/** @file
  EFI IPsec Configuration Protocol Definition
  The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and
  policy related information for the EFI IPsec protocol driver.

  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent

  @par Revision Reference:
  This Protocol is introduced in UEFI Specification 2.2

  The base types used below (UINT8/UINT16/UINT32/UINT64, UINTN, BOOLEAN, VOID,
  EFI_STATUS, EFI_IP_ADDRESS, EFIAPI, IN/OUT/OPTIONAL) are not defined here;
  they are expected to be in scope from the UEFI base headers.

**/

// NOTE(review): the guard macro keeps the upstream spelling ("IPSE_CCONFIG");
// it must stay identical to the name used on the closing #endif.
#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__
#define __EFI_IPSE_CCONFIG_PROTOCOL_H__

///
/// GUID identifying the EFI_IPSEC_CONFIG_PROTOCOL.
///
#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \
  { \
    0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
  }

///
/// Forward declaration so the function-pointer typedefs below can take a
/// pointer to the protocol instance before its full definition.
///
typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;

///
/// EFI_IPSEC_CONFIG_DATA_TYPE
/// Selects which IPsec database a SetData()/GetData() call operates on, and
/// therefore which EFI_IPSEC_CONFIG_SELECTOR member and which Data structure
/// the call expects.
///
typedef enum {
  ///
  /// The IPsec Security Policy Database (aka SPD) setting. In IPsec,
  /// an essential element of Security Association (SA) processing is
  /// the underlying SPD that specifies what services are to be offered to
  /// IP datagrams and in what fashion. The SPD must be consulted
  /// during the processing of all traffic (inbound and outbound),
  /// including traffic not protected by IPsec, that traverses the IPsec
  /// boundary. With this DataType, the SetData() function sets
  /// the SPD entry information, which may add one new entry, delete
  /// an existing entry or flush the whole database according to the
  /// parameter values. The corresponding Data is of type
  /// EFI_IPSEC_SPD_DATA (selector: EFI_IPSEC_CONFIG_SELECTOR.SpdSelector).
  ///
  IPsecConfigDataTypeSpd,
  ///
  /// The IPsec Security Association Database (aka SAD) setting. An
  /// SA is a simplex connection that affords security services to the
  /// traffic carried by it. Security services are afforded to an SA by the
  /// use of AH, or ESP, but not both. The corresponding Data is of
  /// type EFI_IPSEC_SAD_DATA (selector: EFI_IPSEC_CONFIG_SELECTOR.SaId).
  ///
  IPsecConfigDataTypeSad,
  ///
  /// The IPsec Peer Authorization Database (aka PAD) setting, which
  /// provides the link between the SPD and a security association
  /// management protocol. The PAD entry specifies the
  /// authentication protocol (e.g. IKEv1, IKEv2) method used and the
  /// authentication data. The corresponding Data is of type
  /// EFI_IPSEC_PAD_DATA (selector: EFI_IPSEC_CONFIG_SELECTOR.PadId).
  ///
  IPsecConfigDataTypePad,
  ///
  /// Sentinel marking the end of the valid range. Presumably not a valid
  /// DataType for SetData()/GetData() (they report EFI_UNSUPPORTED for
  /// unknown types) -- confirm against the UEFI specification.
  ///
  IPsecConfigDataTypeMaximum
} EFI_IPSEC_CONFIG_DATA_TYPE;

///
/// EFI_IP_ADDRESS_INFO
/// An IPv4 or IPv6 address together with a prefix length, i.e. an address range.
///
typedef struct _EFI_IP_ADDRESS_INFO {
  EFI_IP_ADDRESS    Address;         ///< The IPv4 or IPv6 address
  ///
  /// The length of the prefix associated with the Address.
  /// NOTE(review): a UINT8 can hold values larger than any valid prefix
  /// (32 bits for IPv4, 128 for IPv6); consumers should range-check it
  /// against the address family before building a mask.
  ///
  UINT8             PrefixLength;
} EFI_IP_ADDRESS_INFO;

