[mirror_edk2.git] / MdePkg / Include / Protocol / IpSecConfig.h

/** @file\r
  EFI IPsec Configuration Protocol Definition\r
  The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and \r
  policy related information for the EFI IPsec protocol driver.\r
\r
  Copyright (c) 2009, Intel Corporation\r
  All rights reserved. This program and the accompanying materials\r
  are licensed and made available under the terms and conditions of the BSD License\r
  which accompanies this distribution.  The full text of the license may be found at\r
  http://opensource.org/licenses/bsd-license.php\r
\r
  THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
  WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
  @par Revision Reference:          \r
  This Protocol is introduced in UEFI Specification 2.2\r
\r
**/\r
\r
#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
#define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
\r
\r
#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r
  { \\r
    0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r
  }\r
\r
typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r
\r
///\r
/// EFI_IPSEC_CONFIG_DATA_TYPE\r
///\r
typedef enum {\r
  /// \r
  /// The IPsec Security Policy Database (aka SPD) setting.  In IPsec, \r
  /// an essential element of Security Association (SA) processing is \r
  /// underlying SPD that specifies what services are to be offered to \r
  /// IP datagram and in what fashion. The SPD must be consulted \r
  /// during the processing of all traffic (inbound and outbound), \r
  /// including traffic not protected by IPsec, that traverses the IPsec \r
  /// boundary. With this DataType, SetData() function is to set \r
  /// the SPD entry information, which may add one new entry, delete \r
  /// one existed entry or flush the whole database according to the \r
  /// parameter values. The corresponding Data is of type \r
  /// EFI_IPSEC_SPD_DATA\r
  /// \r
  IPsecConfigDataTypeSpd,\r
  /// \r
  /// The IPsec Security Association Database (aka SAD) setting. A \r
  /// SA is a simplex connection that affords security services to the \r
  /// traffic carried by it. Security services are afforded to an SA by the \r
  /// use of AH, or ESP, but not both. The corresponding Data is of \r
  /// type EFI_IPSEC_SAD_DATA.\r
  /// \r
  IPsecConfigDataTypeSad,\r
  /// \r
  /// The IPsec Peer Authorization Database (aka PAD) setting, which \r
  /// provides the link between the SPD and a security association \r
  /// management protocol. The PAD entry specifies the \r
  /// authentication protocol (e.g. IKEv1, IKEv2) method used and the \r
  /// authentication data. The corresponding Data is of type \r
  /// EFI_IPSEC_PAD_DATA.\r
  ///\r
  IPsecConfigDataTypePad,\r
  IPsecConfigDataTypeMaximum\r
} EFI_IPSEC_CONFIG_DATA_TYPE;\r
\r
///\r
/// EFI_IP_ADDRESS_INFO\r
///\r
typedef struct _EFI_IP_ADDRESS_INFO {\r
  EFI_IP_ADDRESS  Address;      ///< The IPv4 or IPv6 address\r
  UINT8           PrefixLength; ///< The length of the prefix associated with the Address.\r
} EFI_IP_ADDRESS_INFO;\r
\r
\r
///\r
/// EFI_IPSEC_SPD_SELECTOR\r
///\r
typedef struct _EFI_IPSEC_SPD_SELECTOR {\r
  /// \r
  /// Specifies the actual number of entries in LocalAddress.\r
  /// \r
  UINT32                          LocalAddressCount;\r
  /// \r
  /// A list of ranges of IPv4 or IPv6 addresses, which refers to the \r
  /// addresses being protected by IPsec policy.\r
  /// \r
  EFI_IP_ADDRESS_INFO             *LocalAddress;\r
  /// \r
  /// Specifies the actual number of entries in RemoteAddress.\r
  /// \r
  UINT32                          RemoteAddressCount;\r
  /// \r
  /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities \r
  /// to LocalAddress. \r
  /// \r
  EFI_IP_ADDRESS_INFO             *RemoteAddress;\r
  /// \r
  /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 \r
  /// Next Header fields. The next layer protocol is whatever comes \r
  /// after any IP extension headers that are present. A zero value is a \r
  /// wildcard that matches any value in NextLayerProtocol field.\r
  /// \r
  UINT16                          NextLayerProtocol; \r
  /// \r
  /// Local Port if the Next Layer Protocol uses two ports (as do TCP, \r
  /// UDP, and others). A zero value is a wildcard that matches any \r
  /// value in LocalPort field.\r
