]> git.proxmox.com Git - mirror_edk2.git/blob - MdePkg/Include/Protocol/IpSecConfig.h
projects / mirror_edk2.git / blob
? search:


d9a9b614a1b683afe9b59638af6efbc0b28011cc
[mirror_edk2.git] / MdePkg / Include / Protocol / IpSecConfig.h
1 /** @file
2 EFI IPsec Configuration Protocol Definition
3 The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and
4 policy related information for the EFI IPsec protocol driver.
5
6 Copyright (c) 2009 - 2010, Intel Corporation
7 All rights reserved. This program and the accompanying materials
8 are licensed and made available under the terms and conditions of the BSD License
9 which accompanies this distribution. The full text of the license may be found at
10 http://opensource.org/licenses/bsd-license.php
11
12 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
13 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
14
15 @par Revision Reference:
16 This Protocol is introduced in UEFI Specification 2.2
17
18 **/
19
20 #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__
21 #define __EFI_IPSE_CCONFIG_PROTOCOL_H__
22
23
24 #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \
25 { \
26 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
27 }
28
29 typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;
30
31 ///
32 /// EFI_IPSEC_CONFIG_DATA_TYPE
33 ///
34 typedef enum {
35 ///
36 /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,
37 /// an essential element of Security Association (SA) processing is
38 /// underlying SPD that specifies what services are to be offered to
39 /// IP datagram and in what fashion. The SPD must be consulted
40 /// during the processing of all traffic (inbound and outbound),
41 /// including traffic not protected by IPsec, that traverses the IPsec
42 /// boundary. With this DataType, SetData() function is to set
43 /// the SPD entry information, which may add one new entry, delete
44 /// one existed entry or flush the whole database according to the
45 /// parameter values. The corresponding Data is of type
46 /// EFI_IPSEC_SPD_DATA
47 ///
48 IPsecConfigDataTypeSpd,
49 ///
50 /// The IPsec Security Association Database (aka SAD) setting. A
51 /// SA is a simplex connection that affords security services to the
52 /// traffic carried by it. Security services are afforded to an SA by the
53 /// use of AH, or ESP, but not both. The corresponding Data is of
54 /// type EFI_IPSEC_SAD_DATA.
55 ///
56 IPsecConfigDataTypeSad,
57 ///
58 /// The IPsec Peer Authorization Database (aka PAD) setting, which
59 /// provides the link between the SPD and a security association
60 /// management protocol. The PAD entry specifies the
61 /// authentication protocol (e.g. IKEv1, IKEv2) method used and the
62 /// authentication data. The corresponding Data is of type
63 /// EFI_IPSEC_PAD_DATA.
64 ///
65 IPsecConfigDataTypePad,
66 IPsecConfigDataTypeMaximum
67 } EFI_IPSEC_CONFIG_DATA_TYPE;
68
69 ///
70 /// EFI_IP_ADDRESS_INFO
71 ///
72 typedef struct _EFI_IP_ADDRESS_INFO {
73 EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address
74 UINT8 PrefixLength; ///< The length of the prefix associated with the Address.
75 } EFI_IP_ADDRESS_INFO;
76
77
78 ///
79 /// EFI_IPSEC_SPD_SELECTOR
80 ///
81 typedef struct _EFI_IPSEC_SPD_SELECTOR {
82 ///
83 /// Specifies the actual number of entries in LocalAddress.
84 ///
85 UINT32 LocalAddressCount;
86 ///
87 /// A list of ranges of IPv4 or IPv6 addresses, which refers to the
88 /// addresses being protected by IPsec policy.
89 ///
90 EFI_IP_ADDRESS_INFO *LocalAddress;
91 ///
92 /// Specifies the actual number of entries in RemoteAddress.
93 ///
94 UINT32 RemoteAddressCount;
95 ///
96 /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities
97 /// to LocalAddress.
98 ///
99 EFI_IP_ADDRESS_INFO *RemoteAddress;
100 ///
101 /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6
102 /// Next Header fields. The next layer protocol is whatever comes
103 /// after any IP extension headers that are present. A zero value is a
104 /// wildcard that matches any value in NextLayerProtocol field.
