]> git.proxmox.com Git - mirror_edk2.git/blame - MdePkg/Include/Protocol/IpSecConfig.h
projects / mirror_edk2.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
MdePkg: Clean up source files
[mirror_edk2.git] / MdePkg / Include / Protocol / IpSecConfig.h
CommitLineData
fa05b97b 1/** @file\r
2 EFI IPsec Configuration Protocol Definition\r
9095d37b 3 The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and\r
fa05b97b 4 policy related information for the EFI IPsec protocol driver.\r
5\r
9095d37b 6 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>\r
9df063a0 7 This program and the accompanying materials\r
fa05b97b 8 are licensed and made available under the terms and conditions of the BSD License\r
9 which accompanies this distribution. The full text of the license may be found at\r
10 http://opensource.org/licenses/bsd-license.php\r
11\r
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
14\r
9095d37b 15 @par Revision Reference:\r
fa05b97b 16 This Protocol is introduced in UEFI Specification 2.2\r
17\r
18**/\r
19\r
20#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
21#define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
22\r
23\r
24#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r
25 { \\r
3393e291 26 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r
fa05b97b 27 }\r
28\r
29typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r
30\r
31///\r
32/// EFI_IPSEC_CONFIG_DATA_TYPE\r
33///\r
34typedef enum {\r
9095d37b
LG		 35 ///\r
36 /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,\r
37 /// an essential element of Security Association (SA) processing is\r
38 /// underlying SPD that specifies what services are to be offered to\r
39 /// IP datagram and in what fashion. The SPD must be consulted\r
40 /// during the processing of all traffic (inbound and outbound),\r
41 /// including traffic not protected by IPsec, that traverses the IPsec\r
42 /// boundary. With this DataType, SetData() function is to set\r
43 /// the SPD entry information, which may add one new entry, delete\r
44 /// one existed entry or flush the whole database according to the\r
45 /// parameter values. The corresponding Data is of type\r
fa05b97b 46 /// EFI_IPSEC_SPD_DATA\r
9095d37b 47 ///\r
fa05b97b 48 IPsecConfigDataTypeSpd,\r
9095d37b
LG		 49 ///\r
50 /// The IPsec Security Association Database (aka SAD) setting. A\r
51 /// SA is a simplex connection that affords security services to the\r
52 /// traffic carried by it. Security services are afforded to an SA by the\r
53 /// use of AH, or ESP, but not both. The corresponding Data is of\r
fa05b97b 54 /// type EFI_IPSEC_SAD_DATA.\r
9095d37b 55 ///\r
fa05b97b 56 IPsecConfigDataTypeSad,\r
9095d37b
LG		 57 ///\r
58 /// The IPsec Peer Authorization Database (aka PAD) setting, which\r
59 /// provides the link between the SPD and a security association\r
60 /// management protocol. The PAD entry specifies the\r
61 /// authentication protocol (e.g. IKEv1, IKEv2) method used and the\r
62 /// authentication data. The corresponding Data is of type\r
fa05b97b 63 /// EFI_IPSEC_PAD_DATA.\r
64 ///\r
65 IPsecConfigDataTypePad,\r
66 IPsecConfigDataTypeMaximum\r
67} EFI_IPSEC_CONFIG_DATA_TYPE;\r
68\r
69///\r
70/// EFI_IP_ADDRESS_INFO\r
71///\r
72typedef struct _EFI_IP_ADDRESS_INFO {\r
73 EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r
74 UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r
75} EFI_IP_ADDRESS_INFO;\r
76\r
77\r
78///\r
79/// EFI_IPSEC_SPD_SELECTOR\r
80///\r
81typedef struct _EFI_IPSEC_SPD_SELECTOR {\r
9095d37b 82 ///\r
fa05b97b 83 /// Specifies the actual number of entries in LocalAddress.\r
9095d37b 84 ///\r
fa05b97b 85 UINT32 LocalAddressCount;\r
9095d37b
LG		 86 ///\r
87 /// A list of ranges of IPv4 or IPv6 addresses, which refers to the\r
fa05b97b 88 /// addresses being protected by IPsec policy.\r
9095d37b 89 ///\r
fa05b97b 90 EFI_IP_ADDRESS_INFO *LocalAddress;\r
9095d37b 91 ///\r
fa05b97b 92 /// Specifies the actual number of entries in RemoteAddress.\r
9095d37b 93 ///\r
fa05b97b 94 UINT32 RemoteAddressCount;\r
9095d37b
LG		 95 ///\r