  /// \r
  UINT16                          LocalPort;\r
  /// \r
  /// A designed port range size. The start port is LocalPort, and \r
  /// the total number of ports is described by LocalPortRange. \r
  /// This field is ignored if NextLayerProtocol does not use \r
  /// ports. \r
  /// \r
  UINT16                          LocalPortRange;\r
  /// \r
  /// Remote Port if the Next Layer Protocol uses two ports. A zero \r
  /// value is a wildcard that matches any value in RemotePort field.\r
  /// \r
  UINT16                          RemotePort;\r
  /// \r
  /// A designed port range size. The start port is RemotePort, and \r
  /// the total number of ports is described by RemotePortRange. \r
  /// This field is ignored if NextLayerProtocol does not use ports.\r
  /// \r
  UINT16                          RemotePortRange;\r
} EFI_IPSEC_SPD_SELECTOR;\r
 \r
///\r
/// EFI_IPSEC_TRAFFIC_DIR\r
/// represents the directionality in an SPD entry.\r
///\r
typedef enum {\r
  ///\r
  /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via \r
  /// the unprotected interface or emitted by the implementation on the unprotected\r
  /// side of the boundary and directed towards the protected interface. \r
  ///\r
  EfiIPsecInBound,\r
  ///\r
  /// The EfiIPsecOutBound refers to traffic entering the implementation via \r
  /// the protected interface, or emitted by the implementation on the protected side\r
  /// of the boundary and directed toward the unprotected interface.\r
  ///\r
  EfiIPsecOutBound\r
} EFI_IPSEC_TRAFFIC_DIR;\r
\r
///\r
/// EFI_IPSEC_ACTION\r
/// represents three possible processing choices.\r
///\r
typedef enum {\r
  /// \r
  /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r
  /// \r
  EfiIPsecActionDiscard,\r
  /// \r
  /// Refers to traffic that is allowed to cross the IPsec boundary \r
  /// without protection.\r
  /// \r
  EfiIPsecActionBypass,\r
  /// \r
  /// Refers to traffic that is afforded IPsec protection, and for such \r
  /// traffic the SPD must specify the security protocols to be \r
  /// employed, their mode, security service options, and the \r
  /// cryptographic algorithms to be used. \r
  ///\r
  EfiIPsecActionProtect\r
} EFI_IPSEC_ACTION;\r
\r
///\r
/// EFI_IPSEC_SA_LIFETIME\r
/// defines the lifetime of an SA, which represents when a SA must be \r
/// replaced or terminated. A value of all 0 for each field removes \r
/// the limitation of a SA lifetime.\r
///\r
typedef struct _EFI_IPSEC_SA_LIFETIME {\r
  /// \r
  /// The number of bytes to which the IPsec cryptographic algorithm\r
  /// can be applied. For ESP, this is the encryption algorithm and for\r
  /// AH, this is the authentication algorithm. The ByteCount \r
  /// includes pad bytes for cryptographic operations.\r
  /// \r
  UINT64        ByteCount;\r
  /// \r
  /// A time interval in second that warns the implementation to \r
  /// initiate action such as setting up a replacement SA.\r
  /// \r
  UINT64        SoftLifetime;\r
  /// \r
  /// A time interval in second when the current SA ends and is \r
  /// destroyed.\r
  /// \r
  UINT64        HardLifetime;\r
} EFI_IPSEC_SA_LIFETIME;\r
\r
///\r
/// EFI_IPSEC_MODE\r
/// There are two modes of IPsec operation: transport mode and tunnel mode. In \r
/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; \r
/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r
///\r
typedef enum {\r
  EfiIPsecTransport,\r
  EfiIPsecTunnel\r
} EFI_IPSEC_MODE;\r
\r
///\r
/// EFI_IPSEC_TUNNEL_DF_OPTION\r
/// The option of copying the DF bit from an outbound package to\r
/// the tunnel mode header that it emits, when traffic is carried\r
/// via a tunnel mode SA. This applies to SAs where both inner and\r
/// outer headers are IPv4.\r
///\r
typedef enum {\r
  EfiIPsecTunnelClearDf,  ///< Clear DF bit from inner header.\r
  EfiIPsecTunnelSetDf,    ///< Set DF bit from inner header.\r
  EfiIPsecTunnelCopyDf    ///< Copy DF bit from inner header.\r
} EFI_IPSEC_TUNNEL_DF_OPTION;\r
\r
///\r
/// EFI_IPSEC_TUNNEL_OPTION\r
///\r
typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r
  /// \r
  /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r
  /// \r
  EFI_IP_ADDRESS              LocalTunnelAddress;\r
  /// \r
  /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r
  /// \r
  EFI_IP_ADDRESS              RemoteTunnelAddress;\r
