summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorvanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524>2009-11-11 06:14:57 +0000
committervanjeff <vanjeff@6f19259b-4bc3-4df7-8a09-765794883524>2009-11-11 06:14:57 +0000
commitfa05b97b8f75a1598f198db08d380b45a0f2f651 (patch)
treef0d621fab145314c8beed4d7bd57aacfef4bfd4b
parent2f016ba866025af6551b5bfe3be14c47c3549f6b (diff)
downloadedk2-platforms-fa05b97b8f75a1598f198db08d380b45a0f2f651.tar.xz
add EFI IPSEC protocol and EFI IPSEC Config protocol definition.
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@9410 6f19259b-4bc3-4df7-8a09-765794883524
-rw-r--r--MdePkg/Include/Protocol/IpSec.h98
-rw-r--r--MdePkg/Include/Protocol/IpSecConfig.h787
-rw-r--r--MdePkg/MdePkg.dec6
3 files changed, 891 insertions, 0 deletions
diff --git a/MdePkg/Include/Protocol/IpSec.h b/MdePkg/Include/Protocol/IpSec.h
new file mode 100644
index 0000000000..f223fa40f2
--- /dev/null
+++ b/MdePkg/Include/Protocol/IpSec.h
@@ -0,0 +1,98 @@
+/** @file
+ EFI IPSEC Protocol Definition
+ The EFI_IPSEC_PROTOCOL is used to abstract the ability to deal with the individual
+ packets sent and received by the host and provide packet-level security for IP datagram.
+
+ Copyright (c) 2009, Intel Corporation
+ All rights reserved. This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+ @par Revision Reference:
+ This Protocol is introduced in UEFI Specification 2.3
+
+**/
+
+#ifndef __EFI_IPSEC_PROTOCOL_H__
+#define __EFI_IPSEC_PROTOCOL_H__
+
+#include <Protocol/IpSecConfig.h>
+
+#define EFI_IPSEC_PROTOCOL_GUID \
+ { \
+ 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 } \
+ }
+
+typedef struct _EFI_IPSEC_PROTOCOL EFI_IPSEC_PROTOCOL;
+
+///
+/// EFI_IPSEC_FRAGMENT_DATA
+/// defines the instances of packet fragments.
+///
+typedef struct _EFI_IPSEC_FRAGMENT_DATA {
+ UINT32 FragmentLength;
+ VOID *FragmentBuffer;
+} EFI_IPSEC_FRAGMENT_DATA;
+
+
+/**
+ Handles IPsec packet processing for inbound and outbound IP packets.
+
+ The EFI_IPSEC_PROCESS process routine handles each inbound or outbound packet.
+ The behavior is that it can perform one of the following actions:
+ bypass the packet, discard the packet, or protect the packet.
+
+ @param[in] This Pointer to the EFI_IPSEC_PROTOCOL instance.
+ @param[in] NicHandle Instance of the network interface.
+ @param[in] IpVer IPV4 or IPV6.
+ @param[in, out] IpHead Pointer to the IP Header.
+ @param[in] LastHead The protocol of the next layer to be processed by IPsec.
+ @param[in] OptionsBuffer Pointer to the options buffer.
+ @param[in] OptionsLength Length of the options buffer.
+ @param[in, out] FragmentTable Pointer to a list of fragments.
+ @param[in] FragmentCount Number of fragments.
+ @param[in] TrafficDirection Traffic direction.
+ @param[out] RecycleSignal Event for recycling of resources.
+
+ @retval EFI_SUCCESS The packet was bypassed and all buffers remain the same.
+ @retval EFI_SUCCESS The packet was protected.
+ @retval EFI_ACCESS_DENIED The packet was discarded.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_PROCESS) (
+ IN EFI_IPSEC_PROTOCOL *This,
+ IN EFI_HANDLE NicHandle,
+ IN UINT8 IpVer,
+ IN OUT VOID *IpHead,
+ IN UINT8 *LastHead,
+ IN VOID *OptionsBuffer,
+ IN UINT32 OptionsLength,
+ IN OUT EFI_IPSEC_FRAGMENT_DATA **FragmentTable,
+ IN UINT32 *FragmentCount,
+ IN EFI_IPSEC_TRAFFIC_DIR TrafficDirection,
+ OUT EFI_EVENT *RecycleSignal
+ );
+
+///
+/// EFI_IPSEC_PROTOCOL
+/// provides the ability for securing IP communications by authenticating
+/// and/or encrypting each IP packet in a data stream.