///
/// EFI_IPSEC_SPD_SELECTOR
/// The traffic selector of an SPD entry: which addresses, next-layer protocol
/// and ports a policy applies to. Also used as the selector when an SPD entry
/// is set, retrieved or deleted through this protocol.
///
typedef struct _EFI_IPSEC_SPD_SELECTOR {
  ///
  /// Specifies the actual number of entries in LocalAddress.
  ///
  UINT32                 LocalAddressCount;
  ///
  /// A list of ranges of IPv4 or IPv6 addresses, which refers to the
  /// addresses being protected by IPsec policy. Must point to at least
  /// LocalAddressCount entries.
  ///
  EFI_IP_ADDRESS_INFO    *LocalAddress;
  ///
  /// Specifies the actual number of entries in RemoteAddress.
  ///
  UINT32                 RemoteAddressCount;
  ///
  /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities
  /// to LocalAddress. Must point to at least RemoteAddressCount entries.
  ///
  EFI_IP_ADDRESS_INFO    *RemoteAddress;
  ///
  /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6
  /// Next Header fields. The next layer protocol is whatever comes
  /// after any IP extension headers that are present. A zero value is a
  /// wildcard that matches any value in the NextLayerProtocol field.
  /// NOTE(review): the field is wider than the 8-bit protocol number it
  /// carries; values above 255 cannot correspond to a real header value.
  ///
  UINT16                 NextLayerProtocol;
  ///
  /// Local Port if the Next Layer Protocol uses two ports (as do TCP,
  /// UDP, and others). A zero value is a wildcard that matches any
  /// value in the LocalPort field.
  ///
  UINT16                 LocalPort;
  ///
  /// A designated port range size. The start port is LocalPort, and
  /// the total number of ports is described by LocalPortRange.
  /// This field is ignored if NextLayerProtocol does not use
  /// ports.
  /// NOTE(review): LocalPort + LocalPortRange can exceed the 16-bit port
  /// space; consumers should reject or clamp such ranges.
  ///
  UINT16                 LocalPortRange;
  ///
  /// Remote Port if the Next Layer Protocol uses two ports. A zero
  /// value is a wildcard that matches any value in the RemotePort field.
  ///
  UINT16                 RemotePort;
  ///
  /// A designated port range size. The start port is RemotePort, and
  /// the total number of ports is described by RemotePortRange.
  /// This field is ignored if NextLayerProtocol does not use ports.
  /// The same overflow caveat as LocalPortRange applies.
  ///
  UINT16                 RemotePortRange;
} EFI_IPSEC_SPD_SELECTOR;

///
/// EFI_IPSEC_TRAFFIC_DIR
/// represents the directionality in an SPD entry.
///
typedef enum {
  ///
  /// EfiIPsecInBound refers to traffic entering an IPsec implementation via
  /// the unprotected interface or emitted by the implementation on the unprotected
  /// side of the boundary and directed towards the protected interface.
  ///
  EfiIPsecInBound,
  ///
  /// EfiIPsecOutBound refers to traffic entering the implementation via
  /// the protected interface, or emitted by the implementation on the protected side
  /// of the boundary and directed toward the unprotected interface.
  ///
  EfiIPsecOutBound
} EFI_IPSEC_TRAFFIC_DIR;

///
/// EFI_IPSEC_ACTION
/// represents the three possible processing choices for traffic matched by an SPD entry.
///
typedef enum {
  ///
  /// Refers to traffic that is not allowed to traverse the IPsec boundary.
  ///
  EfiIPsecActionDiscard,
  ///
  /// Refers to traffic that is allowed to cross the IPsec boundary
  /// without protection.
  ///
  EfiIPsecActionBypass,
  ///
  /// Refers to traffic that is afforded IPsec protection, and for such
  /// traffic the SPD must specify the security protocols to be
  /// employed, their mode, security service options, and the
  /// cryptographic algorithms to be used (see EFI_IPSEC_PROCESS_POLICY).
  ///
  EfiIPsecActionProtect
} EFI_IPSEC_ACTION;

///
/// EFI_IPSEC_SA_LIFETIME
/// defines the lifetime of an SA, which represents when an SA must be
/// replaced or terminated. A value of all 0 for each field removes
/// the limitation of an SA lifetime, i.e. such an SA is never rekeyed
/// or torn down on a byte-count or time basis.
///
typedef struct _EFI_IPSEC_SA_LIFETIME {
  ///
  /// The number of bytes to which the IPsec cryptographic algorithm
  /// can be applied. For ESP, this is the encryption algorithm and for
  /// AH, this is the authentication algorithm. The ByteCount
  /// includes pad bytes for cryptographic operations.
  ///
  UINT64    ByteCount;
  ///
  /// A time interval in seconds that warns the implementation to
  /// initiate action such as setting up a replacement SA.
  ///
  UINT64    SoftLifetime;
  ///
  /// A time interval in seconds after which the current SA ends and is
  /// destroyed. Presumably expected to be >= SoftLifetime so the
  /// replacement can be negotiated first -- not enforced by this header.
  ///
  UINT64    HardLifetime;
} EFI_IPSEC_SA_LIFETIME;

///
/// EFI_IPSEC_MODE
/// There are two modes of IPsec operation: transport mode and tunnel mode. In
/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;
/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.
///
typedef enum {
  EfiIPsecTransport,  ///< Transport mode: protects the payload after the IP header.
  EfiIPsecTunnel      ///< Tunnel mode: the whole inner IP packet is encapsulated.
} EFI_IPSEC_MODE;

