1 /** @file 2 EFI IPsec Configuration Protocol Definition 3 The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and 4 policy related information for the EFI IPsec protocol driver. 5 6 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> 7 SPDX-License-Identifier: BSD-2-Clause-Patent 8 9 @par Revision Reference: 10 This Protocol is introduced in UEFI Specification 2.2 11 12 **/ 13 14 #ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__ 15 #define __EFI_IPSE_CCONFIG_PROTOCOL_H__ 16 17 #define EFI_IPSEC_CONFIG_PROTOCOL_GUID \ 18 { \ 19 0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \ 20 } 21 22 typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL; 23 24 /// 25 /// EFI_IPSEC_CONFIG_DATA_TYPE 26 /// 27 typedef enum { 28 /// 29 /// The IPsec Security Policy Database (aka SPD) setting. In IPsec, 30 /// an essential element of Security Association (SA) processing is 31 /// underlying SPD that specifies what services are to be offered to 32 /// IP datagram and in what fashion. The SPD must be consulted 33 /// during the processing of all traffic (inbound and outbound), 34 /// including traffic not protected by IPsec, that traverses the IPsec 35 /// boundary. With this DataType, SetData() function is to set 36 /// the SPD entry information, which may add one new entry, delete 37 /// one existed entry or flush the whole database according to the 38 /// parameter values. The corresponding Data is of type 39 /// EFI_IPSEC_SPD_DATA 40 /// 41 IPsecConfigDataTypeSpd, 42 /// 43 /// The IPsec Security Association Database (aka SAD) setting. A 44 /// SA is a simplex connection that affords security services to the 45 /// traffic carried by it. Security services are afforded to an SA by the 46 /// use of AH, or ESP, but not both. The corresponding Data is of 47 /// type EFI_IPSEC_SAD_DATA. 48 /// 49 IPsecConfigDataTypeSad, 50 /// 51 /// The IPsec Peer Authorization Database (aka PAD) setting, which 52 /// provides the link between the SPD and a security association 53 /// management protocol. The PAD entry specifies the 54 /// authentication protocol (e.g. IKEv1, IKEv2) method used and the 55 /// authentication data. The corresponding Data is of type 56 /// EFI_IPSEC_PAD_DATA. 57 /// 58 IPsecConfigDataTypePad, 59 IPsecConfigDataTypeMaximum 60 } EFI_IPSEC_CONFIG_DATA_TYPE; 61 62 /// 63 /// EFI_IP_ADDRESS_INFO 64 /// 65 typedef struct _EFI_IP_ADDRESS_INFO { 66 EFI_IP_ADDRESS Address; ///< The IPv4 or IPv6 address 67 UINT8 PrefixLength; ///< The length of the prefix associated with the Address. 68 } EFI_IP_ADDRESS_INFO; 69 70 /// 71 /// EFI_IPSEC_SPD_SELECTOR 72 /// 73 typedef struct _EFI_IPSEC_SPD_SELECTOR { 74 /// 75 /// Specifies the actual number of entries in LocalAddress. 76 /// 77 UINT32 LocalAddressCount; 78 /// 79 /// A list of ranges of IPv4 or IPv6 addresses, which refers to the 80 /// addresses being protected by IPsec policy. 81 /// 82 EFI_IP_ADDRESS_INFO *LocalAddress; 83 /// 84 /// Specifies the actual number of entries in RemoteAddress. 85 /// 86 UINT32 RemoteAddressCount; 87 /// 88 /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities 89 /// to LocalAddress. 90 /// 91 EFI_IP_ADDRESS_INFO *RemoteAddress; 92 /// 93 /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6 94 /// Next Header fields. The next layer protocol is whatever comes 95 /// after any IP extension headers that are present. A zero value is a 96 /// wildcard that matches any value in NextLayerProtocol field. 97 /// 98 UINT16 NextLayerProtocol; 99 /// 100 /// Local Port if the Next Layer Protocol uses two ports (as do TCP, 101 /// UDP, and others). A zero value is a wildcard that matches any 102 /// value in LocalPort field. 103 /// 104 UINT16 LocalPort; 105 /// 106 /// A designed port range size. The start port is LocalPort, and 107 /// the total number of ports is described by LocalPortRange. 108 /// This field is ignored if NextLayerProtocol does not use 109 /// ports. 