+// EFI_IPSEC_PROTOCOL can be consumed by both the IPv4 and IPv6 stack.
+// A user can employ this protocol for IPsec package handling in both IPv4
+// and IPv6 environment.
+///
+struct _EFI_IPSEC_PROTOCOL {
+ EFI_IPSEC_PROCESS Process; ///< Handle the IPsec message.
+ EFI_EVENT DisabledEvent; ///< Event signaled when the interface is disabled.
+ BOOLEAN DisabledFlag; ///< State of the interface.
+};
+
+extern EFI_GUID gEfiIpSecProtocolGuid;
+
+#endif
diff --git a/MdePkg/Include/Protocol/IpSecConfig.h b/MdePkg/Include/Protocol/IpSecConfig.h
new file mode 100644
index 0000000000..bc80ce3ea1
--- /dev/null
+++ b/MdePkg/Include/Protocol/IpSecConfig.h
@@ -0,0 +1,787 @@
+/** @file
+ EFI IPsec Configuration Protocol Definition
+ The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and
+ policy related information for the EFI IPsec protocol driver.
+
+ Copyright (c) 2009, Intel Corporation
+ All rights reserved. This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+ @par Revision Reference:
+ This Protocol is introduced in UEFI Specification 2.2
+
+**/
+
+#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__
+#define __EFI_IPSE_CCONFIG_PROTOCOL_H__
+
+
+#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \
+ { \
+ 0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
+ }
+
+typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;
+
+///
+/// EFI_IPSEC_CONFIG_DATA_TYPE
+///
+typedef enum {
+ ///
+ /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,
+ /// an essential element of Security Association (SA) processing is
+ /// underlying SPD that specifies what services are to be offered to
+ /// IP datagram and in what fashion. The SPD must be consulted
+ /// during the processing of all traffic (inbound and outbound),
+ /// including traffic not protected by IPsec, that traverses the IPsec
+ /// boundary. With this DataType, SetData() function is to set
+ /// the SPD entry information, which may add one new entry, delete
+ /// one existed entry or flush the whole database according to the
+ /// parameter values. The corresponding Data is of type
+ /// EFI_IPSEC_SPD_DATA
+ ///
+ IPsecConfigDataTypeSpd,
+ ///
+ /// The IPsec Security Association Database (aka SAD) setting. A
+ /// SA is a simplex connection that affords security services to the
+ /// traffic carried by it. Security services are afforded to an SA by the
+ /// use of AH, or ESP, but not both. The corresponding Data is of
+ /// type EFI_IPSEC_SAD_DATA.
+ ///
+ IPsecConfigDataTypeSad,
+ ///
+ /// The IPsec Peer Authorization Database (aka PAD) setting, which
+ /// provides the link between the SPD and a security association
+ /// management protocol. The PAD entry specifies the
+ /// authentication protocol (e.g. IKEv1, IKEv2) method used and the
+ /// authentication data. The corresponding Data is of type
+ /// EFI_IPSEC_PAD_DATA.
+ ///
+ IPsecConfigDataTypePad,
+ IPsecConfigDataTypeMaximum
+} EFI_IPSEC_CONFIG_DATA_TYPE;
+
+///
+/// EFI_IP_ADDRESS_INFO
+///
+typedef struct _EFI_IP_ADDRESS_INFO {
+ EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address
+ UINT8 PrefixLength; ///< The length of the prefix associated with the Address.
+} EFI_IP_ADDRESS_INFO;
+
+
+///
+/// EFI_IPSEC_SPD_SELECTOR
+///
+typedef struct _EFI_IPSEC_SPD_SELECTOR {
+ ///
+ /// Specifies the actual number of entries in LocalAddress.
+ ///
+ UINT32 LocalAddressCount;
+ ///
+ /// A list of ranges of IPv4 or IPv6 addresses, which refers to the
+ /// addresses being protected by IPsec policy.
+ ///
+ EFI_IP_ADDRESS_INFO *LocalAddress;
+ ///
+ /// Specifies the actual number of entries in RemoteAddress.
+ ///
+ UINT32 RemoteAddressCount;
+ ///
+ /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities
+ /// to LocalAddress.