96 /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities\r
97 /// to LocalAddress.\r
98 ///\r
fa05b97b 99 EFI_IP_ADDRESS_INFO *RemoteAddress;\r
9095d37b
LG		 100 ///\r
101 /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6\r
102 /// Next Header fields. The next layer protocol is whatever comes\r
103 /// after any IP extension headers that are present. A zero value is a\r
fa05b97b 104 /// wildcard that matches any value in NextLayerProtocol field.\r
9095d37b
LG		 105 ///\r
106 UINT16 NextLayerProtocol;\r
107 ///\r
108 /// Local Port if the Next Layer Protocol uses two ports (as do TCP,\r
109 /// UDP, and others). A zero value is a wildcard that matches any\r
fa05b97b 110 /// value in LocalPort field.\r
9095d37b 111 ///\r
fa05b97b 112 UINT16 LocalPort;\r
9095d37b
LG		 113 ///\r
114 /// A designed port range size. The start port is LocalPort, and\r
115 /// the total number of ports is described by LocalPortRange.\r
116 /// This field is ignored if NextLayerProtocol does not use\r
117 /// ports.\r
118 ///\r
fa05b97b 119 UINT16 LocalPortRange;\r
9095d37b
LG		 120 ///\r
121 /// Remote Port if the Next Layer Protocol uses two ports. A zero\r
fa05b97b 122 /// value is a wildcard that matches any value in RemotePort field.\r
9095d37b 123 ///\r
fa05b97b 124 UINT16 RemotePort;\r
9095d37b
LG		 125 ///\r
126 /// A designed port range size. The start port is RemotePort, and\r
127 /// the total number of ports is described by RemotePortRange.\r
fa05b97b 128 /// This field is ignored if NextLayerProtocol does not use ports.\r
9095d37b 129 ///\r
fa05b97b 130 UINT16 RemotePortRange;\r
131} EFI_IPSEC_SPD_SELECTOR;\r
9095d37b 132\r
fa05b97b 133///\r
134/// EFI_IPSEC_TRAFFIC_DIR\r
135/// represents the directionality in an SPD entry.\r
136///\r
137typedef enum {\r
138 ///\r
9095d37b 139 /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via\r
fa05b97b 140 /// the unprotected interface or emitted by the implementation on the unprotected\r
9095d37b 141 /// side of the boundary and directed towards the protected interface.\r
fa05b97b 142 ///\r
143 EfiIPsecInBound,\r
144 ///\r
9095d37b 145 /// The EfiIPsecOutBound refers to traffic entering the implementation via\r
fa05b97b 146 /// the protected interface, or emitted by the implementation on the protected side\r
147 /// of the boundary and directed toward the unprotected interface.\r
148 ///\r
149 EfiIPsecOutBound\r
150} EFI_IPSEC_TRAFFIC_DIR;\r
151\r
152///\r
153/// EFI_IPSEC_ACTION\r
154/// represents three possible processing choices.\r
155///\r
156typedef enum {\r
9095d37b 157 ///\r
fa05b97b 158 /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r
9095d37b 159 ///\r
fa05b97b 160 EfiIPsecActionDiscard,\r
9095d37b
LG		 161 ///\r
162 /// Refers to traffic that is allowed to cross the IPsec boundary\r
fa05b97b 163 /// without protection.\r
9095d37b 164 ///\r
fa05b97b 165 EfiIPsecActionBypass,\r
9095d37b
LG		 166 ///\r
167 /// Refers to traffic that is afforded IPsec protection, and for such\r
168 /// traffic the SPD must specify the security protocols to be\r
169 /// employed, their mode, security service options, and the\r
170 /// cryptographic algorithms to be used.\r
fa05b97b 171 ///\r
172 EfiIPsecActionProtect\r
173} EFI_IPSEC_ACTION;\r
174\r
175///\r
176/// EFI_IPSEC_SA_LIFETIME\r
9095d37b
LG		 177/// defines the lifetime of an SA, which represents when a SA must be\r
178/// replaced or terminated. A value of all 0 for each field removes\r
fa05b97b 179/// the limitation of a SA lifetime.\r
180///\r
181typedef struct _EFI_IPSEC_SA_LIFETIME {\r
9095d37b 182 ///\r
fa05b97b 183 /// The number of bytes to which the IPsec cryptographic algorithm\r
184 /// can be applied. For ESP, this is the encryption algorithm and for\r
9095d37b 185 /// AH, this is the authentication algorithm. The ByteCount\r
fa05b97b 186 /// includes pad bytes for cryptographic operations.\r
9095d37b 187 ///\r
fa05b97b 188 UINT64 ByteCount;\r
9095d37b
LG		 189 ///\r
190 /// A time interval in second that warns the implementation to\r
fa05b97b 191 /// initiate action such as setting up a replacement SA.\r