105 ///
106 UINT16 NextLayerProtocol;
107 ///
108 /// Local Port if the Next Layer Protocol uses two ports (as do TCP,
109 /// UDP, and others). A zero value is a wildcard that matches any
110 /// value in LocalPort field.
111 ///
112 UINT16 LocalPort;
113 ///
114 /// A designed port range size. The start port is LocalPort, and
115 /// the total number of ports is described by LocalPortRange.
116 /// This field is ignored if NextLayerProtocol does not use
117 /// ports.
118 ///
119 UINT16 LocalPortRange;
120 ///
121 /// Remote Port if the Next Layer Protocol uses two ports. A zero
122 /// value is a wildcard that matches any value in RemotePort field.
123 ///
124 UINT16 RemotePort;
125 ///
126 /// A designed port range size. The start port is RemotePort, and
127 /// the total number of ports is described by RemotePortRange.
128 /// This field is ignored if NextLayerProtocol does not use ports.
129 ///
130 UINT16 RemotePortRange;
131 } EFI_IPSEC_SPD_SELECTOR;
132
133 ///
134 /// EFI_IPSEC_TRAFFIC_DIR
135 /// represents the directionality in an SPD entry.
136 ///
137 typedef enum {
138 ///
139 /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via
140 /// the unprotected interface or emitted by the implementation on the unprotected
141 /// side of the boundary and directed towards the protected interface.
142 ///
143 EfiIPsecInBound,
144 ///
145 /// The EfiIPsecOutBound refers to traffic entering the implementation via
146 /// the protected interface, or emitted by the implementation on the protected side
147 /// of the boundary and directed toward the unprotected interface.
148 ///
149 EfiIPsecOutBound
150 } EFI_IPSEC_TRAFFIC_DIR;
151
152 ///
153 /// EFI_IPSEC_ACTION
154 /// represents three possible processing choices.
155 ///
156 typedef enum {
157 ///
158 /// Refers to traffic that is not allowed to traverse the IPsec boundary.
159 ///
160 EfiIPsecActionDiscard,
161 ///
162 /// Refers to traffic that is allowed to cross the IPsec boundary
163 /// without protection.
164 ///
165 EfiIPsecActionBypass,
166 ///
167 /// Refers to traffic that is afforded IPsec protection, and for such
168 /// traffic the SPD must specify the security protocols to be
169 /// employed, their mode, security service options, and the
170 /// cryptographic algorithms to be used.
171 ///
172 EfiIPsecActionProtect
173 } EFI_IPSEC_ACTION;
174
175 ///
176 /// EFI_IPSEC_SA_LIFETIME
177 /// defines the lifetime of an SA, which represents when a SA must be
178 /// replaced or terminated. A value of all 0 for each field removes
179 /// the limitation of a SA lifetime.
180 ///
181 typedef struct _EFI_IPSEC_SA_LIFETIME {
182 ///
183 /// The number of bytes to which the IPsec cryptographic algorithm
184 /// can be applied. For ESP, this is the encryption algorithm and for
185 /// AH, this is the authentication algorithm. The ByteCount
186 /// includes pad bytes for cryptographic operations.
187 ///
188 UINT64 ByteCount;
189 ///
190 /// A time interval in second that warns the implementation to
191 /// initiate action such as setting up a replacement SA.
192 ///
193 UINT64 SoftLifetime;
194 ///
195 /// A time interval in second when the current SA ends and is
196 /// destroyed.
197 ///
198 UINT64 HardLifetime;
199 } EFI_IPSEC_SA_LIFETIME;
200
201 ///
202 /// EFI_IPSEC_MODE
203 /// There are two modes of IPsec operation: transport mode and tunnel mode. In
204 /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;
205 /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.
206 ///
207 typedef enum {
208 EfiIPsecTransport,
209 EfiIPsecTunnel
210 } EFI_IPSEC_MODE;
211
212 ///
213 /// EFI_IPSEC_TUNNEL_DF_OPTION
214 /// The option of copying the DF bit from an outbound package to
215 /// the tunnel mode header that it emits, when traffic is carried
216 /// via a tunnel mode SA. This applies to SAs where both inner and
217 /// outer headers are IPv4.
