]>
Commit | Line | Data |
---|---|---|
fa05b97b | 1 | /** @file\r |
2 | EFI IPsec Configuration Protocol Definition\r | |
9095d37b | 3 | The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and\r |
fa05b97b | 4 | policy related information for the EFI IPsec protocol driver.\r |
5 | \r | |
9095d37b | 6 | Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r |
9df063a0 | 7 | This program and the accompanying materials\r |
fa05b97b | 8 | are licensed and made available under the terms and conditions of the BSD License\r |
9 | which accompanies this distribution. The full text of the license may be found at\r | |
10 | http://opensource.org/licenses/bsd-license.php\r | |
11 | \r | |
12 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
13 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
14 | \r | |
9095d37b | 15 | @par Revision Reference:\r |
fa05b97b | 16 | This Protocol is introduced in UEFI Specification 2.2\r |
17 | \r | |
18 | **/\r | |
19 | \r | |
20 | #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
21 | #define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r | |
22 | \r | |
23 | \r | |
24 | #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r | |
25 | { \\r | |
3393e291 | 26 | 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r |
fa05b97b | 27 | }\r |
28 | \r | |
29 | typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r | |
30 | \r | |
31 | ///\r | |
32 | /// EFI_IPSEC_CONFIG_DATA_TYPE\r | |
33 | ///\r | |
34 | typedef enum {\r | |
9095d37b LG |
35 | ///\r |
36 | /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,\r | |
37 | /// an essential element of Security Association (SA) processing is\r | |
38 | /// underlying SPD that specifies what services are to be offered to\r | |
39 | /// IP datagram and in what fashion. The SPD must be consulted\r | |
40 | /// during the processing of all traffic (inbound and outbound),\r | |
41 | /// including traffic not protected by IPsec, that traverses the IPsec\r | |
42 | /// boundary. With this DataType, SetData() function is to set\r | |
43 | /// the SPD entry information, which may add one new entry, delete\r | |
44 | /// one existed entry or flush the whole database according to the\r | |
45 | /// parameter values. The corresponding Data is of type\r | |
fa05b97b | 46 | /// EFI_IPSEC_SPD_DATA\r |
9095d37b | 47 | ///\r |
fa05b97b | 48 | IPsecConfigDataTypeSpd,\r |
9095d37b LG |
49 | ///\r |
50 | /// The IPsec Security Association Database (aka SAD) setting. A\r | |
51 | /// SA is a simplex connection that affords security services to the\r | |
52 | /// traffic carried by it. Security services are afforded to an SA by the\r | |
53 | /// use of AH, or ESP, but not both. The corresponding Data is of\r | |
fa05b97b | 54 | /// type EFI_IPSEC_SAD_DATA.\r |
9095d37b | 55 | ///\r |
fa05b97b | 56 | IPsecConfigDataTypeSad,\r |
9095d37b LG |
57 | ///\r |
58 | /// The IPsec Peer Authorization Database (aka PAD) setting, which\r | |
59 | /// provides the link between the SPD and a security association\r | |
60 | /// management protocol. The PAD entry specifies the\r | |
61 | /// authentication protocol (e.g. IKEv1, IKEv2) method used and the\r | |
62 | /// authentication data. The corresponding Data is of type\r | |
fa05b97b | 63 | /// EFI_IPSEC_PAD_DATA.\r |
64 | ///\r | |
65 | IPsecConfigDataTypePad,\r | |
66 | IPsecConfigDataTypeMaximum\r | |
67 | } EFI_IPSEC_CONFIG_DATA_TYPE;\r | |
68 | \r | |
69 | ///\r | |
70 | /// EFI_IP_ADDRESS_INFO\r | |
71 | ///\r | |
72 | typedef struct _EFI_IP_ADDRESS_INFO {\r | |
73 | EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r | |
74 | UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r | |
75 | } EFI_IP_ADDRESS_INFO;\r | |
76 | \r | |
77 | \r | |
78 | ///\r | |
79 | /// EFI_IPSEC_SPD_SELECTOR\r | |
80 | ///\r | |
81 | typedef struct _EFI_IPSEC_SPD_SELECTOR {\r | |
9095d37b | 82 | ///\r |
fa05b97b | 83 | /// Specifies the actual number of entries in LocalAddress.\r |
9095d37b | 84 | ///\r |
fa05b97b | 85 | UINT32 LocalAddressCount;\r |
9095d37b LG |
86 | ///\r |
87 | /// A list of ranges of IPv4 or IPv6 addresses, which refers to the\r | |
fa05b97b | 88 | /// addresses being protected by IPsec policy.\r |
9095d37b | 89 | ///\r |
fa05b97b | 90 | EFI_IP_ADDRESS_INFO *LocalAddress;\r |
9095d37b | 91 | ///\r |
fa05b97b | 92 | /// Specifies the actual number of entries in RemoteAddress.\r |
9095d37b | 93 | ///\r |
fa05b97b | 94 | UINT32 RemoteAddressCount;\r |
9095d37b LG |
95 | ///\r |
96 | /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities\r | |
97 | /// to LocalAddress.\r | |
98 | ///\r | |
fa05b97b | 99 | EFI_IP_ADDRESS_INFO *RemoteAddress;\r |
9095d37b LG |
