1 /** @file 2 EFI IPsec Configuration Protocol Definition 3 The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and 4 policy related information for the EFI IPsec protocol driver. 5 6 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> 7 SPDX-License-Identifier: BSD-2-Clause-Patent 8 9 @par Revision Reference: 10 This Protocol is introduced in UEFI Specification 2.2 11 12 **/ 13 14 #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__ 15 #define __EFI_IPSE_CCONFIG_PROTOCOL_H__ 16 17 18 #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \ 19 { \ 20 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \ 21 } 22 23 typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL; 24 25 /// 26 /// EFI_IPSEC_CONFIG_DATA_TYPE 27 /// 28 typedef enum { 29 /// 30 /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, 31 /// an essential element of Security Association (SA) processing is 32 /// underlying SPD that specifies what services are to be offered to 33 /// IP datagram and in what fashion. The SPD must be consulted 34 /// during the processing of all traffic (inbound and outbound), 35 /// including traffic not protected by IPsec, that traverses the IPsec 36 /// boundary. With this DataType, SetData() function is to set 37 /// the SPD entry information, which may add one new entry, delete 38 /// one existed entry or flush the whole database according to the 39 /// parameter values. The corresponding Data is of type 40 /// EFI_IPSEC_SPD_DATA 41 /// 42 IPsecConfigDataTypeSpd, 43 /// 44 /// The IPsec Security Association Database (aka SAD) setting. A 45 /// SA is a simplex connection that affords security services to the 46 /// traffic carried by it. Security services are afforded to an SA by the 47 /// use of AH, or ESP, but not both. The corresponding Data is of 48 /// type EFI_IPSEC_SAD_DATA. 49 /// 50 IPsecConfigDataTypeSad, 51 /// 52 /// The IPsec Peer Authorization Database (aka PAD) setting, which 53 /// provides the link between the SPD and a security association 54 /// management protocol. The PAD entry specifies the 55 /// authentication protocol (e.g. IKEv1, IKEv2) method used and the 56 /// authentication data. The corresponding Data is of type 57 /// EFI_IPSEC_PAD_DATA. 58 /// 59 IPsecConfigDataTypePad, 60 IPsecConfigDataTypeMaximum 61 } EFI_IPSEC_CONFIG_DATA_TYPE; 62 63 /// 64 /// EFI_IP_ADDRESS_INFO 65 /// 66 typedef struct _EFI_IP_ADDRESS_INFO { 67 EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address 68 UINT8 PrefixLength; ///< The length of the prefix associated with the Address. 69 } EFI_IP_ADDRESS_INFO; 70 71 72 /// 73 /// EFI_IPSEC_SPD_SELECTOR 74 /// 75 typedef struct _EFI_IPSEC_SPD_SELECTOR { 76 /// 77 /// Specifies the actual number of entries in LocalAddress. 78 /// 79 UINT32 LocalAddressCount; 80 /// 81 /// A list of ranges of IPv4 or IPv6 addresses, which refers to the 82 /// addresses being protected by IPsec policy. 83 /// 84 EFI_IP_ADDRESS_INFO *LocalAddress; 85 /// 86 /// Specifies the actual number of entries in RemoteAddress. 87 /// 88 UINT32 RemoteAddressCount; 89 /// 90 /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities 91 /// to LocalAddress. 92 /// 93 EFI_IP_ADDRESS_INFO *RemoteAddress; 94 /// 95 /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 96 /// Next Header fields. The next layer protocol is whatever comes 97 /// after any IP extension headers that are present. A zero value is a 98 /// wildcard that matches any value in NextLayerProtocol field. 99 /// 100 UINT16 NextLayerProtocol; 101 /// 102 /// Local Port if the Next Layer Protocol uses two ports (as do TCP, 103 /// UDP, and others). A zero value is a wildcard that matches any 104 /// value in LocalPort field. 105 /// 106 UINT16 LocalPort; 107 /// 108 /// A designed port range size. The start port is LocalPort, and 109 /// the total number of ports is described by LocalPortRange. 110 /// This field is ignored if NextLayerProtocol does not use 111 /// ports. 