9095d37b 192 ///\r
fa05b97b 193 UINT64 SoftLifetime;\r
9095d37b
LG		 194 ///\r
195 /// A time interval in second when the current SA ends and is\r
fa05b97b 196 /// destroyed.\r
9095d37b 197 ///\r
fa05b97b 198 UINT64 HardLifetime;\r
199} EFI_IPSEC_SA_LIFETIME;\r
200\r
201///\r
202/// EFI_IPSEC_MODE\r
9095d37b
LG		 203/// There are two modes of IPsec operation: transport mode and tunnel mode. In\r
204/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;\r
fa05b97b 205/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r
206///\r
207typedef enum {\r
208 EfiIPsecTransport,\r
209 EfiIPsecTunnel\r
210} EFI_IPSEC_MODE;\r
211\r
212///\r
213/// EFI_IPSEC_TUNNEL_DF_OPTION\r
214/// The option of copying the DF bit from an outbound package to\r
215/// the tunnel mode header that it emits, when traffic is carried\r
216/// via a tunnel mode SA. This applies to SAs where both inner and\r
217/// outer headers are IPv4.\r
218///\r
219typedef enum {\r
220 EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r
221 EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r
222 EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r
223} EFI_IPSEC_TUNNEL_DF_OPTION;\r
224\r
225///\r
226/// EFI_IPSEC_TUNNEL_OPTION\r
227///\r
228typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r
9095d37b 229 ///\r
fa05b97b 230 /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r
9095d37b 231 ///\r
fa05b97b 232 EFI_IP_ADDRESS LocalTunnelAddress;\r
9095d37b 233 ///\r
fa05b97b 234 /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r
9095d37b 235 ///\r
fa05b97b 236 EFI_IP_ADDRESS RemoteTunnelAddress;\r
9095d37b 237 ///\r
fa05b97b 238 /// The option of copying the DF bit from an outbound package\r
9095d37b
LG		 239 /// to the tunnel mode header that it emits, when traffic is\r
240 /// carried via a tunnel mode SA.\r
241 ///\r
fa05b97b 242 EFI_IPSEC_TUNNEL_DF_OPTION DF;\r
243} EFI_IPSEC_TUNNEL_OPTION;\r
244\r
245///\r
246/// EFI_IPSEC_PROTOCOL_TYPE\r
247///\r
248typedef enum {\r
249 EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r
9095d37b 250 EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303.\r
fa05b97b 251} EFI_IPSEC_PROTOCOL_TYPE;\r
252\r
253///\r
254/// EFI_IPSEC_PROCESS_POLICY\r
255/// describes a policy list for traffic processing.\r
256///\r
257typedef struct _EFI_IPSEC_PROCESS_POLICY {\r
9095d37b
LG		 258 ///\r
259 /// Extended Sequence Number. Is this SA using extended sequence\r
fa05b97b 260 /// numbers. 64 bit counter is used if TRUE.\r
9095d37b 261 ///\r
fa05b97b 262 BOOLEAN ExtSeqNum;\r
9095d37b
LG		 263 ///\r
264 /// A flag indicating whether overflow of the sequence number\r
265 /// counter should generate an auditable event and prevent\r
266 /// transmission of additional packets on the SA, or whether rollover\r
fa05b97b 267 /// is permitted.\r
9095d37b 268 ///\r
fa05b97b 269 BOOLEAN SeqOverflow;\r
9095d37b
LG		 270 ///\r
271 /// Is this SA using stateful fragment checking. TRUE represents\r
fa05b97b 272 /// stateful fragment checking.\r
9095d37b 273 ///\r
fa05b97b 274 BOOLEAN FragCheck;\r
9095d37b
LG		 275 ///\r
276 /// A time interval after which a SA must be replaced with a new SA\r
277 /// (and new SPI) or terminated.\r
278 ///\r
fa05b97b 279 EFI_IPSEC_SA_LIFETIME SaLifetime;\r
9095d37b 280 ///\r
fa05b97b 281 /// IPsec mode: tunnel or transport.\r
9095d37b 282 ///\r
fa05b97b 283 EFI_IPSEC_MODE Mode;\r
9095d37b 284 ///\r
fa05b97b 285 /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r
9095d37b 286 ///\r
fa05b97b 287 EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r
9095d37b 288 ///\r
fa05b97b 289 /// IPsec protocol: AH or ESP\r
9095d37b 290 ///\r
fa05b97b 291 EFI_IPSEC_PROTOCOL_TYPE Proto;\r
9095d37b 292 ///\r
fa05b97b 293 /// Cryptographic algorithm type used for authentication.\r
9095d37b 294 ///\r
fa05b97b 295 UINT8 AuthAlgoId;\r
9095d37b
LG		 296 ///\r
297 /// Cryptographic algorithm type used for encryption. EncAlgo is\r
298 /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo\r
299 /// can also be used to describe the algorithm if a combined mode\r
