From: vanjeff Date: Wed, 11 Nov 2009 06:14:57 +0000 (+0000) Subject: add EFI IPSEC protocol and EFI IPSEC Config protocol definition. X-Git-Tag: edk2-stable201903~16909 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=fa05b97b8f75a1598f198db08d380b45a0f2f651 add EFI IPSEC protocol and EFI IPSEC Config protocol definition. git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9410 6f19259b-4bc3-4df7-8a09-765794883524 --- diff --git a/MdePkg/Include/Protocol/IpSec.h b/MdePkg/Include/Protocol/IpSec.h new file mode 100644 index 0000000000..f223fa40f2 --- /dev/null +++ b/MdePkg/Include/Protocol/IpSec.h @@ -0,0 +1,98 @@ +/** @file + EFI IPSEC Protocol Definition + The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual + packets sent and received by the host and provide packet-level security for IP datagram. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + This Protocol is introduced in UEFI Specification 2.3 + +**/ + +#ifndef __EFI_IPSEC_PROTOCOL_H__ +#define __EFI_IPSEC_PROTOCOL_H__ + +#include + +#define EFI_IPSEC_PROTOCOL_GUID \ + { \ + 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \ + } + +typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL; + +/// +/// EFI_IPSEC_FRAGMENT_DATA +/// defines the instances of packet fragments. +/// +typedef struct _EFI_IPSEC_FRAGMENT_DATA { + UINT32 FragmentLength; + VOID *FragmentBuffer; +} EFI_IPSEC_FRAGMENT_DATA; + + +/** + Handles IPsec packet processing for inbound and outbound IP packets. + + The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet. + The behavior is that it can perform one of the following actions: + bypass the packet, discard the packet, or protect the packet. + + @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance. + @param[in] NicHandle Instance of the network interface. + @param[in] IpVer IPV4 or IPV6. + @param[in, out] IpHead Pointer to the IP Header. + @param[in] LastHead The protocol of the next layer to be processed by IPsec. + @param[in] OptionsBuffer Pointer to the options buffer. + @param[in] OptionsLength Length of the options buffer. + @param[in, out] FragmentTable Pointer to a list of fragments. + @param[in] FragmentCount Number of fragments. + @param[in] TrafficDirection Traffic direction. + @param[out] RecycleSignal Event for recycling of resources. + + @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same. + @retval EFI_SUCCESS The packet was protected. + @retval EFI_ACCESS_DENIED The packet was discarded. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_PROCESS) ( + IN EFI_IPSEC_PROTOCOL *This, + IN EFI_HANDLE NicHandle, + IN UINT8 IpVer, + IN OUT VOID *IpHead, + IN UINT8 *LastHead, + IN VOID *OptionsBuffer, + IN UINT32 OptionsLength, + IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable, + IN UINT32 *FragmentCount, + IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection, + OUT EFI_EVENT *RecycleSignal + ); + +/// +/// EFI_IPSEC_PROTOCOL +/// provides the ability for securing IP communications by authenticating +/// and/or encrypting each IP packet in a data stream. +// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack. +// A user can employ this protocol for IPsec package handling in both IPv4 +// and IPv6 environment. +/// +struct _EFI_IPSEC_PROTOCOL { + EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message. + EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled. + BOOLEAN DisabledFlag; ///< State of the interface. +}; + +extern EFI_GUID gEfiIpSecProtocolGuid; + +#endif diff --git a/MdePkg/Include/Protocol/IpSecConfig.h b/MdePkg/Include/Protocol/IpSecConfig.h new file mode 100644 index 0000000000..bc80ce3ea1 --- /dev/null +++ b/MdePkg/Include/Protocol/IpSecConfig.h @@ -0,0 +1,787 @@ +/** @file + EFI IPsec Configuration Protocol Definition + The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and + policy related information for the EFI IPsec protocol driver. + + Copyright (c) 2009, Intel Corporation + All rights reserved. This program and the accompanying materials + are licensed and made available under the terms and conditions of the BSD License + which accompanies this distribution. The full text of the license may be found at + http://opensource.org/licenses/bsd-license.php + + THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + + @par Revision Reference: + This Protocol is introduced in UEFI Specification 2.2 + +**/ + +#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__ +#define __EFI_IPSE_CCONFIG_PROTOCOL_H__ + + +#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \ + { \ + 0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \ + } + +typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL; + +/// +/// EFI_IPSEC_CONFIG_DATA_TYPE +/// +typedef enum { + /// + /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, + /// an essential element of Security Association (SA) processing is + /// underlying SPD that specifies what services are to be offered to + /// IP datagram and in what fashion. The SPD must be consulted + /// during the processing of all traffic (inbound and outbound), + /// including traffic not protected by IPsec, that traverses the IPsec + /// boundary. With this DataType, SetData() function is to set + /// the SPD entry information, which may add one new entry, delete + /// one existed entry or flush the whole database according to the + /// parameter values. The corresponding Data is of type + /// EFI_IPSEC_SPD_DATA + /// + IPsecConfigDataTypeSpd, + /// + /// The IPsec Security Association Database (aka SAD) setting. A + /// SA is a simplex connection that affords security services to the + /// traffic carried by it. Security services are afforded to an SA by the + /// use of AH, or ESP, but not both. The corresponding Data is of + /// type EFI_IPSEC_SAD_DATA. + /// + IPsecConfigDataTypeSad, + /// + /// The IPsec Peer Authorization Database (aka PAD) setting, which + /// provides the link between the SPD and a security association + /// management protocol. The PAD entry specifies the + /// authentication protocol (e.g. IKEv1, IKEv2) method used and the + /// authentication data. The corresponding Data is of type + /// EFI_IPSEC_PAD_DATA. + /// + IPsecConfigDataTypePad, + IPsecConfigDataTypeMaximum +} EFI_IPSEC_CONFIG_DATA_TYPE; + +/// +/// EFI_IP_ADDRESS_INFO +/// +typedef struct _EFI_IP_ADDRESS_INFO { + EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address + UINT8 PrefixLength; ///< The length of the prefix associated with the Address. +} EFI_IP_ADDRESS_INFO; + + +/// +/// EFI_IPSEC_SPD_SELECTOR +/// +typedef struct _EFI_IPSEC_SPD_SELECTOR { + /// + /// Specifies the actual number of entries in LocalAddress. + /// + UINT32 LocalAddressCount; + /// + /// A list of ranges of IPv4 or IPv6 addresses, which refers to the + /// addresses being protected by IPsec policy. + /// + EFI_IP_ADDRESS_INFO *LocalAddress; + /// + /// Specifies the actual number of entries in RemoteAddress. + /// + UINT32 RemoteAddressCount; + /// + /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities + /// to LocalAddress. + /// + EFI_IP_ADDRESS_INFO *RemoteAddress; + /// + /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 + /// Next Header fields. The next layer protocol is whatever comes + /// after any IP extension headers that are present. A zero value is a + /// wildcard that matches any value in NextLayerProtocol field. + /// + UINT16 NextLayerProtocol; + /// + /// Local Port if the Next Layer Protocol uses two ports (as do TCP, + /// UDP, and others). A zero value is a wildcard that matches any + /// value in LocalPort field. + /// + UINT16 LocalPort; + /// + /// A designed port range size. The start port is LocalPort, and + /// the total number of ports is described by LocalPortRange. + /// This field is ignored if NextLayerProtocol does not use + /// ports. + /// + UINT16 LocalPortRange; + /// + /// Remote Port if the Next Layer Protocol uses two ports. A zero + /// value is a wildcard that matches any value in RemotePort field. + /// + UINT16 RemotePort; + /// + /// A designed port range size. The start port is RemotePort, and + /// the total number of ports is described by RemotePortRange. + /// This field is ignored if NextLayerProtocol does not use ports. + /// + UINT16 RemotePortRange; +} EFI_IPSEC_SPD_SELECTOR; + +/// +/// EFI_IPSEC_TRAFFIC_DIR +/// represents the directionality in an SPD entry. +/// +typedef enum { + /// + /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via + /// the unprotected interface or emitted by the implementation on the unprotected + /// side of the boundary and directed towards the protected interface. + /// + EfiIPsecInBound, + /// + /// The EfiIPsecOutBound refers to traffic entering the implementation via + /// the protected interface, or emitted by the implementation on the