xref: /illumos-gate/usr/src/boot/efi/include/Protocol/IpSecConfig.h (revision 2833423dc59f4c35fe4713dbb942950c82df0437)
1 /** @file
2   EFI IPsec Configuration Protocol Definition
3   The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and
4   policy related information for the EFI IPsec protocol driver.
5 
6   Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
7   SPDX-License-Identifier: BSD-2-Clause-Patent
8 
9   @par Revision Reference:
10   This Protocol is introduced in UEFI Specification 2.2
11 
12 **/
13 
14 #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__
15 #define __EFI_IPSE_CCONFIG_PROTOCOL_H__
16 
17 #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \
18   { \
19     0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
20   }
21 
22 typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;
23 
24 ///
25 /// EFI_IPSEC_CONFIG_DATA_TYPE
26 ///
27 typedef enum {
28   ///
29   /// The IPsec Security Policy Database (aka SPD) setting.  In IPsec,
30   /// an essential element of Security Association (SA) processing is
31   /// underlying SPD that specifies what services are to be offered to
32   /// IP datagram and in what fashion. The SPD must be consulted
33   /// during the processing of all traffic (inbound and outbound),
34   /// including traffic not protected by IPsec, that traverses the IPsec
35   /// boundary. With this DataType, SetData() function is to set
36   /// the SPD entry information, which may add one new entry, delete
37   /// one existed entry or flush the whole database according to the
38   /// parameter values. The corresponding Data is of type
39   /// EFI_IPSEC_SPD_DATA
40   ///
41   IPsecConfigDataTypeSpd,
42   ///
43   /// The IPsec Security Association Database (aka SAD) setting. A
44   /// SA is a simplex connection that affords security services to the
45   /// traffic carried by it. Security services are afforded to an SA by the
46   /// use of AH, or ESP, but not both. The corresponding Data is of
47   /// type EFI_IPSEC_SAD_DATA.
48   ///
49   IPsecConfigDataTypeSad,
50   ///
51   /// The IPsec Peer Authorization Database (aka PAD) setting, which
52   /// provides the link between the SPD and a security association
53   /// management protocol. The PAD entry specifies the
54   /// authentication protocol (e.g. IKEv1, IKEv2) method used and the
55   /// authentication data. The corresponding Data is of type
56   /// EFI_IPSEC_PAD_DATA.
57   ///
58   IPsecConfigDataTypePad,
59   IPsecConfigDataTypeMaximum
60 } EFI_IPSEC_CONFIG_DATA_TYPE;
61 
62 ///
63 /// EFI_IP_ADDRESS_INFO
64 ///
65 typedef struct _EFI_IP_ADDRESS_INFO {
66   EFI_IP_ADDRESS    Address;      ///< The IPv4 or IPv6 address
67   UINT8             PrefixLength; ///< The length of the prefix associated with the Address.
68 } EFI_IP_ADDRESS_INFO;
69 
70 ///
71 /// EFI_IPSEC_SPD_SELECTOR
72 ///
73 typedef struct _EFI_IPSEC_SPD_SELECTOR {
74   ///
75   /// Specifies the actual number of entries in LocalAddress.
76   ///
77   UINT32                 LocalAddressCount;
78   ///
79   /// A list of ranges of IPv4 or IPv6 addresses, which refers to the
80   /// addresses being protected by IPsec policy.
81   ///
82   EFI_IP_ADDRESS_INFO    *LocalAddress;
83   ///
84   /// Specifies the actual number of entries in RemoteAddress.
85   ///
86   UINT32                 RemoteAddressCount;
87   ///
88   /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities
89   /// to LocalAddress.
90   ///
91   EFI_IP_ADDRESS_INFO    *RemoteAddress;
92   ///
93   /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6
94   /// Next Header fields. The next layer protocol is whatever comes
95   /// after any IP extension headers that are present. A zero value is a
96   /// wildcard that matches any value in NextLayerProtocol field.
97   ///
98   UINT16                 NextLayerProtocol;
99   ///
100   /// Local Port if the Next Layer Protocol uses two ports (as do TCP,
101   /// UDP, and others). A zero value is a wildcard that matches any
102   /// value in LocalPort field.
103   ///
104   UINT16                 LocalPort;
105   ///
106   /// A designed port range size. The start port is LocalPort, and
107   /// the total number of ports is described by LocalPortRange.
