--- /dev/null
+/** @file\r
+ EFI IPsec Configuration Protocol Definition\r
+ The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and \r
+ policy related information for the EFI IPsec protocol driver.\r
+\r
+ Copyright (c) 2009, Intel Corporation\r
+ All rights reserved. This program and the accompanying materials\r
+ are licensed and made available under the terms and conditions of the BSD License\r
+ which accompanies this distribution. The full text of the license may be found at\r
+ http://opensource.org/licenses/bsd-license.php\r
+\r
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+\r
+ @par Revision Reference: \r
+ This Protocol is introduced in UEFI Specification 2.2\r
+\r
+**/\r
+\r
+#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
+#define __EFI_IPSE_CCONFIG_PROTOCOL_H__\r
+\r
+\r
+#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \\r
+ { \\r
+ 0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \\r
+ }\r
+\r
+typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;\r
+\r
+///\r
+/// EFI_IPSEC_CONFIG_DATA_TYPE\r
+///\r
+typedef enum {\r
+ /// \r
+ /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, \r
+ /// an essential element of Security Association (SA) processing is \r
+ /// underlying SPD that specifies what services are to be offered to \r
+ /// IP datagram and in what fashion. The SPD must be consulted \r
+ /// during the processing of all traffic (inbound and outbound), \r
+ /// including traffic not protected by IPsec, that traverses the IPsec \r
+ /// boundary. With this DataType, SetData() function is to set \r
+ /// the SPD entry information, which may add one new entry, delete \r
+ /// one existed entry or flush the whole database according to the \r
+ /// parameter values. The corresponding Data is of type \r
+ /// EFI_IPSEC_SPD_DATA\r
+ /// \r
+ IPsecConfigDataTypeSpd,\r
+ /// \r
+ /// The IPsec Security Association Database (aka SAD) setting. A \r
+ /// SA is a simplex connection that affords security services to the \r
+ /// traffic carried by it. Security services are afforded to an SA by the \r
+ /// use of AH, or ESP, but not both. The corresponding Data is of \r
+ /// type EFI_IPSEC_SAD_DATA.\r
+ /// \r
+ IPsecConfigDataTypeSad,\r
+ /// \r
+ /// The IPsec Peer Authorization Database (aka PAD) setting, which \r
+ /// provides the link between the SPD and a security association \r
+ /// management protocol. The PAD entry specifies the \r
+ /// authentication protocol (e.g. IKEv1, IKEv2) method used and the \r
+ /// authentication data. The corresponding Data is of type \r
+ /// EFI_IPSEC_PAD_DATA.\r
+ ///\r
+ IPsecConfigDataTypePad,\r
+ IPsecConfigDataTypeMaximum\r
+} EFI_IPSEC_CONFIG_DATA_TYPE;\r
+\r
+///\r
+/// EFI_IP_ADDRESS_INFO\r
+///\r
+typedef struct _EFI_IP_ADDRESS_INFO {\r
+ EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address\r
+ UINT8 PrefixLength; ///< The length of the prefix associated with the Address.\r
+} EFI_IP_ADDRESS_INFO;\r
+\r
+\r
+///\r
+/// EFI_IPSEC_SPD_SELECTOR\r
+///\r
+typedef struct _EFI_IPSEC_SPD_SELECTOR {\r
+ /// \r
+ /// Specifies the actual number of entries in LocalAddress.\r
+ /// \r
+ UINT32 LocalAddressCount;\r
+ /// \r
+ /// A list of ranges of IPv4 or IPv6 addresses, which refers to the \r
+ /// addresses being protected by IPsec policy.\r
+ /// \r
+ EFI_IP_ADDRESS_INFO *LocalAddress;\r
+ /// \r
+ /// Specifies the actual number of entries in RemoteAddress.\r
+ /// \r
+ UINT32 RemoteAddressCount;\r
+ /// \r
+ /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities \r
+ /// to LocalAddress. \r
+ /// \r
+ EFI_IP_ADDRESS_INFO *RemoteAddress;\r
+ /// \r
+ /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 \r
+ /// Next Header fields. The next layer protocol is whatever comes \r
+ /// after any IP extension headers that are present. A zero value is a \r
+ /// wildcard that matches any value in NextLayerProtocol field.\r
