD entry.\r | |
397 | /// \r | |
398 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r | |
399 | /// \r | |
400 | /// Specifies the actual number of entries in SaId list.\r | |
401 | /// \r | |
402 | UINTN SaIdCount;\r | |
403 | /// \r | |
404 | /// The SAD entry used for the traffic processing. The \r | |
405 | /// existed SAD entry links indicate this is the manual key case.\r | |
406 | /// \r | |
407 | EFI_IPSEC_SA_ID SaId[1];\r | |
408 | } EFI_IPSEC_SPD_DATA;\r | |
409 | \r | |
410 | ///\r | |
411 | /// EFI_IPSEC_AH_ALGO_INFO\r | |
412 | /// The security algorithm selection for IPsec AH authentication.\r | |
413 | /// The required authentication algorithm is specified in RFC 4305.\r | |
414 | ///\r | |
415 | typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r | |
416 | UINT8 AuthAlgoId;\r | |
417 | UINTN AuthKeyLength;\r | |
418 | VOID *AuthKey;\r | |
419 | } EFI_IPSEC_AH_ALGO_INFO;\r | |
420 | \r | |
421 | ///\r | |
422 | /// EFI_IPSEC_ESP_ALGO_INFO\r | |
423 | /// The security algorithm selection for IPsec ESP encryption and authentication.\r | |
424 | /// The required authentication algorithm is specified in RFC 4305. \r | |
425 | /// EncAlgoId fields can also specify an ESP combined mode algorithm \r | |
426 | /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both \r | |
427 | /// confidentiality and authentication services.\r | |
428 | ///\r | |
429 | typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r | |
430 | UINT8 EncAlgoId;\r | |
431 | UINTN EncKeyLength;\r | |
432 | VOID *EncKey;\r | |
433 | UINT8 AuthAlgoId;\r | |
434 | UINTN AuthKeyLength;\r | |
435 | VOID *AuthKey;\r | |
436 | } EFI_IPSEC_ESP_ALGO_INFO;\r | |
437 | \r | |
438 | ///\r | |
439 | /// EFI_IPSEC_ALGO_INFO\r | |
440 | ///\r | |
441 | typedef union {\r | |
442 | EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r | |
443 | EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r | |
444 | } EFI_IPSEC_ALGO_INFO;\r | |
445 | \r | |
446 | ///\r | |
447 | /// EFI_IPSEC_SA_DATA\r | |
448 | ///\r | |
449 | typedef struct _EFI_IPSEC_SA_DATA {\r | |
450 | /// \r | |
451 | /// IPsec mode: tunnel or transport.\r | |
452 | /// \r | |
453 | EFI_IPSEC_MODE Mode;\r | |
454 | /// \r | |
455 | /// Sequence Number Counter. A 64-bit counter used to generate the \r | |
456 | /// sequence number field in AH or ESP headers.\r | |
457 | /// \r | |
458 | UINT64 SNCount;\r | |
459 | /// \r | |
460 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to \r | |
461 | /// determine whether an inbound AH or ESP packet is a replay.\r | |
462 | /// \r | |
463 | UINT8 AntiReplayWindows;\r | |
464 | /// \r | |
465 | /// AH/ESP cryptographic algorithm, key and parameters. \r | |
466 | /// \r | |
467 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r | |
468 | /// \r | |
469 | /// Lifetime of this SA. \r | |
470 | /// \r | |
471 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r | |
472 | /// \r | |
473 | /// Any observed path MTU and aging variables. The Path MTU \r | |
474 | /// processing is defined in section 8 of RFC 4301.\r | |
475 | /// \r | |
476 | UINT32 PathMTU;\r | |
477 | /// \r | |
478 | /// Link to one SPD entry.\r | |
479 | /// \r | |
480 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r | |
481 | /// \r | |
3227f995 | 482 | /// Indication of whether it's manually set or negotiated automatically. \r |
fa05b97b | 483 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through \r |
484 | /// IKE protocol negotiation.\r | |
485 | ///\r | |
486 | BOOLEAN ManualSet;\r | |
487 | } EFI_IPSEC_SA_DATA;\r | |
488 | \r | |
489 | ///\r | |
490 | /// EFI_IPSEC_PAD_ID\r | |
491 | /// specifies the identifier for PAD entry, which is also used for SPD lookup.\r | |
492 | /// IpAddress Pointer to the IPv4 or IPv6 address range.\r | |
493 | ///\r | |
494 | typedef struct _EFI_IPSEC_PAD_ID {\r | |
495 | ///\r | |
496 | /// Flag to identify which type of PAD Id is used.\r | |
497 | /// \r | |
498 | BOOLEAN PeerIdValid; \r | |
499 | union {\r | |
500 | ///\r | |
501 | /// Pointer to the IPv4 or IPv6 address range.\r | |
502 | ///\r | |
503 | EFI_IP_ADDRESS_INFO IpAddress;\r | |
504 | ///\r | |
505 | /// Pointer to a null terminated string (8-bit ASCII character) \r | |
506 | /// representing the symbolic names. A PeerId can be a DNS \r | |