fa05b97b 300 /// algorithm is used.\r
301 ///\r
302 UINT8 EncAlgoId;\r
303} EFI_IPSEC_PROCESS_POLICY;\r
304\r
fa05b97b 305///\r
306/// EFI_IPSEC_SA_ID\r
307/// A triplet to identify an SA, consisting of the following members.\r
308///\r
309typedef struct _EFI_IPSEC_SA_ID {\r
9095d37b
LG		 310 ///\r
311 /// Security Parameter Index (aka SPI). An arbitrary 32-bit value\r
312 /// that is used by a receiver to identity the SA to which an incoming\r
fa05b97b 313 /// package should be bound.\r
9095d37b 314 ///\r
fa05b97b 315 UINT32 Spi;\r
9095d37b 316 ///\r
fa05b97b 317 /// IPsec protocol: AH or ESP\r
9095d37b 318 ///\r
fa05b97b 319 EFI_IPSEC_PROTOCOL_TYPE Proto;\r
9095d37b
LG		 320 ///\r
321 /// Destination IP address.\r
322 ///\r
fa05b97b 323 EFI_IP_ADDRESS DestAddress;\r
324} EFI_IPSEC_SA_ID;\r
325\r
326\r
327#define MAX_PEERID_LEN 128\r
328\r
329///\r
330/// EFI_IPSEC_SPD_DATA\r
331///\r
332typedef struct _EFI_IPSEC_SPD_DATA {\r
9095d37b
LG		 333 ///\r
334 /// A null-terminated ASCII name string which is used as a symbolic\r
fa05b97b 335 /// identifier for an IPsec Local or Remote address.\r
9095d37b 336 ///\r
fa05b97b 337 UINT8 Name[MAX_PEERID_LEN];\r
9095d37b
LG		 338 ///\r
339 /// Bit-mapped list describing Populate from Packet flags. When\r
340 /// creating a SA, if PackageFlag bit is set to TRUE, instantiate\r
341 /// the selector from the corresponding field in the package that\r
342 /// triggered the creation of the SA, else from the value(s) in the\r
343 /// corresponding SPD entry. The PackageFlag bit setting for\r
fa05b97b 344 /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r
9095d37b
LG		 345 /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress\r
346 /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress\r
347 /// Bit 2:\r
348 /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol\r
349 /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort\r
350 /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort\r
fa05b97b 351 /// Others: Reserved.\r
352 ///\r
353 UINT32 PackageFlag;\r
9095d37b 354 ///\r
fa05b97b 355 /// The traffic direction of data gram.\r
9095d37b 356 ///\r
fa05b97b 357 EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r
9095d37b
LG		 358 ///\r
359 /// Processing choices to indicate which action is required by this\r
360 /// policy.\r
361 ///\r
fa05b97b 362 EFI_IPSEC_ACTION Action;\r
9095d37b 363 ///\r
fa05b97b 364 /// The policy and rule information for a SPD entry.\r
9095d37b 365 ///\r
fa05b97b 366 EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
9095d37b 367 ///\r
fa05b97b 368 /// Specifies the actual number of entries in SaId list.\r
9095d37b 369 ///\r
fa05b97b 370 UINTN SaIdCount;\r
9095d37b
LG		 371 ///\r
372 /// The SAD entry used for the traffic processing. The\r
fa05b97b 373 /// existed SAD entry links indicate this is the manual key case.\r
9095d37b 374 ///\r
fa05b97b 375 EFI_IPSEC_SA_ID SaId[1];\r
376} EFI_IPSEC_SPD_DATA;\r
377\r
378///\r
379/// EFI_IPSEC_AH_ALGO_INFO\r
380/// The security algorithm selection for IPsec AH authentication.\r
381/// The required authentication algorithm is specified in RFC 4305.\r
382///\r
383typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r
384 UINT8 AuthAlgoId;\r
385 UINTN AuthKeyLength;\r
386 VOID *AuthKey;\r
387} EFI_IPSEC_AH_ALGO_INFO;\r
388\r
389///\r
390/// EFI_IPSEC_ESP_ALGO_INFO\r
391/// The security algorithm selection for IPsec ESP encryption and authentication.\r
9095d37b
LG		 392/// The required authentication algorithm is specified in RFC 4305.\r
393/// EncAlgoId fields can also specify an ESP combined mode algorithm\r
394/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both\r
fa05b97b 395/// confidentiality and authentication services.\r
396///\r
397typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r
398 UINT8 EncAlgoId;\r
399 UINTN EncKeyLength;\r
400 VOID *EncKey;\r
401 UINT8 AuthAlgoId;\r
402 UINTN AuthKeyLength;\r
403 VOID *AuthKey;\r
404} EFI_IPSEC_ESP_ALGO_INFO;\r
405\r
406///\r
407/// EFI_IPSEC_ALGO_INFO\r
408///\r
409typedef union {\r
410 EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r