112 /// 113 UINT16 LocalPortRange; 114 /// 115 /// Remote Port if the Next Layer Protocol uses two ports. A zero 116 /// value is a wildcard that matches any value in RemotePort field. 117 /// 118 UINT16 RemotePort; 119 /// 120 /// A designed port range size. The start port is RemotePort, and 121 /// the total number of ports is described by RemotePortRange. 122 /// This field is ignored if NextLayerProtocol does not use ports. 123 /// 124 UINT16 RemotePortRange; 125 } EFI_IPSEC_SPD_SELECTOR; 126 127 /// 128 /// EFI_IPSEC_TRAFFIC_DIR 129 /// represents the directionality in an SPD entry. 130 /// 131 typedef enum { 132 /// 133 /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via 134 /// the unprotected interface or emitted by the implementation on the unprotected 135 /// side of the boundary and directed towards the protected interface. 136 /// 137 EfiIPsecInBound, 138 /// 139 /// The EfiIPsecOutBound refers to traffic entering the implementation via 140 /// the protected interface, or emitted by the implementation on the protected side 141 /// of the boundary and directed toward the unprotected interface. 142 /// 143 EfiIPsecOutBound 144 } EFI_IPSEC_TRAFFIC_DIR; 145 146 /// 147 /// EFI_IPSEC_ACTION 148 /// represents three possible processing choices. 149 /// 150 typedef enum { 151 /// 152 /// Refers to traffic that is not allowed to traverse the IPsec boundary. 153 /// 154 EfiIPsecActionDiscard, 155 /// 156 /// Refers to traffic that is allowed to cross the IPsec boundary 157 /// without protection. 158 /// 159 EfiIPsecActionBypass, 160 /// 161 /// Refers to traffic that is afforded IPsec protection, and for such 162 /// traffic the SPD must specify the security protocols to be 163 /// employed, their mode, security service options, and the 164 /// cryptographic algorithms to be used. 165 /// 166 EfiIPsecActionProtect 167 } EFI_IPSEC_ACTION; 168 169 /// 170 /// EFI_IPSEC_SA_LIFETIME 171 /// defines the lifetime of an SA, which represents when a SA must be 172 /// replaced or terminated. A value of all 0 for each field removes 173 /// the limitation of a SA lifetime. 174 /// 175 typedef struct _EFI_IPSEC_SA_LIFETIME { 176 /// 177 /// The number of bytes to which the IPsec cryptographic algorithm 178 /// can be applied. For ESP, this is the encryption algorithm and for 179 /// AH, this is the authentication algorithm. The ByteCount 180 /// includes pad bytes for cryptographic operations. 181 /// 182 UINT64 ByteCount; 183 /// 184 /// A time interval in second that warns the implementation to 185 /// initiate action such as setting up a replacement SA. 186 /// 187 UINT64 SoftLifetime; 188 /// 189 /// A time interval in second when the current SA ends and is 190 /// destroyed. 191 /// 192 UINT64 HardLifetime; 193 } EFI_IPSEC_SA_LIFETIME; 194 195 /// 196 /// EFI_IPSEC_MODE 197 /// There are two modes of IPsec operation: transport mode and tunnel mode. In 198 /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; 199 /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets. 200 /// 201 typedef enum { 202 EfiIPsecTransport, 203 EfiIPsecTunnel 204 } EFI_IPSEC_MODE; 205 206 /// 207 /// EFI_IPSEC_TUNNEL_DF_OPTION 208 /// The option of copying the DF bit from an outbound package to 209 /// the tunnel mode header that it emits, when traffic is carried 210 /// via a tunnel mode SA. This applies to SAs where both inner and 211 /// outer headers are IPv4. 212 /// 213 typedef enum { 214 EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header. 215 EfiIPsecTunnelSetDf, ///< Set DF bit from inner header. 216 EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header. 217 } EFI_IPSEC_TUNNEL_DF_OPTION; 218 219 /// 220 /// EFI_IPSEC_TUNNEL_OPTION 221 /// 222 typedef struct _EFI_IPSEC_TUNNEL_OPTION { 223 /// 224 /// Local tunnel address when IPsec mode is EfiIPsecTunnel. 225 /// 226 EFI_IP_ADDRESS LocalTunnelAddress; 227 /// 228 /// Remote tunnel address when IPsec mode is EfiIPsecTunnel. 