507 | /// name, Distinguished Name, RFC 822 email address or Key ID \r | |
508 | /// (specified in section 4.4.3.1 of RFC 4301)\r | |
509 | ///\r | |
510 | UINT8 PeerId[MAX_PEERID_LEN];\r | |
511 | } Id;\r | |
512 | } EFI_IPSEC_PAD_ID;\r | |
513 | \r | |
514 | ///\r | |
515 | /// EFI_IPSEC_CONFIG_SELECTOR\r | |
516 | /// describes the expected IPsec configuration data selector \r | |
517 | /// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r | |
518 | ///\r | |
519 | typedef union {\r | |
520 | EFI_IPSEC_SPD_SELECTOR SpdSelector;\r | |
521 | EFI_IPSEC_SA_ID SaId;\r | |
522 | EFI_IPSEC_PAD_ID PadId;\r | |
523 | } EFI_IPSEC_CONFIG_SELECTOR;\r | |
524 | \r | |
525 | ///\r | |
526 | /// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r | |
527 | /// defines the possible authentication protocol for IPsec \r | |
528 | /// security association management.\r | |
529 | ///\r | |
530 | typedef enum {\r | |
531 | EfiIPsecAuthProtocolIKEv1,\r | |
532 | EfiIPsecAuthProtocolIKEv2,\r | |
533 | EfiIPsecAuthProtocolMaximum\r | |
534 | } EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r | |
535 | \r | |
536 | ///\r | |
537 | /// EFI_IPSEC_AUTH_METHOD\r | |
538 | ///\r | |
539 | typedef enum {\r | |
540 | ///\r | |
541 | /// Using Pre-shared Keys for manual security associations.\r | |
542 | ///\r | |
543 | EfiIPsecAuthMethodPreSharedSecret,\r | |
544 | ///\r | |
545 | /// IKE employs X.509 certificates for SA establishment.\r | |
546 | ///\r | |
547 | EfiIPsecAuthMethodCertificates,\r | |
548 | EfiIPsecAuthMethodMaximum\r | |
549 | } EFI_IPSEC_AUTH_METHOD;\r | |
550 | \r | |
551 | ///\r | |
552 | /// EFI_IPSEC_PAD_DATA\r | |
553 | ///\r | |
554 | typedef struct _EFI_IPSEC_PAD_DATA {\r | |
555 | /// \r | |
556 | /// Authentication Protocol for IPsec security association management.\r | |
557 | /// \r | |
558 | EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r | |
559 | /// \r | |
560 | /// Authentication method used.\r | |
561 | /// \r | |
562 | EFI_IPSEC_AUTH_METHOD AuthMethod;\r | |
563 | /// \r | |
564 | /// The IKE ID payload will be used as a symbolic name for SPD \r | |
565 | /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP \r | |
566 | /// address provided in traffic selector playloads will be used.\r | |
567 | /// \r | |
568 | BOOLEAN IkeIdFlag;\r | |
569 | /// \r | |
570 | /// The size of Authentication data buffer, in bytes.\r | |
571 | /// \r | |
572 | UINTN AuthDataSize;\r | |
573 | /// \r | |
574 | /// Buffer for Authentication data, (e.g., the pre-shared secret or the \r | |
575 | /// trust anchor relative to which the peer's certificate will be \r | |
576 | /// validated).\r | |
577 | /// \r | |
578 | VOID *AuthData;\r | |
579 | /// \r | |
580 | /// The size of RevocationData, in bytes\r | |
581 | /// \r | |
582 | UINTN RevocationDataSize;\r | |
583 | /// \r | |
584 | /// Pointer to CRL or OCSP data, if certificates are used for \r | |
585 | /// authentication method.\r | |
586 | /// \r | |
587 | VOID *RevocationData;\r | |
588 | } EFI_IPSEC_PAD_DATA;\r | |
589 | \r | |
590 | \r | |
591 | /**\r | |
592 | Set the security association, security policy and peer authorization configuration\r | |
593 | information for the EFI IPsec driver. \r | |
594 | \r | |
595 | This function is used to set the IPsec configuration information of type DataType for\r | |
596 | the EFI IPsec driver.\r | |
597 | The IPsec configuration data has a unique selector/identifier separately to identify\r | |
3227f995 | 598 | a data entry. The selector structure depends on DataType's definition.\r |
fa05b97b | 599 | Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r |
600 | by DataType and Selector to be deleted. \r | |
601 | \r | |
602 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
603 | @param[in] DataType The type of data to be set.\r | |
604 | @param[in] Selector Pointer to an entry selector on operated configuration data \r | |
605 | specified by DataType. A NULL Selector causes the entire \r | |
606 | specified-type configuration information to be flushed.\r | |
607 | @param[in] Data The data buffer to be set. The structure of the data buffer is \r | |
608 | associated with the DataType.\r | |
609 | @param[in] InsertBefore Pointer to one entry selector which describes the expected\r | |
610 | position the new data entry will be added. If InsertBefore is NULL,\r | |