+ /// \r
+ UINT16 NextLayerProtocol; \r
+ /// \r
+ /// Local Port if the Next Layer Protocol uses two ports (as do TCP, \r
+ /// UDP, and others). A zero value is a wildcard that matches any \r
+ /// value in LocalPort field.\r
+ /// \r
+ UINT16 LocalPort;\r
+ /// \r
+ /// A designed port range size. The start port is LocalPort, and \r
+ /// the total number of ports is described by LocalPortRange. \r
+ /// This field is ignored if NextLayerProtocol does not use \r
+ /// ports. \r
+ /// \r
+ UINT16 LocalPortRange;\r
+ /// \r
+ /// Remote Port if the Next Layer Protocol uses two ports. A zero \r
+ /// value is a wildcard that matches any value in RemotePort field.\r
+ /// \r
+ UINT16 RemotePort;\r
+ /// \r
+ /// A designed port range size. The start port is RemotePort, and \r
+ /// the total number of ports is described by RemotePortRange. \r
+ /// This field is ignored if NextLayerProtocol does not use ports.\r
+ /// \r
+ UINT16 RemotePortRange;\r
+} EFI_IPSEC_SPD_SELECTOR;\r
+ \r
+///\r
+/// EFI_IPSEC_TRAFFIC_DIR\r
+/// represents the directionality in an SPD entry.\r
+///\r
+typedef enum {\r
+ ///\r
+ /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via \r
+ /// the unprotected interface or emitted by the implementation on the unprotected\r
+ /// side of the boundary and directed towards the protected interface. \r
+ ///\r
+ EfiIPsecInBound,\r
+ ///\r
+ /// The EfiIPsecOutBound refers to traffic entering the implementation via \r
+ /// the protected interface, or emitted by the implementation on the protected side\r
+ /// of the boundary and directed toward the unprotected interface.\r
+ ///\r
+ EfiIPsecOutBound\r
+} EFI_IPSEC_TRAFFIC_DIR;\r
+\r
+///\r
+/// EFI_IPSEC_ACTION\r
+/// represents three possible processing choices.\r
+///\r
+typedef enum {\r
+ /// \r
+ /// Refers to traffic that is not allowed to traverse the IPsec boundary.\r
+ /// \r
+ EfiIPsecActionDiscard,\r
+ /// \r
+ /// Refers to traffic that is allowed to cross the IPsec boundary \r
+ /// without protection.\r
+ /// \r
+ EfiIPsecActionBypass,\r
+ /// \r
+ /// Refers to traffic that is afforded IPsec protection, and for such \r
+ /// traffic the SPD must specify the security protocols to be \r
+ /// employed, their mode, security service options, and the \r
+ /// cryptographic algorithms to be used. \r
+ ///\r
+ EfiIPsecActionProtect\r
+} EFI_IPSEC_ACTION;\r
+\r
+///\r
+/// EFI_IPSEC_SA_LIFETIME\r
+/// defines the lifetime of an SA, which represents when a SA must be \r
+/// replaced or terminated. A value of all 0 for each field removes \r
+/// the limitation of a SA lifetime.\r
+///\r
+typedef struct _EFI_IPSEC_SA_LIFETIME {\r
+ /// \r
+ /// The number of bytes to which the IPsec cryptographic algorithm\r
+ /// can be applied. For ESP, this is the encryption algorithm and for\r
+ /// AH, this is the authentication algorithm. The ByteCount \r
+ /// includes pad bytes for cryptographic operations.\r
+ /// \r
+ UINT64 ByteCount;\r
+ /// \r
+ /// A time interval in second that warns the implementation to \r
+ /// initiate action such as setting up a replacement SA.\r
+ /// \r
+ UINT64 SoftLifetime;\r
+ /// \r
+ /// A time interval in second when the current SA ends and is \r
+ /// destroyed.\r
+ /// \r
+ UINT64 HardLifetime;\r
+} EFI_IPSEC_SA_LIFETIME;\r
+\r
+///\r
+/// EFI_IPSEC_MODE\r
+/// There are two modes of IPsec operation: transport mode and tunnel mode. In \r
+/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; \r
+/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.\r
+///\r
+typedef enum {\r
+ EfiIPsecTransport,\r
+ EfiIPsecTunnel\r
+} EFI_IPSEC_MODE;\r
+\r
+///\r
+/// EFI_IPSEC_TUNNEL_DF_OPTION\r
+/// The option of copying the DF bit from an outbound package to\r
+/// the tunnel mode header that it emits, when traffic is carried\r
+/// via a tunnel mode SA. This applies to SAs where both inner and\r
+/// outer headers are IPv4.\r