411 EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r
412} EFI_IPSEC_ALGO_INFO;\r
413\r
414///\r
415/// EFI_IPSEC_SA_DATA\r
416///\r
417typedef struct _EFI_IPSEC_SA_DATA {\r
9095d37b 418 ///\r
fa05b97b 419 /// IPsec mode: tunnel or transport.\r
9095d37b 420 ///\r
fa05b97b 421 EFI_IPSEC_MODE Mode;\r
9095d37b
LG		 422 ///\r
423 /// Sequence Number Counter. A 64-bit counter used to generate the\r
fa05b97b 424 /// sequence number field in AH or ESP headers.\r
9095d37b 425 ///\r
fa05b97b 426 UINT64 SNCount;\r
9095d37b
LG		 427 ///\r
428 /// Anti-Replay Window. A 64-bit counter and a bit-map used to\r
fa05b97b 429 /// determine whether an inbound AH or ESP packet is a replay.\r
9095d37b 430 ///\r
fa05b97b 431 UINT8 AntiReplayWindows;\r
9095d37b
LG		 432 ///\r
433 /// AH/ESP cryptographic algorithm, key and parameters.\r
434 ///\r
fa05b97b 435 EFI_IPSEC_ALGO_INFO AlgoInfo;\r
9095d37b
LG		 436 ///\r
437 /// Lifetime of this SA.\r
438 ///\r
fa05b97b 439 EFI_IPSEC_SA_LIFETIME SaLifetime;\r
9095d37b
LG		 440 ///\r
441 /// Any observed path MTU and aging variables. The Path MTU\r
fa05b97b 442 /// processing is defined in section 8 of RFC 4301.\r
9095d37b 443 ///\r
fa05b97b 444 UINT32 PathMTU;\r
9095d37b 445 ///\r
fa05b97b 446 /// Link to one SPD entry.\r
9095d37b 447 ///\r
fa05b97b 448 EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
9095d37b
LG		 449 ///\r
450 /// Indication of whether it's manually set or negotiated automatically.\r
451 /// If ManualSet is FALSE, the corresponding SA entry is inserted through\r
fa05b97b 452 /// IKE protocol negotiation.\r
453 ///\r
454 BOOLEAN ManualSet;\r
455} EFI_IPSEC_SA_DATA;\r
456\r
705f53a9 457///\r
458/// EFI_IPSEC_SA_DATA2\r
459///\r
9095d37b 460typedef struct _EFI_IPSEC_SA_DATA2 {\r
705f53a9 461 ///\r
462 /// IPsec mode: tunnel or transport\r
463 ///\r
9095d37b 464 EFI_IPSEC_MODE Mode;\r
705f53a9 465 ///\r
9095d37b
LG		 466 /// Sequence Number Counter. A 64-bit counter used to generate the sequence\r
467 /// number field in AH or ESP headers.\r
705f53a9 468 ///\r
9095d37b 469 UINT64 SNCount;\r
705f53a9 470 ///\r
9095d37b 471 /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine\r
705f53a9 472 /// whether an inbound AH or ESP packet is a replay.\r
473 ///\r
9095d37b 474 UINT8 AntiReplayWindows;\r
705f53a9 475 ///\r
476 /// AH/ESP cryptographic algorithm, key and parameters.\r
477 ///\r
9095d37b 478 EFI_IPSEC_ALGO_INFO AlgoInfo;\r
705f53a9 479 ///\r
480 /// Lifetime of this SA.\r
481 ///\r
9095d37b 482 EFI_IPSEC_SA_LIFETIME SaLifetime;\r
705f53a9 483 ///\r
9095d37b 484 /// Any observed path MTU and aging variables. The Path MTU processing is\r
705f53a9 485 /// defined in section 8 of RFC 4301.\r
486 ///\r
9095d37b 487 UINT32 PathMTU;\r
705f53a9 488 ///\r
489 /// Link to one SPD entry\r
490 ///\r
9095d37b 491 EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
705f53a9 492 ///\r
9095d37b
LG		 493 /// Indication of whether it's manually set or negotiated automatically.\r
494 /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE\r
705f53a9 495 /// protocol negotiation\r
496 ///\r
497 BOOLEAN ManualSet;\r
498 ///\r
499 /// The tunnel header IP source address.\r
500 ///\r
501 EFI_IP_ADDRESS TunnelSourceAddress;\r
502 ///\r
503 /// The tunnel header IP destination address.\r
504 ///\r
505 EFI_IP_ADDRESS TunnelDestinationAddress;\r
9095d37b 506} EFI_IPSEC_SA_DATA2;\r
705f53a9 507\r
508\r
fa05b97b 509///\r
510/// EFI_IPSEC_PAD_ID\r
511/// specifies the identifier for PAD entry, which is also used for SPD lookup.\r
512/// IpAddress Pointer to the IPv4 or IPv6 address range.\r
513///\r
514typedef struct _EFI_IPSEC_PAD_ID {\r
515 ///\r
516 /// Flag to identify which type of PAD Id is used.\r
9095d37b
LG		 517 ///\r
518 BOOLEAN PeerIdValid;\r
fa05b97b 519 union {\r
520 ///\r
521 /// Pointer to the IPv4 or IPv6 address range.\r
522 ///\r
523 EFI_IP_ADDRESS_INFO IpAddress;\r
524 ///\r
4f077902 525 /// Pointer to a null terminated ASCII string\r
9095d37b
LG		 526 /// representing the symbolic names. A PeerId can be a DNS\r