229 /// 230 EFI_IP_ADDRESS RemoteTunnelAddress; 231 /// 232 /// The option of copying the DF bit from an outbound package 233 /// to the tunnel mode header that it emits, when traffic is 234 /// carried via a tunnel mode SA. 235 /// 236 EFI_IPSEC_TUNNEL_DF_OPTION DF; 237 } EFI_IPSEC_TUNNEL_OPTION; 238 239 /// 240 /// EFI_IPSEC_PROTOCOL_TYPE 241 /// 242 typedef enum { 243 EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302. 244 EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. 245 } EFI_IPSEC_PROTOCOL_TYPE; 246 247 /// 248 /// EFI_IPSEC_PROCESS_POLICY 249 /// describes a policy list for traffic processing. 250 /// 251 typedef struct _EFI_IPSEC_PROCESS_POLICY { 252 /// 253 /// Extended Sequence Number. Is this SA using extended sequence 254 /// numbers. 64 bit counter is used if TRUE. 255 /// 256 BOOLEAN ExtSeqNum; 257 /// 258 /// A flag indicating whether overflow of the sequence number 259 /// counter should generate an auditable event and prevent 260 /// transmission of additional packets on the SA, or whether rollover 261 /// is permitted. 262 /// 263 BOOLEAN SeqOverflow; 264 /// 265 /// Is this SA using stateful fragment checking. TRUE represents 266 /// stateful fragment checking. 267 /// 268 BOOLEAN FragCheck; 269 /// 270 /// A time interval after which a SA must be replaced with a new SA 271 /// (and new SPI) or terminated. 272 /// 273 EFI_IPSEC_SA_LIFETIME SaLifetime; 274 /// 275 /// IPsec mode: tunnel or transport. 276 /// 277 EFI_IPSEC_MODE Mode; 278 /// 279 /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport. 280 /// 281 EFI_IPSEC_TUNNEL_OPTION *TunnelOption; 282 /// 283 /// IPsec protocol: AH or ESP 284 /// 285 EFI_IPSEC_PROTOCOL_TYPE Proto; 286 /// 287 /// Cryptographic algorithm type used for authentication. 288 /// 289 UINT8 AuthAlgoId; 290 /// 291 /// Cryptographic algorithm type used for encryption. EncAlgo is 292 /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo 293 /// can also be used to describe the algorithm if a combined mode 294 /// algorithm is used. 295 /// 296 UINT8 EncAlgoId; 297 } EFI_IPSEC_PROCESS_POLICY; 298 299 /// 300 /// EFI_IPSEC_SA_ID 301 /// A triplet to identify an SA, consisting of the following members. 302 /// 303 typedef struct _EFI_IPSEC_SA_ID { 304 /// 305 /// Security Parameter Index (aka SPI). An arbitrary 32-bit value 306 /// that is used by a receiver to identity the SA to which an incoming 307 /// package should be bound. 308 /// 309 UINT32 Spi; 310 /// 311 /// IPsec protocol: AH or ESP 312 /// 313 EFI_IPSEC_PROTOCOL_TYPE Proto; 314 /// 315 /// Destination IP address. 316 /// 317 EFI_IP_ADDRESS DestAddress; 318 } EFI_IPSEC_SA_ID; 319 320 321 #define MAX_PEERID_LEN 128 322 323 /// 324 /// EFI_IPSEC_SPD_DATA 325 /// 326 typedef struct _EFI_IPSEC_SPD_DATA { 327 /// 328 /// A null-terminated ASCII name string which is used as a symbolic 329 /// identifier for an IPsec Local or Remote address. 330 /// 331 UINT8 Name[MAX_PEERID_LEN]; 332 /// 333 /// Bit-mapped list describing Populate from Packet flags. When 334 /// creating a SA, if PackageFlag bit is set to TRUE, instantiate 335 /// the selector from the corresponding field in the package that 336 /// triggered the creation of the SA, else from the value(s) in the 337 /// corresponding SPD entry. The PackageFlag bit setting for 338 /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR: 339 /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress 340 /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress 341 /// Bit 2: 342 /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol 343 /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort 344 /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort 345 /// Others: Reserved. 346 /// 347 UINT32 PackageFlag; 348 /// 349 /// The traffic direction of data gram. 350 /// 351 EFI_IPSEC_TRAFFIC_DIR TrafficDirection; 352 /// 353 /// Processing choices to indicate which action is required by this 354 /// policy. 