611 | the new entry will be appended the end of database.\r | |
612 | \r | |
613 | @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r | |
614 | @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r | |
615 | - This is NULL.\r | |
616 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
617 | @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r | |
618 | \r | |
619 | **/\r | |
620 | typedef\r | |
621 | EFI_STATUS\r | |
a1749b80 | 622 | (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(\r |
fa05b97b | 623 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
624 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
625 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
626 | IN VOID *Data,\r | |
627 | IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r | |
628 | );\r | |
629 | \r | |
630 | /**\r | |
631 | Return the configuration value for the EFI IPsec driver. \r | |
632 | \r | |
633 | This function lookup the data entry from IPsec database or IKEv2 configuration\r | |
634 | information. The expected data type and unique identification are described in\r | |
635 | DataType and Selector parameters. \r | |
636 | \r | |
637 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
638 | @param[in] DataType The type of data to retrieve.\r | |
639 | @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec \r | |
640 | configuration data entry.\r | |
641 | @param[in, out] DataSize On output the size of data returned in Data.\r | |
642 | @param[out] Data The buffer to return the contents of the IPsec configuration data. \r | |
643 | The type of the data buffer is associated with the DataType. \r | |
644 | \r | |
645 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r | |
646 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
647 | - This is NULL.\r | |
648 | - Selector is NULL.\r | |
649 | - DataSize is NULL.\r | |
650 | - Data is NULL and *DataSize is not zero\r | |
651 | @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r | |
652 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
653 | @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r | |
654 | updated with the size needed to complete the request.\r | |
655 | \r | |
656 | **/\r | |
657 | typedef\r | |
658 | EFI_STATUS\r | |
a1749b80 | 659 | (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(\r |
fa05b97b | 660 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
661 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
662 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
663 | IN OUT UINTN *DataSize,\r | |
664 | OUT VOID *Data\r | |
665 | );\r | |
666 | \r | |
667 | /**\r | |
668 | Enumerates the current selector for IPsec configuration data entry. \r | |
669 | \r | |
670 | This function is called multiple times to retrieve the entry Selector in IPsec\r | |
671 | configuration database. On each call to GetNextSelector(), the next entry \r | |
672 | Selector are retrieved into the output interface.\r | |
673 | \r | |
674 | If the entire IPsec configuration database has been iterated, the error \r | |
675 | EFI_NOT_FOUND is returned.\r | |
676 | If the Selector buffer is too small for the next Selector copy, an \r | |
677 | EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect \r | |
678 | the size of buffer needed.\r | |
679 | \r | |
680 | On the initial call to GetNextSelector() to start the IPsec configuration database\r | |
681 | search, a pointer to the buffer with all zero value is passed in Selector. Calls \r | |
682 | to SetData() between calls to GetNextSelector may produce unpredictable results. \r | |
683 | \r | |
684 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
685 | @param[in] DataType The type of IPsec configuration data to retrieve.\r | |
686 | @param[in, out] SelectorSize The size of the Selector buffer.\r | |
687 | @param[in, out] Selector On input, supplies the pointer to last Selector that was \r | |
688 | returned by GetNextSelector().\r | |
689 | On output, returns one copy of the current entry Selector\r | |
690 | of a given DataType. \r | |
691 | \r | |
692 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r | |
693 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
694 | - This is NULL.\r | |
695 | - SelectorSize is NULL.\r | |
696 | - Selector is NULL.\r | |
697 | @retval EFI_NOT_FOUND The next configuration data entry was not found.\r | |