108   /// This field is ignored if NextLayerProtocol does not use
109   /// ports.
110   ///
111   UINT16                 LocalPortRange;
112   ///
113   /// Remote Port if the Next Layer Protocol uses two ports. A zero
114   /// value is a wildcard that matches any value in RemotePort field.
115   ///
116   UINT16                 RemotePort;
117   ///
118   /// A designed port range size. The start port is RemotePort, and
119   /// the total number of ports is described by RemotePortRange.
120   /// This field is ignored if NextLayerProtocol does not use ports.
121   ///
122   UINT16                 RemotePortRange;
123 } EFI_IPSEC_SPD_SELECTOR;
124 
125 ///
126 /// EFI_IPSEC_TRAFFIC_DIR
127 /// represents the directionality in an SPD entry.
128 ///
129 typedef enum {
130   ///
131   /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via
132   /// the unprotected interface or emitted by the implementation on the unprotected
133   /// side of the boundary and directed towards the protected interface.
134   ///
135   EfiIPsecInBound,
136   ///
137   /// The EfiIPsecOutBound refers to traffic entering the implementation via
138   /// the protected interface, or emitted by the implementation on the protected side
139   /// of the boundary and directed toward the unprotected interface.
140   ///
141   EfiIPsecOutBound
142 } EFI_IPSEC_TRAFFIC_DIR;
143 
144 ///
145 /// EFI_IPSEC_ACTION
146 /// represents three possible processing choices.
147 ///
148 typedef enum {
149   ///
150   /// Refers to traffic that is not allowed to traverse the IPsec boundary.
151   ///
152   EfiIPsecActionDiscard,
153   ///
154   /// Refers to traffic that is allowed to cross the IPsec boundary
155   /// without protection.
156   ///
157   EfiIPsecActionBypass,
158   ///
159   /// Refers to traffic that is afforded IPsec protection, and for such
160   /// traffic the SPD must specify the security protocols to be
161   /// employed, their mode, security service options, and the
162   /// cryptographic algorithms to be used.
163   ///
164   EfiIPsecActionProtect
165 } EFI_IPSEC_ACTION;
166 
167 ///
168 /// EFI_IPSEC_SA_LIFETIME
169 /// defines the lifetime of an SA, which represents when a SA must be
170 /// replaced or terminated. A value of all 0 for each field removes
171 /// the limitation of a SA lifetime.
172 ///
173 typedef struct _EFI_IPSEC_SA_LIFETIME {
174   ///
175   /// The number of bytes to which the IPsec cryptographic algorithm
176   /// can be applied. For ESP, this is the encryption algorithm and for
177   /// AH, this is the authentication algorithm. The ByteCount
178   /// includes pad bytes for cryptographic operations.
179   ///
180   UINT64    ByteCount;
181   ///
182   /// A time interval in second that warns the implementation to
183   /// initiate action such as setting up a replacement SA.
184   ///
185   UINT64    SoftLifetime;
186   ///
187   /// A time interval in second when the current SA ends and is
188   /// destroyed.
189   ///
190   UINT64    HardLifetime;
191 } EFI_IPSEC_SA_LIFETIME;
192 
193 ///
194 /// EFI_IPSEC_MODE
195 /// There are two modes of IPsec operation: transport mode and tunnel mode. In
196 /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;
197 /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.
198 ///
199 typedef enum {
200   EfiIPsecTransport,
201   EfiIPsecTunnel
202 } EFI_IPSEC_MODE;
203 
204 ///
205 /// EFI_IPSEC_TUNNEL_DF_OPTION
206 /// The option of copying the DF bit from an outbound package to
207 /// the tunnel mode header that it emits, when traffic is carried
208 /// via a tunnel mode SA. This applies to SAs where both inner and
209 /// outer headers are IPv4.
210 ///
211 typedef enum {
212   EfiIPsecTunnelClearDf,  ///< Clear DF bit from inner header.
213   EfiIPsecTunnelSetDf,    ///< Set DF bit from inner header.
214   EfiIPsecTunnelCopyDf    ///< Copy DF bit from inner header.
215 } EFI_IPSEC_TUNNEL_DF_OPTION;
216 
217 ///
218 /// EFI_IPSEC_TUNNEL_OPTION
219 ///
220 typedef struct _EFI_IPSEC_TUNNEL_OPTION {
221   ///
222   /// Local tunnel address when IPsec mode is EfiIPsecTunnel.