///
/// EFI_IPSEC_TUNNEL_DF_OPTION
/// The option of copying the DF bit from an outbound packet to
/// the tunnel mode header that it emits, when traffic is carried
/// via a tunnel mode SA. This applies to SAs where both inner and
/// outer headers are IPv4.
///
typedef enum {
  EfiIPsecTunnelClearDf,  ///< Clear the DF bit in the emitted tunnel header.
  EfiIPsecTunnelSetDf,    ///< Set the DF bit in the emitted tunnel header.
  EfiIPsecTunnelCopyDf    ///< Copy the DF bit from the inner header into the tunnel header.
} EFI_IPSEC_TUNNEL_DF_OPTION;

///
/// EFI_IPSEC_TUNNEL_OPTION
/// Tunnel-mode parameters referenced from EFI_IPSEC_PROCESS_POLICY.
///
typedef struct _EFI_IPSEC_TUNNEL_OPTION {
  ///
  /// Local tunnel address when IPsec mode is EfiIPsecTunnel.
  ///
  EFI_IP_ADDRESS                LocalTunnelAddress;
  ///
  /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.
  ///
  EFI_IP_ADDRESS                RemoteTunnelAddress;
  ///
  /// The option of copying the DF bit from an outbound packet
  /// to the tunnel mode header that it emits, when traffic is
  /// carried via a tunnel mode SA.
  ///
  EFI_IPSEC_TUNNEL_DF_OPTION    DF;
} EFI_IPSEC_TUNNEL_OPTION;

///
/// EFI_IPSEC_PROTOCOL_TYPE
/// Which of the two IPsec security protocols an SA uses (never both, see
/// EFI_IPSEC_CONFIG_DATA_TYPE).
///
typedef enum {
  EfiIPsecAH,   ///< IP Authentication Header protocol which is specified in RFC 4302.
  EfiIPsecESP   ///< IP Encapsulating Security Payload which is specified in RFC 4303.
} EFI_IPSEC_PROTOCOL_TYPE;

///
/// EFI_IPSEC_PROCESS_POLICY
/// describes the protection parameters applied to traffic whose SPD entry
/// has Action == EfiIPsecActionProtect.
///
typedef struct _EFI_IPSEC_PROCESS_POLICY {
  ///
  /// Extended Sequence Number. Is this SA using extended sequence
  /// numbers. A 64-bit counter is used if TRUE.
  ///
  BOOLEAN                    ExtSeqNum;
  ///
  /// A flag indicating whether overflow of the sequence number
  /// counter should generate an auditable event and prevent
  /// transmission of additional packets on the SA, or whether rollover
  /// is permitted. Permitting rollover reuses sequence numbers and
  /// weakens anti-replay protection on the receiving side.
  ///
  BOOLEAN                    SeqOverflow;
  ///
  /// Is this SA using stateful fragment checking. TRUE represents
  /// stateful fragment checking.
  ///
  BOOLEAN                    FragCheck;
  ///
  /// A time interval after which an SA must be replaced with a new SA
  /// (and new SPI) or terminated. See EFI_IPSEC_SA_LIFETIME.
  ///
  EFI_IPSEC_SA_LIFETIME      SaLifetime;
  ///
  /// IPsec mode: tunnel or transport.
  ///
  EFI_IPSEC_MODE             Mode;
  ///
  /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.
  /// Whether it may be NULL when Mode is EfiIPsecTunnel is not stated here.
  ///
  EFI_IPSEC_TUNNEL_OPTION    *TunnelOption;
  ///
  /// IPsec protocol: AH or ESP
  ///
  EFI_IPSEC_PROTOCOL_TYPE    Proto;
  ///
  /// Cryptographic algorithm type used for authentication. The identifier
  /// values are not defined in this header.
  ///
  UINT8                      AuthAlgoId;
  ///
  /// Cryptographic algorithm type used for encryption. EncAlgoId is
  /// not used when the IPsec protocol is AH (the field is a UINT8, so it
  /// is presumably left zero/ignored rather than "NULL" -- confirm).
  /// For the ESP protocol, EncAlgoId can also be used to describe the
  /// algorithm if a combined mode algorithm is used.
  ///
  UINT8                      EncAlgoId;
} EFI_IPSEC_PROCESS_POLICY;

///
/// EFI_IPSEC_SA_ID
/// A triplet to identify an SA, consisting of the following members.
/// Also used as the selector for IPsecConfigDataTypeSad operations.
///
typedef struct _EFI_IPSEC_SA_ID {
  ///
  /// Security Parameter Index (aka SPI). An arbitrary 32-bit value
  /// that is used by a receiver to identify the SA to which an incoming
  /// packet should be bound.
  ///
  UINT32                     Spi;
  ///
  /// IPsec protocol: AH or ESP
  ///
  EFI_IPSEC_PROTOCOL_TYPE    Proto;
  ///
  /// Destination IP address.
  ///
  EFI_IP_ADDRESS             DestAddress;
} EFI_IPSEC_SA_ID;