100 | ///\r |
101 | /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6\r | |
102 | /// Next Header fields. The next layer protocol is whatever comes\r | |
103 | /// after any IP extension headers that are present. A zero value is a\r | |
fa05b97b | 104 | /// wildcard that matches any value in NextLayerProtocol field.\r |
9095d37b LG |
105 | ///\r |
106 | UINT16 NextLayerProtocol;\r | |
107 | ///\r | |
108 | /// Local Port if the Next Layer Protocol uses two ports (as do TCP,\r | |
109 | /// UDP, and others). A zero value is a wildcard that matches any\r | |
fa05b97b | 110 | /// value in LocalPort field.\r |
9095d37b | 111 | ///\r |
fa05b97b | 112 | UINT16 LocalPort;\r |
9095d37b LG |
113 | ///\r |
114 | /// A designed port range size. The start port is LocalPort, and\r | |
115 | /// the total number of ports is described by LocalPortRange.\r | |
116 | /// This field is ignored if NextLayerProtocol does not use\r | |
117 | /// ports.\r | |
118 | ///\r | |
fa05b97b | 119 | UINT16 LocalPortRange;\r |
9095d37b LG |
120 | ///\r |
121 | /// Remote Port if the Next Layer Protocol uses two ports. A zero\r | |
fa05b97b | 122 | /// value is a wildcard that matches any value in RemotePort field.\r |
9095d37b | 123 | ///\r |
fa05b97b | 124 | UINT16 RemotePort;\r |
9095d37b LG |
125 | ///\r |
126 | /// A designed port range size. The start port is RemotePort, and\r | |
127 | /// the total number of ports is described by RemotePortRange.\r | |
fa05b97b | 128 | /// This field is ignored if NextLayerProtocol does not use ports.\r |
9095d37b | 129 | ///\r |
fa05b97b | 130 | UINT16 RemotePortRange;\r |
131 | } EFI_IPSEC_SPD_SELECTOR;\r | |
9095d37b | 132 | \r |
fa05b97b | 133 | ///\r |
134 | /// EFI_IPSEC_TRAFFIC_DIR\r | |
135 | /// represents the directionality in an SPD entry.\r | |
136 | ///\r | |
137 | typedef enum {\r | |
138 | ///\r | |
9095d37b | 139 | /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via\r |
fa05b97b | 140 | /// the unprotected interface or emitted by the implementation on the unprotected\r |
9095d37b | 141 | /// side of the boundary and directed towards the protected interface.\r |
fa05b97b | 142 | ///\r |
143 | EfiIPsecInBound,\r | |
144 | ///\r | |
9095d37b | 145 | /// The EfiIPsecOutBound refers to traffic entering the implementation via\r |
fa05b97b | 146 | /// the protected interface, or emitted by the implementation on the protected side\r |
147 | /// of the boundary and directed toward the unprotected interface.\r | |
148 | ///\r | |
149 | EfiIPsecOutBound\r | |
150 | } EFI_IPSEC_TRAFFIC_DIR;\r | |
151 | \r | |
152 | ///\r | |
153 | /// EFI_IPSEC_ACTION\r | |
154 | /// represents three possible processing choices.\r | |
155 | ///\r | |
156 | typedef enum {\r | |
9095d37b | 157 | ///\r |
fa05b97b | 158 | /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r |
9095d37b | 159 | ///\r |
fa05b97b | 160 | EfiIPsecActionDiscard,\r |
9095d37b LG |
161 | ///\r |
162 | /// Refers to traffic that is allowed to cross the IPsec boundary\r | |
fa05b97b | 163 | /// without protection.\r |
9095d37b | 164 | ///\r |
fa05b97b | 165 | EfiIPsecActionBypass,\r |
9095d37b LG |
166 | ///\r |
167 | /// Refers to traffic that is afforded IPsec protection, and for such\r | |
168 | /// traffic the SPD must specify the security protocols to be\r | |
169 | /// employed, their mode, security service options, and the\r | |
170 | /// cryptographic algorithms to be used.\r | |
fa05b97b | 171 | ///\r |
172 | EfiIPsecActionProtect\r | |
173 | } EFI_IPSEC_ACTION;\r | |
174 | \r | |
175 | ///\r | |
176 | /// EFI_IPSEC_SA_LIFETIME\r | |
9095d37b LG |
177 | /// defines the lifetime of an SA, which represents when a SA must be\r |
178 | /// replaced or terminated. A value of all 0 for each field removes\r | |
fa05b97b | 179 | /// the limitation of a SA lifetime.\r |
180 | ///\r | |
181 | typedef struct _EFI_IPSEC_SA_LIFETIME {\r | |
9095d37b | 182 | ///\r |
fa05b97b | 183 | /// The number of bytes to which the IPsec cryptographic algorithm\r |
184 | /// can be applied. For ESP, this is the encryption algorithm and for\r | |
9095d37b | 185 | /// AH, this is the authentication algorithm. The ByteCount\r |
fa05b97b | 186 | /// includes pad bytes for cryptographic operations.\r |
9095d37b | 187 | ///\r |
fa05b97b | 188 | UINT64 ByteCount;\r |
9095d37b LG |
189 | ///\r |
190 | /// A time interval in second that warns the implementation to\r | |
fa05b97b | 191 | /// initiate action such as setting up a replacement SA.\r |
9095d37b | 192 | ///\r |
fa05b97b | 193 | UINT64 SoftLifetime;\r |
9095d37b LG |
194 | ///\r |
195 | /// A time interval in second when the current SA ends and is\r | |