+///\r
+typedef enum {\r
+ EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.\r
+ EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.\r
+ EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.\r
+} EFI_IPSEC_TUNNEL_DF_OPTION;\r
+\r
+///\r
+/// EFI_IPSEC_TUNNEL_OPTION\r
+///\r
+typedef struct _EFI_IPSEC_TUNNEL_OPTION {\r
+ /// \r
+ /// Local tunnel address when IPsec mode is EfiIPsecTunnel.\r
+ /// \r
+ EFI_IP_ADDRESS LocalTunnelAddress;\r
+ /// \r
+ /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.\r
+ /// \r
+ EFI_IP_ADDRESS RemoteTunnelAddress;\r
+ /// \r
+ /// The option of copying the DF bit from an outbound package\r
+ /// to the tunnel mode header that it emits, when traffic is \r
+ /// carried via a tunnel mode SA. \r
+ /// \r
+ EFI_IPSEC_TUNNEL_DF_OPTION DF;\r
+} EFI_IPSEC_TUNNEL_OPTION;\r
+\r
+///\r
+/// EFI_IPSEC_PROTOCOL_TYPE\r
+///\r
+typedef enum {\r
+ EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.\r
+ EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. \r
+} EFI_IPSEC_PROTOCOL_TYPE;\r
+\r
+///\r
+/// EFI_IPSEC_PROCESS_POLICY\r
+/// describes a policy list for traffic processing.\r
+///\r
+typedef struct _EFI_IPSEC_PROCESS_POLICY {\r
+ /// \r
+ /// Extended Sequence Number. Is this SA using extended sequence \r
+ /// numbers. 64 bit counter is used if TRUE.\r
+ /// \r
+ BOOLEAN ExtSeqNum;\r
+ /// \r
+ /// A flag indicating whether overflow of the sequence number \r
+ /// counter should generate an auditable event and prevent \r
+ /// transmission of additional packets on the SA, or whether rollover \r
+ /// is permitted.\r
+ /// \r
+ BOOLEAN SeqOverflow;\r
+ /// \r
+ /// Is this SA using stateful fragment checking. TRUE represents \r
+ /// stateful fragment checking.\r
+ /// \r
+ BOOLEAN FragCheck;\r
+ /// \r
+ /// A time interval after which a SA must be replaced with a new SA \r
+ /// (and new SPI) or terminated. \r
+ /// \r
+ EFI_IPSEC_SA_LIFETIME SaLifetime;\r
+ /// \r
+ /// IPsec mode: tunnel or transport.\r
+ /// \r
+ EFI_IPSEC_MODE Mode;\r
+ /// \r
+ /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.\r
+ /// \r
+ EFI_IPSEC_TUNNEL_OPTION *TunnelOption;\r
+ /// \r
+ /// IPsec protocol: AH or ESP\r
+ /// \r
+ EFI_IPSEC_PROTOCOL_TYPE Proto;\r
+ /// \r
+ /// Cryptographic algorithm type used for authentication.\r
+ /// \r
+ UINT8 AuthAlgoId;\r
+ /// \r
+ /// Cryptographic algorithm type used for encryption. EncAlgo is \r
+ /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo \r
+ /// can also be used to describe the algorithm if a combined mode \r
+ /// algorithm is used.\r
+ ///\r
+ UINT8 EncAlgoId;\r
+} EFI_IPSEC_PROCESS_POLICY;\r
+\r
+///\r
+/// IPsec Authentication Algorithm Definition\r
+/// The number value definition is aligned to IANA assignment\r
+///\r
+#define EFI_IPSEC_AALG_NONE 0x00\r
+#define EFI_IPSEC_AALG_MD5HMAC 0x02\r
+#define EFI_IPSEC_AALG_SHA1HMAC 0x03\r
+#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05\r
+#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06\r
+#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07\r
+#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09\r
+#define EFI_IPSEC_AALG_NULL 0xFB\r
+\r
+///\r
+/// IPsec Encryption Algorithm Definition\r
+/// The number value definition is aligned to IANA assignment\r
+///\r
+#define EFI_IPSEC_EALG_NONE 0x00\r
+#define EFI_IPSEC_EALG_DESCBC 0x02\r
+#define EFI_IPSEC_EALG_3DESCBC 0x03\r
+#define EFI_IPSEC_EALG_CASTCBC 0x06\r
+#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07\r
+#define EFI_IPSEC_EALG_NULL 0x0B\r
+#define EFI_IPSEC_EALG_AESCBC 0x0C\r
+#define EFI_IPSEC_EALG_AESCTR 0x0D\r
+#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E\r
+#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F\r
+#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10\r
+#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12\r
+#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13\r