  /// \r
  /// The option of copying the DF bit from an outbound package\r
  /// to the tunnel mode header that it emits, when traffic is \r
  /// carried via a tunnel mode SA. \r
  /// \r
  EFI_IPSEC_TUNNEL_DF_OPTION  DF;\r
} EFI_IPSEC_TUNNEL_OPTION;\r
\r
///\r
/// EFI_IPSEC_PROTOCOL_TYPE\r
///\r
typedef enum {\r
  EfiIPsecAH,  ///< IP Authentication Header protocol which is specified in RFC 4302.\r
  EfiIPsecESP  ///< IP Encapsulating Security Payload which is specified in RFC 4303. \r
} EFI_IPSEC_PROTOCOL_TYPE;\r
\r
///\r
/// EFI_IPSEC_PROCESS_POLICY\r
/// describes a policy list for traffic processing.\r
///\r
typedef struct _EFI_IPSEC_PROCESS_POLICY {\r
  /// \r
  /// Extended Sequence Number. Is this SA using extended sequence \r
  /// numbers. 64 bit counter is used if TRUE.\r
  /// \r
  BOOLEAN                 ExtSeqNum;\r
  /// \r
  /// A flag indicating whether overflow of the sequence number \r
  /// counter should generate an auditable event and prevent \r
  /// transmission of additional packets on the SA, or whether rollover \r
  /// is permitted.\r
  /// \r
  BOOLEAN                 SeqOverflow;\r
  /// \r
  /// Is this SA using stateful fragment checking. TRUE represents \r
  /// stateful fragment checking.\r
  /// \r
  BOOLEAN                 FragCheck;\r
  /// \r
  /// A time interval after which a SA must be replaced with a new SA \r
  /// (and new SPI) or terminated. \r
  /// \r
  EFI_IPSEC_SA_LIFETIME   SaLifetime;\r
  /// \r
  /// IPsec mode: tunnel or transport.\r
  /// \r
  EFI_IPSEC_MODE          Mode;\r
  /// \r
  /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r
  /// \r
  EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r
  /// \r
  /// IPsec protocol: AH or ESP\r
  /// \r
  EFI_IPSEC_PROTOCOL_TYPE Proto;\r
  ///  \r
  /// Cryptographic algorithm type used for authentication.\r
  /// \r
  UINT8                   AuthAlgoId;\r
  /// \r
  /// Cryptographic algorithm type used for encryption. EncAlgo is \r
  /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo \r
  /// can also be used to describe the algorithm if a combined mode \r
  /// algorithm is used.\r
  ///\r
  UINT8                   EncAlgoId;\r
} EFI_IPSEC_PROCESS_POLICY;\r
\r
///\r
/// IPsec Authentication Algorithm Definition\r
///   The number value definition is aligned to IANA assignment\r
///\r
#define EFI_IPSEC_AALG_NONE                0x00\r
#define EFI_IPSEC_AALG_MD5HMAC             0x02\r
#define EFI_IPSEC_AALG_SHA1HMAC            0x03\r
#define EFI_IPSEC_AALG_SHA2_256HMAC        0x05\r
#define EFI_IPSEC_AALG_SHA2_384HMAC        0x06\r
#define EFI_IPSEC_AALG_SHA2_512HMAC        0x07\r
#define EFI_IPSEC_AALG_AES_XCBC_MAC        0x09\r
#define EFI_IPSEC_AALG_NULL                0xFB\r
\r
///\r
/// IPsec Encryption Algorithm Definition\r
///   The number value definition is aligned to IANA assignment\r
///\r
#define EFI_IPSEC_EALG_NONE                0x00\r
#define EFI_IPSEC_EALG_DESCBC              0x02\r
#define EFI_IPSEC_EALG_3DESCBC             0x03\r
#define EFI_IPSEC_EALG_CASTCBC             0x06\r
#define EFI_IPSEC_EALG_BLOWFISHCBC         0x07\r
#define EFI_IPSEC_EALG_NULL                0x0B\r
#define EFI_IPSEC_EALG_AESCBC              0x0C\r
#define EFI_IPSEC_EALG_AESCTR              0x0D\r
#define EFI_IPSEC_EALG_AES_CCM_ICV8        0x0E\r
#define EFI_IPSEC_EALG_AES_CCM_ICV12       0x0F\r
#define EFI_IPSEC_EALG_AES_CCM_ICV16       0x10\r
#define EFI_IPSEC_EALG_AES_GCM_ICV8        0x12\r
#define EFI_IPSEC_EALG_AES_GCM_ICV12       0x13\r
#define EFI_IPSEC_EALG_AES_GCM_ICV16       0x14\r
\r
///\r
/// EFI_IPSEC_SA_ID\r
/// A triplet to identify an SA, consisting of the following members.\r
///\r
typedef struct _EFI_IPSEC_SA_ID {\r
  /// \r
  /// Security Parameter Index (aka SPI).  An arbitrary 32-bit value \r
  /// that is used by a receiver to identity the SA to which an incoming \r
  /// package should be bound.\r
  /// \r
  UINT32                          Spi;\r
  /// \r
  /// IPsec protocol: AH or ESP\r
  /// \r
  EFI_IPSEC_PROTOCOL_TYPE         Proto;\r
  /// \r
  /// Destination IP address. \r
  /// \r
  EFI_IP_ADDRESS                  DestAddress;\r
} EFI_IPSEC_SA_ID;\r
\r
\r
#define MAX_PEERID_LEN     128\r
\r
///\r
/// EFI_IPSEC_SPD_DATA\r
///\r
typedef struct _EFI_IPSEC_SPD_DATA {\r
  /// \r