fa05b97b | 196 | /// destroyed.\r |
9095d37b | 197 | ///\r |
fa05b97b | 198 | UINT64 HardLifetime;\r |
199 | } EFI_IPSEC_SA_LIFETIME;\r | |
200 | \r | |
201 | ///\r | |
202 | /// EFI_IPSEC_MODE\r | |
9095d37b LG |
203 | /// There are two modes of IPsec operation: transport mode and tunnel mode. In\r |
204 | /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;\r | |
fa05b97b | 205 | /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r |
206 | ///\r | |
207 | typedef enum {\r | |
208 | EfiIPsecTransport,\r | |
209 | EfiIPsecTunnel\r | |
210 | } EFI_IPSEC_MODE;\r | |
211 | \r | |
212 | ///\r | |
213 | /// EFI_IPSEC_TUNNEL_DF_OPTION\r | |
214 | /// The option of copying the DF bit from an outbound package to\r | |
215 | /// the tunnel mode header that it emits, when traffic is carried\r | |
216 | /// via a tunnel mode SA. This applies to SAs where both inner and\r | |
217 | /// outer headers are IPv4.\r | |
218 | ///\r | |
219 | typedef enum {\r | |
220 | EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r | |
221 | EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r | |
222 | EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r | |
223 | } EFI_IPSEC_TUNNEL_DF_OPTION;\r | |
224 | \r | |
225 | ///\r | |
226 | /// EFI_IPSEC_TUNNEL_OPTION\r | |
227 | ///\r | |
228 | typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r | |
9095d37b | 229 | ///\r |
fa05b97b | 230 | /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r |
9095d37b | 231 | ///\r |
fa05b97b | 232 | EFI_IP_ADDRESS LocalTunnelAddress;\r |
9095d37b | 233 | ///\r |
fa05b97b | 234 | /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r |
9095d37b | 235 | ///\r |
fa05b97b | 236 | EFI_IP_ADDRESS RemoteTunnelAddress;\r |
9095d37b | 237 | ///\r |
fa05b97b | 238 | /// The option of copying the DF bit from an outbound package\r |
9095d37b LG |
239 | /// to the tunnel mode header that it emits, when traffic is\r |
240 | /// carried via a tunnel mode SA.\r | |
241 | ///\r | |
fa05b97b | 242 | EFI_IPSEC_TUNNEL_DF_OPTION DF;\r |
243 | } EFI_IPSEC_TUNNEL_OPTION;\r | |
244 | \r | |
245 | ///\r | |
246 | /// EFI_IPSEC_PROTOCOL_TYPE\r | |
247 | ///\r | |
248 | typedef enum {\r | |
249 | EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r | |
9095d37b | 250 | EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303.\r |
fa05b97b | 251 | } EFI_IPSEC_PROTOCOL_TYPE;\r |
252 | \r | |
253 | ///\r | |
254 | /// EFI_IPSEC_PROCESS_POLICY\r | |
255 | /// describes a policy list for traffic processing.\r | |
256 | ///\r | |
257 | typedef struct _EFI_IPSEC_PROCESS_POLICY {\r | |
9095d37b LG |
258 | ///\r |
259 | /// Extended Sequence Number. Is this SA using extended sequence\r | |
fa05b97b | 260 | /// numbers. 64 bit counter is used if TRUE.\r |
9095d37b | 261 | ///\r |
fa05b97b | 262 | BOOLEAN ExtSeqNum;\r |
9095d37b LG |
263 | ///\r |
264 | /// A flag indicating whether overflow of the sequence number\r | |
265 | /// counter should generate an auditable event and prevent\r | |
266 | /// transmission of additional packets on the SA, or whether rollover\r | |
fa05b97b | 267 | /// is permitted.\r |
9095d37b | 268 | ///\r |
fa05b97b | 269 | BOOLEAN SeqOverflow;\r |
9095d37b LG |
270 | ///\r |
271 | /// Is this SA using stateful fragment checking. TRUE represents\r | |
fa05b97b | 272 | /// stateful fragment checking.\r |
9095d37b | 273 | ///\r |
fa05b97b | 274 | BOOLEAN FragCheck;\r |
9095d37b LG |
275 | ///\r |
276 | /// A time interval after which a SA must be replaced with a new SA\r | |
277 | /// (and new SPI) or terminated.\r | |
278 | ///\r | |
fa05b97b | 279 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
9095d37b | 280 | ///\r |
fa05b97b | 281 | /// IPsec mode: tunnel or transport.\r |
9095d37b | 282 | ///\r |
fa05b97b | 283 | EFI_IPSEC_MODE Mode;\r |
9095d37b | 284 | ///\r |
fa05b97b | 285 | /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r |
9095d37b | 286 | ///\r |
fa05b97b | 287 | EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r |
9095d37b | 288 | ///\r |
fa05b97b | 289 | /// IPsec protocol: AH or ESP\r |
9095d37b | 290 | ///\r |
fa05b97b | 291 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
9095d37b | 292 | ///\r |
fa05b97b | 293 | /// Cryptographic algorithm type used for authentication.\r |
9095d37b | 294 | ///\r |
fa05b97b | 295 | UINT8 AuthAlgoId;\r |
9095d37b LG |
296 | ///\r |
297 | /// Cryptographic algorithm type used for encryption. EncAlgo is\r | |
298 | /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo\r | |
299 | /// can also be used to describe the algorithm if a combined mode\r | |
fa05b97b | 300 | /// algorithm is used.\r |
301 | ///\r | |
302 | UINT8 EncAlgoId;\r | |