218 ///
219 typedef enum {
220 EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.
221 EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.
222 EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.
223 } EFI_IPSEC_TUNNEL_DF_OPTION;
224
225 ///
226 /// EFI_IPSEC_TUNNEL_OPTION
227 ///
228 typedef struct _EFI_IPSEC_TUNNEL_OPTION {
229 ///
230 /// Local tunnel address when IPsec mode is EfiIPsecTunnel.
231 ///
232 EFI_IP_ADDRESS LocalTunnelAddress;
233 ///
234 /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.
235 ///
236 EFI_IP_ADDRESS RemoteTunnelAddress;
237 ///
238 /// The option of copying the DF bit from an outbound package
239 /// to the tunnel mode header that it emits, when traffic is
240 /// carried via a tunnel mode SA.
241 ///
242 EFI_IPSEC_TUNNEL_DF_OPTION DF;
243 } EFI_IPSEC_TUNNEL_OPTION;
244
245 ///
246 /// EFI_IPSEC_PROTOCOL_TYPE
247 ///
248 typedef enum {
249 EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.
250 EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303.
251 } EFI_IPSEC_PROTOCOL_TYPE;
252
253 ///
254 /// EFI_IPSEC_PROCESS_POLICY
255 /// describes a policy list for traffic processing.
256 ///
257 typedef struct _EFI_IPSEC_PROCESS_POLICY {
258 ///
259 /// Extended Sequence Number. Is this SA using extended sequence
260 /// numbers. 64 bit counter is used if TRUE.
261 ///
262 BOOLEAN ExtSeqNum;
263 ///
264 /// A flag indicating whether overflow of the sequence number
265 /// counter should generate an auditable event and prevent
266 /// transmission of additional packets on the SA, or whether rollover
267 /// is permitted.
268 ///
269 BOOLEAN SeqOverflow;
270 ///
271 /// Is this SA using stateful fragment checking. TRUE represents
272 /// stateful fragment checking.
273 ///
274 BOOLEAN FragCheck;
275 ///
276 /// A time interval after which a SA must be replaced with a new SA
277 /// (and new SPI) or terminated.
278 ///
279 EFI_IPSEC_SA_LIFETIME SaLifetime;
280 ///
281 /// IPsec mode: tunnel or transport.
282 ///
283 EFI_IPSEC_MODE Mode;
284 ///
285 /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.
286 ///
287 EFI_IPSEC_TUNNEL_OPTION *TunnelOption;
288 ///
289 /// IPsec protocol: AH or ESP
290 ///
291 EFI_IPSEC_PROTOCOL_TYPE Proto;
292 ///
293 /// Cryptographic algorithm type used for authentication.
294 ///
295 UINT8 AuthAlgoId;
296 ///
297 /// Cryptographic algorithm type used for encryption. EncAlgo is
298 /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo
299 /// can also be used to describe the algorithm if a combined mode
300 /// algorithm is used.
301 ///
302 UINT8 EncAlgoId;
303 } EFI_IPSEC_PROCESS_POLICY;
304
305 ///
306 /// IPsec Authentication Algorithm Definition
307 /// The number value definition is aligned to IANA assignment
308 ///
309 #define EFI_IPSEC_AALG_NONE 0x00
310 #define EFI_IPSEC_AALG_MD5HMAC 0x02
311 #define EFI_IPSEC_AALG_SHA1HMAC 0x03
312 #define EFI_IPSEC_AALG_SHA2_256HMAC 0x05
313 #define EFI_IPSEC_AALG_SHA2_384HMAC 0x06
314 #define EFI_IPSEC_AALG_SHA2_512HMAC 0x07
315 #define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09
316 #define EFI_IPSEC_AALG_NULL 0xFB
317
318 ///
319 /// IPsec Encryption Algorithm Definition
320 /// The number value definition is aligned to IANA assignment
321 ///
322 #define EFI_IPSEC_EALG_NONE 0x00
323 #define EFI_IPSEC_EALG_DESCBC 0x02
324 #define EFI_IPSEC_EALG_3DESCBC 0x03
325 #define EFI_IPSEC_EALG_CASTCBC 0x06
326 #define EFI_IPSEC_EALG_BLOWFISHCBC 0x07
327 #define EFI_IPSEC_EALG_NULL 0x0B
328 #define EFI_IPSEC_EALG_AESCBC 0x0C
329 #define EFI_IPSEC_EALG_AESCTR 0x0D
330 #define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E
331 #define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F
332 #define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10
333 #define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12
334 #define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13
335 #define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14
336
337 ///
338 /// EFI_IPSEC_SA_ID
339 /// A triplet to identify an SA, consisting of the following members.