  /// A null-terminated name string which is used as a symbolic \r
  /// identifier for an IPsec Local or Remote address.\r
  /// \r
  UINT8                           Name[MAX_PEERID_LEN];\r
  /// \r
  /// Bit-mapped list describing Populate from Packet flags. When \r
  /// creating a SA, if PackageFlag bit is set to TRUE, instantiate \r
  /// the selector from the corresponding field in the package that \r
  /// triggered the creation of the SA, else from the value(s) in the \r
  /// corresponding SPD entry. The PackageFlag bit setting for \r
  /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r
  ///     Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress \r
  ///     Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress \r
  ///     Bit 2: \r
  /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol \r
  ///     Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort \r
  ///     Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort \r
  ///     Others: Reserved.\r
  ///\r
  UINT32                          PackageFlag;\r
  /// \r
  /// The traffic direction of data gram.\r
  /// \r
  EFI_IPSEC_TRAFFIC_DIR           TrafficDirection;\r
  /// \r
  /// Processing choices to indicate which action is required by this \r
  /// policy. \r
  /// \r
  EFI_IPSEC_ACTION                Action;\r
  /// \r
  /// The policy and rule information for a SPD entry.\r
  /// \r
  EFI_IPSEC_PROCESS_POLICY        *ProcessingPolicy;\r
  /// \r
  /// Specifies the actual number of entries in SaId list.\r
  /// \r
  UINTN                           SaIdCount;\r
  /// \r
  /// The SAD entry used for the traffic processing. The \r
  /// existed SAD entry links indicate this is the manual key case.\r
  /// \r
  EFI_IPSEC_SA_ID                 SaId[1];\r
} EFI_IPSEC_SPD_DATA;\r
\r
///\r
/// EFI_IPSEC_AH_ALGO_INFO\r
/// The security algorithm selection for IPsec AH authentication.\r
/// The required authentication algorithm is specified in RFC 4305.\r
///\r
typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r
  UINT8                           AuthAlgoId;\r
  UINTN                           AuthKeyLength;\r
  VOID                            *AuthKey;\r
} EFI_IPSEC_AH_ALGO_INFO;\r
\r
///\r
/// EFI_IPSEC_ESP_ALGO_INFO\r
/// The security algorithm selection for IPsec ESP encryption and authentication.\r
/// The required authentication algorithm is specified in RFC 4305. \r
/// EncAlgoId fields can also specify an ESP combined mode algorithm \r
/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both \r
/// confidentiality and authentication services.\r
///\r
typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r
  UINT8                     EncAlgoId;\r
  UINTN                     EncKeyLength;\r
  VOID                      *EncKey;\r
  UINT8                     AuthAlgoId;\r
  UINTN                     AuthKeyLength;\r
  VOID                      *AuthKey;\r
} EFI_IPSEC_ESP_ALGO_INFO;\r
\r
///\r
/// EFI_IPSEC_ALGO_INFO\r
///\r
typedef union {\r
  EFI_IPSEC_AH_ALGO_INFO          AhAlgoInfo;\r
  EFI_IPSEC_ESP_ALGO_INFO         EspAlgoInfo;\r
} EFI_IPSEC_ALGO_INFO;\r
\r
///\r
/// EFI_IPSEC_SA_DATA\r
///\r
typedef struct _EFI_IPSEC_SA_DATA {\r
  /// \r
  /// IPsec mode: tunnel or transport.\r
  /// \r
  EFI_IPSEC_MODE                  Mode;\r
  /// \r
  /// Sequence Number Counter. A 64-bit counter used to generate the \r
  /// sequence number field in AH or ESP headers.\r
  /// \r
  UINT64                          SNCount;\r
  /// \r
  /// Anti-Replay Window. A 64-bit counter and a bit-map used to \r
  /// determine whether an inbound AH or ESP packet is a replay.\r
  /// \r
  UINT8                           AntiReplayWindows;\r
  /// \r
  /// AH/ESP cryptographic algorithm, key and parameters. \r
  /// \r
  EFI_IPSEC_ALGO_INFO             AlgoInfo;\r
  /// \r
  /// Lifetime of this SA. \r
  /// \r
  EFI_IPSEC_SA_LIFETIME           SaLifetime;\r
  /// \r
  /// Any observed path MTU and aging variables. The Path MTU \r
  /// processing is defined in section 8 of RFC 4301.\r
  /// \r
  UINT32                          PathMTU;\r
  /// \r
  /// Link to one SPD entry.\r
  /// \r
  EFI_IPSEC_SPD_SELECTOR          *SpdSelector;\r
  /// \r
Commit	Line	Data
fa05b97b	1	/** @file\r
	2	EFI IPsec Configuration Protocol Definition\r
	3	The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and \r