355 /// 356 EFI_IPSEC_ACTION Action; 357 /// 358 /// The policy and rule information for a SPD entry. 359 /// 360 EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy; 361 /// 362 /// Specifies the actual number of entries in SaId list. 363 /// 364 UINTN SaIdCount; 365 /// 366 /// The SAD entry used for the traffic processing. The 367 /// existed SAD entry links indicate this is the manual key case. 368 /// 369 EFI_IPSEC_SA_ID SaId[1]; 370 } EFI_IPSEC_SPD_DATA; 371 372 /// 373 /// EFI_IPSEC_AH_ALGO_INFO 374 /// The security algorithm selection for IPsec AH authentication. 375 /// The required authentication algorithm is specified in RFC 4305. 376 /// 377 typedef struct _EFI_IPSEC_AH_ALGO_INFO { 378 UINT8 AuthAlgoId; 379 UINTN AuthKeyLength; 380 VOID *AuthKey; 381 } EFI_IPSEC_AH_ALGO_INFO; 382 383 /// 384 /// EFI_IPSEC_ESP_ALGO_INFO 385 /// The security algorithm selection for IPsec ESP encryption and authentication. 386 /// The required authentication algorithm is specified in RFC 4305. 387 /// EncAlgoId fields can also specify an ESP combined mode algorithm 388 /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both 389 /// confidentiality and authentication services. 390 /// 391 typedef struct _EFI_IPSEC_ESP_ALGO_INFO { 392 UINT8 EncAlgoId; 393 UINTN EncKeyLength; 394 VOID *EncKey; 395 UINT8 AuthAlgoId; 396 UINTN AuthKeyLength; 397 VOID *AuthKey; 398 } EFI_IPSEC_ESP_ALGO_INFO; 399 400 /// 401 /// EFI_IPSEC_ALGO_INFO 402 /// 403 typedef union { 404 EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo; 405 EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo; 406 } EFI_IPSEC_ALGO_INFO; 407 408 /// 409 /// EFI_IPSEC_SA_DATA 410 /// 411 typedef struct _EFI_IPSEC_SA_DATA { 412 /// 413 /// IPsec mode: tunnel or transport. 414 /// 415 EFI_IPSEC_MODE Mode; 416 /// 417 /// Sequence Number Counter. A 64-bit counter used to generate the 418 /// sequence number field in AH or ESP headers. 419 /// 420 UINT64 SNCount; 421 /// 422 /// Anti-Replay Window. A 64-bit counter and a bit-map used to 423 /// determine whether an inbound AH or ESP packet is a replay. 424 /// 425 UINT8 AntiReplayWindows; 426 /// 427 /// AH/ESP cryptographic algorithm, key and parameters. 428 /// 429 EFI_IPSEC_ALGO_INFO AlgoInfo; 430 /// 431 /// Lifetime of this SA. 432 /// 433 EFI_IPSEC_SA_LIFETIME SaLifetime; 434 /// 435 /// Any observed path MTU and aging variables. The Path MTU 436 /// processing is defined in section 8 of RFC 4301. 437 /// 438 UINT32 PathMTU; 439 /// 440 /// Link to one SPD entry. 441 /// 442 EFI_IPSEC_SPD_SELECTOR *SpdSelector; 443 /// 444 /// Indication of whether it's manually set or negotiated automatically. 445 /// If ManualSet is FALSE, the corresponding SA entry is inserted through 446 /// IKE protocol negotiation. 447 /// 448 BOOLEAN ManualSet; 449 } EFI_IPSEC_SA_DATA; 450 451 /// 452 /// EFI_IPSEC_SA_DATA2 453 /// 454 typedef struct _EFI_IPSEC_SA_DATA2 { 455 /// 456 /// IPsec mode: tunnel or transport 457 /// 458 EFI_IPSEC_MODE Mode; 459 /// 460 /// Sequence Number Counter. A 64-bit counter used to generate the sequence 461 /// number field in AH or ESP headers. 462 /// 463 UINT64 SNCount; 464 /// 465 /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine 466 /// whether an inbound AH or ESP packet is a replay. 467 /// 468 UINT8 AntiReplayWindows; 469 /// 470 /// AH/ESP cryptographic algorithm, key and parameters. 471 /// 472 EFI_IPSEC_ALGO_INFO AlgoInfo; 473 /// 474 /// Lifetime of this SA. 475 /// 476 EFI_IPSEC_SA_LIFETIME SaLifetime; 477 /// 478 /// Any observed path MTU and aging variables. The Path MTU processing is 479 /// defined in section 8 of RFC 4301. 480 /// 481 UINT32 PathMTU; 482 /// 483 /// Link to one SPD entry 484 /// 485 EFI_IPSEC_SPD_SELECTOR *SpdSelector; 486 /// 487 /// Indication of whether it's manually set or negotiated automatically. 