527 /// name, Distinguished Name, RFC 822 email address or Key ID\r
fa05b97b 528 /// (specified in section 4.4.3.1 of RFC 4301)\r
529 ///\r
530 UINT8 PeerId[MAX_PEERID_LEN];\r
531 } Id;\r
532} EFI_IPSEC_PAD_ID;\r
533\r
534///\r
535/// EFI_IPSEC_CONFIG_SELECTOR\r
9095d37b 536/// describes the expected IPsec configuration data selector\r
fa05b97b 537/// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r
538///\r
539typedef union {\r
540 EFI_IPSEC_SPD_SELECTOR SpdSelector;\r
541 EFI_IPSEC_SA_ID SaId;\r
542 EFI_IPSEC_PAD_ID PadId;\r
543} EFI_IPSEC_CONFIG_SELECTOR;\r
544\r
545///\r
546/// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r
9095d37b 547/// defines the possible authentication protocol for IPsec\r
fa05b97b 548/// security association management.\r
549///\r
550typedef enum {\r
551 EfiIPsecAuthProtocolIKEv1,\r
552 EfiIPsecAuthProtocolIKEv2,\r
553 EfiIPsecAuthProtocolMaximum\r
554} EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r
555\r
556///\r
557/// EFI_IPSEC_AUTH_METHOD\r
558///\r
559typedef enum {\r
560 ///\r
561 /// Using Pre-shared Keys for manual security associations.\r
562 ///\r
563 EfiIPsecAuthMethodPreSharedSecret,\r
564 ///\r
565 /// IKE employs X.509 certificates for SA establishment.\r
566 ///\r
567 EfiIPsecAuthMethodCertificates,\r
568 EfiIPsecAuthMethodMaximum\r
569} EFI_IPSEC_AUTH_METHOD;\r
570\r
571///\r
572/// EFI_IPSEC_PAD_DATA\r
573///\r
574typedef struct _EFI_IPSEC_PAD_DATA {\r
9095d37b 575 ///\r
fa05b97b 576 /// Authentication Protocol for IPsec security association management.\r
9095d37b 577 ///\r
fa05b97b 578 EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r
9095d37b 579 ///\r
fa05b97b 580 /// Authentication method used.\r
9095d37b 581 ///\r
fa05b97b 582 EFI_IPSEC_AUTH_METHOD AuthMethod;\r
9095d37b
LG		 583 ///\r
584 /// The IKE ID payload will be used as a symbolic name for SPD\r
585 /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP\r
fa05b97b 586 /// address provided in traffic selector playloads will be used.\r
9095d37b 587 ///\r
fa05b97b 588 BOOLEAN IkeIdFlag;\r
9095d37b 589 ///\r
fa05b97b 590 /// The size of Authentication data buffer, in bytes.\r
9095d37b 591 ///\r
fa05b97b 592 UINTN AuthDataSize;\r
9095d37b
LG		 593 ///\r
594 /// Buffer for Authentication data, (e.g., the pre-shared secret or the\r
595 /// trust anchor relative to which the peer's certificate will be\r
fa05b97b 596 /// validated).\r
9095d37b 597 ///\r
fa05b97b 598 VOID *AuthData;\r
9095d37b 599 ///\r
fa05b97b 600 /// The size of RevocationData, in bytes\r
9095d37b 601 ///\r
fa05b97b 602 UINTN RevocationDataSize;\r
9095d37b
LG		 603 ///\r
604 /// Pointer to CRL or OCSP data, if certificates are used for\r
fa05b97b 605 /// authentication method.\r
9095d37b 606 ///\r
fa05b97b 607 VOID *RevocationData;\r
608} EFI_IPSEC_PAD_DATA;\r
609\r
610\r
611/**\r
612 Set the security association, security policy and peer authorization configuration\r
9095d37b 613 information for the EFI IPsec driver.\r
fa05b97b 614\r
615 This function is used to set the IPsec configuration information of type DataType for\r
616 the EFI IPsec driver.\r
617 The IPsec configuration data has a unique selector/identifier separately to identify\r
3227f995 618 a data entry. The selector structure depends on DataType's definition.\r
fa05b97b 619 Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r
9095d37b 620 by DataType and Selector to be deleted.\r
fa05b97b 621\r
622 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
623 @param[in] DataType The type of data to be set.\r
9095d37b
LG		 624 @param[in] Selector Pointer to an entry selector on operated configuration data\r
625 specified by DataType. A NULL Selector causes the entire\r
fa05b97b 626 specified-type configuration information to be flushed.\r
9095d37b 627 @param[in] Data The data buffer to be set. The structure of the data buffer is\r
fa05b97b 628 associated with the DataType.\r
629 @param[in] InsertBefore Pointer to one entry selector which describes the expected\r
630 position the new data entry will be added. If InsertBefore is NULL,\r
631 the new entry will be appended the end of database.\r