	4	policy related information for the EFI IPsec protocol driver.\r
	5	\r
	6	Copyright (c) 2009, Intel Corporation\r
	7	All rights reserved. This program and the accompanying materials\r
	8	are licensed and made available under the terms and conditions of the BSD License\r
	9	which accompanies this distribution. The full text of the license may be found at\r
	10	http://opensource.org/licenses/bsd-license.php\r
	11	\r
	12	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	13	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	14	\r
	15	@par Revision Reference: \r
	16	This Protocol is introduced in UEFI Specification 2.2\r
	17	\r
	18	**/\r
	19	\r
	20	#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
	21	#define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
	22	\r
	23	\r
	24	#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r
	25	{ \\r
	26	0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r
	27	}\r
	28	\r
	29	typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r
	30	\r
	31	///\r
	32	/// EFI_IPSEC_CONFIG_DATA_TYPE\r
	33	///\r
	34	typedef enum {\r
	35	/// \r
	36	/// The IPsec Security Policy Database (aka SPD) setting. In IPsec, \r
	37	/// an essential element of Security Association (SA) processing is \r
	38	/// underlying SPD that specifies what services are to be offered to \r
	39	/// IP datagram and in what fashion. The SPD must be consulted \r
	40	/// during the processing of all traffic (inbound and outbound), \r
	41	/// including traffic not protected by IPsec, that traverses the IPsec \r
	42	/// boundary. With this DataType, SetData() function is to set \r
	43	/// the SPD entry information, which may add one new entry, delete \r
	44	/// one existed entry or flush the whole database according to the \r
	45	/// parameter values. The corresponding Data is of type \r
	46	/// EFI_IPSEC_SPD_DATA\r
	47	/// \r
	48	IPsecConfigDataTypeSpd,\r
	49	/// \r
	50	/// The IPsec Security Association Database (aka SAD) setting. A \r
	51	/// SA is a simplex connection that affords security services to the \r
	52	/// traffic carried by it. Security services are afforded to an SA by the \r
	53	/// use of AH, or ESP, but not both. The corresponding Data is of \r
	54	/// type EFI_IPSEC_SAD_DATA.\r
	55	/// \r
	56	IPsecConfigDataTypeSad,\r
	57	/// \r
	58	/// The IPsec Peer Authorization Database (aka PAD) setting, which \r
	59	/// provides the link between the SPD and a security association \r
	60	/// management protocol. The PAD entry specifies the \r
	61	/// authentication protocol (e.g. IKEv1, IKEv2) method used and the \r
	62	/// authentication data. The corresponding Data is of type \r
	63	/// EFI_IPSEC_PAD_DATA.\r
	64	///\r
65	IPsecConfigDataTypePad,\r
66	IPsecConfigDataTypeMaximum\r
67	} EFI_IPSEC_CONFIG_DATA_TYPE;\r
68	\r
69	///\r
70	/// EFI_IP_ADDRESS_INFO\r
71	///\r
72	typedef struct _EFI_IP_ADDRESS_INFO {\r
73	EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r
74	UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r
75	} EFI_IP_ADDRESS_INFO;\r
76	\r
77	\r
78	///\r
79	/// EFI_IPSEC_SPD_SELECTOR\r
80	///\r
81	typedef struct _EFI_IPSEC_SPD_SELECTOR {\r
82	/// \r
83	/// Specifies the actual number of entries in LocalAddress.\r
84	/// \r
85	UINT32 LocalAddressCount;\r
86	/// \r
87	/// A list of ranges of IPv4 or IPv6 addresses, which refers to the \r
88	/// addresses being protected by IPsec policy.\r
89	/// \r
90	EFI_IP_ADDRESS_INFO *LocalAddress;\r
91	/// \r
92	/// Specifies the actual number of entries in RemoteAddress.\r
93	/// \r
94	UINT32 RemoteAddressCount;\r
95	/// \r
96	/// A list of ranges of IPv4 or IPv6 addresses, which are peer entities \r
97	/// to LocalAddress. \r
98	/// \r
99	EFI_IP_ADDRESS_INFO *RemoteAddress;\r
100	/// \r
101	/// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 \r
102	/// Next Header fields. The next layer protocol is whatever comes \r
103	/// after any IP extension headers that are present. A zero value is a \r
104	/// wildcard that matches any value in NextLayerProtocol field.\r
105	/// \r
106	UINT16 NextLayerProtocol; \r
107	/// \r
108	/// Local Port if the Next Layer Protocol uses two ports (as do TCP, \r
109	/// UDP, and others). A zero value is a wildcard that matches any \r
110	/// value in LocalPort field.\r
111	/// \r
112	UINT16 LocalPort;\r
113	/// \r