340 ///
341 typedef struct _EFI_IPSEC_SA_ID {
342 ///
343 /// Security Parameter Index (aka SPI). An arbitrary 32-bit value
344 /// that is used by a receiver to identity the SA to which an incoming
345 /// package should be bound.
346 ///
347 UINT32 Spi;
348 ///
349 /// IPsec protocol: AH or ESP
350 ///
351 EFI_IPSEC_PROTOCOL_TYPE Proto;
352 ///
353 /// Destination IP address.
354 ///
355 EFI_IP_ADDRESS DestAddress;
356 } EFI_IPSEC_SA_ID;
357
358
359 #define MAX_PEERID_LEN 128
360
361 ///
362 /// EFI_IPSEC_SPD_DATA
363 ///
364 typedef struct _EFI_IPSEC_SPD_DATA {
365 ///
366 /// A null-terminated name string which is used as a symbolic
367 /// identifier for an IPsec Local or Remote address.
368 ///
369 UINT8 Name[MAX_PEERID_LEN];
370 ///
371 /// Bit-mapped list describing Populate from Packet flags. When
372 /// creating a SA, if PackageFlag bit is set to TRUE, instantiate
373 /// the selector from the corresponding field in the package that
374 /// triggered the creation of the SA, else from the value(s) in the
375 /// corresponding SPD entry. The PackageFlag bit setting for
376 /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:
377 /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress
378 /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress
379 /// Bit 2:
380 /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol
381 /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort
382 /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort
383 /// Others: Reserved.
384 ///
385 UINT32 PackageFlag;
386 ///
387 /// The traffic direction of data gram.
388 ///
389 EFI_IPSEC_TRAFFIC_DIR TrafficDirection;
390 ///
391 /// Processing choices to indicate which action is required by this
392 /// policy.
393 ///
394 EFI_IPSEC_ACTION Action;
395 ///
396 /// The policy and rule information for a SPD entry.
397 ///
398 EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
399 ///
400 /// Specifies the actual number of entries in SaId list.
401 ///
402 UINTN SaIdCount;
403 ///
404 /// The SAD entry used for the traffic processing. The
405 /// existed SAD entry links indicate this is the manual key case.
406 ///
407 EFI_IPSEC_SA_ID SaId[1];
408 } EFI_IPSEC_SPD_DATA;
409
410 ///
411 /// EFI_IPSEC_AH_ALGO_INFO
412 /// The security algorithm selection for IPsec AH authentication.
413 /// The required authentication algorithm is specified in RFC 4305.
414 ///
415 typedef struct _EFI_IPSEC_AH_ALGO_INFO {
416 UINT8 AuthAlgoId;
417 UINTN AuthKeyLength;
418 VOID *AuthKey;
419 } EFI_IPSEC_AH_ALGO_INFO;
420
421 ///
422 /// EFI_IPSEC_ESP_ALGO_INFO
423 /// The security algorithm selection for IPsec ESP encryption and authentication.
424 /// The required authentication algorithm is specified in RFC 4305.
425 /// EncAlgoId fields can also specify an ESP combined mode algorithm
426 /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both
427 /// confidentiality and authentication services.