///
/// Size in bytes of the fixed Name / PeerId buffers below, terminator included.
///
#define MAX_PEERID_LEN  128

///
/// EFI_IPSEC_SPD_DATA
/// The Data structure for IPsecConfigDataTypeSpd. Note that this structure
/// is variable-length: see SaIdCount / SaId.
///
typedef struct _EFI_IPSEC_SPD_DATA {
  ///
  /// A null-terminated ASCII name string which is used as a symbolic
  /// identifier for an IPsec Local or Remote address. The terminator
  /// must fit within MAX_PEERID_LEN bytes; readers should bound any
  /// string operation on this field to MAX_PEERID_LEN.
  ///
  UINT8                       Name[MAX_PEERID_LEN];
  ///
  /// Bit-mapped list describing Populate from Packet flags. When
  /// creating an SA, if a PackageFlag bit is set to TRUE, instantiate
  /// the selector from the corresponding field in the packet that
  /// triggered the creation of the SA, else from the value(s) in the
  /// corresponding SPD entry. The PackageFlag bit setting for the
  /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:
  ///     Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress
  ///     Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress
  ///     Bit 2: EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol
  ///     Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort
  ///     Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort
  ///     Others: Reserved.
  ///
  UINT32                      PackageFlag;
  ///
  /// The traffic direction of the datagram.
  ///
  EFI_IPSEC_TRAFFIC_DIR       TrafficDirection;
  ///
  /// Processing choices to indicate which action is required by this
  /// policy.
  ///
  EFI_IPSEC_ACTION            Action;
  ///
  /// The policy and rule information for an SPD entry. Presumably only
  /// meaningful when Action is EfiIPsecActionProtect -- confirm.
  ///
  EFI_IPSEC_PROCESS_POLICY    *ProcessingPolicy;
  ///
  /// Specifies the actual number of entries in the SaId list.
  ///
  UINTN                       SaIdCount;
  ///
  /// The SAD entries used for the traffic processing. Existing SAD
  /// entry links indicate this is the manual key case.
  /// NOTE(review): declared with one element but used as a list of
  /// SaIdCount entries; an instance carrying more than one SA ID must be
  /// allocated with room for SaIdCount elements, and readers must not
  /// index past SaIdCount.
  ///
  EFI_IPSEC_SA_ID             SaId[1];
} EFI_IPSEC_SPD_DATA;

///
/// EFI_IPSEC_AH_ALGO_INFO
/// The security algorithm selection for IPsec AH authentication.
/// The required authentication algorithm is specified in RFC 4305.
///
typedef struct _EFI_IPSEC_AH_ALGO_INFO {
  UINT8    AuthAlgoId;      ///< Authentication algorithm identifier (values not defined here).
  UINTN    AuthKeyLength;   ///< Length of the buffer at AuthKey; presumably in bytes -- confirm.
  VOID     *AuthKey;        ///< Authentication key material. Buffer ownership is not stated here.
} EFI_IPSEC_AH_ALGO_INFO;

///
/// EFI_IPSEC_ESP_ALGO_INFO
/// The security algorithm selection for IPsec ESP encryption and authentication.
/// The required authentication algorithm is specified in RFC 4305.
/// EncAlgoId fields can also specify an ESP combined mode algorithm
/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both
/// confidentiality and authentication services.
///
typedef struct _EFI_IPSEC_ESP_ALGO_INFO {
  UINT8    EncAlgoId;       ///< Encryption (or combined-mode) algorithm identifier.
  UINTN    EncKeyLength;    ///< Length of the buffer at EncKey; presumably in bytes -- confirm.
  VOID     *EncKey;         ///< Encryption key material. Buffer ownership is not stated here.
  UINT8    AuthAlgoId;      ///< Authentication algorithm identifier.
  UINTN    AuthKeyLength;   ///< Length of the buffer at AuthKey; presumably in bytes -- confirm.
  VOID     *AuthKey;        ///< Authentication key material. Buffer ownership is not stated here.
} EFI_IPSEC_ESP_ALGO_INFO;

///
/// EFI_IPSEC_ALGO_INFO
/// Algorithm and key parameters of an SA. Which member is valid follows
/// the SA's protocol (AH -> AhAlgoInfo, ESP -> EspAlgoInfo); the union
/// carries no discriminator of its own.
///
typedef union {
  EFI_IPSEC_AH_ALGO_INFO     AhAlgoInfo;
  EFI_IPSEC_ESP_ALGO_INFO    EspAlgoInfo;
} EFI_IPSEC_ALGO_INFO;