114	/// A designed port range size. The start port is LocalPort, and \r
115	/// the total number of ports is described by LocalPortRange. \r
116	/// This field is ignored if NextLayerProtocol does not use \r
117	/// ports. \r
118	/// \r
119	UINT16 LocalPortRange;\r
120	/// \r
121	/// Remote Port if the Next Layer Protocol uses two ports. A zero \r
122	/// value is a wildcard that matches any value in RemotePort field.\r
123	/// \r
124	UINT16 RemotePort;\r
125	/// \r
126	/// A designed port range size. The start port is RemotePort, and \r
127	/// the total number of ports is described by RemotePortRange. \r
128	/// This field is ignored if NextLayerProtocol does not use ports.\r
129	/// \r
130	UINT16 RemotePortRange;\r
131	} EFI_IPSEC_SPD_SELECTOR;\r
132	\r
133	///\r
134	/// EFI_IPSEC_TRAFFIC_DIR\r
135	/// represents the directionality in an SPD entry.\r
136	///\r
137	typedef enum {\r
138	///\r
139	/// The EfiIPsecInBound refers to traffic entering an IPsec implementation via \r
140	/// the unprotected interface or emitted by the implementation on the unprotected\r
141	/// side of the boundary and directed towards the protected interface. \r
142	///\r
143	EfiIPsecInBound,\r
144	///\r
145	/// The EfiIPsecOutBound refers to traffic entering the implementation via \r
146	/// the protected interface, or emitted by the implementation on the protected side\r
147	/// of the boundary and directed toward the unprotected interface.\r
148	///\r
149	EfiIPsecOutBound\r
150	} EFI_IPSEC_TRAFFIC_DIR;\r
151	\r
152	///\r
153	/// EFI_IPSEC_ACTION\r
154	/// represents three possible processing choices.\r
155	///\r
156	typedef enum {\r
157	/// \r
158	/// Refers to traffic that is not allowed to traverse the IPsec boundary.\r
159	/// \r
160	EfiIPsecActionDiscard,\r
161	/// \r
162	/// Refers to traffic that is allowed to cross the IPsec boundary \r
163	/// without protection.\r
164	/// \r
165	EfiIPsecActionBypass,\r
166	/// \r
167	/// Refers to traffic that is afforded IPsec protection, and for such \r
168	/// traffic the SPD must specify the security protocols to be \r
169	/// employed, their mode, security service options, and the \r
170	/// cryptographic algorithms to be used. \r
171	///\r
172	EfiIPsecActionProtect\r
173	} EFI_IPSEC_ACTION;\r
174	\r
175	///\r
176	/// EFI_IPSEC_SA_LIFETIME\r
177	/// defines the lifetime of an SA, which represents when a SA must be \r
178	/// replaced or terminated. A value of all 0 for each field removes \r
179	/// the limitation of a SA lifetime.\r
180	///\r
181	typedef struct _EFI_IPSEC_SA_LIFETIME {\r
182	/// \r
183	/// The number of bytes to which the IPsec cryptographic algorithm\r
184	/// can be applied. For ESP, this is the encryption algorithm and for\r
185	/// AH, this is the authentication algorithm. The ByteCount \r
186	/// includes pad bytes for cryptographic operations.\r
187	/// \r
188	UINT64 ByteCount;\r
189	/// \r
190	/// A time interval in second that warns the implementation to \r
191	/// initiate action such as setting up a replacement SA.\r
192	/// \r
193	UINT64 SoftLifetime;\r
194	/// \r
195	/// A time interval in second when the current SA ends and is \r
196	/// destroyed.\r
197	/// \r
198	UINT64 HardLifetime;\r
199	} EFI_IPSEC_SA_LIFETIME;\r
200	\r
201	///\r
202	/// EFI_IPSEC_MODE\r
203	/// There are two modes of IPsec operation: transport mode and tunnel mode. In \r
204	/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; \r
205	/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r
206	///\r
207	typedef enum {\r
208	EfiIPsecTransport,\r
209	EfiIPsecTunnel\r
210	} EFI_IPSEC_MODE;\r
211	\r
212	///\r
213	/// EFI_IPSEC_TUNNEL_DF_OPTION\r
214	/// The option of copying the DF bit from an outbound package to\r
215	/// the tunnel mode header that it emits, when traffic is carried\r
216	/// via a tunnel mode SA. This applies to SAs where both inner and\r
217	/// outer headers are IPv4.\r
218	///\r
219	typedef enum {\r
220	EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r
221	EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r
222	EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r
223	} EFI_IPSEC_TUNNEL_DF_OPTION;\r
224	\r
225	///\r
226	/// EFI_IPSEC_TUNNEL_OPTION\r
227	///\r
228	typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r
229	/// \r
230	/// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r
231	/// \r