+ ///
+ EFI_IP_ADDRESS_INFO *RemoteAddress;
+ ///
+ /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6
+ /// Next Header fields. The next layer protocol is whatever comes
+ /// after any IP extension headers that are present. A zero value is a
+ /// wildcard that matches any value in NextLayerProtocol field.
+ ///
+ UINT16 NextLayerProtocol;
+ ///
+ /// Local Port if the Next Layer Protocol uses two ports (as do TCP,
+ /// UDP, and others). A zero value is a wildcard that matches any
+ /// value in LocalPort field.
+ ///
+ UINT16 LocalPort;
+ ///
+ /// A designed port range size. The start port is LocalPort, and
+ /// the total number of ports is described by LocalPortRange.
+ /// This field is ignored if NextLayerProtocol does not use
+ /// ports.
+ ///
+ UINT16 LocalPortRange;
+ ///
+ /// Remote Port if the Next Layer Protocol uses two ports. A zero
+ /// value is a wildcard that matches any value in RemotePort field.
+ ///
+ UINT16 RemotePort;
+ ///
+ /// A designed port range size. The start port is RemotePort, and
+ /// the total number of ports is described by RemotePortRange.
+ /// This field is ignored if NextLayerProtocol does not use ports.
+ ///
+ UINT16 RemotePortRange;
+} EFI_IPSEC_SPD_SELECTOR;
+
+///
+/// EFI_IPSEC_TRAFFIC_DIR
+/// represents the directionality in an SPD entry.
+///
+typedef enum {
+ ///
+ /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via
+ /// the unprotected interface or emitted by the implementation on the unprotected
+ /// side of the boundary and directed towards the protected interface.
+ ///
+ EfiIPsecInBound,
+ ///
+ /// The EfiIPsecOutBound refers to traffic entering the implementation via
+ /// the protected interface, or emitted by the implementation on the protected side
+ /// of the boundary and directed toward the unprotected interface.
+ ///
+ EfiIPsecOutBound
+} EFI_IPSEC_TRAFFIC_DIR;
+
+///
+/// EFI_IPSEC_ACTION
+/// represents three possible processing choices.
+///
+typedef enum {
+ ///
+ /// Refers to traffic that is not allowed to traverse the IPsec boundary.
+ ///
+ EfiIPsecActionDiscard,
+ ///
+ /// Refers to traffic that is allowed to cross the IPsec boundary
+ /// without protection.
+ ///
+ EfiIPsecActionBypass,
+ ///
+ /// Refers to traffic that is afforded IPsec protection, and for such
+ /// traffic the SPD must specify the security protocols to be
+ /// employed, their mode, security service options, and the
+ /// cryptographic algorithms to be used.
+ ///
+ EfiIPsecActionProtect
+} EFI_IPSEC_ACTION;
+
+///
+/// EFI_IPSEC_SA_LIFETIME
+/// defines the lifetime of an SA, which represents when a SA must be
+/// replaced or terminated. A value of all 0 for each field removes
+/// the limitation of a SA lifetime.
+///
+typedef struct _EFI_IPSEC_SA_LIFETIME {
+ ///
+ /// The number of bytes to which the IPsec cryptographic algorithm
+ /// can be applied. For ESP, this is the encryption algorithm and for
+ /// AH, this is the authentication algorithm. The ByteCount
+ /// includes pad bytes for cryptographic operations.
+ ///
+ UINT64 ByteCount;
+ ///
+ /// A time interval in second that warns the implementation to
+ /// initiate action such as setting up a replacement SA.
+ ///
+ UINT64 SoftLifetime;
+ ///
+ /// A time interval in second when the current SA ends and is
+ /// destroyed.
+ ///
+ UINT64 HardLifetime;
+} EFI_IPSEC_SA_LIFETIME;
+
+///
+/// EFI_IPSEC_MODE
+/// There are two modes of IPsec operation: transport mode and tunnel mode. In
+/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;
+/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.
+///
+typedef enum {
+ EfiIPsecTransport,
+ EfiIPsecTunnel
+} EFI_IPSEC_MODE;
+
+///
+/// EFI_IPSEC_TUNNEL_DF_OPTION
+/// The option of copying the DF bit from an outbound package to
+/// the tunnel mode header that it emits, when traffic is carried
+/// via a tunnel mode SA. This applies to SAs where both inner and
+/// outer headers are IPv4.
+///
+typedef enum {
+ EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header.