488 /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE 489 /// protocol negotiation 490 /// 491 BOOLEAN ManualSet; 492 /// 493 /// The tunnel header IP source address. 494 /// 495 EFI_IP_ADDRESS TunnelSourceAddress; 496 /// 497 /// The tunnel header IP destination address. 498 /// 499 EFI_IP_ADDRESS TunnelDestinationAddress; 500 } EFI_IPSEC_SA_DATA2; 501 502 503 /// 504 /// EFI_IPSEC_PAD_ID 505 /// specifies the identifier for PAD entry, which is also used for SPD lookup. 506 /// IpAddress Pointer to the IPv4 or IPv6 address range. 507 /// 508 typedef struct _EFI_IPSEC_PAD_ID { 509 /// 510 /// Flag to identify which type of PAD Id is used. 511 /// 512 BOOLEAN PeerIdValid; 513 union { 514 /// 515 /// Pointer to the IPv4 or IPv6 address range. 516 /// 517 EFI_IP_ADDRESS_INFO IpAddress; 518 /// 519 /// Pointer to a null terminated ASCII string 520 /// representing the symbolic names. A PeerId can be a DNS 521 /// name, Distinguished Name, RFC 822 email address or Key ID 522 /// (specified in section 4.4.3.1 of RFC 4301) 523 /// 524 UINT8 PeerId[MAX_PEERID_LEN]; 525 } Id; 526 } EFI_IPSEC_PAD_ID; 527 528 /// 529 /// EFI_IPSEC_CONFIG_SELECTOR 530 /// describes the expected IPsec configuration data selector 531 /// of type EFI_IPSEC_CONFIG_DATA_TYPE. 532 /// 533 typedef union { 534 EFI_IPSEC_SPD_SELECTOR SpdSelector; 535 EFI_IPSEC_SA_ID SaId; 536 EFI_IPSEC_PAD_ID PadId; 537 } EFI_IPSEC_CONFIG_SELECTOR; 538 539 /// 540 /// EFI_IPSEC_AUTH_PROTOCOL_TYPE 541 /// defines the possible authentication protocol for IPsec 542 /// security association management. 543 /// 544 typedef enum { 545 EfiIPsecAuthProtocolIKEv1, 546 EfiIPsecAuthProtocolIKEv2, 547 EfiIPsecAuthProtocolMaximum 548 } EFI_IPSEC_AUTH_PROTOCOL_TYPE; 549 550 /// 551 /// EFI_IPSEC_AUTH_METHOD 552 /// 553 typedef enum { 554 /// 555 /// Using Pre-shared Keys for manual security associations. 556 /// 557 EfiIPsecAuthMethodPreSharedSecret, 558 /// 559 /// IKE employs X.509 certificates for SA establishment. 560 /// 561 EfiIPsecAuthMethodCertificates, 562 EfiIPsecAuthMethodMaximum 563 } EFI_IPSEC_AUTH_METHOD; 564 565 /// 566 /// EFI_IPSEC_PAD_DATA 567 /// 568 typedef struct _EFI_IPSEC_PAD_DATA { 569 /// 570 /// Authentication Protocol for IPsec security association management. 571 /// 572 EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol; 573 /// 574 /// Authentication method used. 575 /// 576 EFI_IPSEC_AUTH_METHOD AuthMethod; 577 /// 578 /// The IKE ID payload will be used as a symbolic name for SPD 579 /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP 580 /// address provided in traffic selector playloads will be used. 581 /// 582 BOOLEAN IkeIdFlag; 583 /// 584 /// The size of Authentication data buffer, in bytes. 585 /// 586 UINTN AuthDataSize; 587 /// 588 /// Buffer for Authentication data, (e.g., the pre-shared secret or the 589 /// trust anchor relative to which the peer's certificate will be 590 /// validated). 591 /// 592 VOID *AuthData; 593 /// 594 /// The size of RevocationData, in bytes 595 /// 596 UINTN RevocationDataSize; 597 /// 598 /// Pointer to CRL or OCSP data, if certificates are used for 599 /// authentication method. 600 /// 601 VOID *RevocationData; 602 } EFI_IPSEC_PAD_DATA; 603 604 605 /** 606 Set the security association, security policy and peer authorization configuration 607 information for the EFI IPsec driver. 608 609 This function is used to set the IPsec configuration information of type DataType for 610 the EFI IPsec driver. 611 The IPsec configuration data has a unique selector/identifier separately to identify 612 a data entry. The selector structure depends on DataType's definition. 613 Using SetData() with a Data of NULL causes the IPsec configuration data entry identified 614 by DataType and Selector to be deleted. 615 616 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 617 @param[in] DataType The type of data to be set. 618 @param[in] Selector Pointer to an entry selector on operated configuration data 619 specified by DataType. A NULL Selector causes the entire 620 specified-type configuration information to be flushed. 