223   ///
224   EFI_IP_ADDRESS                LocalTunnelAddress;
225   ///
226   /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.
227   ///
228   EFI_IP_ADDRESS                RemoteTunnelAddress;
229   ///
230   /// The option of copying the DF bit from an outbound package
231   /// to the tunnel mode header that it emits, when traffic is
232   /// carried via a tunnel mode SA.
233   ///
234   EFI_IPSEC_TUNNEL_DF_OPTION    DF;
235 } EFI_IPSEC_TUNNEL_OPTION;
236 
237 ///
238 /// EFI_IPSEC_PROTOCOL_TYPE
239 ///
240 typedef enum {
241   EfiIPsecAH,  ///< IP Authentication Header protocol which is specified in RFC 4302.
242   EfiIPsecESP  ///< IP Encapsulating Security Payload which is specified in RFC 4303.
243 } EFI_IPSEC_PROTOCOL_TYPE;
244 
245 ///
246 /// EFI_IPSEC_PROCESS_POLICY
247 /// describes a policy list for traffic processing.
248 ///
249 typedef struct _EFI_IPSEC_PROCESS_POLICY {
250   ///
251   /// Extended Sequence Number. Is this SA using extended sequence
252   /// numbers. 64 bit counter is used if TRUE.
253   ///
254   BOOLEAN                    ExtSeqNum;
255   ///
256   /// A flag indicating whether overflow of the sequence number
257   /// counter should generate an auditable event and prevent
258   /// transmission of additional packets on the SA, or whether rollover
259   /// is permitted.
260   ///
261   BOOLEAN                    SeqOverflow;
262   ///
263   /// Is this SA using stateful fragment checking. TRUE represents
264   /// stateful fragment checking.
265   ///
266   BOOLEAN                    FragCheck;
267   ///
268   /// A time interval after which a SA must be replaced with a new SA
269   /// (and new SPI) or terminated.
270   ///
271   EFI_IPSEC_SA_LIFETIME      SaLifetime;
272   ///
273   /// IPsec mode: tunnel or transport.
274   ///
275   EFI_IPSEC_MODE             Mode;
276   ///
277   /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.
278   ///
279   EFI_IPSEC_TUNNEL_OPTION    *TunnelOption;
280   ///
281   /// IPsec protocol: AH or ESP
282   ///
283   EFI_IPSEC_PROTOCOL_TYPE    Proto;
284   ///
285   /// Cryptographic algorithm type used for authentication.
286   ///
287   UINT8                      AuthAlgoId;
288   ///
289   /// Cryptographic algorithm type used for encryption. EncAlgo is
290   /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo
291   /// can also be used to describe the algorithm if a combined mode
292   /// algorithm is used.
293   ///
294   UINT8                      EncAlgoId;
295 } EFI_IPSEC_PROCESS_POLICY;
296 
297 ///
298 /// EFI_IPSEC_SA_ID
299 /// A triplet to identify an SA, consisting of the following members.
300 ///
301 typedef struct _EFI_IPSEC_SA_ID {
302   ///
303   /// Security Parameter Index (aka SPI).  An arbitrary 32-bit value
304   /// that is used by a receiver to identity the SA to which an incoming
305   /// package should be bound.
306   ///
307   UINT32                     Spi;
308   ///
309   /// IPsec protocol: AH or ESP
310   ///
311   EFI_IPSEC_PROTOCOL_TYPE    Proto;
312   ///
313   /// Destination IP address.
314   ///
315   EFI_IP_ADDRESS             DestAddress;
316 } EFI_IPSEC_SA_ID;
317 
318 #define MAX_PEERID_LEN  128
319 
320 ///
321 /// EFI_IPSEC_SPD_DATA
322 ///
323 typedef struct _EFI_IPSEC_SPD_DATA {
324   ///
325   /// A null-terminated ASCII name string which is used as a symbolic
326   /// identifier for an IPsec Local or Remote address.
327   ///
328   UINT8    Name[MAX_PEERID_LEN];
329   ///
330   /// Bit-mapped list describing Populate from Packet flags. When
331   /// creating a SA, if PackageFlag bit is set to TRUE, instantiate
332   /// the selector from the corresponding field in the package that
333   /// triggered the creation of the SA, else from the value(s) in the
334   /// corresponding SPD entry. The PackageFlag bit setting for
335   /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:
336   ///     Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress
337   ///     Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress
338   ///     Bit 2:
339   /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol
340   ///     Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort
341   ///     Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort
342   ///     Others: Reserved.