+ EfiIPsecTunnelSetDf, ///< Set DF bit from inner header.
+ EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header.
+} EFI_IPSEC_TUNNEL_DF_OPTION;
+
+///
+/// EFI_IPSEC_TUNNEL_OPTION
+///
+typedef struct _EFI_IPSEC_TUNNEL_OPTION {
+ ///
+ /// Local tunnel address when IPsec mode is EfiIPsecTunnel.
+ ///
+ EFI_IP_ADDRESS LocalTunnelAddress;
+ ///
+ /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.
+ ///
+ EFI_IP_ADDRESS RemoteTunnelAddress;
+ ///
+ /// The option of copying the DF bit from an outbound package
+ /// to the tunnel mode header that it emits, when traffic is
+ /// carried via a tunnel mode SA.
+ ///
+ EFI_IPSEC_TUNNEL_DF_OPTION DF;
+} EFI_IPSEC_TUNNEL_OPTION;
+
+///
+/// EFI_IPSEC_PROTOCOL_TYPE
+///
+typedef enum {
+ EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302.
+ EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303.
+} EFI_IPSEC_PROTOCOL_TYPE;
+
+///
+/// EFI_IPSEC_PROCESS_POLICY
+/// describes a policy list for traffic processing.
+///
+typedef struct _EFI_IPSEC_PROCESS_POLICY {
+ ///
+ /// Extended Sequence Number. Is this SA using extended sequence
+ /// numbers. 64 bit counter is used if TRUE.
+ ///
+ BOOLEAN ExtSeqNum;
+ ///
+ /// A flag indicating whether overflow of the sequence number
+ /// counter should generate an auditable event and prevent
+ /// transmission of additional packets on the SA, or whether rollover
+ /// is permitted.
+ ///
+ BOOLEAN SeqOverflow;
+ ///
+ /// Is this SA using stateful fragment checking. TRUE represents
+ /// stateful fragment checking.
+ ///
+ BOOLEAN FragCheck;
+ ///
+ /// A time interval after which a SA must be replaced with a new SA
+ /// (and new SPI) or terminated.
+ ///
+ EFI_IPSEC_SA_LIFETIME SaLifetime;
+ ///
+ /// IPsec mode: tunnel or transport.
+ ///
+ EFI_IPSEC_MODE Mode;
+ ///
+ /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.
+ ///
+ EFI_IPSEC_TUNNEL_OPTION *TunnelOption;
+ ///
+ /// IPsec protocol: AH or ESP
+ ///
+ EFI_IPSEC_PROTOCOL_TYPE Proto;
+ ///
+ /// Cryptographic algorithm type used for authentication.
+ ///
+ UINT8 AuthAlgoId;
+ ///
+ /// Cryptographic algorithm type used for encryption. EncAlgo is
+ /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo
+ /// can also be used to describe the algorithm if a combined mode
+ /// algorithm is used.
+ ///
+ UINT8 EncAlgoId;
+} EFI_IPSEC_PROCESS_POLICY;
+
+///
+/// IPsec Authentication Algorithm Definition
+/// The number value definition is aligned to IANA assignment
+///
+#define EFI_IPSEC_AALG_NONE 0x00
+#define EFI_IPSEC_AALG_MD5HMAC 0x02
+#define EFI_IPSEC_AALG_SHA1HMAC 0x03
+#define EFI_IPSEC_AALG_SHA2_256HMAC 0x05
+#define EFI_IPSEC_AALG_SHA2_384HMAC 0x06
+#define EFI_IPSEC_AALG_SHA2_512HMAC 0x07
+#define EFI_IPSEC_AALG_AES_XCBC_MAC 0x09
+#define EFI_IPSEC_AALG_NULL 0xFB
+
+///
+/// IPsec Encryption Algorithm Definition
+/// The number value definition is aligned to IANA assignment
+///
+#define EFI_IPSEC_EALG_NONE 0x00
+#define EFI_IPSEC_EALG_DESCBC 0x02
+#define EFI_IPSEC_EALG_3DESCBC 0x03
+#define EFI_IPSEC_EALG_CASTCBC 0x06
+#define EFI_IPSEC_EALG_BLOWFISHCBC 0x07
+#define EFI_IPSEC_EALG_NULL 0x0B
+#define EFI_IPSEC_EALG_AESCBC 0x0C
+#define EFI_IPSEC_EALG_AESCTR 0x0D
+#define EFI_IPSEC_EALG_AES_CCM_ICV8 0x0E
+#define EFI_IPSEC_EALG_AES_CCM_ICV12 0x0F
+#define EFI_IPSEC_EALG_AES_CCM_ICV16 0x10
+#define EFI_IPSEC_EALG_AES_GCM_ICV8 0x12
+#define EFI_IPSEC_EALG_AES_GCM_ICV12 0x13
+#define EFI_IPSEC_EALG_AES_GCM_ICV16 0x14
+
+///
+/// EFI_IPSEC_SA_ID
+/// A triplet to identify an SA, consisting of the following members.