+#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14\r
+\r
+///\r
+/// EFI_IPSEC_SA_ID\r
+/// A triplet to identify an SA, consisting of the following members.\r
+///\r
+typedef struct _EFI_IPSEC_SA_ID {\r
+ /// \r
+ /// Security Parameter Index (aka SPI). An arbitrary 32-bit value \r
+ /// that is used by a receiver to identity the SA to which an incoming \r
+ /// package should be bound.\r
+ /// \r
+ UINT32 Spi;\r
+ /// \r
+ /// IPsec protocol: AH or ESP\r
+ /// \r
+ EFI_IPSEC_PROTOCOL_TYPE Proto;\r
+ /// \r
+ /// Destination IP address. \r
+ /// \r
+ EFI_IP_ADDRESS DestAddress;\r
+} EFI_IPSEC_SA_ID;\r
+\r
+\r
+#define MAX_PEERID_LEN 128\r
+\r
+///\r
+/// EFI_IPSEC_SPD_DATA\r
+///\r
+typedef struct _EFI_IPSEC_SPD_DATA {\r
+ /// \r
+ /// A null-terminated name string which is used as a symbolic \r
+ /// identifier for an IPsec Local or Remote address.\r
+ /// \r
+ UINT8 Name[MAX_PEERID_LEN];\r
+ /// \r
+ /// Bit-mapped list describing Populate from Packet flags. When \r
+ /// creating a SA, if PackageFlag bit is set to TRUE, instantiate \r
+ /// the selector from the corresponding field in the package that \r
+ /// triggered the creation of the SA, else from the value(s) in the \r
+ /// corresponding SPD entry. The PackageFlag bit setting for \r
+ /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:\r
+ /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress \r
+ /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress \r
+ /// Bit 2: \r
+ /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol \r
+ /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort \r
+ /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort \r
+ /// Others: Reserved.\r
+ ///\r
+ UINT32 PackageFlag;\r
+ /// \r
+ /// The traffic direction of data gram.\r
+ /// \r
+ EFI_IPSEC_TRAFFIC_DIR TrafficDirection;\r
+ /// \r
+ /// Processing choices to indicate which action is required by this \r
+ /// policy. \r
+ /// \r
+ EFI_IPSEC_ACTION Action;\r
+ /// \r
+ /// The policy and rule information for a SPD entry.\r
+ /// \r
+ EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;\r
+ /// \r
+ /// Specifies the actual number of entries in SaId list.\r
+ /// \r
+ UINTN SaIdCount;\r
+ /// \r
+ /// The SAD entry used for the traffic processing. The \r
+ /// existed SAD entry links indicate this is the manual key case.\r
+ /// \r
+ EFI_IPSEC_SA_ID SaId[1];\r
+} EFI_IPSEC_SPD_DATA;\r
+\r
+///\r
+/// EFI_IPSEC_AH_ALGO_INFO\r
+/// The security algorithm selection for IPsec AH authentication.\r
+/// The required authentication algorithm is specified in RFC 4305.\r
+///\r
+typedef struct _EFI_IPSEC_AH_ALGO_INFO {\r
+ UINT8 AuthAlgoId;\r
+ UINTN AuthKeyLength;\r
+ VOID *AuthKey;\r
+} EFI_IPSEC_AH_ALGO_INFO;\r
+\r
+///\r
+/// EFI_IPSEC_ESP_ALGO_INFO\r
+/// The security algorithm selection for IPsec ESP encryption and authentication.\r
+/// The required authentication algorithm is specified in RFC 4305. \r
+/// EncAlgoId fields can also specify an ESP combined mode algorithm \r
+/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both \r
+/// confidentiality and authentication services.\r
+///\r
+typedef struct _EFI_IPSEC_ESP_ALGO_INFO {\r
+ UINT8 EncAlgoId;\r
+ UINTN EncKeyLength;\r
+ VOID *EncKey;\r
+ UINT8 AuthAlgoId;\r
+ UINTN AuthKeyLength;\r
+ VOID *AuthKey;\r
+} EFI_IPSEC_ESP_ALGO_INFO;\r
+\r
+///\r
+/// EFI_IPSEC_ALGO_INFO\r
+///\r
+typedef union {\r
+ EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;\r
+ EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;\r
+} EFI_IPSEC_ALGO_INFO;\r
+\r
+///\r
+/// EFI_IPSEC_SA_DATA\r
+///\r
+typedef struct _EFI_IPSEC_SA_DATA {\r
+ /// \r
+ /// IPsec mode: tunnel or transport.\r
+ /// \r
+ EFI_IPSEC_MODE Mode;\r
+ /// \r
+ /// Sequence Number Counter. A 64-bit counter used to generate the \r
+ /// sequence number field in AH or ESP headers.\r
+ /// \r
+ UINT64 SNCount;\r