428 ///
429 typedef struct _EFI_IPSEC_ESP_ALGO_INFO {
430 UINT8 EncAlgoId;
431 UINTN EncKeyLength;
432 VOID *EncKey;
433 UINT8 AuthAlgoId;
434 UINTN AuthKeyLength;
435 VOID *AuthKey;
436 } EFI_IPSEC_ESP_ALGO_INFO;
437
438 ///
439 /// EFI_IPSEC_ALGO_INFO
440 ///
441 typedef union {
442 EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;
443 EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;
444 } EFI_IPSEC_ALGO_INFO;
445
446 ///
447 /// EFI_IPSEC_SA_DATA
448 ///
449 typedef struct _EFI_IPSEC_SA_DATA {
450 ///
451 /// IPsec mode: tunnel or transport.
452 ///
453 EFI_IPSEC_MODE Mode;
454 ///
455 /// Sequence Number Counter. A 64-bit counter used to generate the
456 /// sequence number field in AH or ESP headers.
457 ///
458 UINT64 SNCount;
459 ///
460 /// Anti-Replay Window. A 64-bit counter and a bit-map used to
461 /// determine whether an inbound AH or ESP packet is a replay.
462 ///
463 UINT8 AntiReplayWindows;
464 ///
465 /// AH/ESP cryptographic algorithm, key and parameters.
466 ///
467 EFI_IPSEC_ALGO_INFO AlgoInfo;
468 ///
469 /// Lifetime of this SA.
470 ///
471 EFI_IPSEC_SA_LIFETIME SaLifetime;
472 ///
473 /// Any observed path MTU and aging variables. The Path MTU
474 /// processing is defined in section 8 of RFC 4301.
475 ///
476 UINT32 PathMTU;
477 ///
478 /// Link to one SPD entry.
479 ///
480 EFI_IPSEC_SPD_SELECTOR *SpdSelector;
481 ///
482 /// Indication of whether it's manually set or negotiated automatically.
483 /// If ManualSet is FALSE, the corresponding SA entry is inserted through
484 /// IKE protocol negotiation.
485 ///
486 BOOLEAN ManualSet;
487 } EFI_IPSEC_SA_DATA;
488
489 ///
490 /// EFI_IPSEC_PAD_ID
491 /// specifies the identifier for PAD entry, which is also used for SPD lookup.
492 /// IpAddress Pointer to the IPv4 or IPv6 address range.
493 ///
494 typedef struct _EFI_IPSEC_PAD_ID {
495 ///
496 /// Flag to identify which type of PAD Id is used.
497 ///
498 BOOLEAN PeerIdValid;
499 union {
500 ///
501 /// Pointer to the IPv4 or IPv6 address range.
502 ///
503 EFI_IP_ADDRESS_INFO IpAddress;
504 ///
505 /// Pointer to a null terminated string (8-bit ASCII character)
506 /// representing the symbolic names. A PeerId can be a DNS
507 /// name, Distinguished Name, RFC 822 email address or Key ID
508 /// (specified in section 4.4.3.1 of RFC 4301)
509 ///
510 UINT8 PeerId[MAX_PEERID_LEN];
511 } Id;
512 } EFI_IPSEC_PAD_ID;
513
514 ///
515 /// EFI_IPSEC_CONFIG_SELECTOR
516 /// describes the expected IPsec configuration data selector
517 /// of type EFI_IPSEC_CONFIG_DATA_TYPE.
518 ///
519 typedef union {
520 EFI_IPSEC_SPD_SELECTOR SpdSelector;
521 EFI_IPSEC_SA_ID SaId;
522 EFI_IPSEC_PAD_ID PadId;
523 } EFI_IPSEC_CONFIG_SELECTOR;
524
525 ///
526 /// EFI_IPSEC_AUTH_PROTOCOL_TYPE
527 /// defines the possible authentication protocol for IPsec
528 /// security association management.
529 ///
530 typedef enum {
531 EfiIPsecAuthProtocolIKEv1,
532 EfiIPsecAuthProtocolIKEv2,
533 EfiIPsecAuthProtocolMaximum
534 } EFI_IPSEC_AUTH_PROTOCOL_TYPE;
535
536 ///
537 /// EFI_IPSEC_AUTH_METHOD
538 ///
539 typedef enum {
540 ///
541 /// Using Pre-shared Keys for manual security associations.