698 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
699 | @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r | |
700 | has been updated with the size needed to complete the search \r | |
701 | request.\r | |
702 | \r | |
703 | **/\r | |
704 | typedef\r | |
705 | EFI_STATUS\r | |
a1749b80 | 706 | (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(\r |
fa05b97b | 707 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
708 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
709 | IN OUT UINTN *SelectorSize,\r | |
710 | IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r | |
711 | );\r | |
712 | \r | |
713 | /**\r | |
714 | Register an event that is to be signaled whenever a configuration process on the\r | |
715 | specified IPsec configuration information is done. \r | |
716 | \r | |
717 | This function registers an event that is to be signaled whenever a configuration\r | |
718 | process on the specified IPsec configuration data is done (e.g. IPsec security \r | |
719 | policy database configuration is ready). An event can be registered for different\r | |
720 | DataType simultaneously and the caller is responsible for determining which type \r | |
721 | of configuration data causes the signaling of the event in such case. \r | |
722 | \r | |
723 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
724 | @param[in] DataType The type of data to be registered the event for.\r | |
725 | @param[in] Event The event to be registered.\r | |
726 | \r | |
727 | @retval EFI_SUCCESS The event is registered successfully.\r | |
728 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
729 | @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r | |
730 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
731 | DataType is not supported.\r | |
732 | \r | |
733 | **/\r | |
734 | typedef\r | |
735 | EFI_STATUS\r | |
a1749b80 | 736 | (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(\r |
fa05b97b | 737 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
738 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
739 | IN EFI_EVENT Event\r | |
740 | );\r | |
741 | \r | |
742 | /**\r | |
743 | Remove the specified event that is previously registered on the specified IPsec\r | |
744 | configuration data. \r | |
745 | \r | |
746 | This function removes a previously registered event for the specified configuration data. \r | |
747 | \r | |
748 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
749 | @param[in] DataType The configuration data type to remove the registered event for.\r | |
750 | @param[in] Event The event to be unregistered.\r | |
751 | \r | |
752 | @retval EFI_SUCCESS The event is removed successfully.\r | |
753 | @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the \r | |
754 | database.\r | |
755 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
756 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
757 | DataType is not supported.\r | |
758 | \r | |
759 | **/\r | |
760 | typedef\r | |
761 | EFI_STATUS\r | |
a1749b80 | 762 | (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(\r |
fa05b97b | 763 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
764 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
765 | IN EFI_EVENT Event\r | |
766 | );\r | |
767 | \r | |
768 | ///\r | |
769 | /// EFI_IPSEC_CONFIG_PROTOCOL\r | |
770 | /// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r | |
771 | /// SPD (Security Policy Database) data entry and configure the security association \r | |
772 | /// management protocol such as IKEv2. This protocol is used as the central \r | |
773 | /// repository of any policy-specific configuration for EFI IPsec driver.\r | |
774 | /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this \r | |
775 | /// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r | |
776 | /// \r | |
777 | struct _EFI_IPSEC_CONFIG_PROTOCOL {\r | |
778 | EFI_IPSEC_CONFIG_SET_DATA SetData;\r | |
779 | EFI_IPSEC_CONFIG_GET_DATA GetData;\r | |
780 | EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r | |
781 | EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r | |
782 | EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r | |
783 | };\r | |
784 | \r | |
785 | extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r | |
786 | \r | |
787 | #endif\r |