303 | } EFI_IPSEC_PROCESS_POLICY;\r | |
304 | \r | |
fa05b97b | 305 | ///\r |
306 | /// EFI_IPSEC_SA_ID\r | |
307 | /// A triplet to identify an SA, consisting of the following members.\r | |
308 | ///\r | |
309 | typedef struct _EFI_IPSEC_SA_ID {\r | |
9095d37b LG |
310 | ///\r |
311 | /// Security Parameter Index (aka SPI). An arbitrary 32-bit value\r | |
312 | /// that is used by a receiver to identity the SA to which an incoming\r | |
fa05b97b | 313 | /// package should be bound.\r |
9095d37b | 314 | ///\r |
fa05b97b | 315 | UINT32 Spi;\r |
9095d37b | 316 | ///\r |
fa05b97b | 317 | /// IPsec protocol: AH or ESP\r |
9095d37b | 318 | ///\r |
fa05b97b | 319 | EFI_IPSEC_PROTOCOL_TYPE Proto;\r |
9095d37b LG |
320 | ///\r |
321 | /// Destination IP address.\r | |
322 | ///\r | |
fa05b97b | 323 | EFI_IP_ADDRESS DestAddress;\r |
324 | } EFI_IPSEC_SA_ID;\r | |
325 | \r | |
326 | \r | |
327 | #define MAX_PEERID_LEN 128\r | |
328 | \r | |
329 | ///\r | |
330 | /// EFI_IPSEC_SPD_DATA\r | |
331 | ///\r | |
332 | typedef struct _EFI_IPSEC_SPD_DATA {\r | |
9095d37b LG |
333 | ///\r |
334 | /// A null-terminated ASCII name string which is used as a symbolic\r | |
fa05b97b | 335 | /// identifier for an IPsec Local or Remote address.\r |
9095d37b | 336 | ///\r |
fa05b97b | 337 | UINT8 Name[MAX_PEERID_LEN];\r |
9095d37b LG |
338 | ///\r |
339 | /// Bit-mapped list describing Populate from Packet flags. When\r | |
340 | /// creating a SA, if PackageFlag bit is set to TRUE, instantiate\r | |
341 | /// the selector from the corresponding field in the package that\r | |
342 | /// triggered the creation of the SA, else from the value(s) in the\r | |
343 | /// corresponding SPD entry. The PackageFlag bit setting for\r | |
fa05b97b | 344 | /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r |
9095d37b LG |
345 | /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress\r |
346 | /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress\r | |
347 | /// Bit 2:\r | |
348 | /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol\r | |
349 | /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort\r | |
350 | /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort\r | |
fa05b97b | 351 | /// Others: Reserved.\r |
352 | ///\r | |
353 | UINT32 PackageFlag;\r | |
9095d37b | 354 | ///\r |
fa05b97b | 355 | /// The traffic direction of data gram.\r |
9095d37b | 356 | ///\r |
fa05b97b | 357 | EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r |
9095d37b LG |
358 | ///\r |
359 | /// Processing choices to indicate which action is required by this\r | |
360 | /// policy.\r | |
361 | ///\r | |
fa05b97b | 362 | EFI_IPSEC_ACTION Action;\r |
9095d37b | 363 | ///\r |
fa05b97b | 364 | /// The policy and rule information for a SPD entry.\r |
9095d37b | 365 | ///\r |
fa05b97b | 366 | EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r |
9095d37b | 367 | ///\r |
fa05b97b | 368 | /// Specifies the actual number of entries in SaId list.\r |
9095d37b | 369 | ///\r |
fa05b97b | 370 | UINTN SaIdCount;\r |
9095d37b LG |
371 | ///\r |
372 | /// The SAD entry used for the traffic processing. The\r | |
fa05b97b | 373 | /// existed SAD entry links indicate this is the manual key case.\r |
9095d37b | 374 | ///\r |
fa05b97b | 375 | EFI_IPSEC_SA_ID SaId[1];\r |
376 | } EFI_IPSEC_SPD_DATA;\r | |
377 | \r | |
378 | ///\r | |
379 | /// EFI_IPSEC_AH_ALGO_INFO\r | |
380 | /// The security algorithm selection for IPsec AH authentication.\r | |
381 | /// The required authentication algorithm is specified in RFC 4305.\r | |
382 | ///\r | |
383 | typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r | |
384 | UINT8 AuthAlgoId;\r | |
385 | UINTN AuthKeyLength;\r | |
386 | VOID *AuthKey;\r | |
387 | } EFI_IPSEC_AH_ALGO_INFO;\r | |
388 | \r | |
389 | ///\r | |
390 | /// EFI_IPSEC_ESP_ALGO_INFO\r | |
391 | /// The security algorithm selection for IPsec ESP encryption and authentication.\r | |
9095d37b LG |
392 | /// The required authentication algorithm is specified in RFC 4305.\r |
393 | /// EncAlgoId fields can also specify an ESP combined mode algorithm\r | |
394 | /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both\r | |
fa05b97b | 395 | /// confidentiality and authentication services.\r |
396 | ///\r | |
397 | typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r | |
398 | UINT8 EncAlgoId;\r | |
399 | UINTN EncKeyLength;\r | |
400 | VOID *EncKey;\r | |
401 | UINT8 AuthAlgoId;\r | |
402 | UINTN AuthKeyLength;\r | |
403 | VOID *AuthKey;\r | |
404 | } EFI_IPSEC_ESP_ALGO_INFO;\r | |
405 | \r | |
406 | ///\r | |
407 | /// EFI_IPSEC_ALGO_INFO\r | |
408 | ///\r | |
409 | typedef union {\r | |
