TianoCore EDK2 master
Loading...
Searching...
No Matches
IpSecConfig.h File Reference

Go to the source code of this file.

Data Structures

struct  _EFI_IP_ADDRESS_INFO
 
struct  _EFI_IPSEC_SPD_SELECTOR
 
struct  _EFI_IPSEC_SA_LIFETIME
 
struct  _EFI_IPSEC_TUNNEL_OPTION
 
struct  _EFI_IPSEC_PROCESS_POLICY
 
struct  _EFI_IPSEC_SA_ID
 
struct  _EFI_IPSEC_SPD_DATA
 
struct  _EFI_IPSEC_AH_ALGO_INFO
 
struct  _EFI_IPSEC_ESP_ALGO_INFO
 
union  EFI_IPSEC_ALGO_INFO
 
struct  _EFI_IPSEC_SA_DATA
 
struct  _EFI_IPSEC_SA_DATA2
 
struct  _EFI_IPSEC_PAD_ID
 
union  EFI_IPSEC_CONFIG_SELECTOR
 
struct  _EFI_IPSEC_PAD_DATA
 
struct  _EFI_IPSEC_CONFIG_PROTOCOL
 

Macros

#define EFI_IPSEC_CONFIG_PROTOCOL_GUID
 
#define MAX_PEERID_LEN   128
 

Typedefs

typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL
 
typedef struct _EFI_IP_ADDRESS_INFO EFI_IP_ADDRESS_INFO
 
typedef struct _EFI_IPSEC_SPD_SELECTOR EFI_IPSEC_SPD_SELECTOR
 
typedef struct _EFI_IPSEC_SA_LIFETIME EFI_IPSEC_SA_LIFETIME
 
typedef struct _EFI_IPSEC_TUNNEL_OPTION EFI_IPSEC_TUNNEL_OPTION
 
typedef struct _EFI_IPSEC_PROCESS_POLICY EFI_IPSEC_PROCESS_POLICY
 
typedef struct _EFI_IPSEC_SA_ID EFI_IPSEC_SA_ID
 
typedef struct _EFI_IPSEC_SPD_DATA EFI_IPSEC_SPD_DATA
 
typedef struct _EFI_IPSEC_AH_ALGO_INFO EFI_IPSEC_AH_ALGO_INFO
 
typedef struct _EFI_IPSEC_ESP_ALGO_INFO EFI_IPSEC_ESP_ALGO_INFO
 
typedef struct _EFI_IPSEC_SA_DATA EFI_IPSEC_SA_DATA
 
typedef struct _EFI_IPSEC_SA_DATA2 EFI_IPSEC_SA_DATA2
 
typedef struct _EFI_IPSEC_PAD_ID EFI_IPSEC_PAD_ID
 
typedef struct _EFI_IPSEC_PAD_DATA EFI_IPSEC_PAD_DATA
 
typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_SET_DATA) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN VOID *Data, IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL)
 
typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_GET_DATA) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN OUT UINTN *DataSize, OUT VOID *Data)
 
typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN OUT UINTN *SelectorSize, IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector)
 
typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_REGISTER_NOTIFY) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_EVENT Event)
 
typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_EVENT Event)
 

Enumerations

enum  EFI_IPSEC_CONFIG_DATA_TYPE { IPsecConfigDataTypeSpd , IPsecConfigDataTypeSad , IPsecConfigDataTypePad , IPsecConfigDataTypeMaximum }
 
enum  EFI_IPSEC_TRAFFIC_DIR { EfiIPsecInBound , EfiIPsecOutBound }
 
enum  EFI_IPSEC_ACTION { EfiIPsecActionDiscard , EfiIPsecActionBypass , EfiIPsecActionProtect }
 
enum  EFI_IPSEC_MODE { EfiIPsecTransport , EfiIPsecTunnel }
 
enum  EFI_IPSEC_TUNNEL_DF_OPTION { EfiIPsecTunnelClearDf , EfiIPsecTunnelSetDf , EfiIPsecTunnelCopyDf }
 
enum  EFI_IPSEC_PROTOCOL_TYPE { EfiIPsecAH , EfiIPsecESP }
 
enum  EFI_IPSEC_AUTH_PROTOCOL_TYPE { EfiIPsecAuthProtocolIKEv1 , EfiIPsecAuthProtocolIKEv2 , EfiIPsecAuthProtocolMaximum }
 
enum  EFI_IPSEC_AUTH_METHOD { EfiIPsecAuthMethodPreSharedSecret , EfiIPsecAuthMethodCertificates , EfiIPsecAuthMethodMaximum }
 

Variables

EFI_GUID gEfiIpSecConfigProtocolGuid
 

Detailed Description

EFI IPsec Configuration Protocol Definition The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and policy related information for the EFI IPsec protocol driver.

Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent

Revision Reference:
This Protocol is introduced in UEFI Specification 2.2

Definition in file IpSecConfig.h.

Macro Definition Documentation

◆ EFI_IPSEC_CONFIG_PROTOCOL_GUID

#define EFI_IPSEC_CONFIG_PROTOCOL_GUID
Value:
{ \
0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
}

Definition at line 17 of file IpSecConfig.h.

◆ MAX_PEERID_LEN

#define MAX_PEERID_LEN   128

Definition at line 318 of file IpSecConfig.h.

Typedef Documentation

◆ EFI_IP_ADDRESS_INFO

EFI_IP_ADDRESS_INFO

◆ EFI_IPSEC_AH_ALGO_INFO

EFI_IPSEC_AH_ALGO_INFO The security algorithm selection for IPsec AH authentication. The required authentication algorithm is specified in RFC 4305.

◆ EFI_IPSEC_CONFIG_GET_DATA

typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_GET_DATA) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN OUT UINTN *DataSize, OUT VOID *Data)

Return the configuration value for the EFI IPsec driver.

This function lookup the data entry from IPsec database or IKEv2 configuration information. The expected data type and unique identification are described in DataType and Selector parameters.

Parameters
[in]ThisPointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
[in]DataTypeThe type of data to retrieve.
[in]SelectorPointer to an entry selector which is an identifier of the IPsec configuration data entry.
[in,out]DataSizeOn output the size of data returned in Data.
[out]DataThe buffer to return the contents of the IPsec configuration data. The type of the data buffer is associated with the DataType.
Return values
EFI_SUCCESSThe specified configuration data is got successfully.
EFI_INVALID_PARAMETEROne or more of the followings are TRUE:
  • This is NULL.
  • Selector is NULL.
  • DataSize is NULL.
  • Data is NULL and *DataSize is not zero
EFI_NOT_FOUNDThe configuration data specified by Selector is not found.
EFI_UNSUPPORTEDThe specified DataType is not supported.
EFI_BUFFER_TOO_SMALLThe DataSize is too small for the result. DataSize has been updated with the size needed to complete the request.

Definition at line 667 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR

typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN OUT UINTN *SelectorSize, IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector)

Enumerates the current selector for IPsec configuration data entry.

This function is called multiple times to retrieve the entry Selector in IPsec configuration database. On each call to GetNextSelector(), the next entry Selector are retrieved into the output interface.

If the entire IPsec configuration database has been iterated, the error EFI_NOT_FOUND is returned. If the Selector buffer is too small for the next Selector copy, an EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect the size of buffer needed.

On the initial call to GetNextSelector() to start the IPsec configuration database search, a pointer to the buffer with all zero value is passed in Selector. Calls to SetData() between calls to GetNextSelector may produce unpredictable results.

Parameters
[in]ThisPointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
[in]DataTypeThe type of IPsec configuration data to retrieve.
[in,out]SelectorSizeThe size of the Selector buffer.
[in,out]SelectorOn input, supplies the pointer to last Selector that was returned by GetNextSelector(). On output, returns one copy of the current entry Selector of a given DataType.
Return values
EFI_SUCCESSThe specified configuration data is got successfully.
EFI_INVALID_PARAMETEROne or more of the followings are TRUE:
  • This is NULL.
  • SelectorSize is NULL.
  • Selector is NULL.
EFI_NOT_FOUNDThe next configuration data entry was not found.
EFI_UNSUPPORTEDThe specified DataType is not supported.
EFI_BUFFER_TOO_SMALLThe SelectorSize is too small for the result. This parameter has been updated with the size needed to complete the search request.

Definition at line 714 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_PROTOCOL

Definition at line 22 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_REGISTER_NOTIFY

typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_REGISTER_NOTIFY) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_EVENT Event)

Register an event that is to be signaled whenever a configuration process on the specified IPsec configuration information is done.

This function registers an event that is to be signaled whenever a configuration process on the specified IPsec configuration data is done (e.g. IPsec security policy database configuration is ready). An event can be registered for different DataType simultaneously and the caller is responsible for determining which type of configuration data causes the signaling of the event in such case.