343   ///
344   UINT32                      PackageFlag;
345   ///
346   /// The traffic direction of data gram.
347   ///
348   EFI_IPSEC_TRAFFIC_DIR       TrafficDirection;
349   ///
350   /// Processing choices to indicate which action is required by this
351   /// policy.
352   ///
353   EFI_IPSEC_ACTION            Action;
354   ///
355   /// The policy and rule information for a SPD entry.
356   ///
357   EFI_IPSEC_PROCESS_POLICY    *ProcessingPolicy;
358   ///
359   /// Specifies the actual number of entries in SaId list.
360   ///
361   UINTN                       SaIdCount;
362   ///
363   /// The SAD entry used for the traffic processing. The
364   /// existed SAD entry links indicate this is the manual key case.
365   ///
366   EFI_IPSEC_SA_ID             SaId[1];
367 } EFI_IPSEC_SPD_DATA;
368 
369 ///
370 /// EFI_IPSEC_AH_ALGO_INFO
371 /// The security algorithm selection for IPsec AH authentication.
372 /// The required authentication algorithm is specified in RFC 4305.
373 ///
374 typedef struct _EFI_IPSEC_AH_ALGO_INFO {
375   UINT8    AuthAlgoId;
376   UINTN    AuthKeyLength;
377   VOID     *AuthKey;
378 } EFI_IPSEC_AH_ALGO_INFO;
379 
380 ///
381 /// EFI_IPSEC_ESP_ALGO_INFO
382 /// The security algorithm selection for IPsec ESP encryption and authentication.
383 /// The required authentication algorithm is specified in RFC 4305.
384 /// EncAlgoId fields can also specify an ESP combined mode algorithm
385 /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both
386 /// confidentiality and authentication services.
387 ///
388 typedef struct _EFI_IPSEC_ESP_ALGO_INFO {
389   UINT8    EncAlgoId;
390   UINTN    EncKeyLength;
391   VOID     *EncKey;
392   UINT8    AuthAlgoId;
393   UINTN    AuthKeyLength;
394   VOID     *AuthKey;
395 } EFI_IPSEC_ESP_ALGO_INFO;
396 
397 ///
398 /// EFI_IPSEC_ALGO_INFO
399 ///
400 typedef union {
401   EFI_IPSEC_AH_ALGO_INFO     AhAlgoInfo;
402   EFI_IPSEC_ESP_ALGO_INFO    EspAlgoInfo;
403 } EFI_IPSEC_ALGO_INFO;
404 
405 ///
406 /// EFI_IPSEC_SA_DATA
407 ///
408 typedef struct _EFI_IPSEC_SA_DATA {
409   ///
410   /// IPsec mode: tunnel or transport.
411   ///
412   EFI_IPSEC_MODE            Mode;
413   ///
414   /// Sequence Number Counter. A 64-bit counter used to generate the
415   /// sequence number field in AH or ESP headers.
416   ///
417   UINT64                    SNCount;
418   ///
419   /// Anti-Replay Window. A 64-bit counter and a bit-map used to
420   /// determine whether an inbound AH or ESP packet is a replay.
421   ///
422   UINT8                     AntiReplayWindows;
423   ///
424   /// AH/ESP cryptographic algorithm, key and parameters.
425   ///
426   EFI_IPSEC_ALGO_INFO       AlgoInfo;
427   ///
428   /// Lifetime of this SA.
429   ///
430   EFI_IPSEC_SA_LIFETIME     SaLifetime;
431   ///
432   /// Any observed path MTU and aging variables. The Path MTU
433   /// processing is defined in section 8 of RFC 4301.
434   ///
435   UINT32                    PathMTU;
436   ///
437   /// Link to one SPD entry.
438   ///
439   EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
440   ///
441   /// Indication of whether it's manually set or negotiated automatically.
442   /// If ManualSet is FALSE, the corresponding SA entry is inserted through
443   /// IKE protocol negotiation.
444   ///
445   BOOLEAN                   ManualSet;
446 } EFI_IPSEC_SA_DATA;
447 
448 ///
449 /// EFI_IPSEC_SA_DATA2
450 ///
451 typedef struct _EFI_IPSEC_SA_DATA2 {
452   ///
453   /// IPsec mode: tunnel or transport
454   ///
455   EFI_IPSEC_MODE            Mode;
456   ///
457   /// Sequence Number Counter. A 64-bit counter used to generate the sequence
458   /// number field in AH or ESP headers.