410 | EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r | |
411 | EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r | |
412 | } EFI_IPSEC_ALGO_INFO;\r | |
413 | \r | |
414 | ///\r | |
415 | /// EFI_IPSEC_SA_DATA\r | |
416 | ///\r | |
417 | typedef struct _EFI_IPSEC_SA_DATA {\r | |
9095d37b | 418 | ///\r |
fa05b97b | 419 | /// IPsec mode: tunnel or transport.\r |
9095d37b | 420 | ///\r |
fa05b97b | 421 | EFI_IPSEC_MODE Mode;\r |
9095d37b LG |
422 | ///\r |
423 | /// Sequence Number Counter. A 64-bit counter used to generate the\r | |
fa05b97b | 424 | /// sequence number field in AH or ESP headers.\r |
9095d37b | 425 | ///\r |
fa05b97b | 426 | UINT64 SNCount;\r |
9095d37b LG |
427 | ///\r |
428 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to\r | |
fa05b97b | 429 | /// determine whether an inbound AH or ESP packet is a replay.\r |
9095d37b | 430 | ///\r |
fa05b97b | 431 | UINT8 AntiReplayWindows;\r |
9095d37b LG |
432 | ///\r |
433 | /// AH/ESP cryptographic algorithm, key and parameters.\r | |
434 | ///\r | |
fa05b97b | 435 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r |
9095d37b LG |
436 | ///\r |
437 | /// Lifetime of this SA.\r | |
438 | ///\r | |
fa05b97b | 439 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
9095d37b LG |
440 | ///\r |
441 | /// Any observed path MTU and aging variables. The Path MTU\r | |
fa05b97b | 442 | /// processing is defined in section 8 of RFC 4301.\r |
9095d37b | 443 | ///\r |
fa05b97b | 444 | UINT32 PathMTU;\r |
9095d37b | 445 | ///\r |
fa05b97b | 446 | /// Link to one SPD entry.\r |
9095d37b | 447 | ///\r |
fa05b97b | 448 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r |
9095d37b LG |
449 | ///\r |
450 | /// Indication of whether it's manually set or negotiated automatically.\r | |
451 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through\r | |
fa05b97b | 452 | /// IKE protocol negotiation.\r |
453 | ///\r | |
454 | BOOLEAN ManualSet;\r | |
455 | } EFI_IPSEC_SA_DATA;\r | |
456 | \r | |
705f53a9 | 457 | ///\r |
458 | /// EFI_IPSEC_SA_DATA2\r | |
459 | ///\r | |
9095d37b | 460 | typedef struct _EFI_IPSEC_SA_DATA2 {\r |
705f53a9 | 461 | ///\r |
462 | /// IPsec mode: tunnel or transport\r | |
463 | ///\r | |
9095d37b | 464 | EFI_IPSEC_MODE Mode;\r |
705f53a9 | 465 | ///\r |
9095d37b LG |
466 | /// Sequence Number Counter. A 64-bit counter used to generate the sequence\r |
467 | /// number field in AH or ESP headers.\r | |
705f53a9 | 468 | ///\r |
9095d37b | 469 | UINT64 SNCount;\r |
705f53a9 | 470 | ///\r |
9095d37b | 471 | /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine\r |
705f53a9 | 472 | /// whether an inbound AH or ESP packet is a replay.\r |
473 | ///\r | |
9095d37b | 474 | UINT8 AntiReplayWindows;\r |
705f53a9 | 475 | ///\r |
476 | /// AH/ESP cryptographic algorithm, key and parameters.\r | |
477 | ///\r | |
9095d37b | 478 | EFI_IPSEC_ALGO_INFO AlgoInfo;\r |
705f53a9 | 479 | ///\r |
480 | /// Lifetime of this SA.\r | |
481 | ///\r | |
9095d37b | 482 | EFI_IPSEC_SA_LIFETIME SaLifetime;\r |
705f53a9 | 483 | ///\r |
9095d37b | 484 | /// Any observed path MTU and aging variables. The Path MTU processing is\r |
705f53a9 | 485 | /// defined in section 8 of RFC 4301.\r |
486 | ///\r | |
9095d37b | 487 | UINT32 PathMTU;\r |
705f53a9 | 488 | ///\r |
489 | /// Link to one SPD entry\r | |
490 | ///\r | |
9095d37b | 491 | EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r |
705f53a9 | 492 | ///\r |
9095d37b LG |
493 | /// Indication of whether it's manually set or negotiated automatically.\r |
494 | /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE\r | |
705f53a9 | 495 | /// protocol negotiation\r |
496 | ///\r | |
497 | BOOLEAN ManualSet;\r | |
498 | ///\r | |
499 | /// The tunnel header IP source address.\r | |
500 | ///\r | |
501 | EFI_IP_ADDRESS TunnelSourceAddress;\r | |
502 | ///\r | |
503 | /// The tunnel header IP destination address.\r | |
504 | ///\r | |
505 | EFI_IP_ADDRESS TunnelDestinationAddress;\r | |
9095d37b | 506 | } EFI_IPSEC_SA_DATA2;\r |
705f53a9 | 507 | \r |
508 | \r | |
fa05b97b | 509 | ///\r |
510 | /// EFI_IPSEC_PAD_ID\r | |
511 | /// specifies the identifier for PAD entry, which is also used for SPD lookup.\r | |
512 | /// IpAddress Pointer to the IPv4 or IPv6 address range.\r | |
513 | ///\r | |
514 | typedef struct _EFI_IPSEC_PAD_ID {\r | |
515 | ///\r | |
516 | /// Flag to identify which type of PAD Id is used.\r | |
9095d37b LG |
517 | ///\r |
518 | BOOLEAN PeerIdValid;\r | |
fa05b97b | 519 | union {\r |
520 | ///\r | |
521 | /// Pointer to the IPv4 or IPv6 address range.\r | |
522 | ///\r | |
523 | EFI_IP_ADDRESS_INFO IpAddress;\r | |
524 | ///\r | |