621 @param[in] Data The data buffer to be set. The structure of the data buffer is 622 associated with the DataType. 623 @param[in] InsertBefore Pointer to one entry selector which describes the expected 624 position the new data entry will be added. If InsertBefore is NULL, 625 the new entry will be appended the end of database. 626 627 @retval EFI_SUCCESS The specified configuration entry data is set successfully. 628 @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: 629 - This is NULL. 630 @retval EFI_UNSUPPORTED The specified DataType is not supported. 631 @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated. 632 633 **/ 634 typedef 635 EFI_STATUS 636 (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)( 637 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 638 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 639 IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 640 IN VOID *Data, 641 IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL 642 ); 643 644 /** 645 Return the configuration value for the EFI IPsec driver. 646 647 This function lookup the data entry from IPsec database or IKEv2 configuration 648 information. The expected data type and unique identification are described in 649 DataType and Selector parameters. 650 651 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 652 @param[in] DataType The type of data to retrieve. 653 @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec 654 configuration data entry. 655 @param[in, out] DataSize On output the size of data returned in Data. 656 @param[out] Data The buffer to return the contents of the IPsec configuration data. 657 The type of the data buffer is associated with the DataType. 658 659 @retval EFI_SUCCESS The specified configuration data is got successfully. 660 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 661 - This is NULL. 662 - Selector is NULL. 663 - DataSize is NULL. 664 - Data is NULL and *DataSize is not zero 665 @retval EFI_NOT_FOUND The configuration data specified by Selector is not found. 666 @retval EFI_UNSUPPORTED The specified DataType is not supported. 667 @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been 668 updated with the size needed to complete the request. 669 670 **/ 671 typedef 672 EFI_STATUS 673 (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)( 674 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 675 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 676 IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 677 IN OUT UINTN *DataSize, 678 OUT VOID *Data 679 ); 680 681 /** 682 Enumerates the current selector for IPsec configuration data entry. 683 684 This function is called multiple times to retrieve the entry Selector in IPsec 685 configuration database. On each call to GetNextSelector(), the next entry 686 Selector are retrieved into the output interface. 687 688 If the entire IPsec configuration database has been iterated, the error 689 EFI_NOT_FOUND is returned. 690 If the Selector buffer is too small for the next Selector copy, an 691 EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect 692 the size of buffer needed. 693 694 On the initial call to GetNextSelector() to start the IPsec configuration database 695 search, a pointer to the buffer with all zero value is passed in Selector. Calls 696 to SetData() between calls to GetNextSelector may produce unpredictable results. 697 698 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 699 @param[in] DataType The type of IPsec configuration data to retrieve. 700 @param[in, out] SelectorSize The size of the Selector buffer. 701 @param[in, out] Selector On input, supplies the pointer to last Selector that was 702 returned by GetNextSelector(). 703 On output, returns one copy of the current entry Selector 704 of a given DataType. 