protected side + /// of the boundary and directed toward the unprotected interface. + /// + EfiIPsecOutBound +} EFI_IPSEC_TRAFFIC_DIR; + +/// +/// EFI_IPSEC_ACTION +/// represents three possible processing choices. +/// +typedef enum { + /// + /// Refers to traffic that is not allowed to traverse the IPsec boundary. + /// + EfiIPsecActionDiscard, + /// + /// Refers to traffic that is allowed to cross the IPsec boundary + /// without protection. + /// + EfiIPsecActionBypass, + /// + /// Refers to traffic that is afforded IPsec protection, and for such + /// traffic the SPD must specify the security protocols to be + /// employed, their mode, security service options, and the + /// cryptographic algorithms to be used. + /// + EfiIPsecActionProtect +} EFI_IPSEC_ACTION; + +/// +/// EFI_IPSEC_SA_LIFETIME +/// defines the lifetime of an SA, which represents when a SA must be +/// replaced or terminated. A value of all 0 for each field removes +/// the limitation of a SA lifetime. +/// +typedef struct _EFI_IPSEC_SA_LIFETIME { + /// + /// The number of bytes to which the IPsec cryptographic algorithm + /// can be applied. For ESP, this is the encryption algorithm and for + /// AH, this is the authentication algorithm. The ByteCount + /// includes pad bytes for cryptographic operations. + /// + UINT64 ByteCount; + /// + /// A time interval in second that warns the implementation to + /// initiate action such as setting up a replacement SA. + /// + UINT64 SoftLifetime; + /// + /// A time interval in second when the current SA ends and is + /// destroyed. + /// + UINT64 HardLifetime; +} EFI_IPSEC_SA_LIFETIME; + +/// +/// EFI_IPSEC_MODE +/// There are two modes of IPsec operation: transport mode and tunnel mode. In +/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; +/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets. +/// +typedef enum { + EfiIPsecTransport, + EfiIPsecTunnel +} EFI_IPSEC_MODE; + +/// +/// EFI_IPSEC_TUNNEL_DF_OPTION +/// The option of copying the DF bit from an outbound package to +/// the tunnel mode header that it emits, when traffic is carried +/// via a tunnel mode SA. This applies to SAs where both inner and +/// outer headers are IPv4. +/// +typedef enum { + EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header. + EfiIPsecTunnelSetDf, ///< Set DF bit from inner header. + EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header. +} EFI_IPSEC_TUNNEL_DF_OPTION; + +/// +/// EFI_IPSEC_TUNNEL_OPTION +/// +typedef struct _EFI_IPSEC_TUNNEL_OPTION { + /// + /// Local tunnel address when IPsec mode is EfiIPsecTunnel. + /// + EFI_IP_ADDRESS LocalTunnelAddress; + /// + /// Remote tunnel address when IPsec mode is EfiIPsecTunnel. + /// + EFI_IP_ADDRESS RemoteTunnelAddress; + /// + /// The option of copying the DF bit from an outbound package + /// to the tunnel mode header that it emits, when traffic is + /// carried via a tunnel mode SA. + /// + EFI_IPSEC_TUNNEL_DF_OPTION DF; +} EFI_IPSEC_TUNNEL_OPTION; + +/// +/// EFI_IPSEC_PROTOCOL_TYPE +/// +typedef enum { + EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302. + EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. +} EFI_IPSEC_PROTOCOL_TYPE; + +/// +/// EFI_IPSEC_PROCESS_POLICY +/// describes a policy list for traffic processing. +/// +typedef struct _EFI_IPSEC_PROCESS_POLICY { + /// + /// Extended Sequence Number. Is this SA using extended sequence + /// numbers. 64 bit counter is used if TRUE. + /// + BOOLEAN ExtSeqNum; + /// + /// A flag indicating whether overflow of the sequence number + /// counter should generate an auditable event and prevent + /// transmission of additional packets on the SA, or whether rollover + /// is permitted. + /// + BOOLEAN SeqOverflow; + /// + /// Is this SA using stateful fragment checking. TRUE represents + /// stateful fragment checking. + /// + BOOLEAN FragCheck; + /// + /// A time interval after which a SA must be replaced with a new SA + /// (and new SPI) or terminated. + /// + EFI_IPSEC_SA_LIFETIME SaLifetime; + /// + /// IPsec mode: tunnel or transport. + /// + EFI_IPSEC_MODE Mode; + /// + /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport. + /// + EFI_IPSEC_TUNNEL_OPTION *TunnelOption; + /// + /// IPsec protocol: AH or ESP + /// + EFI_IPSEC_PROTOCOL_TYPE Proto; + /// + /// Cryptographic algorithm type used for authentication. + /// + UINT8 AuthAlgoId; + /// + /// Cryptographic