9095d37b 632\r
fa05b97b 633 @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r
634 @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
635 - This is NULL.\r
636 @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
637 @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
638\r
639**/\r
640typedef\r
641EFI_STATUS\r
a1749b80 642(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(\r
fa05b97b 643 IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
644 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
645 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
646 IN VOID *Data,\r
647 IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r
648 );\r
649\r
650/**\r
9095d37b 651 Return the configuration value for the EFI IPsec driver.\r
fa05b97b 652\r
653 This function lookup the data entry from IPsec database or IKEv2 configuration\r
654 information. The expected data type and unique identification are described in\r
9095d37b 655 DataType and Selector parameters.\r
fa05b97b 656\r
657 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
658 @param[in] DataType The type of data to retrieve.\r
9095d37b 659 @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec\r
fa05b97b 660 configuration data entry.\r
661 @param[in, out] DataSize On output the size of data returned in Data.\r
9095d37b
LG		 662 @param[out] Data The buffer to return the contents of the IPsec configuration data.\r
663 The type of the data buffer is associated with the DataType.\r
664\r
fa05b97b 665 @retval EFI_SUCCESS The specified configuration data is got successfully.\r
666 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
667 - This is NULL.\r
668 - Selector is NULL.\r
669 - DataSize is NULL.\r
670 - Data is NULL and *DataSize is not zero\r
671 @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
672 @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
673 @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
674 updated with the size needed to complete the request.\r
675\r
676**/\r
677typedef\r
678EFI_STATUS\r
a1749b80 679(EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(\r
fa05b97b 680 IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
681 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
682 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
683 IN OUT UINTN *DataSize,\r
684 OUT VOID *Data\r
685 );\r
686\r
687/**\r
9095d37b 688 Enumerates the current selector for IPsec configuration data entry.\r
fa05b97b 689\r
690 This function is called multiple times to retrieve the entry Selector in IPsec\r
9095d37b 691 configuration database. On each call to GetNextSelector(), the next entry\r
fa05b97b 692 Selector are retrieved into the output interface.\r
9095d37b
LG		 693\r
694 If the entire IPsec configuration database has been iterated, the error\r
fa05b97b 695 EFI_NOT_FOUND is returned.\r
9095d37b
LG		 696 If the Selector buffer is too small for the next Selector copy, an\r
697 EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect\r
fa05b97b 698 the size of buffer needed.\r
699\r
700 On the initial call to GetNextSelector() to start the IPsec configuration database\r
9095d37b
LG		 701 search, a pointer to the buffer with all zero value is passed in Selector. Calls\r
702 to SetData() between calls to GetNextSelector may produce unpredictable results.\r
fa05b97b 703\r
704 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
705 @param[in] DataType The type of IPsec configuration data to retrieve.\r
706 @param[in, out] SelectorSize The size of the Selector buffer.\r
9095d37b 707 @param[in, out] Selector On input, supplies the pointer to last Selector that was\r
fa05b97b 708 returned by GetNextSelector().\r
709 On output, returns one copy of the current entry Selector\r
9095d37b
LG		 710 of a given DataType.\r
711\r
fa05b97b 712 @retval EFI_SUCCESS The specified configuration data is got successfully.\r
713 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
714 - This is NULL.\r
715 - SelectorSize is NULL.\r
716 - Selector is NULL.\r
717 @retval EFI_NOT_FOUND The next configuration data entry was not found.\r