4f077902 | 525 | /// Pointer to a null terminated ASCII string\r |
9095d37b LG |
526 | /// representing the symbolic names. A PeerId can be a DNS\r |
527 | /// name, Distinguished Name, RFC 822 email address or Key ID\r | |
fa05b97b | 528 | /// (specified in section 4.4.3.1 of RFC 4301)\r |
529 | ///\r | |
530 | UINT8 PeerId[MAX_PEERID_LEN];\r | |
531 | } Id;\r | |
532 | } EFI_IPSEC_PAD_ID;\r | |
533 | \r | |
534 | ///\r | |
535 | /// EFI_IPSEC_CONFIG_SELECTOR\r | |
9095d37b | 536 | /// describes the expected IPsec configuration data selector\r |
fa05b97b | 537 | /// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r |
538 | ///\r | |
539 | typedef union {\r | |
540 | EFI_IPSEC_SPD_SELECTOR SpdSelector;\r | |
541 | EFI_IPSEC_SA_ID SaId;\r | |
542 | EFI_IPSEC_PAD_ID PadId;\r | |
543 | } EFI_IPSEC_CONFIG_SELECTOR;\r | |
544 | \r | |
545 | ///\r | |
546 | /// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r | |
9095d37b | 547 | /// defines the possible authentication protocol for IPsec\r |
fa05b97b | 548 | /// security association management.\r |
549 | ///\r | |
550 | typedef enum {\r | |
551 | EfiIPsecAuthProtocolIKEv1,\r | |
552 | EfiIPsecAuthProtocolIKEv2,\r | |
553 | EfiIPsecAuthProtocolMaximum\r | |
554 | } EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r | |
555 | \r | |
556 | ///\r | |
557 | /// EFI_IPSEC_AUTH_METHOD\r | |
558 | ///\r | |
559 | typedef enum {\r | |
560 | ///\r | |
561 | /// Using Pre-shared Keys for manual security associations.\r | |
562 | ///\r | |
563 | EfiIPsecAuthMethodPreSharedSecret,\r | |
564 | ///\r | |
565 | /// IKE employs X.509 certificates for SA establishment.\r | |
566 | ///\r | |
567 | EfiIPsecAuthMethodCertificates,\r | |
568 | EfiIPsecAuthMethodMaximum\r | |
569 | } EFI_IPSEC_AUTH_METHOD;\r | |
570 | \r | |
571 | ///\r | |
572 | /// EFI_IPSEC_PAD_DATA\r | |
573 | ///\r | |
574 | typedef struct _EFI_IPSEC_PAD_DATA {\r | |
9095d37b | 575 | ///\r |
fa05b97b | 576 | /// Authentication Protocol for IPsec security association management.\r |
9095d37b | 577 | ///\r |
fa05b97b | 578 | EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r |
9095d37b | 579 | ///\r |
fa05b97b | 580 | /// Authentication method used.\r |
9095d37b | 581 | ///\r |
fa05b97b | 582 | EFI_IPSEC_AUTH_METHOD AuthMethod;\r |
9095d37b LG |
583 | ///\r |
584 | /// The IKE ID payload will be used as a symbolic name for SPD\r | |
585 | /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP\r | |
fa05b97b | 586 | /// address provided in traffic selector playloads will be used.\r |
9095d37b | 587 | ///\r |
fa05b97b | 588 | BOOLEAN IkeIdFlag;\r |
9095d37b | 589 | ///\r |
fa05b97b | 590 | /// The size of Authentication data buffer, in bytes.\r |
9095d37b | 591 | ///\r |
fa05b97b | 592 | UINTN AuthDataSize;\r |
9095d37b LG |
593 | ///\r |
594 | /// Buffer for Authentication data, (e.g., the pre-shared secret or the\r | |
595 | /// trust anchor relative to which the peer's certificate will be\r | |
fa05b97b | 596 | /// validated).\r |
9095d37b | 597 | ///\r |
fa05b97b | 598 | VOID *AuthData;\r |
9095d37b | 599 | ///\r |
fa05b97b | 600 | /// The size of RevocationData, in bytes\r |
9095d37b | 601 | ///\r |
fa05b97b | 602 | UINTN RevocationDataSize;\r |
9095d37b LG |
603 | ///\r |
604 | /// Pointer to CRL or OCSP data, if certificates are used for\r | |
fa05b97b | 605 | /// authentication method.\r |
9095d37b | 606 | ///\r |
fa05b97b | 607 | VOID *RevocationData;\r |
608 | } EFI_IPSEC_PAD_DATA;\r | |
609 | \r | |
610 | \r | |
611 | /**\r | |
612 | Set the security association, security policy and peer authorization configuration\r | |
9095d37b | 613 | information for the EFI IPsec driver.\r |
fa05b97b | 614 | \r |
615 | This function is used to set the IPsec configuration information of type DataType for\r | |
616 | the EFI IPsec driver.\r | |
617 | The IPsec configuration data has a unique selector/identifier separately to identify\r | |
3227f995 | 618 | a data entry. The selector structure depends on DataType's definition.\r |
fa05b97b | 619 | Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r |
9095d37b | 620 | by DataType and Selector to be deleted.\r |
fa05b97b | 621 | \r |
622 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
623 | @param[in] DataType The type of data to be set.\r | |
9095d37b LG |
624 | @param[in] Selector Pointer to an entry selector on operated configuration data\r |
625 | specified by DataType. A NULL Selector causes the entire\r | |
fa05b97b | 626 | specified-type configuration information to be flushed.\r |
9095d37b | 627 | @param[in] Data The data buffer to be set. The structure of the data buffer is\r |
fa05b97b | 628 | associated with the DataType.\r |