+///
+typedef struct _EFI_IPSEC_SA_ID {
+ ///
+ /// Security Parameter Index (aka SPI). An arbitrary 32-bit value
+ /// that is used by a receiver to identity the SA to which an incoming
+ /// package should be bound.
+ ///
+ UINT32 Spi;
+ ///
+ /// IPsec protocol: AH or ESP
+ ///
+ EFI_IPSEC_PROTOCOL_TYPE Proto;
+ ///
+ /// Destination IP address.
+ ///
+ EFI_IP_ADDRESS DestAddress;
+} EFI_IPSEC_SA_ID;
+
+
+#define MAX_PEERID_LEN 128
+
+///
+/// EFI_IPSEC_SPD_DATA
+///
+typedef struct _EFI_IPSEC_SPD_DATA {
+ ///
+ /// A null-terminated name string which is used as a symbolic
+ /// identifier for an IPsec Local or Remote address.
+ ///
+ UINT8 Name[MAX_PEERID_LEN];
+ ///
+ /// Bit-mapped list describing Populate from Packet flags. When
+ /// creating a SA, if PackageFlag bit is set to TRUE, instantiate
+ /// the selector from the corresponding field in the package that
+ /// triggered the creation of the SA, else from the value(s) in the
+ /// corresponding SPD entry. The PackageFlag bit setting for
+ /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:
+ /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress
+ /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress
+ /// Bit 2:
+ /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol
+ /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort
+ /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort
+ /// Others: Reserved.
+ ///
+ UINT32 PackageFlag;
+ ///
+ /// The traffic direction of data gram.
+ ///
+ EFI_IPSEC_TRAFFIC_DIR TrafficDirection;
+ ///
+ /// Processing choices to indicate which action is required by this
+ /// policy.
+ ///
+ EFI_IPSEC_ACTION Action;
+ ///
+ /// The policy and rule information for a SPD entry.
+ ///
+ EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy;
+ ///
+ /// Specifies the actual number of entries in SaId list.
+ ///
+ UINTN SaIdCount;
+ ///
+ /// The SAD entry used for the traffic processing. The
+ /// existed SAD entry links indicate this is the manual key case.
+ ///
+ EFI_IPSEC_SA_ID SaId[1];
+} EFI_IPSEC_SPD_DATA;
+
+///
+/// EFI_IPSEC_AH_ALGO_INFO
+/// The security algorithm selection for IPsec AH authentication.
+/// The required authentication algorithm is specified in RFC 4305.
+///
+typedef struct _EFI_IPSEC_AH_ALGO_INFO {
+ UINT8 AuthAlgoId;
+ UINTN AuthKeyLength;
+ VOID *AuthKey;
+} EFI_IPSEC_AH_ALGO_INFO;
+
+///
+/// EFI_IPSEC_ESP_ALGO_INFO
+/// The security algorithm selection for IPsec ESP encryption and authentication.
+/// The required authentication algorithm is specified in RFC 4305.
+/// EncAlgoId fields can also specify an ESP combined mode algorithm
+/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both
+/// confidentiality and authentication services.
+///
+typedef struct _EFI_IPSEC_ESP_ALGO_INFO {
+ UINT8 EncAlgoId;
+ UINTN EncKeyLength;
+ VOID *EncKey;
+ UINT8 AuthAlgoId;
+ UINTN AuthKeyLength;
+ VOID *AuthKey;
+} EFI_IPSEC_ESP_ALGO_INFO;
+
+///
+/// EFI_IPSEC_ALGO_INFO
+///
+typedef union {
+ EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo;
+ EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo;
+} EFI_IPSEC_ALGO_INFO;
+
+///
+/// EFI_IPSEC_SA_DATA
+///
+typedef struct _EFI_IPSEC_SA_DATA {
+ ///
+ /// IPsec mode: tunnel or transport.