110 /// 111 UINT16 LocalPortRange; 112 /// 113 /// Remote Port if the Next Layer Protocol uses two ports. A zero 114 /// value is a wildcard that matches any value in RemotePort field. 115 /// 116 UINT16 RemotePort; 117 /// 118 /// A designed port range size. The start port is RemotePort, and 119 /// the total number of ports is described by RemotePortRange. 120 /// This field is ignored if NextLayerProtocol does not use ports. 121 /// 122 UINT16 RemotePortRange; 123 } EFI_IPSEC_SPD_SELECTOR; 124 125 /// 126 /// EFI_IPSEC_TRAFFIC_DIR 127 /// represents the directionality in an SPD entry. 128 /// 129 typedef enum { 130 /// 131 /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via 132 /// the unprotected interface or emitted by the implementation on the unprotected 133 /// side of the boundary and directed towards the protected interface. 134 /// 135 EfiIPsecInBound, 136 /// 137 /// The EfiIPsecOutBound refers to traffic entering the implementation via 138 /// the protected interface, or emitted by the implementation on the protected side 139 /// of the boundary and directed toward the unprotected interface. 140 /// 141 EfiIPsecOutBound 142 } EFI_IPSEC_TRAFFIC_DIR; 143 144 /// 145 /// EFI_IPSEC_ACTION 146 /// represents three possible processing choices. 147 /// 148 typedef enum { 149 /// 150 /// Refers to traffic that is not allowed to traverse the IPsec boundary. 151 /// 152 EfiIPsecActionDiscard, 153 /// 154 /// Refers to traffic that is allowed to cross the IPsec boundary 155 /// without protection. 156 /// 157 EfiIPsecActionBypass, 158 /// 159 /// Refers to traffic that is afforded IPsec protection, and for such 160 /// traffic the SPD must specify the security protocols to be 161 /// employed, their mode, security service options, and the 162 /// cryptographic algorithms to be used. 163 /// 164 EfiIPsecActionProtect 165 } EFI_IPSEC_ACTION; 166 167 /// 168 /// EFI_IPSEC_SA_LIFETIME 169 /// defines the lifetime of an SA, which represents when a SA must be 170 /// replaced or terminated. A value of all 0 for each field removes 171 /// the limitation of a SA lifetime. 172 /// 173 typedef struct _EFI_IPSEC_SA_LIFETIME { 174 /// 175 /// The number of bytes to which the IPsec cryptographic algorithm 176 /// can be applied. For ESP, this is the encryption algorithm and for 177 /// AH, this is the authentication algorithm. The ByteCount 178 /// includes pad bytes for cryptographic operations. 179 /// 180 UINT64 ByteCount; 181 /// 182 /// A time interval in second that warns the implementation to 183 /// initiate action such as setting up a replacement SA. 184 /// 185 UINT64 SoftLifetime; 186 /// 187 /// A time interval in second when the current SA ends and is 188 /// destroyed. 189 /// 190 UINT64 HardLifetime; 191 } EFI_IPSEC_SA_LIFETIME; 192 193 /// 194 /// EFI_IPSEC_MODE 195 /// There are two modes of IPsec operation: transport mode and tunnel mode. In 196 /// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols; 197 /// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets. 198 /// 199 typedef enum { 200 EfiIPsecTransport, 201 EfiIPsecTunnel 202 } EFI_IPSEC_MODE; 203 204 /// 205 /// EFI_IPSEC_TUNNEL_DF_OPTION 206 /// The option of copying the DF bit from an outbound package to 207 /// the tunnel mode header that it emits, when traffic is carried 208 /// via a tunnel mode SA. This applies to SAs where both inner and 209 /// outer headers are IPv4. 210 /// 211 typedef enum { 212 EfiIPsecTunnelClearDf, ///< Clear DF bit from inner header. 213 EfiIPsecTunnelSetDf, ///< Set DF bit from inner header. 214 EfiIPsecTunnelCopyDf ///< Copy DF bit from inner header. 215 } EFI_IPSEC_TUNNEL_DF_OPTION; 216 217 /// 218 /// EFI_IPSEC_TUNNEL_OPTION 219 /// 220 typedef struct _EFI_IPSEC_TUNNEL_OPTION { 221 /// 222 /// Local tunnel address when IPsec mode is EfiIPsecTunnel. 223 /// 224 EFI_IP_ADDRESS LocalTunnelAddress; 225 /// 226 /// Remote tunnel address when IPsec mode is EfiIPsecTunnel. 