+ /// \r
+ /// Anti-Replay Window. A 64-bit counter and a bit-map used to \r
+ /// determine whether an inbound AH or ESP packet is a replay.\r
+ /// \r
+ UINT8 AntiReplayWindows;\r
+ /// \r
+ /// AH/ESP cryptographic algorithm, key and parameters. \r
+ /// \r
+ EFI_IPSEC_ALGO_INFO AlgoInfo;\r
+ /// \r
+ /// Lifetime of this SA. \r
+ /// \r
+ EFI_IPSEC_SA_LIFETIME SaLifetime;\r
+ /// \r
+ /// Any observed path MTU and aging variables. The Path MTU \r
+ /// processing is defined in section 8 of RFC 4301.\r
+ /// \r
+ UINT32 PathMTU;\r
+ /// \r
+ /// Link to one SPD entry.\r
+ /// \r
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;\r
+ /// \r
+ /// Indication of whether it¡¯s manually set or negotiated automatically. \r
+ /// If ManualSet is FALSE, the corresponding SA entry is inserted through \r
+ /// IKE protocol negotiation.\r
+ ///\r
+ BOOLEAN ManualSet;\r
+} EFI_IPSEC_SA_DATA;\r
+\r
+///\r
+/// EFI_IPSEC_PAD_ID\r
+/// specifies the identifier for PAD entry, which is also used for SPD lookup.\r
+/// IpAddress Pointer to the IPv4 or IPv6 address range.\r
+///\r
+typedef struct _EFI_IPSEC_PAD_ID {\r
+ ///\r
+ /// Flag to identify which type of PAD Id is used.\r
+ /// \r
+ BOOLEAN PeerIdValid; \r
+ union {\r
+ ///\r
+ /// Pointer to the IPv4 or IPv6 address range.\r
+ ///\r
+ EFI_IP_ADDRESS_INFO IpAddress;\r
+ ///\r
+ /// Pointer to a null terminated string (8-bit ASCII character) \r
+ /// representing the symbolic names. A PeerId can be a DNS \r
+ /// name, Distinguished Name, RFC 822 email address or Key ID \r
+ /// (specified in section 4.4.3.1 of RFC 4301)\r
+ ///\r
+ UINT8 PeerId[MAX_PEERID_LEN];\r
+ } Id;\r
+} EFI_IPSEC_PAD_ID;\r
+\r
+///\r
+/// EFI_IPSEC_CONFIG_SELECTOR\r
+/// describes the expected IPsec configuration data selector \r
+/// of type EFI_IPSEC_CONFIG_DATA_TYPE.\r
+///\r
+typedef union {\r
+ EFI_IPSEC_SPD_SELECTOR SpdSelector;\r
+ EFI_IPSEC_SA_ID SaId;\r
+ EFI_IPSEC_PAD_ID PadId;\r
+} EFI_IPSEC_CONFIG_SELECTOR;\r
+\r
+///\r
+/// EFI_IPSEC_AUTH_PROTOCOL_TYPE\r
+/// defines the possible authentication protocol for IPsec \r
+/// security association management.\r
+///\r
+typedef enum {\r
+ EfiIPsecAuthProtocolIKEv1,\r
+ EfiIPsecAuthProtocolIKEv2,\r
+ EfiIPsecAuthProtocolMaximum\r
+} EFI_IPSEC_AUTH_PROTOCOL_TYPE;\r
+\r
+///\r
+/// EFI_IPSEC_AUTH_METHOD\r
+///\r
+typedef enum {\r
+ ///\r
+ /// Using Pre-shared Keys for manual security associations.\r
+ ///\r
+ EfiIPsecAuthMethodPreSharedSecret,\r
+ ///\r
+ /// IKE employs X.509 certificates for SA establishment.\r
+ ///\r
+ EfiIPsecAuthMethodCertificates,\r
+ EfiIPsecAuthMethodMaximum\r
+} EFI_IPSEC_AUTH_METHOD;\r
+\r
+///\r
+/// EFI_IPSEC_PAD_DATA\r
+///\r
+typedef struct _EFI_IPSEC_PAD_DATA {\r
+ /// \r
+ /// Authentication Protocol for IPsec security association management.\r
+ /// \r
+ EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;\r
+ /// \r
+ /// Authentication method used.\r
+ /// \r
+ EFI_IPSEC_AUTH_METHOD AuthMethod;\r
+ /// \r
+ /// The IKE ID payload will be used as a symbolic name for SPD \r
+ /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP \r
+ /// address provided in traffic selector playloads will be used.\r
+ /// \r
+ BOOLEAN IkeIdFlag;\r
+ /// \r
+ /// The size of Authentication data buffer, in bytes.\r
+ /// \r
+ UINTN AuthDataSize;\r
+ /// \r
+ /// Buffer for Authentication data, (e.g., the pre-shared secret or the \r
+ /// trust anchor relative to which the peer's certificate will be \r
+ /// validated).\r
+ /// \r
+ VOID *AuthData;\r
+ /// \r
+ /// The size of RevocationData, in bytes\r
+ /// \r
+ UINTN RevocationDataSize;\r
+ /// \r
+ /// Pointer to CRL or OCSP data, if certificates are used for \r
+ /// authentication method.\r
+ /// \r
+ VOID *RevocationData;\r
+} EFI_IPSEC_PAD_DATA;\r
+\r
+\r
+/**\r
+ Set the security association, security policy and peer authorization configuration\r
+ information for the EFI IPsec driver. \r