///
/// EFI_IPSEC_SA_DATA
/// The Data structure for an SAD entry (see also EFI_IPSEC_SA_DATA2, which
/// adds the tunnel header addresses).
///
typedef struct _EFI_IPSEC_SA_DATA {
  ///
  /// IPsec mode: tunnel or transport.
  ///
  EFI_IPSEC_MODE            Mode;
  ///
  /// Sequence Number Counter. A 64-bit counter used to generate the
  /// sequence number field in AH or ESP headers.
  ///
  UINT64                    SNCount;
  ///
  /// Anti-Replay Window. A 64-bit counter and a bit-map used to
  /// determine whether an inbound AH or ESP packet is a replay.
  /// NOTE(review): the field is a UINT8, so it cannot hold the counter
  /// and bit-map described above; presumably it carries the window
  /// size -- confirm against the UEFI specification.
  ///
  UINT8                     AntiReplayWindows;
  ///
  /// AH/ESP cryptographic algorithm, key and parameters.
  ///
  EFI_IPSEC_ALGO_INFO       AlgoInfo;
  ///
  /// Lifetime of this SA.
  ///
  EFI_IPSEC_SA_LIFETIME     SaLifetime;
  ///
  /// Any observed path MTU and aging variables. The Path MTU
  /// processing is defined in section 8 of RFC 4301.
  ///
  UINT32                    PathMTU;
  ///
  /// Link to one SPD entry.
  ///
  EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
  ///
  /// Indication of whether it's manually set or negotiated automatically.
  /// If ManualSet is FALSE, the corresponding SA entry is inserted through
  /// IKE protocol negotiation.
  ///
  BOOLEAN                   ManualSet;
} EFI_IPSEC_SA_DATA;

///
/// EFI_IPSEC_SA_DATA2
/// Same layout as EFI_IPSEC_SA_DATA with the tunnel header source and
/// destination addresses appended.
///
typedef struct _EFI_IPSEC_SA_DATA2 {
  ///
  /// IPsec mode: tunnel or transport
  ///
  EFI_IPSEC_MODE            Mode;
  ///
  /// Sequence Number Counter. A 64-bit counter used to generate the sequence
  /// number field in AH or ESP headers.
  ///
  UINT64                    SNCount;
  ///
  /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
  /// whether an inbound AH or ESP packet is a replay.
  /// NOTE(review): same UINT8 width caveat as EFI_IPSEC_SA_DATA.AntiReplayWindows.
  ///
  UINT8                     AntiReplayWindows;
  ///
  /// AH/ESP cryptographic algorithm, key and parameters.
  ///
  EFI_IPSEC_ALGO_INFO       AlgoInfo;
  ///
  /// Lifetime of this SA.
  ///
  EFI_IPSEC_SA_LIFETIME     SaLifetime;
  ///
  /// Any observed path MTU and aging variables. The Path MTU processing is
  /// defined in section 8 of RFC 4301.
  ///
  UINT32                    PathMTU;
  ///
  /// Link to one SPD entry
  ///
  EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
  ///
  /// Indication of whether it's manually set or negotiated automatically.
  /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
  /// protocol negotiation
  ///
  BOOLEAN                   ManualSet;
  ///
  /// The tunnel header IP source address.
  ///
  EFI_IP_ADDRESS            TunnelSourceAddress;
  ///
  /// The tunnel header IP destination address.
  ///
  EFI_IP_ADDRESS            TunnelDestinationAddress;
} EFI_IPSEC_SA_DATA2;

///
/// EFI_IPSEC_PAD_ID
/// specifies the identifier for a PAD entry, which is also used for SPD lookup.
/// Exactly one of Id.IpAddress or Id.PeerId is meaningful, chosen by PeerIdValid.
///
typedef struct _EFI_IPSEC_PAD_ID {
  ///
  /// Flag to identify which type of PAD Id is used: presumably TRUE selects
  /// Id.PeerId and FALSE selects Id.IpAddress -- confirm.
  ///
  BOOLEAN    PeerIdValid;
  union {
    ///
    /// The IPv4 or IPv6 address range (held by value, not by pointer).
    ///
    EFI_IP_ADDRESS_INFO    IpAddress;
    ///
    /// A null-terminated ASCII string (held in-line, not by pointer)
    /// representing the symbolic name. A PeerId can be a DNS
    /// name, Distinguished Name, RFC 822 email address or Key ID
    /// (specified in section 4.4.3.1 of RFC 4301). The terminator must
    /// fit within MAX_PEERID_LEN bytes; bound string operations accordingly.
    ///
    UINT8                  PeerId[MAX_PEERID_LEN];
  } Id;
} EFI_IPSEC_PAD_ID;

///
/// EFI_IPSEC_CONFIG_SELECTOR
/// describes the expected IPsec configuration data selector
/// of type EFI_IPSEC_CONFIG_DATA_TYPE. The DataType passed to
/// SetData()/GetData() determines which member is read.
///
typedef union {
  EFI_IPSEC_SPD_SELECTOR    SpdSelector;   ///< For IPsecConfigDataTypeSpd.
  EFI_IPSEC_SA_ID           SaId;          ///< For IPsecConfigDataTypeSad.
  EFI_IPSEC_PAD_ID          PadId;         ///< For IPsecConfigDataTypePad.
} EFI_IPSEC_CONFIG_SELECTOR;