227 /// 228 EFI_IP_ADDRESS RemoteTunnelAddress; 229 /// 230 /// The option of copying the DF bit from an outbound package 231 /// to the tunnel mode header that it emits, when traffic is 232 /// carried via a tunnel mode SA. 233 /// 234 EFI_IPSEC_TUNNEL_DF_OPTION DF; 235 } EFI_IPSEC_TUNNEL_OPTION; 236 237 /// 238 /// EFI_IPSEC_PROTOCOL_TYPE 239 /// 240 typedef enum { 241 EfiIPsecAH, ///< IP Authentication Header protocol which is specified in RFC 4302. 242 EfiIPsecESP ///< IP Encapsulating Security Payload which is specified in RFC 4303. 243 } EFI_IPSEC_PROTOCOL_TYPE; 244 245 /// 246 /// EFI_IPSEC_PROCESS_POLICY 247 /// describes a policy list for traffic processing. 248 /// 249 typedef struct _EFI_IPSEC_PROCESS_POLICY { 250 /// 251 /// Extended Sequence Number. Is this SA using extended sequence 252 /// numbers. 64 bit counter is used if TRUE. 253 /// 254 BOOLEAN ExtSeqNum; 255 /// 256 /// A flag indicating whether overflow of the sequence number 257 /// counter should generate an auditable event and prevent 258 /// transmission of additional packets on the SA, or whether rollover 259 /// is permitted. 260 /// 261 BOOLEAN SeqOverflow; 262 /// 263 /// Is this SA using stateful fragment checking. TRUE represents 264 /// stateful fragment checking. 265 /// 266 BOOLEAN FragCheck; 267 /// 268 /// A time interval after which a SA must be replaced with a new SA 269 /// (and new SPI) or terminated. 270 /// 271 EFI_IPSEC_SA_LIFETIME SaLifetime; 272 /// 273 /// IPsec mode: tunnel or transport. 274 /// 275 EFI_IPSEC_MODE Mode; 276 /// 277 /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport. 278 /// 279 EFI_IPSEC_TUNNEL_OPTION *TunnelOption; 280 /// 281 /// IPsec protocol: AH or ESP 282 /// 283 EFI_IPSEC_PROTOCOL_TYPE Proto; 284 /// 285 /// Cryptographic algorithm type used for authentication. 286 /// 287 UINT8 AuthAlgoId; 288 /// 289 /// Cryptographic algorithm type used for encryption. EncAlgo is 290 /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo 291 /// can also be used to describe the algorithm if a combined mode 292 /// algorithm is used. 293 /// 294 UINT8 EncAlgoId; 295 } EFI_IPSEC_PROCESS_POLICY; 296 297 /// 298 /// EFI_IPSEC_SA_ID 299 /// A triplet to identify an SA, consisting of the following members. 300 /// 301 typedef struct _EFI_IPSEC_SA_ID { 302 /// 303 /// Security Parameter Index (aka SPI). An arbitrary 32-bit value 304 /// that is used by a receiver to identity the SA to which an incoming 305 /// package should be bound. 306 /// 307 UINT32 Spi; 308 /// 309 /// IPsec protocol: AH or ESP 310 /// 311 EFI_IPSEC_PROTOCOL_TYPE Proto; 312 /// 313 /// Destination IP address. 314 /// 315 EFI_IP_ADDRESS DestAddress; 316 } EFI_IPSEC_SA_ID; 317 318 #define MAX_PEERID_LEN 128 319 320 /// 321 /// EFI_IPSEC_SPD_DATA 322 /// 323 typedef struct _EFI_IPSEC_SPD_DATA { 324 /// 325 /// A null-terminated ASCII name string which is used as a symbolic 326 /// identifier for an IPsec Local or Remote address. 327 /// 328 UINT8 Name[MAX_PEERID_LEN]; 329 /// 330 /// Bit-mapped list describing Populate from Packet flags. When 331 /// creating a SA, if PackageFlag bit is set to TRUE, instantiate 332 /// the selector from the corresponding field in the package that 333 /// triggered the creation of the SA, else from the value(s) in the 334 /// corresponding SPD entry. The PackageFlag bit setting for 335 /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR: 336 /// Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress 337 /// Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress 338 /// Bit 2: 339 /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol 340 /// Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort 341 /// Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort 342 /// Others: Reserved. 343 /// 344 UINT32 PackageFlag; 345 /// 346 /// The traffic direction of data gram. 347 /// 348 EFI_IPSEC_TRAFFIC_DIR TrafficDirection; 349 /// 350 /// Processing choices to indicate which action is required by this 351 /// policy. 