+ ///
+ EFI_IPSEC_MODE Mode;
+ ///
+ /// Sequence Number Counter. A 64-bit counter used to generate the
+ /// sequence number field in AH or ESP headers.
+ ///
+ UINT64 SNCount;
+ ///
+ /// Anti-Replay Window. A 64-bit counter and a bit-map used to
+ /// determine whether an inbound AH or ESP packet is a replay.
+ ///
+ UINT8 AntiReplayWindows;
+ ///
+ /// AH/ESP cryptographic algorithm, key and parameters.
+ ///
+ EFI_IPSEC_ALGO_INFO AlgoInfo;
+ ///
+ /// Lifetime of this SA.
+ ///
+ EFI_IPSEC_SA_LIFETIME SaLifetime;
+ ///
+ /// Any observed path MTU and aging variables. The Path MTU
+ /// processing is defined in section 8 of RFC 4301.
+ ///
+ UINT32 PathMTU;
+ ///
+ /// Link to one SPD entry.
+ ///
+ EFI_IPSEC_SPD_SELECTOR *SpdSelector;
+ ///
+ /// Indication of whether it¡¯s manually set or negotiated automatically.
+ /// If ManualSet is FALSE, the corresponding SA entry is inserted through
+ /// IKE protocol negotiation.
+ ///
+ BOOLEAN ManualSet;
+} EFI_IPSEC_SA_DATA;
+
+///
+/// EFI_IPSEC_PAD_ID
+/// specifies the identifier for PAD entry, which is also used for SPD lookup.
+/// IpAddress Pointer to the IPv4 or IPv6 address range.
+///
+typedef struct _EFI_IPSEC_PAD_ID {
+ ///
+ /// Flag to identify which type of PAD Id is used.
+ ///
+ BOOLEAN PeerIdValid;
+ union {
+ ///
+ /// Pointer to the IPv4 or IPv6 address range.
+ ///
+ EFI_IP_ADDRESS_INFO IpAddress;
+ ///
+ /// Pointer to a null terminated string (8-bit ASCII character)
+ /// representing the symbolic names. A PeerId can be a DNS
+ /// name, Distinguished Name, RFC 822 email address or Key ID
+ /// (specified in section 4.4.3.1 of RFC 4301)
+ ///
+ UINT8 PeerId[MAX_PEERID_LEN];
+ } Id;
+} EFI_IPSEC_PAD_ID;
+
+///
+/// EFI_IPSEC_CONFIG_SELECTOR
+/// describes the expected IPsec configuration data selector
+/// of type EFI_IPSEC_CONFIG_DATA_TYPE.
+///
+typedef union {
+ EFI_IPSEC_SPD_SELECTOR SpdSelector;
+ EFI_IPSEC_SA_ID SaId;
+ EFI_IPSEC_PAD_ID PadId;
+} EFI_IPSEC_CONFIG_SELECTOR;
+
+///
+/// EFI_IPSEC_AUTH_PROTOCOL_TYPE
+/// defines the possible authentication protocol for IPsec
+/// security association management.
+///
+typedef enum {
+ EfiIPsecAuthProtocolIKEv1,
+ EfiIPsecAuthProtocolIKEv2,
+ EfiIPsecAuthProtocolMaximum
+} EFI_IPSEC_AUTH_PROTOCOL_TYPE;
+
+///
+/// EFI_IPSEC_AUTH_METHOD
+///
+typedef enum {
+ ///
+ /// Using Pre-shared Keys for manual security associations.
+ ///
+ EfiIPsecAuthMethodPreSharedSecret,
+ ///
+ /// IKE employs X.509 certificates for SA establishment.
+ ///
+ EfiIPsecAuthMethodCertificates,
+ EfiIPsecAuthMethodMaximum
+} EFI_IPSEC_AUTH_METHOD;
+
+///
+/// EFI_IPSEC_PAD_DATA
+///
+typedef struct _EFI_IPSEC_PAD_DATA {
+ ///
+ /// Authentication Protocol for IPsec security association management.
+ ///
+ EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol;
+ ///
+ /// Authentication method used.
+ ///
+ EFI_IPSEC_AUTH_METHOD AuthMethod;
+ ///
+ /// The IKE ID payload will be used as a symbolic name for SPD
+ /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP
+ /// address provided in traffic selector playloads will be used.