///
/// EFI_IPSEC_AUTH_PROTOCOL_TYPE
/// defines the possible authentication protocols for IPsec
/// security association management.
///
typedef enum {
  EfiIPsecAuthProtocolIKEv1,
  EfiIPsecAuthProtocolIKEv2,
  EfiIPsecAuthProtocolMaximum   ///< Sentinel; not a valid protocol value.
} EFI_IPSEC_AUTH_PROTOCOL_TYPE;

///
/// EFI_IPSEC_AUTH_METHOD
/// How the peer is authenticated; determines what EFI_IPSEC_PAD_DATA.AuthData holds.
///
typedef enum {
  ///
  /// Using Pre-shared Keys for manual security associations.
  ///
  EfiIPsecAuthMethodPreSharedSecret,
  ///
  /// IKE employs X.509 certificates for SA establishment.
  ///
  EfiIPsecAuthMethodCertificates,
  EfiIPsecAuthMethodMaximum     ///< Sentinel; not a valid method value.
} EFI_IPSEC_AUTH_METHOD;

///
/// EFI_IPSEC_PAD_DATA
/// The Data structure for IPsecConfigDataTypePad.
///
typedef struct _EFI_IPSEC_PAD_DATA {
  ///
  /// Authentication Protocol for IPsec security association management.
  ///
  EFI_IPSEC_AUTH_PROTOCOL_TYPE    AuthProtocol;
  ///
  /// Authentication method used.
  ///
  EFI_IPSEC_AUTH_METHOD           AuthMethod;
  ///
  /// The IKE ID payload will be used as a symbolic name for SPD
  /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP
  /// address provided in traffic selector payloads will be used.
  ///
  BOOLEAN                         IkeIdFlag;
  ///
  /// The size of the Authentication data buffer, in bytes.
  ///
  UINTN                           AuthDataSize;
  ///
  /// Buffer for Authentication data, (e.g., the pre-shared secret or the
  /// trust anchor relative to which the peer's certificate will be
  /// validated). With EfiIPsecAuthMethodPreSharedSecret this is secret
  /// key material; implementations should avoid logging it and clear
  /// their copies when the entry is removed. Buffer ownership is not
  /// stated here.
  ///
  VOID                            *AuthData;
  ///
  /// The size of RevocationData, in bytes
  ///
  UINTN                           RevocationDataSize;
  ///
  /// Pointer to CRL or OCSP data, if certificates are used for the
  /// authentication method. Presumably unused (may be NULL with
  /// RevocationDataSize == 0) for the pre-shared-secret method -- confirm.
  ///
  VOID                            *RevocationData;
} EFI_IPSEC_PAD_DATA;

/**
  Set the security association, security policy and peer authorization configuration
  information for the EFI IPsec driver.

  This function is used to set the IPsec configuration information of type DataType for
  the EFI IPsec driver.
  The IPsec configuration data has a unique selector/identifier separately to identify
  a data entry. The selector structure depends on DataType's definition.
  Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
  by DataType and Selector to be deleted.

  No size accompanies Data. The extent of the buffer must be derived from the
  DataType-specific structure itself (e.g. SaIdCount for EFI_IPSEC_SPD_DATA,
  AuthDataSize / RevocationDataSize for EFI_IPSEC_PAD_DATA), so an implementation
  must validate those embedded counts before walking the buffer.

  @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in] DataType           The type of data to be set.
  @param[in] Selector           Pointer to an entry selector on operated configuration data
                                specified by DataType. A NULL Selector causes the entire
                                specified-type configuration information to be flushed.
  @param[in] Data               The data buffer to be set. The structure of the data buffer is
                                associated with the DataType.
  @param[in] InsertBefore       Pointer to one entry selector which describes the expected
                                position the new data entry will be added. If InsertBefore is NULL,
                                the new entry will be appended to the end of the database.

  @retval EFI_SUCCESS           The specified configuration entry data is set successfully.
  @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
                                - This is NULL.
  @retval EFI_UNSUPPORTED       The specified DataType is not supported.
  @retval EFI_OUT_OF_RESOURCES  The required system resource could not be allocated.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(
  IN EFI_IPSEC_CONFIG_PROTOCOL     *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE    DataType,
  IN EFI_IPSEC_CONFIG_SELECTOR     *Selector,
  IN VOID                          *Data,
  IN EFI_IPSEC_CONFIG_SELECTOR     *InsertBefore OPTIONAL
  );