352 /// 353 EFI_IPSEC_ACTION Action; 354 /// 355 /// The policy and rule information for a SPD entry. 356 /// 357 EFI_IPSEC_PROCESS_POLICY *ProcessingPolicy; 358 /// 359 /// Specifies the actual number of entries in SaId list. 360 /// 361 UINTN SaIdCount; 362 /// 363 /// The SAD entry used for the traffic processing. The 364 /// existed SAD entry links indicate this is the manual key case. 365 /// 366 EFI_IPSEC_SA_ID SaId[1]; 367 } EFI_IPSEC_SPD_DATA; 368 369 /// 370 /// EFI_IPSEC_AH_ALGO_INFO 371 /// The security algorithm selection for IPsec AH authentication. 372 /// The required authentication algorithm is specified in RFC 4305. 373 /// 374 typedef struct _EFI_IPSEC_AH_ALGO_INFO { 375 UINT8 AuthAlgoId; 376 UINTN AuthKeyLength; 377 VOID *AuthKey; 378 } EFI_IPSEC_AH_ALGO_INFO; 379 380 /// 381 /// EFI_IPSEC_ESP_ALGO_INFO 382 /// The security algorithm selection for IPsec ESP encryption and authentication. 383 /// The required authentication algorithm is specified in RFC 4305. 384 /// EncAlgoId fields can also specify an ESP combined mode algorithm 385 /// (e.g. AES with CCM mode, specified in RFC 4309), which provides both 386 /// confidentiality and authentication services. 387 /// 388 typedef struct _EFI_IPSEC_ESP_ALGO_INFO { 389 UINT8 EncAlgoId; 390 UINTN EncKeyLength; 391 VOID *EncKey; 392 UINT8 AuthAlgoId; 393 UINTN AuthKeyLength; 394 VOID *AuthKey; 395 } EFI_IPSEC_ESP_ALGO_INFO; 396 397 /// 398 /// EFI_IPSEC_ALGO_INFO 399 /// 400 typedef union { 401 EFI_IPSEC_AH_ALGO_INFO AhAlgoInfo; 402 EFI_IPSEC_ESP_ALGO_INFO EspAlgoInfo; 403 } EFI_IPSEC_ALGO_INFO; 404 405 /// 406 /// EFI_IPSEC_SA_DATA 407 /// 408 typedef struct _EFI_IPSEC_SA_DATA { 409 /// 410 /// IPsec mode: tunnel or transport. 411 /// 412 EFI_IPSEC_MODE Mode; 413 /// 414 /// Sequence Number Counter. A 64-bit counter used to generate the 415 /// sequence number field in AH or ESP headers. 416 /// 417 UINT64 SNCount; 418 /// 419 /// Anti-Replay Window. A 64-bit counter and a bit-map used to 420 /// determine whether an inbound AH or ESP packet is a replay. 421 /// 422 UINT8 AntiReplayWindows; 423 /// 424 /// AH/ESP cryptographic algorithm, key and parameters. 425 /// 426 EFI_IPSEC_ALGO_INFO AlgoInfo; 427 /// 428 /// Lifetime of this SA. 429 /// 430 EFI_IPSEC_SA_LIFETIME SaLifetime; 431 /// 432 /// Any observed path MTU and aging variables. The Path MTU 433 /// processing is defined in section 8 of RFC 4301. 434 /// 435 UINT32 PathMTU; 436 /// 437 /// Link to one SPD entry. 438 /// 439 EFI_IPSEC_SPD_SELECTOR *SpdSelector; 440 /// 441 /// Indication of whether it's manually set or negotiated automatically. 442 /// If ManualSet is FALSE, the corresponding SA entry is inserted through 443 /// IKE protocol negotiation. 444 /// 445 BOOLEAN ManualSet; 446 } EFI_IPSEC_SA_DATA; 447 448 /// 449 /// EFI_IPSEC_SA_DATA2 450 /// 451 typedef struct _EFI_IPSEC_SA_DATA2 { 452 /// 453 /// IPsec mode: tunnel or transport 454 /// 455 EFI_IPSEC_MODE Mode; 456 /// 457 /// Sequence Number Counter. A 64-bit counter used to generate the sequence 458 /// number field in AH or ESP headers. 459 /// 460 UINT64 SNCount; 461 /// 462 /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine 463 /// whether an inbound AH or ESP packet is a replay. 464 /// 465 UINT8 AntiReplayWindows; 466 /// 467 /// AH/ESP cryptographic algorithm, key and parameters. 468 /// 469 EFI_IPSEC_ALGO_INFO AlgoInfo; 470 /// 471 /// Lifetime of this SA. 472 /// 473 EFI_IPSEC_SA_LIFETIME SaLifetime; 474 /// 475 /// Any observed path MTU and aging variables. The Path MTU processing is 476 /// defined in section 8 of RFC 4301. 477 /// 478 UINT32 PathMTU; 479 /// 480 /// Link to one SPD entry 481 /// 482 EFI_IPSEC_SPD_SELECTOR *SpdSelector; 483 /// 484 /// Indication of whether it's manually set or negotiated automatically. 485 /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE 486 /// protocol negotiation 487 /// 488 BOOLEAN ManualSet; 489 /// 490 /// The tunnel header IP source address. 