459   ///
460   UINT64                    SNCount;
461   ///
462   /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
463   /// whether an inbound AH or ESP packet is a replay.
464   ///
465   UINT8                     AntiReplayWindows;
466   ///
467   /// AH/ESP cryptographic algorithm, key and parameters.
468   ///
469   EFI_IPSEC_ALGO_INFO       AlgoInfo;
470   ///
471   /// Lifetime of this SA.
472   ///
473   EFI_IPSEC_SA_LIFETIME     SaLifetime;
474   ///
475   /// Any observed path MTU and aging variables. The Path MTU processing is
476   /// defined in section 8 of RFC 4301.
477   ///
478   UINT32                    PathMTU;
479   ///
480   /// Link to one SPD entry
481   ///
482   EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
483   ///
484   /// Indication of whether it's manually set or negotiated automatically.
485   /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
486   /// protocol negotiation
487   ///
488   BOOLEAN                   ManualSet;
489   ///
490   /// The tunnel header IP source address.
491   ///
492   EFI_IP_ADDRESS            TunnelSourceAddress;
493   ///
494   /// The tunnel header IP destination address.
495   ///
496   EFI_IP_ADDRESS            TunnelDestinationAddress;
497 } EFI_IPSEC_SA_DATA2;
498 
499 ///
500 /// EFI_IPSEC_PAD_ID
501 /// specifies the identifier for PAD entry, which is also used for SPD lookup.
502 /// IpAddress Pointer to the IPv4 or IPv6 address range.
503 ///
504 typedef struct _EFI_IPSEC_PAD_ID {
505   ///
506   /// Flag to identify which type of PAD Id is used.
507   ///
508   BOOLEAN    PeerIdValid;
509   union {
510     ///
511     /// Pointer to the IPv4 or IPv6 address range.
512     ///
513     EFI_IP_ADDRESS_INFO    IpAddress;
514     ///
515     /// Pointer to a null terminated ASCII string
516     /// representing the symbolic names. A PeerId can be a DNS
517     /// name, Distinguished Name, RFC 822 email address or Key ID
518     /// (specified in section 4.4.3.1 of RFC 4301)
519     ///
520     UINT8                  PeerId[MAX_PEERID_LEN];
521   } Id;
522 } EFI_IPSEC_PAD_ID;
523 
524 ///
525 /// EFI_IPSEC_CONFIG_SELECTOR
526 /// describes the expected IPsec configuration data selector
527 /// of type EFI_IPSEC_CONFIG_DATA_TYPE.
528 ///
529 typedef union {
530   EFI_IPSEC_SPD_SELECTOR    SpdSelector;
531   EFI_IPSEC_SA_ID           SaId;
532   EFI_IPSEC_PAD_ID          PadId;
533 } EFI_IPSEC_CONFIG_SELECTOR;
534 
535 ///
536 /// EFI_IPSEC_AUTH_PROTOCOL_TYPE
537 /// defines the possible authentication protocol for IPsec
538 /// security association management.
539 ///
540 typedef enum {
541   EfiIPsecAuthProtocolIKEv1,
542   EfiIPsecAuthProtocolIKEv2,
543   EfiIPsecAuthProtocolMaximum
544 } EFI_IPSEC_AUTH_PROTOCOL_TYPE;
545 
546 ///
547 /// EFI_IPSEC_AUTH_METHOD
548 ///
549 typedef enum {
550   ///
551   /// Using Pre-shared Keys for manual security associations.
552   ///
553   EfiIPsecAuthMethodPreSharedSecret,
554   ///
555   /// IKE employs X.509 certificates for SA establishment.
556   ///
557   EfiIPsecAuthMethodCertificates,
558   EfiIPsecAuthMethodMaximum
559 } EFI_IPSEC_AUTH_METHOD;
560 
561 ///
562 /// EFI_IPSEC_PAD_DATA
563 ///
564 typedef struct _EFI_IPSEC_PAD_DATA {
565   ///
566   /// Authentication Protocol for IPsec security association  management.
567   ///
568   EFI_IPSEC_AUTH_PROTOCOL_TYPE    AuthProtocol;
569   ///
570   /// Authentication method used.