542 ///
543 EfiIPsecAuthMethodPreSharedSecret,
544 ///
545 /// IKE employs X.509 certificates for SA establishment.
546 ///
547 EfiIPsecAuthMethodCertificates,
548 EfiIPsecAuthMethodMaximum
549 } EFI_IPSEC_AUTH_METHOD;
550
551 ///
552 /// EFI_IPSEC_PAD_DATA
553 ///
554 typedef struct _EFI_IPSEC_PAD_DATA {
555 ///
556 /// Authentication Protocol for IPsec security association management.
557 ///
558 EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;
559 ///
560 /// Authentication method used.
561 ///
562 EFI_IPSEC_AUTH_METHOD AuthMethod;
563 ///
564 /// The IKE ID payload will be used as a symbolic name for SPD
565 /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP
566 /// address provided in traffic selector playloads will be used.
567 ///
568 BOOLEAN IkeIdFlag;
569 ///
570 /// The size of Authentication data buffer, in bytes.
571 ///
572 UINTN AuthDataSize;
573 ///
574 /// Buffer for Authentication data, (e.g., the pre-shared secret or the
575 /// trust anchor relative to which the peer's certificate will be
576 /// validated).
577 ///
578 VOID *AuthData;
579 ///
580 /// The size of RevocationData, in bytes
581 ///
582 UINTN RevocationDataSize;
583 ///
584 /// Pointer to CRL or OCSP data, if certificates are used for
585 /// authentication method.
586 ///
587 VOID *RevocationData;
588 } EFI_IPSEC_PAD_DATA;
589
590
591 /**
592 Set the security association, security policy and peer authorization configuration
593 information for the EFI IPsec driver.
594
595 This function is used to set the IPsec configuration information of type DataType for
596 the EFI IPsec driver.
597 The IPsec configuration data has a unique selector/identifier separately to identify
598 a data entry. The selector structure depends on DataType's definition.
599 Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
600 by DataType and Selector to be deleted.
601
602 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
603 @param[in] DataType The type of data to be set.
604 @param[in] Selector Pointer to an entry selector on operated configuration data
605 specified by DataType. A NULL Selector causes the entire
606 specified-type configuration information to be flushed.
607 @param[in] Data The data buffer to be set. The structure of the data buffer is
608 associated with the DataType.
609 @param[in] InsertBefore Pointer to one entry selector which describes the expected
610 position the new data entry will be added. If InsertBefore is NULL,
611 the new entry will be appended the end of database.
612
613 @retval EFI_SUCCESS The specified configuration entry data is set successfully.
614 @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
615 - This is NULL.
616 @retval EFI_UNSUPPORTED The specified DataType is not supported.
617 @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
618
619 **/
620 typedef
621 EFI_STATUS
622 (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(
623 IN EFI_IPSEC_CONFIG_PROTOCOL *This,
624 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
625 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
626 IN VOID *Data,
627 IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL
628 );
629
630 /**
631 Return the configuration value for the EFI IPsec driver.
632
633 This function lookup the data entry from IPsec database or IKEv2 configuration
634 information. The expected data type and unique identification are described in
635 DataType and Selector parameters.
636
637 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
638 @param[in] DataType The type of data to retrieve.
639 @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec
640 configuration data entry.
641 @param[in, out] DataSize On output the size of data returned in Data.
642 @param[out] Data The buffer to return the contents of the IPsec configuration data.
643 The type of the data buffer is associated with the DataType.
644
645 @retval EFI_SUCCESS The specified configuration data is got successfully.
646 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
647 - This is NULL.
648 - Selector is NULL.
649 - DataSize is NULL.
650 - Data is NULL and *DataSize is not zero
651 @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
652 @retval EFI_UNSUPPORTED The specified DataType is not supported.
653 @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
654 updated with the size needed to complete the request.