491 /// 492 EFI_IP_ADDRESS TunnelSourceAddress; 493 /// 494 /// The tunnel header IP destination address. 495 /// 496 EFI_IP_ADDRESS TunnelDestinationAddress; 497 } EFI_IPSEC_SA_DATA2; 498 499 /// 500 /// EFI_IPSEC_PAD_ID 501 /// specifies the identifier for PAD entry, which is also used for SPD lookup. 502 /// IpAddress Pointer to the IPv4 or IPv6 address range. 503 /// 504 typedef struct _EFI_IPSEC_PAD_ID { 505 /// 506 /// Flag to identify which type of PAD Id is used. 507 /// 508 BOOLEAN PeerIdValid; 509 union { 510 /// 511 /// Pointer to the IPv4 or IPv6 address range. 512 /// 513 EFI_IP_ADDRESS_INFO IpAddress; 514 /// 515 /// Pointer to a null terminated ASCII string 516 /// representing the symbolic names. A PeerId can be a DNS 517 /// name, Distinguished Name, RFC 822 email address or Key ID 518 /// (specified in section 4.4.3.1 of RFC 4301) 519 /// 520 UINT8 PeerId[MAX_PEERID_LEN]; 521 } Id; 522 } EFI_IPSEC_PAD_ID; 523 524 /// 525 /// EFI_IPSEC_CONFIG_SELECTOR 526 /// describes the expected IPsec configuration data selector 527 /// of type EFI_IPSEC_CONFIG_DATA_TYPE. 528 /// 529 typedef union { 530 EFI_IPSEC_SPD_SELECTOR SpdSelector; 531 EFI_IPSEC_SA_ID SaId; 532 EFI_IPSEC_PAD_ID PadId; 533 } EFI_IPSEC_CONFIG_SELECTOR; 534 535 /// 536 /// EFI_IPSEC_AUTH_PROTOCOL_TYPE 537 /// defines the possible authentication protocol for IPsec 538 /// security association management. 539 /// 540 typedef enum { 541 EfiIPsecAuthProtocolIKEv1, 542 EfiIPsecAuthProtocolIKEv2, 543 EfiIPsecAuthProtocolMaximum 544 } EFI_IPSEC_AUTH_PROTOCOL_TYPE; 545 546 /// 547 /// EFI_IPSEC_AUTH_METHOD 548 /// 549 typedef enum { 550 /// 551 /// Using Pre-shared Keys for manual security associations. 552 /// 553 EfiIPsecAuthMethodPreSharedSecret, 554 /// 555 /// IKE employs X.509 certificates for SA establishment. 556 /// 557 EfiIPsecAuthMethodCertificates, 558 EfiIPsecAuthMethodMaximum 559 } EFI_IPSEC_AUTH_METHOD; 560 561 /// 562 /// EFI_IPSEC_PAD_DATA 563 /// 564 typedef struct _EFI_IPSEC_PAD_DATA { 565 /// 566 /// Authentication Protocol for IPsec security association management. 567 /// 568 EFI_IPSEC_AUTH_PROTOCOL_TYPE AuthProtocol; 569 /// 570 /// Authentication method used. 571 /// 572 EFI_IPSEC_AUTH_METHOD AuthMethod; 573 /// 574 /// The IKE ID payload will be used as a symbolic name for SPD 575 /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP 576 /// address provided in traffic selector playloads will be used. 577 /// 578 BOOLEAN IkeIdFlag; 579 /// 580 /// The size of Authentication data buffer, in bytes. 581 /// 582 UINTN AuthDataSize; 583 /// 584 /// Buffer for Authentication data, (e.g., the pre-shared secret or the 585 /// trust anchor relative to which the peer's certificate will be 586 /// validated). 587 /// 588 VOID *AuthData; 589 /// 590 /// The size of RevocationData, in bytes 591 /// 592 UINTN RevocationDataSize; 593 /// 594 /// Pointer to CRL or OCSP data, if certificates are used for 595 /// authentication method. 596 /// 597 VOID *RevocationData; 598 } EFI_IPSEC_PAD_DATA; 599 600 /** 601 Set the security association, security policy and peer authorization configuration 602 information for the EFI IPsec driver. 603 604 This function is used to set the IPsec configuration information of type DataType for 605 the EFI IPsec driver. 606 The IPsec configuration data has a unique selector/identifier separately to identify 607 a data entry. The selector structure depends on DataType's definition. 608 Using SetData() with a Data of NULL causes the IPsec configuration data entry identified 609 by DataType and Selector to be deleted. 610 611 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 612 @param[in] DataType The type of data to be set. 613 @param[in] Selector Pointer to an entry selector on operated configuration data 614 specified by DataType. A NULL Selector causes the entire 615 specified-type configuration information to be flushed. 