Parameters
[in]ThisPointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
[in]DataTypeThe type of data to be registered the event for.
[in]EventThe event to be registered.
Return values
EFI_SUCCESSThe event is registered successfully.
EFI_INVALID_PARAMETERThis is NULL or Event is NULL.
EFI_ACCESS_DENIEDThe Event is already registered for the DataType.
EFI_UNSUPPORTEDThe notify registration unsupported or the specified DataType is not supported.

Definition at line 744 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_SET_DATA

typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_SET_DATA) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_IPSEC_CONFIG_SELECTOR *Selector, IN VOID *Data, IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL)

Set the security association, security policy and peer authorization configuration information for the EFI IPsec driver.

This function is used to set the IPsec configuration information of type DataType for the EFI IPsec driver. The IPsec configuration data has a unique selector/identifier separately to identify a data entry. The selector structure depends on DataType's definition. Using SetData() with a Data of NULL causes the IPsec configuration data entry identified by DataType and Selector to be deleted.

Parameters
[in]ThisPointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
[in]DataTypeThe type of data to be set.
[in]SelectorPointer to an entry selector on operated configuration data specified by DataType. A NULL Selector causes the entire specified-type configuration information to be flushed.
[in]DataThe data buffer to be set. The structure of the data buffer is associated with the DataType.
[in]InsertBeforePointer to one entry selector which describes the expected position the new data entry will be added. If InsertBefore is NULL, the new entry will be appended the end of database.
Return values
EFI_SUCCESSThe specified configuration entry data is set successfully.
EFI_INVALID_PARAMETEROne or more of the following are TRUE:
  • This is NULL.
EFI_UNSUPPORTEDThe specified DataType is not supported.
EFI_OUT_OF_RESOURCEDThe required system resource could not be allocated.

Definition at line 630 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY

typedef EFI_STATUS(EFIAPI * EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY) (IN EFI_IPSEC_CONFIG_PROTOCOL *This, IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, IN EFI_EVENT Event)

Remove the specified event that is previously registered on the specified IPsec configuration data.

This function removes a previously registered event for the specified configuration data.

Parameters
[in]ThisPointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
[in]DataTypeThe configuration data type to remove the registered event for.
[in]EventThe event to be unregistered.
Return values
EFI_SUCCESSThe event is removed successfully.
EFI_NOT_FOUNDThe Event specified by DataType could not be found in the database.
EFI_INVALID_PARAMETERThis is NULL or Event is NULL.
EFI_UNSUPPORTEDThe notify registration unsupported or the specified DataType is not supported.

Definition at line 770 of file IpSecConfig.h.

◆ EFI_IPSEC_ESP_ALGO_INFO

EFI_IPSEC_ESP_ALGO_INFO The security algorithm selection for IPsec ESP encryption and authentication. The required authentication algorithm is specified in RFC 4305. EncAlgoId fields can also specify an ESP combined mode algorithm (e.g. AES with CCM mode, specified in RFC 4309), which provides both confidentiality and authentication services.

◆ EFI_IPSEC_PAD_DATA

EFI_IPSEC_PAD_DATA

◆ EFI_IPSEC_PAD_ID

EFI_IPSEC_PAD_ID specifies the identifier for PAD entry, which is also used for SPD lookup. IpAddress Pointer to the IPv4 or IPv6 address range.

◆ EFI_IPSEC_PROCESS_POLICY

EFI_IPSEC_PROCESS_POLICY describes a policy list for traffic processing.

◆ EFI_IPSEC_SA_DATA

EFI_IPSEC_SA_DATA

◆ EFI_IPSEC_SA_DATA2

EFI_IPSEC_SA_DATA2

◆ EFI_IPSEC_SA_ID

EFI_IPSEC_SA_ID A triplet to identify an SA, consisting of the following members.

◆ EFI_IPSEC_SA_LIFETIME

EFI_IPSEC_SA_LIFETIME defines the lifetime of an SA, which represents when a SA must be replaced or terminated. A value of all 0 for each field removes the limitation of a SA lifetime.

◆ EFI_IPSEC_SPD_DATA

EFI_IPSEC_SPD_DATA

◆ EFI_IPSEC_SPD_SELECTOR

EFI_IPSEC_SPD_SELECTOR

◆ EFI_IPSEC_TUNNEL_OPTION

EFI_IPSEC_TUNNEL_OPTION

Enumeration Type Documentation

◆ EFI_IPSEC_ACTION

EFI_IPSEC_ACTION represents three possible processing choices.