/**
  Return the configuration value for the EFI IPsec driver.
641*f334afcfSToomas Soome 642*f334afcfSToomas Soome This function lookup the data entry from IPsec database or IKEv2 configuration 643*f334afcfSToomas Soome information. The expected data type and unique identification are described in 644*f334afcfSToomas Soome DataType and Selector parameters. 645*f334afcfSToomas Soome 646*f334afcfSToomas Soome @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 647*f334afcfSToomas Soome @param[in] DataType The type of data to retrieve. 648*f334afcfSToomas Soome @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec 649*f334afcfSToomas Soome configuration data entry. 650*f334afcfSToomas Soome @param[in, out] DataSize On output the size of data returned in Data. 651*f334afcfSToomas Soome @param[out] Data The buffer to return the contents of the IPsec configuration data. 652*f334afcfSToomas Soome The type of the data buffer is associated with the DataType. 653*f334afcfSToomas Soome 654*f334afcfSToomas Soome @retval EFI_SUCCESS The specified configuration data is got successfully. 655*f334afcfSToomas Soome @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 656*f334afcfSToomas Soome - This is NULL. 657*f334afcfSToomas Soome - Selector is NULL. 658*f334afcfSToomas Soome - DataSize is NULL. 659*f334afcfSToomas Soome - Data is NULL and *DataSize is not zero 660*f334afcfSToomas Soome @retval EFI_NOT_FOUND The configuration data specified by Selector is not found. 661*f334afcfSToomas Soome @retval EFI_UNSUPPORTED The specified DataType is not supported. 662*f334afcfSToomas Soome @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been 663*f334afcfSToomas Soome updated with the size needed to complete the request. 
664*f334afcfSToomas Soome 665*f334afcfSToomas Soome **/ 666*f334afcfSToomas Soome typedef 667*f334afcfSToomas Soome EFI_STATUS 668*f334afcfSToomas Soome (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)( 669*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_PROTOCOL *This, 670*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 671*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 672*f334afcfSToomas Soome IN OUT UINTN *DataSize, 673*f334afcfSToomas Soome OUT VOID *Data 674*f334afcfSToomas Soome ); 675*f334afcfSToomas Soome 676*f334afcfSToomas Soome /** 677*f334afcfSToomas Soome Enumerates the current selector for IPsec configuration data entry. 678*f334afcfSToomas Soome 679*f334afcfSToomas Soome This function is called multiple times to retrieve the entry Selector in IPsec 680*f334afcfSToomas Soome configuration database. On each call to GetNextSelector(), the next entry 681*f334afcfSToomas Soome Selector are retrieved into the output interface. 682*f334afcfSToomas Soome 683*f334afcfSToomas Soome If the entire IPsec configuration database has been iterated, the error 684*f334afcfSToomas Soome EFI_NOT_FOUND is returned. 685*f334afcfSToomas Soome If the Selector buffer is too small for the next Selector copy, an 686*f334afcfSToomas Soome EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect 687*f334afcfSToomas Soome the size of buffer needed. 688*f334afcfSToomas Soome 689*f334afcfSToomas Soome On the initial call to GetNextSelector() to start the IPsec configuration database 690*f334afcfSToomas Soome search, a pointer to the buffer with all zero value is passed in Selector. Calls 691*f334afcfSToomas Soome to SetData() between calls to GetNextSelector may produce unpredictable results. 692*f334afcfSToomas Soome 693*f334afcfSToomas Soome @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 694*f334afcfSToomas Soome @param[in] DataType The type of IPsec configuration data to retrieve. 
695*f334afcfSToomas Soome @param[in, out] SelectorSize The size of the Selector buffer. 696*f334afcfSToomas Soome @param[in, out] Selector On input, supplies the pointer to last Selector that was 697*f334afcfSToomas Soome returned by GetNextSelector(). 698*f334afcfSToomas Soome On output, returns one copy of the current entry Selector 699*f334afcfSToomas Soome of a given DataType. 700*f334afcfSToomas Soome 701*f334afcfSToomas Soome @retval EFI_SUCCESS The specified configuration data is got successfully. 702*f334afcfSToomas Soome @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 703*f334afcfSToomas Soome - This is NULL. 704*f334afcfSToomas Soome - SelectorSize is NULL. 705*f334afcfSToomas Soome - Selector is NULL. 706*f334afcfSToomas Soome @retval EFI_NOT_FOUND The next configuration data entry was not found. 707*f334afcfSToomas Soome @retval EFI_UNSUPPORTED The specified DataType is not supported. 708*f334afcfSToomas Soome @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter 709*f334afcfSToomas Soome has been updated with the size needed to complete the search 710*f334afcfSToomas Soome request. 711*f334afcfSToomas Soome 712*f334afcfSToomas Soome **/ 713*f334afcfSToomas Soome typedef 714*f334afcfSToomas Soome EFI_STATUS 715*f334afcfSToomas Soome (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)( 716*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_PROTOCOL *This, 717*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 718*f334afcfSToomas Soome IN OUT UINTN *SelectorSize, 719*f334afcfSToomas Soome IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector 720*f334afcfSToomas Soome ); 721*f334afcfSToomas Soome 722*f334afcfSToomas Soome /** 723*f334afcfSToomas Soome Register an event that is to be signaled whenever a configuration process on the 724*f334afcfSToomas Soome specified IPsec configuration information is done. 