616 @param[in] Data The data buffer to be set. The structure of the data buffer is 617 associated with the DataType. 618 @param[in] InsertBefore Pointer to one entry selector which describes the expected 619 position the new data entry will be added. If InsertBefore is NULL, 620 the new entry will be appended the end of database. 621 622 @retval EFI_SUCCESS The specified configuration entry data is set successfully. 623 @retval EFI_INVALID_PARAMETER One or more of the following are TRUE: 624 - This is NULL. 625 @retval EFI_UNSUPPORTED The specified DataType is not supported. 626 @retval EFI_OUT_OF_RESOURCED The required system resource could not be allocated. 627 628 **/ 629 typedef 630 EFI_STATUS 631 (EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)( 632 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 633 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 634 IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 635 IN VOID *Data, 636 IN EFI_IPSEC_CONFIG_SELECTOR *InsertBefore OPTIONAL 637 ); 638 639 /** 640 Return the configuration value for the EFI IPsec driver. 641 642 This function lookup the data entry from IPsec database or IKEv2 configuration 643 information. The expected data type and unique identification are described in 644 DataType and Selector parameters. 645 646 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 647 @param[in] DataType The type of data to retrieve. 648 @param[in] Selector Pointer to an entry selector which is an identifier of the IPsec 649 configuration data entry. 650 @param[in, out] DataSize On output the size of data returned in Data. 651 @param[out] Data The buffer to return the contents of the IPsec configuration data. 652 The type of the data buffer is associated with the DataType. 653 654 @retval EFI_SUCCESS The specified configuration data is got successfully. 655 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 656 - This is NULL. 657 - Selector is NULL. 658 - DataSize is NULL. 659 - Data is NULL and *DataSize is not zero 660 @retval EFI_NOT_FOUND The configuration data specified by Selector is not found. 661 @retval EFI_UNSUPPORTED The specified DataType is not supported. 662 @retval EFI_BUFFER_TOO_SMALL The DataSize is too small for the result. DataSize has been 663 updated with the size needed to complete the request. 664 665 **/ 666 typedef 667 EFI_STATUS 668 (EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)( 669 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 670 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 671 IN EFI_IPSEC_CONFIG_SELECTOR *Selector, 672 IN OUT UINTN *DataSize, 673 OUT VOID *Data 674 ); 675 676 /** 677 Enumerates the current selector for IPsec configuration data entry. 678 679 This function is called multiple times to retrieve the entry Selector in IPsec 680 configuration database. On each call to GetNextSelector(), the next entry 681 Selector are retrieved into the output interface. 682 683 If the entire IPsec configuration database has been iterated, the error 684 EFI_NOT_FOUND is returned. 685 If the Selector buffer is too small for the next Selector copy, an 686 EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect 687 the size of buffer needed. 688 689 On the initial call to GetNextSelector() to start the IPsec configuration database 690 search, a pointer to the buffer with all zero value is passed in Selector. Calls 691 to SetData() between calls to GetNextSelector may produce unpredictable results. 692 693 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 694 @param[in] DataType The type of IPsec configuration data to retrieve. 695 @param[in, out] SelectorSize The size of the Selector buffer. 696 @param[in, out] Selector On input, supplies the pointer to last Selector that was 697 returned by GetNextSelector(). 698 On output, returns one copy of the current entry Selector 699 of a given DataType. 700 701 @retval EFI_SUCCESS The specified configuration data is got successfully. 