algorithm type used for encryption. EncAlgo is + /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo + /// can also be used to describe the algorithm if a combined mode + /// algorithm is used. + /// + UINT8 EncAlgoId; +} EFI_IPSEC_PROCESS_POLICY; + +/// +/// IPsec Authentication Algorithm Definition +/// The number value definition is aligned to IANA assignment +/// +#define EFI_IPSEC_AALG_NONE 0x00 +#define EFI_IPSEC_AALG_MD5HMAC 0x02 +#define EFI_IPSEC_AALG_SHA1HMAC 0x03 +#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05 +#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06 +#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07 +#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09 +#define EFI_IPSEC_AALG_NULL 0xFB + +/// +/// IPsec Encryption Algorithm Definition +/// The number value definition is aligned to IANA assignment +/// +#define EFI_IPSEC_EALG_NONE 0x00 +#define EFI_IPSEC_EALG_DESCBC 0x02 +#define EFI_IPSEC_EALG_3DESCBC 0x03 +#define EFI_IPSEC_EALG_CASTCBC 0x06 +#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07 +#define EFI_IPSEC_EALG_NULL 0x0B +#define EFI_IPSEC_EALG_AESCBC 0x0C +#define EFI_IPSEC_EALG_AESCTR 0x0D +#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E +#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F +#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10 +#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12 +#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13 +#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14 + +/// +/// EFI_IPSEC_SA_ID +/// A triplet to identify an SA, consisting of the following members. +/// +typedef struct _EFI_IPSEC_SA_ID { + /// + /// Security Parameter Index (aka SPI). An arbitrary 32-bit value + /// that is used by a receiver to identity the SA to which an incoming + /// package should be bound. + /// + UINT32 Spi; + /// + /// IPsec protocol: AH or ESP + /// + EFI_IPSEC_PROTOCOL_TYPE Proto; + /// + /// Destination IP address. + /// + EFI_IP_ADDRESS DestAddress; +} EFI_IPSEC_SA_ID; + + +#define MAX_PEERID_LEN 128 + +/// +/// EFI_IPSEC_SPD_DATA +/// +typedef struct _EFI_IPSEC_SPD_DATA { + /// + /// A null-terminated name string which is used as a symbolic + /// identifier for an IPsec Local or Remote address. + /// + UINT8 Name[MAX_PEERID_LEN]; + /// + /// Bit-mapped list describing Populate from Packet flags. When + /// creating a SA, if PackageFlag bit is set to TRUE, instantiate + /// the selector from the corresponding field in the package that + /// triggered the creation of the SA, else from the value(s) in the + /// corresponding SPD entry. The PackageFlag bit setting for + /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR: + /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress + /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress + /// Bit 2: + /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol + /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort + /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort + /// Others: Reserved. + /// + UINT32 PackageFlag; + /// + /// The traffic direction of data gram. + /// + EFI_IPSEC_TRAFFIC_DIR TrafficDirection; + /// + /// Processing choices to indicate which action is required by this + /// policy. + /// + EFI_IPSEC_ACTION Action; + /// + /// The policy and rule information for a SPD entry. + /// + EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy; + /// + /// Specifies the actual number of entries in SaId list. + /// + UINTN SaIdCount; + /// + /// The SAD entry used for the traffic processing. The + /// existed SAD entry links indicate this is the manual key case. + /// + EFI_IPSEC_SA_ID SaId[1]; +} EFI_IPSEC_SPD_DATA; + +/// +/// EFI_IPSEC_AH_ALGO_INFO +/// The security algorithm selection for IPsec AH authentication. +/// The required authentication algorithm is specified in RFC 4305. +/// +typedef struct _EFI_IPSEC_AH_ALGO_INFO { + UINT8 AuthAlgoId; + UINTN AuthKeyLength; + VOID *AuthKey; +} EFI_IPSEC_AH_ALGO_INFO; + +/// +/// EFI_IPSEC_ESP_ALGO_INFO +/// The security algorithm selection for IPsec ESP encryption and authentication. +/// The required authentication algorithm is specified in RFC 4305. +/// EncAlgoId fields can also specify an ESP combined mode algorithm +/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both +/// confidentiality and authentication services. +/// +typedef struct _EFI_IPSEC_ESP_ALGO_INFO { + UINT8 EncAlgoId; + UINTN EncKeyLength; + VOID *EncKey; + UINT8 AuthAlgoId; + UINTN AuthKeyLength; + VOID *AuthKey; +} EFI_IPSEC_ESP_ALGO_INFO; + +/// +/// EFI_IPSEC_ALGO_INFO +/// +typedef union { + EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo; + EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo; +} EFI_IPSEC_ALGO_INFO; + +/// +/// EFI_IPSEC_SA_DATA +/// +typedef struct _EFI_IPSEC_SA_DATA { + /// + /// IPsec mode: tunnel or transport. + /// + EFI_IPSEC_MODE Mode; + /// + /// Sequence Number Counter. A 64-bit counter used to generate the + /// sequence number field in AH or ESP headers. + /// + UINT64 SNCount; + /// + /// Anti-Replay Window. A 64-bit counter and a bit-map used to + /// determine whether an inbound AH or ESP packet is a replay. + /// + UINT8 AntiReplayWindows; + /// + /// AH/ESP cryptographic algorithm, key and parameters. + /// + EFI_IPSEC_ALGO_INFO AlgoInfo; + /// + /// Lifetime of this SA. + /// + EFI_IPSEC_SA_LIFETIME SaLifetime; + /// + /// Any observed path MTU and aging variables. The Path MTU + /// processing is defined in section 8 of RFC 4301. + /// + UINT32 PathMTU; + /// + /// Link to one SPD entry. + /// + EFI_IPSEC_SPD_SELECTOR *SpdSelector; + /// + /// Indication of whether it¡¯s manually set or negotiated automatically. + /// If ManualSet is FALSE, the corresponding SA entry is inserted through + /// IKE protocol negotiation. + /// + BOOLEAN ManualSet; +} EFI_IPSEC_SA_DATA; + +/// +/// EFI_IPSEC_PAD_ID +/// specifies the identifier for PAD entry, which is also used for SPD lookup. +/// IpAddress Pointer to the IPv4 or IPv6 address range. +/// +typedef struct _EFI_IPSEC_PAD_ID { + /// + /// Flag to identify which type of PAD Id is used. + /// + BOOLEAN PeerIdValid; + union { + /// + /// Pointer to the IPv4 or IPv6 address range. + /// + EFI_IP_ADDRESS_INFO IpAddress; + /// + /// Pointer to a null terminated string (8-bit ASCII character) + /// representing the symbolic names. A PeerId can be a DNS + /// name, Distinguished Name, RFC 822 email address or Key ID + /// (specified in section 4.4.3.1 of RFC 4301) + /// + UINT8 PeerId[MAX_PEERID_LEN]; + } Id; +} EFI_IPSEC_PAD_ID; + +/// +/// EFI_IPSEC_CONFIG_SELECTOR +/// describes the expected IPsec configuration data selector +/// of type EFI_IPSEC_CONFIG_DATA_TYPE. +/// +typedef union { + EFI_IPSEC_SPD_SELECTOR SpdSelector; + EFI_IPSEC_SA_ID SaId; + EFI_IPSEC_PAD_ID PadId; +} EFI_IPSEC_CONFIG_SELECTOR; + +/// +/// EFI_IPSEC_AUTH_PROTOCOL_TYPE +/// defines the possible authentication protocol for IPsec +/// security association management. +/// +typedef enum { + EfiIPsecAuthProtocolIKEv1, + EfiIPsecAuthProtocolIKEv2, + EfiIPsecAuthProtocolMaximum +} EFI_IPSEC_AUTH_PROTOCOL_TYPE; + +/// +/// EFI_IPSEC_AUTH_METHOD +/// +typedef enum { + /// + /// Using Pre-shared Keys for manual security associations. + /// + EfiIPsecAuthMethodPreSharedSecret, + /// + /// IKE employs X.509 certificates for SA establishment. + /// + EfiIPsecAuthMethodCertificates, + EfiIPsecAuthMethodMaximum +} EFI_IPSEC_AUTH_METHOD; + +/// +/// EFI_IPSEC_PAD_DATA +/// +typedef struct _EFI_IPSEC_PAD_DATA { + /// + /// Authentication Protocol for IPsec security association management. + /// + EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol; + /// + /// Authentication method used. + /// + EFI_IPSEC_AUTH_METHOD AuthMethod; + /// + /// The IKE ID payload will be used as a symbolic name for SPD + /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP + /// address provided in traffic selector playloads will be used. + /// + BOOLEAN IkeIdFlag; + /// + /// The size of Authentication data buffer, in bytes. + /// + UINTN AuthDataSize; + /// + /// Buffer for Authentication data, (e.g., the pre-shared secret or the + /// trust anchor relative to which the peer's certificate will be + /// validated). + /// + VOID *AuthData; + /// + /// The size of RevocationData, in bytes + /// + UINTN RevocationDataSize; + /// + /// Pointer to CRL or OCSP data, if certificates are used for + /// authentication method. + /// + VOID *RevocationData; +} EFI_IPSEC_PAD_DATA; + + +/** + Set the security association, security policy and peer authorization configuration + information for the EFI IPsec driver. + + This function is used to set the IPsec configuration information of type DataType for + the EFI IPsec driver. + The IPsec configuration data has a