+\r
+ This function is used to set the IPsec configuration information of type DataType for\r
+ the EFI IPsec driver.\r
+ The IPsec configuration data has a unique selector/identifier separately to identify\r
+ a data entry. The selector structure depends on DataType¡¯s definition.\r
+ Using SetData() with a Data of NULL causes the IPsec configuration data entry identified\r
+ by DataType and Selector to be deleted. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
+ @param[in] DataType The type of data to be set.\r
+ @param[in] Selector Pointer to an entry selector on operated configuration data \r
+ specified by DataType. A NULL Selector causes the entire \r
+ specified-type configuration information to be flushed.\r
+ @param[in] Data The data buffer to be set. The structure of the data buffer is \r
+ associated with the DataType.\r
+ @param[in] InsertBefore Pointer to one entry selector which describes the expected\r
+ position the new data entry will be added. If InsertBefore is NULL,\r
+ the new entry will be appended the end of database.\r
+ \r
+ @retval EFI_SUCCESS The specified configuration entry data is set successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:\r
+ - This is NULL.\r
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
+ @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA) (\r
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
+ IN VOID *Data,\r
+ IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL\r
+ );\r
+\r
+/**\r
+ Return the configuration value for the EFI IPsec driver. \r
+\r
+ This function lookup the data entry from IPsec database or IKEv2 configuration\r
+ information. The expected data type and unique identification are described in\r
+ DataType and Selector parameters. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
+ @param[in] DataType The type of data to retrieve.\r
+ @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec \r
+ configuration data entry.\r
+ @param[in, out] DataSize On output the size of data returned in Data.\r
+ @param[out] Data The buffer to return the contents of the IPsec configuration data. \r
+ The type of the data buffer is associated with the DataType. \r
+ \r
+ @retval EFI_SUCCESS The specified configuration data is got successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
+ - This is NULL.\r
+ - Selector is NULL.\r
+ - DataSize is NULL.\r
+ - Data is NULL and *DataSize is not zero\r
+ @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.\r
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been\r
+ updated with the size needed to complete the request.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_CONFIG_GET_DATA) (\r
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,\r
+ IN OUT UINTN *DataSize,\r
+ OUT VOID *Data\r
+ );\r
+\r
+/**\r
+ Enumerates the current selector for IPsec configuration data entry. \r
+\r
+ This function is called multiple times to retrieve the entry Selector in IPsec\r
+ configuration database. On each call to GetNextSelector(), the next entry \r
+ Selector are retrieved into the output interface.\r
+ \r
+ If the entire IPsec configuration database has been iterated, the error \r
+ EFI_NOT_FOUND is returned.\r
+ If the Selector buffer is too small for the next Selector copy, an \r
+ EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect \r
+ the size of buffer needed.\r
+\r
+ On the initial call to GetNextSelector() to start the IPsec configuration database\r
+ search, a pointer to the buffer with all zero value is passed in Selector. Calls \r
+ to SetData() between calls to GetNextSelector may produce unpredictable results. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
+ @param[in] DataType The type of IPsec configuration data to retrieve.\r
+ @param[in, out] SelectorSize The size of the Selector buffer.\r
+ @param[in, out] Selector On input, supplies the pointer to last Selector that was \r