571   ///
572   EFI_IPSEC_AUTH_METHOD           AuthMethod;
573   ///
574   /// The IKE ID payload will be used as a symbolic name for SPD
575   /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP
576   /// address provided in traffic selector playloads will be used.
577   ///
578   BOOLEAN                         IkeIdFlag;
579   ///
580   /// The size of Authentication data buffer, in bytes.
581   ///
582   UINTN                           AuthDataSize;
583   ///
584   /// Buffer for Authentication data, (e.g., the pre-shared secret or the
585   /// trust anchor relative to which the peer's certificate will be
586   /// validated).
587   ///
588   VOID                            *AuthData;
589   ///
590   /// The size of RevocationData, in bytes
591   ///
592   UINTN                           RevocationDataSize;
593   ///
594   /// Pointer to CRL or OCSP data, if certificates are used for
595   /// authentication method.
596   ///
597   VOID                            *RevocationData;
598 } EFI_IPSEC_PAD_DATA;
599 
600 /**
601   Set the security association, security policy and peer authorization configuration
602   information for the EFI IPsec driver.
603 
604   This function is used to set the IPsec configuration information of type DataType for
605   the EFI IPsec driver.
606   The IPsec configuration data has a unique selector/identifier separately to identify
607   a data entry. The selector structure depends on DataType's definition.
608   Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
609   by DataType and Selector to be deleted.
610 
611   @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
612   @param[in] DataType           The type of data to be set.
613   @param[in] Selector           Pointer to an entry selector on operated configuration data
614                                 specified by DataType. A NULL Selector causes the entire
615                                 specified-type configuration information to be flushed.
616   @param[in] Data               The data buffer to be set. The structure of the data buffer is
617                                 associated with the DataType.
618   @param[in] InsertBefore       Pointer to one entry selector which describes the expected
619                                 position the new data entry will be added. If InsertBefore is NULL,
620                                 the new entry will be appended the end of database.
621 
622   @retval EFI_SUCCESS           The specified configuration entry data is set successfully.
623   @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
624                                 - This is NULL.
625   @retval EFI_UNSUPPORTED       The specified DataType is not supported.
626   @retval EFI_OUT_OF_RESOURCED  The required system resource could not be allocated.
627 
628 **/
629 typedef
630 EFI_STATUS
631 (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(
632   IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
633   IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
634   IN EFI_IPSEC_CONFIG_SELECTOR        *Selector,
635   IN VOID                             *Data,
636   IN EFI_IPSEC_CONFIG_SELECTOR        *InsertBefore   OPTIONAL
637   );
638 
639 /**
640   Return the configuration value for the EFI IPsec driver.
641 
642   This function lookup the data entry from IPsec database or IKEv2 configuration
643   information. The expected data type and unique identification are described in
644   DataType and Selector parameters.
645 
646   @param[in]      This          Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
647   @param[in]      DataType      The type of data to retrieve.
648   @param[in]      Selector      Pointer to an entry selector which is an identifier of the IPsec
649                                 configuration data entry.
650   @param[in, out] DataSize      On output the size of data returned in Data.
651   @param[out]     Data          The buffer to return the contents of the IPsec configuration data.
652                                 The type of the data buffer is associated with the DataType.
653 
654   @retval EFI_SUCCESS           The specified configuration data is got successfully.
655   @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
656                                 - This is NULL.
657                                 - Selector is NULL.
658                                 - DataSize is NULL.
659                                 - Data is NULL and *DataSize is not zero
660   @retval EFI_NOT_FOUND         The configuration data specified by Selector is not found.
661   @retval EFI_UNSUPPORTED       The specified DataType is not supported.
662   @retval EFI_BUFFER_TOO_SMALL  The DataSize is too small for the result. DataSize has been
663                                 updated with the size needed to complete the request.
664 
665 **/
666 typedef
667 EFI_STATUS
668 (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(
669   IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
670   IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
671   IN EFI_IPSEC_CONFIG_SELECTOR        *Selector,
672   IN OUT UINTN                        *DataSize,
673   OUT VOID                            *Data
674   );
675 
676 /**
677   Enumerates the current selector for IPsec configuration data entry.
678 
679   This function is called multiple times to retrieve the entry Selector in IPsec
680   configuration database. On each call to GetNextSelector(), the next entry
681   Selector are retrieved into the output interface.
682 
683   If the entire IPsec configuration database has been iterated, the error
684   EFI_NOT_FOUND is returned.
685   If the Selector buffer is too small for the next Selector copy, an
686   EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
687   the size of buffer needed.