718 @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
719 @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r
9095d37b 720 has been updated with the size needed to complete the search\r
fa05b97b 721 request.\r
722\r
723**/\r
724typedef\r
725EFI_STATUS\r
a1749b80 726(EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(\r
fa05b97b 727 IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
728 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
729 IN OUT UINTN *SelectorSize,\r
730 IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r
731 );\r
732\r
733/**\r
734 Register an event that is to be signaled whenever a configuration process on the\r
9095d37b 735 specified IPsec configuration information is done.\r
fa05b97b 736\r
737 This function registers an event that is to be signaled whenever a configuration\r
9095d37b 738 process on the specified IPsec configuration data is done (e.g. IPsec security\r
fa05b97b 739 policy database configuration is ready). An event can be registered for different\r
9095d37b
LG		 740 DataType simultaneously and the caller is responsible for determining which type\r
741 of configuration data causes the signaling of the event in such case.\r
fa05b97b 742\r
743 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
744 @param[in] DataType The type of data to be registered the event for.\r
745 @param[in] Event The event to be registered.\r
9095d37b 746\r
fa05b97b 747 @retval EFI_SUCCESS The event is registered successfully.\r
748 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
749 @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r
750 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r
751 DataType is not supported.\r
752\r
753**/\r
754typedef\r
755EFI_STATUS\r
a1749b80 756(EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(\r
fa05b97b 757 IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
758 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
759 IN EFI_EVENT Event\r
760 );\r
761\r
762/**\r
763 Remove the specified event that is previously registered on the specified IPsec\r
9095d37b 764 configuration data.\r
fa05b97b 765\r
9095d37b 766 This function removes a previously registered event for the specified configuration data.\r
fa05b97b 767\r
768 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
769 @param[in] DataType The configuration data type to remove the registered event for.\r
770 @param[in] Event The event to be unregistered.\r
9095d37b 771\r
fa05b97b 772 @retval EFI_SUCCESS The event is removed successfully.\r
9095d37b 773 @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the\r
fa05b97b 774 database.\r
775 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
776 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r
777 DataType is not supported.\r
778\r
779**/\r
780typedef\r
781EFI_STATUS\r
a1749b80 782(EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(\r
fa05b97b 783 IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
784 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
785 IN EFI_EVENT Event\r
786 );\r
787\r
788///\r
789/// EFI_IPSEC_CONFIG_PROTOCOL\r
790/// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r
9095d37b
LG		 791/// SPD (Security Policy Database) data entry and configure the security association\r
792/// management protocol such as IKEv2. This protocol is used as the central\r
fa05b97b 793/// repository of any policy-specific configuration for EFI IPsec driver.\r
9095d37b 794/// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this\r
fa05b97b 795/// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r
9095d37b 796///\r
fa05b97b 797struct _EFI_IPSEC_CONFIG_PROTOCOL {\r
798 EFI_IPSEC_CONFIG_SET_DATA SetData;\r
799 EFI_IPSEC_CONFIG_GET_DATA GetData;\r
800 EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r
801 EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r
802 EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r
803};\r
804\r
805extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r
806\r
807#endif\r
EFI Development Kit II mirror for PVE