232	EFI_IP_ADDRESS LocalTunnelAddress;\r
233	/// \r
234	/// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r
235	/// \r
236	EFI_IP_ADDRESS RemoteTunnelAddress;\r
237	/// \r
238	/// The option of copying the DF bit from an outbound package\r
239	/// to the tunnel mode header that it emits, when traffic is \r
240	/// carried via a tunnel mode SA. \r
241	/// \r
242	EFI_IPSEC_TUNNEL_DF_OPTION DF;\r
243	} EFI_IPSEC_TUNNEL_OPTION;\r
244	\r
245	///\r
246	/// EFI_IPSEC_PROTOCOL_TYPE\r
247	///\r
248	typedef enum {\r
249	EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r
250	EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. \r
251	} EFI_IPSEC_PROTOCOL_TYPE;\r
252	\r
253	///\r
254	/// EFI_IPSEC_PROCESS_POLICY\r
255	/// describes a policy list for traffic processing.\r
256	///\r
257	typedef struct _EFI_IPSEC_PROCESS_POLICY {\r
258	/// \r
259	/// Extended Sequence Number. Is this SA using extended sequence \r
260	/// numbers. 64 bit counter is used if TRUE.\r
261	/// \r
262	BOOLEAN ExtSeqNum;\r
263	/// \r
264	/// A flag indicating whether overflow of the sequence number \r
265	/// counter should generate an auditable event and prevent \r
266	/// transmission of additional packets on the SA, or whether rollover \r
267	/// is permitted.\r
268	/// \r
269	BOOLEAN SeqOverflow;\r
270	/// \r
271	/// Is this SA using stateful fragment checking. TRUE represents \r
272	/// stateful fragment checking.\r
273	/// \r
274	BOOLEAN FragCheck;\r
275	/// \r
276	/// A time interval after which a SA must be replaced with a new SA \r
277	/// (and new SPI) or terminated. \r
278	/// \r
279	EFI_IPSEC_SA_LIFETIME SaLifetime;\r
280	/// \r
281	/// IPsec mode: tunnel or transport.\r
282	/// \r
283	EFI_IPSEC_MODE Mode;\r
284	/// \r
285	/// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r
286	/// \r
287	EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r
288	/// \r
289	/// IPsec protocol: AH or ESP\r
290	/// \r
291	EFI_IPSEC_PROTOCOL_TYPE Proto;\r
292	/// \r
293	/// Cryptographic algorithm type used for authentication.\r
294	/// \r
295	UINT8 AuthAlgoId;\r
296	/// \r
297	/// Cryptographic algorithm type used for encryption. EncAlgo is \r
298	/// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo \r
299	/// can also be used to describe the algorithm if a combined mode \r
300	/// algorithm is used.\r
301	///\r
302	UINT8 EncAlgoId;\r
303	} EFI_IPSEC_PROCESS_POLICY;\r
304	\r
305	///\r
306	/// IPsec Authentication Algorithm Definition\r
307	/// The number value definition is aligned to IANA assignment\r
308	///\r
309	#define EFI_IPSEC_AALG_NONE 0x00\r
310	#define EFI_IPSEC_AALG_MD5HMAC 0x02\r
311	#define EFI_IPSEC_AALG_SHA1HMAC 0x03\r
312	#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05\r
313	#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06\r
314	#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07\r
315	#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09\r
316	#define EFI_IPSEC_AALG_NULL 0xFB\r
317	\r
318	///\r
319	/// IPsec Encryption Algorithm Definition\r
320	/// The number value definition is aligned to IANA assignment\r
321	///\r
322	#define EFI_IPSEC_EALG_NONE 0x00\r
323	#define EFI_IPSEC_EALG_DESCBC 0x02\r
324	#define EFI_IPSEC_EALG_3DESCBC 0x03\r
325	#define EFI_IPSEC_EALG_CASTCBC 0x06\r
326	#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07\r
327	#define EFI_IPSEC_EALG_NULL 0x0B\r
328	#define EFI_IPSEC_EALG_AESCBC 0x0C\r
329	#define EFI_IPSEC_EALG_AESCTR 0x0D\r
330	#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E\r
331	#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F\r
332	#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10\r
333	#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12\r
334	#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13\r
335	#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14\r
336	\r
337	///\r
338	/// EFI_IPSEC_SA_ID\r
339	/// A triplet to identify an SA, consisting of the following members.\r
340	///\r
341	typedef struct _EFI_IPSEC_SA_ID {\r
342	/// \r
343	/// Security Parameter Index (aka SPI). An arbitrary 32-bit value \r
344	/// that is used by a receiver to identity the SA to which an incoming \r
345	/// package should be bound.\r
346	/// \r
347	UINT32 Spi;\r
348	/// \r
349	/// IPsec protocol: AH or ESP\r
350	/// \r
351	EFI_IPSEC_PROTOCOL_TYPE Proto;\r
352	/// \r