705 706 @retval EFI_SUCCESS The specified configuration data is got successfully. 707 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 708 - This is NULL. 709 - SelectorSize is NULL. 710 - Selector is NULL. 711 @retval EFI_NOT_FOUND The next configuration data entry was not found. 712 @retval EFI_UNSUPPORTED The specified DataType is not supported. 713 @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter 714 has been updated with the size needed to complete the search 715 request. 716 717 **/ 718 typedef 719 EFI_STATUS 720 (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)( 721 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 722 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 723 IN OUT UINTN *SelectorSize, 724 IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector 725 ); 726 727 /** 728 Register an event that is to be signaled whenever a configuration process on the 729 specified IPsec configuration information is done. 730 731 This function registers an event that is to be signaled whenever a configuration 732 process on the specified IPsec configuration data is done (e.g. IPsec security 733 policy database configuration is ready). An event can be registered for different 734 DataType simultaneously and the caller is responsible for determining which type 735 of configuration data causes the signaling of the event in such case. 736 737 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 738 @param[in] DataType The type of data to be registered the event for. 739 @param[in] Event The event to be registered. 740 741 @retval EFI_SUCCESS The event is registered successfully. 742 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 743 @retval EFI_ACCESS_DENIED The Event is already registered for the DataType. 744 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 745 DataType is not supported. 746 747 **/ 748 typedef 749 EFI_STATUS 750 (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)( 751 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 752 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 753 IN EFI_EVENT Event 754 ); 755 756 /** 757 Remove the specified event that is previously registered on the specified IPsec 758 configuration data. 759 760 This function removes a previously registered event for the specified configuration data. 761 762 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 763 @param[in] DataType The configuration data type to remove the registered event for. 764 @param[in] Event The event to be unregistered. 765 766 @retval EFI_SUCCESS The event is removed successfully. 767 @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the 768 database. 769 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 770 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 771 DataType is not supported. 772 773 **/ 774 typedef 775 EFI_STATUS 776 (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)( 777 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 778 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 779 IN EFI_EVENT Event 780 ); 781 782 /// 783 /// EFI_IPSEC_CONFIG_PROTOCOL 784 /// provides the ability to set and lookup the IPsec SAD (Security Association Database), 785 /// SPD (Security Policy Database) data entry and configure the security association 786 /// management protocol such as IKEv2. This protocol is used as the central 787 /// repository of any policy-specific configuration for EFI IPsec driver. 788 /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this 789 /// protocol for IPsec configuration in both IPv4 and IPv6 environment. 790 /// 791 struct _EFI_IPSEC_CONFIG_PROTOCOL { 792 EFI_IPSEC_CONFIG_SET_DATA SetData; 793 EFI_IPSEC_CONFIG_GET_DATA GetData; 794 EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector; 795 EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify; 796 EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify; 797 }; 798 799 extern EFI_GUID gEfiIpSecConfigProtocolGuid; 800 801 #endif 802