Enumerator
EfiIPsecActionDiscard 

Refers to traffic that is not allowed to traverse the IPsec boundary.

EfiIPsecActionBypass 

Refers to traffic that is allowed to cross the IPsec boundary without protection.

EfiIPsecActionProtect 

Refers to traffic that is afforded IPsec protection, and for such traffic the SPD must specify the security protocols to be employed, their mode, security service options, and the cryptographic algorithms to be used.

Definition at line 148 of file IpSecConfig.h.

◆ EFI_IPSEC_AUTH_METHOD

EFI_IPSEC_AUTH_METHOD

Enumerator
EfiIPsecAuthMethodPreSharedSecret 

Using Pre-shared Keys for manual security associations.

EfiIPsecAuthMethodCertificates 

IKE employs X.509 certificates for SA establishment.

Definition at line 549 of file IpSecConfig.h.

◆ EFI_IPSEC_AUTH_PROTOCOL_TYPE

EFI_IPSEC_AUTH_PROTOCOL_TYPE defines the possible authentication protocol for IPsec security association management.

Definition at line 540 of file IpSecConfig.h.

◆ EFI_IPSEC_CONFIG_DATA_TYPE

EFI_IPSEC_CONFIG_DATA_TYPE

Enumerator
IPsecConfigDataTypeSpd 

The IPsec Security Policy Database (aka SPD) setting. In IPsec, an essential element of Security Association (SA) processing is underlying SPD that specifies what services are to be offered to IP datagram and in what fashion. The SPD must be consulted during the processing of all traffic (inbound and outbound), including traffic not protected by IPsec, that traverses the IPsec boundary. With this DataType, SetData() function is to set the SPD entry information, which may add one new entry, delete one existed entry or flush the whole database according to the parameter values. The corresponding Data is of type EFI_IPSEC_SPD_DATA

IPsecConfigDataTypeSad 

The IPsec Security Association Database (aka SAD) setting. A SA is a simplex connection that affords security services to the traffic carried by it. Security services are afforded to an SA by the use of AH, or ESP, but not both. The corresponding Data is of type EFI_IPSEC_SAD_DATA.

IPsecConfigDataTypePad 

The IPsec Peer Authorization Database (aka PAD) setting, which provides the link between the SPD and a security association management protocol. The PAD entry specifies the authentication protocol (e.g. IKEv1, IKEv2) method used and the authentication data. The corresponding Data is of type EFI_IPSEC_PAD_DATA.

Definition at line 27 of file IpSecConfig.h.

◆ EFI_IPSEC_MODE

EFI_IPSEC_MODE There are two modes of IPsec operation: transport mode and tunnel mode. In EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.

Definition at line 199 of file IpSecConfig.h.

◆ EFI_IPSEC_PROTOCOL_TYPE

EFI_IPSEC_PROTOCOL_TYPE

Enumerator
EfiIPsecAH 

IP Authentication Header protocol which is specified in RFC 4302.

EfiIPsecESP 

IP Encapsulating Security Payload which is specified in RFC 4303.

Definition at line 240 of file IpSecConfig.h.

◆ EFI_IPSEC_TRAFFIC_DIR

EFI_IPSEC_TRAFFIC_DIR represents the directionality in an SPD entry.

Enumerator
EfiIPsecInBound 

The EfiIPsecInBound refers to traffic entering an IPsec implementation via the unprotected interface or emitted by the implementation on the unprotected side of the boundary and directed towards the protected interface.

EfiIPsecOutBound 

The EfiIPsecOutBound refers to traffic entering the implementation via the protected interface, or emitted by the implementation on the protected side of the boundary and directed toward the unprotected interface.

Definition at line 129 of file IpSecConfig.h.

◆ EFI_IPSEC_TUNNEL_DF_OPTION

EFI_IPSEC_TUNNEL_DF_OPTION The option of copying the DF bit from an outbound package to the tunnel mode header that it emits, when traffic is carried via a tunnel mode SA. This applies to SAs where both inner and outer headers are IPv4.

Enumerator
EfiIPsecTunnelClearDf 

Clear DF bit from inner header.

EfiIPsecTunnelSetDf 

Set DF bit from inner header.

EfiIPsecTunnelCopyDf 

Copy DF bit from inner header.

Definition at line 211 of file IpSecConfig.h.