725*f334afcfSToomas Soome 726*f334afcfSToomas Soome This function registers an event that is to be signaled whenever a configuration 727*f334afcfSToomas Soome process on the specified IPsec configuration data is done (e.g. IPsec security 728*f334afcfSToomas Soome policy database configuration is ready). An event can be registered for different 729*f334afcfSToomas Soome DataType simultaneously and the caller is responsible for determining which type 730*f334afcfSToomas Soome of configuration data causes the signaling of the event in such case. 731*f334afcfSToomas Soome 732*f334afcfSToomas Soome @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 733*f334afcfSToomas Soome @param[in] DataType The type of data to be registered the event for. 734*f334afcfSToomas Soome @param[in] Event The event to be registered. 735*f334afcfSToomas Soome 736*f334afcfSToomas Soome @retval EFI_SUCCESS The event is registered successfully. 737*f334afcfSToomas Soome @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 738*f334afcfSToomas Soome @retval EFI_ACCESS_DENIED The Event is already registered for the DataType. 739*f334afcfSToomas Soome @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 740*f334afcfSToomas Soome DataType is not supported. 741*f334afcfSToomas Soome 742*f334afcfSToomas Soome **/ 743*f334afcfSToomas Soome typedef 744*f334afcfSToomas Soome EFI_STATUS 745*f334afcfSToomas Soome (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)( 746*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_PROTOCOL *This, 747*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 748*f334afcfSToomas Soome IN EFI_EVENT Event 749*f334afcfSToomas Soome ); 750*f334afcfSToomas Soome 751*f334afcfSToomas Soome /** 752*f334afcfSToomas Soome Remove the specified event that is previously registered on the specified IPsec 753*f334afcfSToomas Soome configuration data. 
754*f334afcfSToomas Soome 755*f334afcfSToomas Soome This function removes a previously registered event for the specified configuration data. 756*f334afcfSToomas Soome 757*f334afcfSToomas Soome @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 758*f334afcfSToomas Soome @param[in] DataType The configuration data type to remove the registered event for. 759*f334afcfSToomas Soome @param[in] Event The event to be unregistered. 760*f334afcfSToomas Soome 761*f334afcfSToomas Soome @retval EFI_SUCCESS The event is removed successfully. 762*f334afcfSToomas Soome @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the 763*f334afcfSToomas Soome database. 764*f334afcfSToomas Soome @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 765*f334afcfSToomas Soome @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 766*f334afcfSToomas Soome DataType is not supported. 767*f334afcfSToomas Soome 768*f334afcfSToomas Soome **/ 769*f334afcfSToomas Soome typedef 770*f334afcfSToomas Soome EFI_STATUS 771*f334afcfSToomas Soome (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)( 772*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_PROTOCOL *This, 773*f334afcfSToomas Soome IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 774*f334afcfSToomas Soome IN EFI_EVENT Event 775*f334afcfSToomas Soome ); 776*f334afcfSToomas Soome 777*f334afcfSToomas Soome /// 778*f334afcfSToomas Soome /// EFI_IPSEC_CONFIG_PROTOCOL 779*f334afcfSToomas Soome /// provides the ability to set and lookup the IPsec SAD (Security Association Database), 780*f334afcfSToomas Soome /// SPD (Security Policy Database) data entry and configure the security association 781*f334afcfSToomas Soome /// management protocol such as IKEv2. This protocol is used as the central 782*f334afcfSToomas Soome /// repository of any policy-specific configuration for EFI IPsec driver. 783*f334afcfSToomas Soome /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. 
User can use this 784*f334afcfSToomas Soome /// protocol for IPsec configuration in both IPv4 and IPv6 environment. 785*f334afcfSToomas Soome /// 786*f334afcfSToomas Soome struct _EFI_IPSEC_CONFIG_PROTOCOL { 787*f334afcfSToomas Soome EFI_IPSEC_CONFIG_SET_DATA SetData; 788*f334afcfSToomas Soome EFI_IPSEC_CONFIG_GET_DATA GetData; 789*f334afcfSToomas Soome EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector; 790*f334afcfSToomas Soome EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify; 791*f334afcfSToomas Soome EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify; 792*f334afcfSToomas Soome }; 793*f334afcfSToomas Soome 794*f334afcfSToomas Soome extern EFI_GUID gEfiIpSecConfigProtocolGuid; 795*f334afcfSToomas Soome 796*f334afcfSToomas Soome #endif 797