702 @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE: 703 - This is NULL. 704 - SelectorSize is NULL. 705 - Selector is NULL. 706 @retval EFI_NOT_FOUND The next configuration data entry was not found. 707 @retval EFI_UNSUPPORTED The specified DataType is not supported. 708 @retval EFI_BUFFER_TOO_SMALL The SelectorSize is too small for the result. This parameter 709 has been updated with the size needed to complete the search 710 request. 711 712 **/ 713 typedef 714 EFI_STATUS 715 (EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)( 716 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 717 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 718 IN OUT UINTN *SelectorSize, 719 IN OUT EFI_IPSEC_CONFIG_SELECTOR *Selector 720 ); 721 722 /** 723 Register an event that is to be signaled whenever a configuration process on the 724 specified IPsec configuration information is done. 725 726 This function registers an event that is to be signaled whenever a configuration 727 process on the specified IPsec configuration data is done (e.g. IPsec security 728 policy database configuration is ready). An event can be registered for different 729 DataType simultaneously and the caller is responsible for determining which type 730 of configuration data causes the signaling of the event in such case. 731 732 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 733 @param[in] DataType The type of data to be registered the event for. 734 @param[in] Event The event to be registered. 735 736 @retval EFI_SUCCESS The event is registered successfully. 737 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 738 @retval EFI_ACCESS_DENIED The Event is already registered for the DataType. 739 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 740 DataType is not supported. 741 742 **/ 743 typedef 744 EFI_STATUS 745 (EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)( 746 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 747 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 748 IN EFI_EVENT Event 749 ); 750 751 /** 752 Remove the specified event that is previously registered on the specified IPsec 753 configuration data. 754 755 This function removes a previously registered event for the specified configuration data. 756 757 @param[in] This Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance. 758 @param[in] DataType The configuration data type to remove the registered event for. 759 @param[in] Event The event to be unregistered. 760 761 @retval EFI_SUCCESS The event is removed successfully. 762 @retval EFI_NOT_FOUND The Event specified by DataType could not be found in the 763 database. 764 @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL. 765 @retval EFI_UNSUPPORTED The notify registration unsupported or the specified 766 DataType is not supported. 767 768 **/ 769 typedef 770 EFI_STATUS 771 (EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)( 772 IN EFI_IPSEC_CONFIG_PROTOCOL *This, 773 IN EFI_IPSEC_CONFIG_DATA_TYPE DataType, 774 IN EFI_EVENT Event 775 ); 776 777 /// 778 /// EFI_IPSEC_CONFIG_PROTOCOL 779 /// provides the ability to set and lookup the IPsec SAD (Security Association Database), 780 /// SPD (Security Policy Database) data entry and configure the security association 781 /// management protocol such as IKEv2. This protocol is used as the central 782 /// repository of any policy-specific configuration for EFI IPsec driver. 783 /// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this 784 /// protocol for IPsec configuration in both IPv4 and IPv6 environment. 785 /// 786 struct _EFI_IPSEC_CONFIG_PROTOCOL { 787 EFI_IPSEC_CONFIG_SET_DATA SetData; 788 EFI_IPSEC_CONFIG_GET_DATA GetData; 789 EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR GetNextSelector; 790 EFI_IPSEC_CONFIG_REGISTER_NOTIFY RegisterDataNotify; 791 EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY UnregisterDataNotify; 792 }; 793 794 extern EFI_GUID gEfiIpSecConfigProtocolGuid; 795 796 #endif 797