629 | @param[in] InsertBefore Pointer to one entry selector which describes the expected\r | |
630 | position the new data entry will be added. If InsertBefore is NULL,\r | |
631 | the new entry will be appended the end of database.\r | |
9095d37b | 632 | \r |
fa05b97b | 633 | @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r |
634 | @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r | |
635 | - This is NULL.\r | |
636 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
637 | @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r | |
638 | \r | |
639 | **/\r | |
640 | typedef\r | |
641 | EFI_STATUS\r | |
a1749b80 | 642 | (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(\r |
fa05b97b | 643 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
644 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
645 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
646 | IN VOID *Data,\r | |
647 | IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r | |
648 | );\r | |
649 | \r | |
650 | /**\r | |
9095d37b | 651 | Return the configuration value for the EFI IPsec driver.\r |
fa05b97b | 652 | \r |
653 | This function lookup the data entry from IPsec database or IKEv2 configuration\r | |
654 | information. The expected data type and unique identification are described in\r | |
9095d37b | 655 | DataType and Selector parameters.\r |
fa05b97b | 656 | \r |
657 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
658 | @param[in] DataType The type of data to retrieve.\r | |
9095d37b | 659 | @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec\r |
fa05b97b | 660 | configuration data entry.\r |
661 | @param[in, out] DataSize On output the size of data returned in Data.\r | |
9095d37b LG |
662 | @param[out] Data The buffer to return the contents of the IPsec configuration data.\r |
663 | The type of the data buffer is associated with the DataType.\r | |
664 | \r | |
fa05b97b | 665 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
666 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
667 | - This is NULL.\r | |
668 | - Selector is NULL.\r | |
669 | - DataSize is NULL.\r | |
670 | - Data is NULL and *DataSize is not zero\r | |
671 | @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r | |
672 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
673 | @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r | |
674 | updated with the size needed to complete the request.\r | |
675 | \r | |
676 | **/\r | |
677 | typedef\r | |
678 | EFI_STATUS\r | |
a1749b80 | 679 | (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(\r |
fa05b97b | 680 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
681 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
682 | IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r | |
683 | IN OUT UINTN *DataSize,\r | |
684 | OUT VOID *Data\r | |
685 | );\r | |
686 | \r | |
687 | /**\r | |
9095d37b | 688 | Enumerates the current selector for IPsec configuration data entry.\r |
fa05b97b | 689 | \r |
690 | This function is called multiple times to retrieve the entry Selector in IPsec\r | |
9095d37b | 691 | configuration database. On each call to GetNextSelector(), the next entry\r |
fa05b97b | 692 | Selector are retrieved into the output interface.\r |
9095d37b LG |
693 | \r |
694 | If the entire IPsec configuration database has been iterated, the error\r | |
fa05b97b | 695 | EFI_NOT_FOUND is returned.\r |
9095d37b LG |
696 | If the Selector buffer is too small for the next Selector copy, an\r |
697 | EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect\r | |
fa05b97b | 698 | the size of buffer needed.\r |
699 | \r | |
700 | On the initial call to GetNextSelector() to start the IPsec configuration database\r | |
9095d37b LG |
701 | search, a pointer to the buffer with all zero value is passed in Selector. Calls\r |
702 | to SetData() between calls to GetNextSelector may produce unpredictable results.\r | |
fa05b97b | 703 | \r |
704 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
705 | @param[in] DataType The type of IPsec configuration data to retrieve.\r | |
706 | @param[in, out] SelectorSize The size of the Selector buffer.\r | |
9095d37b | 707 | @param[in, out] Selector On input, supplies the pointer to last Selector that was\r |
fa05b97b | 708 | returned by GetNextSelector().\r |
709 | On output, returns one copy of the current entry Selector\r | |
9095d37b LG |
710 | of a given DataType.\r |
711 | \r | |
fa05b97b | 712 | @retval EFI_SUCCESS The specified configuration data is got successfully.\r |
713 | @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r | |
714 | - This is NULL.\r | |
715 | - SelectorSize is NULL.\r | |