688 
689   On the initial call to GetNextSelector() to start the IPsec configuration database
690   search, a pointer to the buffer with all zero value is passed in Selector. Calls
691   to SetData() between calls to GetNextSelector may produce unpredictable results.
692 
693   @param[in]      This          Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
694   @param[in]      DataType      The type of IPsec configuration data to retrieve.
695   @param[in, out] SelectorSize  The size of the Selector buffer.
696   @param[in, out] Selector      On input, supplies the pointer to last Selector that was
697                                 returned by GetNextSelector().
698                                 On output, returns one copy of the current entry Selector
699                                 of a given DataType.
700 
701   @retval EFI_SUCCESS           The specified configuration data is got successfully.
702   @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
703                                 - This is NULL.
704                                 - SelectorSize is NULL.
705                                 - Selector is NULL.
706   @retval EFI_NOT_FOUND         The next configuration data entry was not found.
707   @retval EFI_UNSUPPORTED       The specified DataType is not supported.
708   @retval EFI_BUFFER_TOO_SMALL  The SelectorSize is too small for the result. This parameter
709                                 has been updated with the size needed to complete the search
710                                 request.
711 
712 **/
713 typedef
714 EFI_STATUS
715 (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(
716   IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
717   IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
718   IN OUT UINTN                        *SelectorSize,
719   IN OUT EFI_IPSEC_CONFIG_SELECTOR    *Selector
720   );
721 
722 /**
723   Register an event that is to be signaled whenever a configuration process on the
724   specified IPsec configuration information is done.
725 
726   This function registers an event that is to be signaled whenever a configuration
727   process on the specified IPsec configuration data is done (e.g. IPsec security
728   policy database configuration is ready). An event can be registered for different
729   DataType simultaneously and the caller is responsible for determining which type
730   of configuration data causes the signaling of the event in such case.
731 
732   @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
733   @param[in] DataType           The type of data to be registered the event for.
734   @param[in] Event              The event to be registered.
735 
736   @retval EFI_SUCCESS           The event is registered successfully.
737   @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
738   @retval EFI_ACCESS_DENIED     The Event is already registered for the DataType.
739   @retval EFI_UNSUPPORTED       The notify registration unsupported or the specified
740                                 DataType is not supported.
741 
742 **/
743 typedef
744 EFI_STATUS
745 (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(
746   IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
747   IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
748   IN EFI_EVENT                        Event
749   );
750 
751 /**
752   Remove the specified event that is previously registered on the specified IPsec
753   configuration data.
754 
755   This function removes a previously registered event for the specified configuration data.
756 
757   @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
758   @param[in] DataType           The configuration data type to remove the registered event for.
759   @param[in] Event              The event to be unregistered.
760 
761   @retval EFI_SUCCESS           The event is removed successfully.
762   @retval EFI_NOT_FOUND         The Event specified by DataType could not be found in the
763                                 database.
764   @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
765   @retval EFI_UNSUPPORTED       The notify registration unsupported or the specified
766                                 DataType is not supported.
767 
768 **/
769 typedef
770 EFI_STATUS
771 (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(
772   IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
773   IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
774   IN EFI_EVENT                        Event
775   );
776 
777 ///
778 /// EFI_IPSEC_CONFIG_PROTOCOL
779 /// provides the ability to set and lookup the IPsec SAD (Security Association Database),
780 /// SPD (Security Policy Database) data entry and configure the security association
781 /// management protocol such as IKEv2. This protocol is used as the central
782 /// repository of any policy-specific configuration for EFI IPsec driver.
783 /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this
784 /// protocol for IPsec configuration in both IPv4 and IPv6 environment.
785 ///
786 struct _EFI_IPSEC_CONFIG_PROTOCOL {
787   EFI_IPSEC_CONFIG_SET_DATA             SetData;
788   EFI_IPSEC_CONFIG_GET_DATA             GetData;
789   EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR    GetNextSelector;
790   EFI_IPSEC_CONFIG_REGISTER_NOTIFY      RegisterDataNotify;
791   EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY    UnregisterDataNotify;
792 };
793 
794 extern EFI_GUID  gEfiIpSecConfigProtocolGuid;
795 
796 #endif
797