+ ///
+ BOOLEAN IkeIdFlag;
+ ///
+ /// The size of Authentication data buffer, in bytes.
+ ///
+ UINTN AuthDataSize;
+ ///
+ /// Buffer for Authentication data, (e.g., the pre-shared secret or the
+ /// trust anchor relative to which the peer's certificate will be
+ /// validated).
+ ///
+ VOID *AuthData;
+ ///
+ /// The size of RevocationData, in bytes
+ ///
+ UINTN RevocationDataSize;
+ ///
+ /// Pointer to CRL or OCSP data, if certificates are used for
+ /// authentication method.
+ ///
+ VOID *RevocationData;
+} EFI_IPSEC_PAD_DATA;
+
+
+/**
+ Set the security association, security policy and peer authorization configuration
+ information for the EFI IPsec driver.
+
+ This function is used to set the IPsec configuration information of type DataType for
+ the EFI IPsec driver.
+ The IPsec configuration data has a unique selector/identifier separately to identify
+ a data entry. The selector structure depends on DataType¡¯s definition.
+ Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
+ by DataType and Selector to be deleted.
+
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
+ @param[in] DataType The type of data to be set.
+ @param[in] Selector Pointer to an entry selector on operated configuration data
+ specified by DataType. A NULL Selector causes the entire
+ specified-type configuration information to be flushed.
+ @param[in] Data The data buffer to be set. The structure of the data buffer is
+ associated with the DataType.
+ @param[in] InsertBefore Pointer to one entry selector which describes the expected
+ position the new data entry will be added. If InsertBefore is NULL,
+ the new entry will be appended the end of database.
+
+ @retval EFI_SUCCESS The specified configuration entry data is set successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
+ - This is NULL.
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.
+ @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA) (
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
+ IN VOID *Data,
+ IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL
+ );
+
+/**
+ Return the configuration value for the EFI IPsec driver.
+
+ This function lookup the data entry from IPsec database or IKEv2 configuration
+ information. The expected data type and unique identification are described in
+ DataType and Selector parameters.
+
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
+ @param[in] DataType The type of data to retrieve.
+ @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec
+ configuration data entry.
+ @param[in, out] DataSize On output the size of data returned in Data.
+ @param[out] Data The buffer to return the contents of the IPsec configuration data.
+ The type of the data buffer is associated with the DataType.
+
+ @retval EFI_SUCCESS The specified configuration data is got successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
+ - This is NULL.
+ - Selector is NULL.
+ - DataSize is NULL.
+ - Data is NULL and *DataSize is not zero
+ @retval EFI_NOT_FOUND The configuration data specified by Selector is not found.
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been
+ updated with the size needed to complete the request.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_CONFIG_GET_DATA) (
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
+ IN EFI_IPSEC_CONFIG_SELECTOR *Selector,
+ IN OUT UINTN *DataSize,
+ OUT VOID *Data
+ );
+
+/**
+ Enumerates the current selector for IPsec configuration data entry.
+
+ This function is called multiple times to retrieve the entry Selector in IPsec
+ configuration database. On each call to GetNextSelector(), the next entry
+ Selector are retrieved into the output interface.
+
+ If the entire IPsec configuration database has been iterated, the error
+ EFI_NOT_FOUND is returned.
+ If the Selector buffer is too small for the next Selector copy, an
+ EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
+ the size of buffer needed.
+
+ On the initial call to GetNextSelector() to start the IPsec configuration database
+ search, a pointer to the buffer with all zero value is passed in Selector. Calls
+ to SetData() between calls to GetNextSelector may produce unpredictable results.
+
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
+ @param[in] DataType The type of IPsec configuration data to retrieve.
+ @param[in, out] SelectorSize The size of the Selector buffer.
+ @param[in, out] Selector On input, supplies the pointer to last Selector that was
+ returned by GetNextSelector().
+ On output, returns one copy of the current entry Selector
+ of a given DataType.
+
+ @retval EFI_SUCCESS The specified configuration data is got successfully.
+ @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
+ - This is NULL.
+ - SelectorSize is NULL.
+ - Selector is NULL.
+ @retval EFI_NOT_FOUND The next configuration data entry was not found.
+ @retval EFI_UNSUPPORTED The specified DataType is not supported.