716 | - Selector is NULL.\r | |
717 | @retval EFI_NOT_FOUND The next configuration data entry was not found.\r | |
718 | @retval EFI_UNSUPPORTED The specified DataType is not supported.\r | |
719 | @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r | |
9095d37b | 720 | has been updated with the size needed to complete the search\r |
fa05b97b | 721 | request.\r |
722 | \r | |
723 | **/\r | |
724 | typedef\r | |
725 | EFI_STATUS\r | |
a1749b80 | 726 | (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(\r |
fa05b97b | 727 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
728 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
729 | IN OUT UINTN *SelectorSize,\r | |
730 | IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r | |
731 | );\r | |
732 | \r | |
733 | /**\r | |
734 | Register an event that is to be signaled whenever a configuration process on the\r | |
9095d37b | 735 | specified IPsec configuration information is done.\r |
fa05b97b | 736 | \r |
737 | This function registers an event that is to be signaled whenever a configuration\r | |
9095d37b | 738 | process on the specified IPsec configuration data is done (e.g. IPsec security\r |
fa05b97b | 739 | policy database configuration is ready). An event can be registered for different\r |
9095d37b LG |
740 | DataType simultaneously and the caller is responsible for determining which type\r |
741 | of configuration data causes the signaling of the event in such case.\r | |
fa05b97b | 742 | \r |
743 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
744 | @param[in] DataType The type of data to be registered the event for.\r | |
745 | @param[in] Event The event to be registered.\r | |
9095d37b | 746 | \r |
fa05b97b | 747 | @retval EFI_SUCCESS The event is registered successfully.\r |
748 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
749 | @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r | |
750 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
751 | DataType is not supported.\r | |
752 | \r | |
753 | **/\r | |
754 | typedef\r | |
755 | EFI_STATUS\r | |
a1749b80 | 756 | (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(\r |
fa05b97b | 757 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
758 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
759 | IN EFI_EVENT Event\r | |
760 | );\r | |
761 | \r | |
762 | /**\r | |
763 | Remove the specified event that is previously registered on the specified IPsec\r | |
9095d37b | 764 | configuration data.\r |
fa05b97b | 765 | \r |
9095d37b | 766 | This function removes a previously registered event for the specified configuration data.\r |
fa05b97b | 767 | \r |
768 | @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r | |
769 | @param[in] DataType The configuration data type to remove the registered event for.\r | |
770 | @param[in] Event The event to be unregistered.\r | |
9095d37b | 771 | \r |
fa05b97b | 772 | @retval EFI_SUCCESS The event is removed successfully.\r |
9095d37b | 773 | @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the\r |
fa05b97b | 774 | database.\r |
775 | @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r | |
776 | @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r | |
777 | DataType is not supported.\r | |
778 | \r | |
779 | **/\r | |
780 | typedef\r | |
781 | EFI_STATUS\r | |
a1749b80 | 782 | (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(\r |
fa05b97b | 783 | IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r |
784 | IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r | |
785 | IN EFI_EVENT Event\r | |
786 | );\r | |
787 | \r | |
788 | ///\r | |
789 | /// EFI_IPSEC_CONFIG_PROTOCOL\r | |
790 | /// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r | |
9095d37b LG |
791 | /// SPD (Security Policy Database) data entry and configure the security association\r |
792 | /// management protocol such as IKEv2. This protocol is used as the central\r | |
fa05b97b | 793 | /// repository of any policy-specific configuration for EFI IPsec driver.\r |
9095d37b | 794 | /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this\r |
fa05b97b | 795 | /// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r |
9095d37b | 796 | ///\r |
fa05b97b | 797 | struct _EFI_IPSEC_CONFIG_PROTOCOL {\r |
798 | EFI_IPSEC_CONFIG_SET_DATA SetData;\r | |
799 | EFI_IPSEC_CONFIG_GET_DATA GetData;\r | |
800 | EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r | |
801 | EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r | |
802 | EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r | |
803 | };\r | |
804 | \r | |
805 | extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r | |
806 | \r | |
807 | #endif\r |