unique selector/identifier separately to identify + a data entry. The selector structure depends on DataType¡¯s definition. + Using SetData() with a Data of NULL causes the IPsec configuration data entry identified + by DataType and Selector to be deleted. + + @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. + @param[in] DataType The type of data to be set. + @param[in] Selector Pointer to an entry selector on operated configuration data + specified by DataType. A NULL Selector causes the entire + specified-type configuration information to be flushed. + @param[in] Data The data buffer to be set. The structure of the data buffer is + associated with the DataType. + @param[in] InsertBefore Pointer to one entry selector which describes the expected + position the new data entry will be added. If InsertBefore is NULL, + the new entry will be appended the end of database. + + @retval EFI_SUCCESS The specified configuration entry data is set successfully. + @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: + - This is NULL. + @retval EFI_UNSUPPORTED The specified DataType is not supported. + @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA) ( + IN EFI_IPSEC_CONFIG_PROTOCOL *This, + IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, + IN EFI_IPSEC_CONFIG_SELECTOR *Selector, + IN VOID *Data, + IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL + ); + +/** + Return the configuration value for the EFI IPsec driver. + + This function lookup the data entry from IPsec database or IKEv2 configuration + information. The expected data type and unique identification are described in + DataType and Selector parameters. + + @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. + @param[in] DataType The type of data to retrieve. + @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec + configuration data entry. + @param[in, out] DataSize On output the size of data returned in Data. + @param[out] Data The buffer to return the contents of the IPsec configuration data. + The type of the data buffer is associated with the DataType. + + @retval EFI_SUCCESS The specified configuration data is got successfully. + @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: + - This is NULL. + - Selector is NULL. + - DataSize is NULL. + - Data is NULL and *DataSize is not zero + @retval EFI_NOT_FOUND The configuration data specified by Selector is not found. + @retval EFI_UNSUPPORTED The specified DataType is not supported. + @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been + updated with the size needed to complete the request. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_CONFIG_GET_DATA) ( + IN EFI_IPSEC_CONFIG_PROTOCOL *This, + IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, + IN EFI_IPSEC_CONFIG_SELECTOR *Selector, + IN OUT UINTN *DataSize, + OUT VOID *Data + ); + +/** + Enumerates the current selector for IPsec configuration data entry. + + This function is called multiple times to retrieve the entry Selector in IPsec + configuration database. On each call to GetNextSelector(), the next entry + Selector are retrieved into the output interface. + + If the entire IPsec configuration database has been iterated, the error + EFI_NOT_FOUND is returned. + If the Selector buffer is too small for the next Selector copy, an + EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect + the size of buffer needed. + + On the initial call to GetNextSelector() to start the IPsec configuration database + search, a pointer to the buffer with all zero value is passed in Selector. Calls + to SetData() between calls to GetNextSelector may produce unpredictable results. + + @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. + @param[in] DataType The type of IPsec configuration data to retrieve. + @param[in, out] SelectorSize The size of the Selector buffer. + @param[in, out] Selector On input, supplies the pointer to last Selector that was + returned by GetNextSelector(). + On output, returns one copy of the current entry Selector + of a given DataType. + + @retval EFI_SUCCESS The specified configuration data is got successfully. + @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: + - This is NULL. + - SelectorSize is NULL. + - Selector is NULL. + @retval EFI_NOT_FOUND The next configuration data entry was not found. + @retval EFI_UNSUPPORTED The specified DataType is not supported. + @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter + has been updated with the size needed to complete the search + request. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR) ( + IN EFI_IPSEC_CONFIG_PROTOCOL *This, + IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, + IN OUT UINTN *SelectorSize, + IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector + ); + +/** + Register an event that is to be signaled whenever a configuration process on the + specified IPsec configuration information is done. + + This function registers an event that is to be signaled whenever a configuration + process on the specified IPsec configuration data is done (e.g. IPsec security + policy database configuration is ready). An event can be registered for different + DataType simultaneously and the caller is responsible for determining which type + of configuration data causes the signaling of the event in such case. + + @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. + @param[in] DataType The type of data to be registered the event for. + @param[in] Event The event to be registered. + + @retval EFI_SUCCESS The event is registered successfully. + @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. + @retval EFI_ACCESS_DENIED The Event is already registered for the DataType. + @retval EFI_UNSUPPORTED The notify registration unsupported or the specified + DataType is not supported. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY) ( + IN EFI_IPSEC_CONFIG_PROTOCOL *This, + IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, + IN EFI_EVENT Event + ); + +/** + Remove the specified event that is previously registered on the specified IPsec + configuration data. + + This function removes a previously registered event for the specified configuration data. + + @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. + @param[in] DataType The configuration data type to remove the registered event for. + @param[in] Event The event to be unregistered. + + @retval EFI_SUCCESS The event is removed successfully. + @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the + database. + @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. + @retval EFI_UNSUPPORTED The notify registration unsupported or the specified + DataType is not supported. + +**/ +typedef +EFI_STATUS +(EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY) ( + IN EFI_IPSEC_CONFIG_PROTOCOL *This, + IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, + IN EFI_EVENT Event + ); + +/// +/// EFI_IPSEC_CONFIG_PROTOCOL +/// provides the ability to set and lookup the IPsec SAD (Security Association Database), +/// SPD (Security Policy Database) data entry and configure the security association +/// management protocol such as IKEv2. This protocol is used as the central +/// repository of any policy-specific configuration for EFI IPsec driver. +/// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this +/// protocol for IPsec configuration in both IPv4 and IPv6 environment. +/// +struct _EFI_IPSEC_CONFIG_PROTOCOL { + EFI_IPSEC_CONFIG_SET_DATA SetData; + EFI_IPSEC_CONFIG_GET_DATA GetData; + EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector; + EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify; + EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify; +}; + +extern EFI_GUID gEfiIpSecConfigProtocolGuid; + +#endif diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec index 9c0b98cd5b..dfbc89eb98 100644 --- a/MdePkg/MdePkg.dec +++ b/MdePkg/MdePkg.dec @@ -1000,6 +1000,9 @@ ## Include/Protocol/Ftp4.h gEfiFtp4ProtocolGuid = { 0xeb338826, 0x681b, 0x4295, {0xb3, 0x56, 0x2b, 0x36, 0x4c, 0x75, 0x7b, 0x9 }} + ## Include/Protocol/IpSecConfig.h + gEfiIpSecConfigProtocolGuid = { 0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf }} + ## Include/Protocol/DriverHealth.h gEfiDriverHealthProtocolGuid = { 0x2a534210, 0x9280, 0x41d8, {0xae, 0x79, 0xca, 0xda, 0x1, 0xa2, 0xb1, 0x27 }} @@ -1021,6 +1024,9 @@ ## Include/Protocol/FirmwareManagement.h gEfiFirmwareManagementProtocolGuid = { 0x86c77a67, 0xb97, 0x4633, {0xa1, 0x87, 0x49, 0x10, 0x4d, 0x6, 0x85, 0xc7 }} + ## Include/Protocol/IpSec.h + gEfiIpSecProtocolGuid = { 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 }} + [PcdsFeatureFlag] ## If TRUE, the component name protocol will not be installed. gEfiMdePkgTokenSpaceGuid.PcdComponentNameDisable|FALSE|BOOLEAN|0x0000000d