655
656 **/
657 typedef
658 EFI_STATUS
659 (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(
660 IN EFI_IPSEC_CONFIG_PROTOCOL *This,
661 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
662 IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
663 IN OUT UINTN *DataSize,
664 OUT VOID *Data
665 );
666
667 /**
668 Enumerates the current selector for IPsec configuration data entry.
669
670 This function is called multiple times to retrieve the entry Selector in IPsec
671 configuration database. On each call to GetNextSelector(), the next entry
672 Selector are retrieved into the output interface.
673
674 If the entire IPsec configuration database has been iterated, the error
675 EFI_NOT_FOUND is returned.
676 If the Selector buffer is too small for the next Selector copy, an
677 EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
678 the size of buffer needed.
679
680 On the initial call to GetNextSelector() to start the IPsec configuration database
681 search, a pointer to the buffer with all zero value is passed in Selector. Calls
682 to SetData() between calls to GetNextSelector may produce unpredictable results.
683
684 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
685 @param[in] DataType The type of IPsec configuration data to retrieve.
686 @param[in, out] SelectorSize The size of the Selector buffer.
687 @param[in, out] Selector On input, supplies the pointer to last Selector that was
688 returned by GetNextSelector().
689 On output, returns one copy of the current entry Selector
690 of a given DataType.
691
692 @retval EFI_SUCCESS The specified configuration data is got successfully.
693 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
694 - This is NULL.
695 - SelectorSize is NULL.
696 - Selector is NULL.
697 @retval EFI_NOT_FOUND The next configuration data entry was not found.
698 @retval EFI_UNSUPPORTED The specified DataType is not supported.
699 @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter
700 has been updated with the size needed to complete the search
701 request.
702
703 **/
704 typedef
705 EFI_STATUS
706 (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(
707 IN EFI_IPSEC_CONFIG_PROTOCOL *This,
708 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
709 IN OUT UINTN *SelectorSize,
710 IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector
711 );
712
713 /**
714 Register an event that is to be signaled whenever a configuration process on the
715 specified IPsec configuration information is done.
716
717 This function registers an event that is to be signaled whenever a configuration
718 process on the specified IPsec configuration data is done (e.g. IPsec security
719 policy database configuration is ready). An event can be registered for different
720 DataType simultaneously and the caller is responsible for determining which type
721 of configuration data causes the signaling of the event in such case.
722
723 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
724 @param[in] DataType The type of data to be registered the event for.
725 @param[in] Event The event to be registered.
726
727 @retval EFI_SUCCESS The event is registered successfully.
728 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
729 @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.
730 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified
731 DataType is not supported.
732
733 **/
734 typedef
735 EFI_STATUS
736 (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(
737 IN EFI_IPSEC_CONFIG_PROTOCOL *This,
738 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
739 IN EFI_EVENT Event
740 );
741
742 /**
743 Remove the specified event that is previously registered on the specified IPsec
744 configuration data.
745
746 This function removes a previously registered event for the specified configuration data.
747
748 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
749 @param[in] DataType The configuration data type to remove the registered event for.
750 @param[in] Event The event to be unregistered.
751
752 @retval EFI_SUCCESS The event is removed successfully.
753 @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the
754 database.
755 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
756 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified
757 DataType is not supported.
758
759 **/
760 typedef
761 EFI_STATUS
762 (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(
763 IN EFI_IPSEC_CONFIG_PROTOCOL *This,
764 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
765 IN EFI_EVENT Event
766 );
767
768 ///
769 /// EFI_IPSEC_CONFIG_PROTOCOL
770 /// provides the ability to set and lookup the IPsec SAD (Security Association Database),
771 /// SPD (Security Policy Database) data entry and configure the security association
772 /// management protocol such as IKEv2. This protocol is used as the central
773 /// repository of any policy-specific configuration for EFI IPsec driver.
774 /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this
775 /// protocol for IPsec configuration in both IPv4 and IPv6 environment.
776 ///
777 struct _EFI_IPSEC_CONFIG_PROTOCOL {
778 EFI_IPSEC_CONFIG_SET_DATA SetData;
779 EFI_IPSEC_CONFIG_GET_DATA GetData;
780 EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;
781 EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;
782 EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;
783 };
784
785 extern EFI_GUID gEfiIpSecConfigProtocolGuid;
786
787 #endif
EFI Development Kit II mirror for PVE