+ @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter
+ has been updated with the size needed to complete the search
+ request.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR) (
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
+ IN OUT UINTN *SelectorSize,
+ IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector
+ );
+
+/**
+ Register an event that is to be signaled whenever a configuration process on the
+ specified IPsec configuration information is done.
+
+ This function registers an event that is to be signaled whenever a configuration
+ process on the specified IPsec configuration data is done (e.g. IPsec security
+ policy database configuration is ready). An event can be registered for different
+ DataType simultaneously and the caller is responsible for determining which type
+ of configuration data causes the signaling of the event in such case.
+
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
+ @param[in] DataType The type of data to be registered the event for.
+ @param[in] Event The event to be registered.
+
+ @retval EFI_SUCCESS The event is registered successfully.
+ @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
+ @retval EFI_ACCESS_DENIED The Event is already registered for the DataType.
+ @retval EFI_UNSUPPORTED The notify registration unsupported or the specified
+ DataType is not supported.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY) (
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
+ IN EFI_EVENT Event
+ );
+
+/**
+ Remove the specified event that is previously registered on the specified IPsec
+ configuration data.
+
+ This function removes a previously registered event for the specified configuration data.
+
+ @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
+ @param[in] DataType The configuration data type to remove the registered event for.
+ @param[in] Event The event to be unregistered.
+
+ @retval EFI_SUCCESS The event is removed successfully.
+ @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the
+ database.
+ @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
+ @retval EFI_UNSUPPORTED The notify registration unsupported or the specified
+ DataType is not supported.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY) (
+ IN EFI_IPSEC_CONFIG_PROTOCOL *This,
+ IN EFI_IPSEC_CONFIG_DATA_TYPE DataType,
+ IN EFI_EVENT Event
+ );
+
+///
+/// EFI_IPSEC_CONFIG_PROTOCOL
+/// provides the ability to set and lookup the IPsec SAD (Security Association Database),
+/// SPD (Security Policy Database) data entry and configure the security association
+/// management protocol such as IKEv2. This protocol is used as the central
+/// repository of any policy-specific configuration for EFI IPsec driver.
+/// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this
+/// protocol for IPsec configuration in both IPv4 and IPv6 environment.
+///
+struct _EFI_IPSEC_CONFIG_PROTOCOL {
+ EFI_IPSEC_CONFIG_SET_DATA SetData;
+ EFI_IPSEC_CONFIG_GET_DATA GetData;
+ EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector;
+ EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify;
+ EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify;
+};
+
+extern EFI_GUID gEfiIpSecConfigProtocolGuid;
+
+#endif
diff --git a/MdePkg/MdePkg.dec b/MdePkg/MdePkg.dec
index 9c0b98cd5b..dfbc89eb98 100644
--- a/MdePkg/MdePkg.dec
+++ b/MdePkg/MdePkg.dec
@@ -1000,6 +1000,9 @@
## Include/Protocol/Ftp4.h
gEfiFtp4ProtocolGuid = { 0xeb338826, 0x681b, 0x4295, {0xb3, 0x56, 0x2b, 0x36, 0x4c, 0x75, 0x7b, 0x9 }}
+ ## Include/Protocol/IpSecConfig.h
+ gEfiIpSecConfigProtocolGuid = { 0xce5e5929, 0xc7a3, 0x4602, 0xad, {0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf }}
+
## Include/Protocol/DriverHealth.h
gEfiDriverHealthProtocolGuid = { 0x2a534210, 0x9280, 0x41d8, {0xae, 0x79, 0xca, 0xda, 0x1, 0xa2, 0xb1, 0x27 }}
@@ -1021,6 +1024,9 @@
## Include/Protocol/FirmwareManagement.h
gEfiFirmwareManagementProtocolGuid = { 0x86c77a67, 0xb97, 0x4633, {0xa1, 0x87, 0x49, 0x10, 0x4d, 0x6, 0x85, 0xc7 }}
+ ## Include/Protocol/IpSec.h
+ gEfiIpSecProtocolGuid = { 0xdfb386f7, 0xe100, 0x43ad, {0x9c, 0x9a, 0xed, 0x90, 0xd0, 0x8a, 0x5e, 0x12 }}
+
[PcdsFeatureFlag]
## If TRUE, the component name protocol will not be installed.
gEfiMdePkgTokenSpaceGuid.PcdComponentNameDisable|FALSE|BOOLEAN|0x0000000d