+ returned by GetNextSelector().\r
+ On output, returns one copy of the current entry Selector\r
+ of a given DataType. \r
+ \r
+ @retval EFI_SUCCESS The specified configuration data is got successfully.\r
+ @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:\r
+ - This is NULL.\r
+ - SelectorSize is NULL.\r
+ - Selector is NULL.\r
+ @retval EFI_NOT_FOUND The next configuration data entry was not found.\r
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.\r
+ @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter\r
+ has been updated with the size needed to complete the search \r
+ request.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR) (\r
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN OUT UINTN *SelectorSize,\r
+ IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector\r
+ );\r
+\r
+/**\r
+ Register an event that is to be signaled whenever a configuration process on the\r
+ specified IPsec configuration information is done. \r
+\r
+ This function registers an event that is to be signaled whenever a configuration\r
+ process on the specified IPsec configuration data is done (e.g. IPsec security \r
+ policy database configuration is ready). An event can be registered for different\r
+ DataType simultaneously and the caller is responsible for determining which type \r
+ of configuration data causes the signaling of the event in such case. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
+ @param[in] DataType The type of data to be registered the event for.\r
+ @param[in] Event The event to be registered.\r
+ \r
+ @retval EFI_SUCCESS The event is registered successfully.\r
+ @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
+ @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.\r
+ @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r
+ DataType is not supported.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY) (\r
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN EFI_EVENT Event\r
+ );\r
+\r
+/**\r
+ Remove the specified event that is previously registered on the specified IPsec\r
+ configuration data. \r
+\r
+ This function removes a previously registered event for the specified configuration data. \r
+\r
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.\r
+ @param[in] DataType The configuration data type to remove the registered event for.\r
+ @param[in] Event The event to be unregistered.\r
+ \r
+ @retval EFI_SUCCESS The event is removed successfully.\r
+ @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the \r
+ database.\r
+ @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.\r
+ @retval EFI_UNSUPPORTED The notify registration unsupported or the specified\r
+ DataType is not supported.\r
+\r
+**/\r
+typedef\r
+EFI_STATUS\r
+(EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY) (\r
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,\r
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,\r
+ IN EFI_EVENT Event\r
+ );\r
+\r
+///\r
+/// EFI_IPSEC_CONFIG_PROTOCOL\r
+/// provides the ability to set and lookup the IPsec SAD (Security Association Database),\r
+/// SPD (Security Policy Database) data entry and configure the security association \r
+/// management protocol such as IKEv2. This protocol is used as the central \r
+/// repository of any policy-specific configuration for EFI IPsec driver.\r
+/// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this \r
+/// protocol for IPsec configuration in both IPv4 and IPv6 environment.\r
+/// \r
+struct _EFI_IPSEC_CONFIG_PROTOCOL {\r
+ EFI_IPSEC_CONFIG_SET_DATA SetData;\r
+ EFI_IPSEC_CONFIG_GET_DATA GetData;\r
+ EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;\r
+ EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;\r
+ EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;\r
+};\r
+\r
+extern EFI_GUID gEfiIpSecConfigProtocolGuid;\r
+\r
+#endif\r