353	/// Destination IP address. \r
354	/// \r
355	EFI_IP_ADDRESS DestAddress;\r
356	} EFI_IPSEC_SA_ID;\r
357	\r
358	\r
359	#define MAX_PEERID_LEN 128\r
360	\r
361	///\r
362	/// EFI_IPSEC_SPD_DATA\r
363	///\r
364	typedef struct _EFI_IPSEC_SPD_DATA {\r
365	/// \r
366	/// A null-terminated name string which is used as a symbolic \r
367	/// identifier for an IPsec Local or Remote address.\r
368	/// \r
369	UINT8 Name[MAX_PEERID_LEN];\r
370	/// \r
371	/// Bit-mapped list describing Populate from Packet flags. When \r
372	/// creating a SA, if PackageFlag bit is set to TRUE, instantiate \r
373	/// the selector from the corresponding field in the package that \r
374	/// triggered the creation of the SA, else from the value(s) in the \r
375	/// corresponding SPD entry. The PackageFlag bit setting for \r
376	/// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r
377	/// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress \r
378	/// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress \r
379	/// Bit 2: \r
380	/// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol \r
381	/// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort \r
382	/// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort \r
383	/// Others: Reserved.\r
384	///\r
385	UINT32 PackageFlag;\r
386	/// \r
387	/// The traffic direction of data gram.\r
388	/// \r
389	EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r
390	/// \r
391	/// Processing choices to indicate which action is required by this \r
392	/// policy. \r
393	/// \r
394	EFI_IPSEC_ACTION Action;\r
395	/// \r
396	/// The policy and rule information for a SPD entry.\r
397	/// \r
398	EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
399	/// \r
400	/// Specifies the actual number of entries in SaId list.\r
401	/// \r
402	UINTN SaIdCount;\r
403	/// \r
404	/// The SAD entry used for the traffic processing. The \r
405	/// existed SAD entry links indicate this is the manual key case.\r
406	/// \r
407	EFI_IPSEC_SA_ID SaId[1];\r
408	} EFI_IPSEC_SPD_DATA;\r
409	\r
410	///\r
411	/// EFI_IPSEC_AH_ALGO_INFO\r
412	/// The security algorithm selection for IPsec AH authentication.\r
413	/// The required authentication algorithm is specified in RFC 4305.\r
414	///\r
415	typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r
416	UINT8 AuthAlgoId;\r
417	UINTN AuthKeyLength;\r
418	VOID *AuthKey;\r
419	} EFI_IPSEC_AH_ALGO_INFO;\r
420	\r
421	///\r
422	/// EFI_IPSEC_ESP_ALGO_INFO\r
423	/// The security algorithm selection for IPsec ESP encryption and authentication.\r
424	/// The required authentication algorithm is specified in RFC 4305. \r
425	/// EncAlgoId fields can also specify an ESP combined mode algorithm \r
426	/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both \r
427	/// confidentiality and authentication services.\r
428	///\r
429	typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r
430	UINT8 EncAlgoId;\r
431	UINTN EncKeyLength;\r
432	VOID *EncKey;\r
433	UINT8 AuthAlgoId;\r
434	UINTN AuthKeyLength;\r
435	VOID *AuthKey;\r
436	} EFI_IPSEC_ESP_ALGO_INFO;\r
437	\r
438	///\r
439	/// EFI_IPSEC_ALGO_INFO\r
440	///\r
441	typedef union {\r
442	EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r
443	EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r
444	} EFI_IPSEC_ALGO_INFO;\r
445	\r
446	///\r
447	/// EFI_IPSEC_SA_DATA\r
448	///\r
449	typedef struct _EFI_IPSEC_SA_DATA {\r
450	/// \r
451	/// IPsec mode: tunnel or transport.\r
452	/// \r
453	EFI_IPSEC_MODE Mode;\r
454	/// \r
455	/// Sequence Number Counter. A 64-bit counter used to generate the \r
456	/// sequence number field in AH or ESP headers.\r
457	/// \r
458	UINT64 SNCount;\r
459	/// \r
460	/// Anti-Replay Window. A 64-bit counter and a bit-map used to \r
461	/// determine whether an inbound AH or ESP packet is a replay.\r
462	/// \r
463	UINT8 AntiReplayWindows;\r
464	/// \r
465	/// AH/ESP cryptographic algorithm, key and parameters. \r
466	/// \r
467	EFI_IPSEC_ALGO_INFO AlgoInfo;\r
468	/// \r
469	/// Lifetime of this SA. \r
470	/// \r
471	EFI_IPSEC_SA_LIFETIME SaLifetime;\r
472	/// \r
473	/// Any observed path MTU and aging variables. The Path MTU \r
474	/// processing is defined in section 8 of RFC 4301.\r
475	/// \r
476	UINT32 PathMTU;\r
477	/// \r
478	/// Link to one SPD entry.\r
479	/// \r
480	EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
481	/// \r
482