xref: /illumos-gate/usr/src/boot/efi/include/Protocol/IpSecConfig.h (revision f334afcf)

/** @file
  EFI IPsec Configuration Protocol Definition
  The EFI_IPSEC_CONFIG_PROTOCOL provides the mechanism to set and retrieve security and
  policy related information for the EFI IPsec protocol driver.

  Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent

  @par Revision Reference:
  This Protocol is introduced in UEFI Specification 2.2

**/

#ifndef __EFI_IPSE_CCONFIG_PROTOCOL_H__
#define __EFI_IPSE_CCONFIG_PROTOCOL_H__

#define EFI_IPSEC_CONFIG_PROTOCOL_GUID \
  { \
    0xce5e5929, 0xc7a3, 0x4602, {0xad, 0x9e, 0xc9, 0xda, 0xf9, 0x4e, 0xbf, 0xcf } \
  }

typedef struct _EFI_IPSEC_CONFIG_PROTOCOL EFI_IPSEC_CONFIG_PROTOCOL;

///
/// EFI_IPSEC_CONFIG_DATA_TYPE
///
typedef enum {
  ///
  /// The IPsec Security Policy Database (aka SPD) setting.  In IPsec,
  /// an essential element of Security Association (SA) processing is
  /// underlying SPD that specifies what services are to be offered to
  /// IP datagram and in what fashion. The SPD must be consulted
  /// during the processing of all traffic (inbound and outbound),
  /// including traffic not protected by IPsec, that traverses the IPsec
  /// boundary. With this DataType, SetData() function is to set
  /// the SPD entry information, which may add one new entry, delete
  /// one existed entry or flush the whole database according to the
  /// parameter values. The corresponding Data is of type
  /// EFI_IPSEC_SPD_DATA
  ///
  IPsecConfigDataTypeSpd,
  ///
  /// The IPsec Security Association Database (aka SAD) setting. A
  /// SA is a simplex connection that affords security services to the
  /// traffic carried by it. Security services are afforded to an SA by the
  /// use of AH, or ESP, but not both. The corresponding Data is of
  /// type EFI_IPSEC_SAD_DATA.
  ///
  IPsecConfigDataTypeSad,
  ///
  /// The IPsec Peer Authorization Database (aka PAD) setting, which
  /// provides the link between the SPD and a security association
  /// management protocol. The PAD entry specifies the
  /// authentication protocol (e.g. IKEv1, IKEv2) method used and the
  /// authentication data. The corresponding Data is of type
  /// EFI_IPSEC_PAD_DATA.
  ///
  IPsecConfigDataTypePad,
  IPsecConfigDataTypeMaximum
} EFI_IPSEC_CONFIG_DATA_TYPE;

///
/// EFI_IP_ADDRESS_INFO
///
typedef struct _EFI_IP_ADDRESS_INFO {
  EFI_IP_ADDRESS    Address;      ///< The IPv4 or IPv6 address
  UINT8             PrefixLength; ///< The length of the prefix associated with the Address.
} EFI_IP_ADDRESS_INFO;

///
/// EFI_IPSEC_SPD_SELECTOR
///
typedef struct _EFI_IPSEC_SPD_SELECTOR {
  ///
  /// Specifies the actual number of entries in LocalAddress.
  ///
  UINT32                 LocalAddressCount;
  ///
  /// A list of ranges of IPv4 or IPv6 addresses, which refers to the
  /// addresses being protected by IPsec policy.
  ///
  EFI_IP_ADDRESS_INFO    *LocalAddress;
  ///
  /// Specifies the actual number of entries in RemoteAddress.
  ///
  UINT32                 RemoteAddressCount;
  ///
  /// A list of ranges of IPv4 or IPv6 addresses, which are peer entities
  /// to LocalAddress.
  ///
  EFI_IP_ADDRESS_INFO    *RemoteAddress;
  ///
  /// Next layer protocol. Obtained from the IPv4 Protocol or the IPv6
  /// Next Header fields. The next layer protocol is whatever comes
  /// after any IP extension headers that are present. A zero value is a
  /// wildcard that matches any value in NextLayerProtocol field.
  ///
  UINT16                 NextLayerProtocol;
  ///
  /// Local Port if the Next Layer Protocol uses two ports (as do TCP,
  /// UDP, and others). A zero value is a wildcard that matches any
  /// value in LocalPort field.
  ///
  UINT16                 LocalPort;
  ///
  /// A designed port range size. The start port is LocalPort, and
  /// the total number of ports is described by LocalPortRange.
  /// This field is ignored if NextLayerProtocol does not use
  /// ports.
  ///
  UINT16                 LocalPortRange;
  ///
  /// Remote Port if the Next Layer Protocol uses two ports. A zero
  /// value is a wildcard that matches any value in RemotePort field.
  ///
  UINT16                 RemotePort;
  ///
  /// A designed port range size. The start port is RemotePort, and
  /// the total number of ports is described by RemotePortRange.
  /// This field is ignored if NextLayerProtocol does not use ports.
  ///
  UINT16                 RemotePortRange;
} EFI_IPSEC_SPD_SELECTOR;

///
/// EFI_IPSEC_TRAFFIC_DIR
/// represents the directionality in an SPD entry.
///
typedef enum {
  ///
  /// The EfiIPsecInBound refers to traffic entering an IPsec implementation via
  /// the unprotected interface or emitted by the implementation on the unprotected
  /// side of the boundary and directed towards the protected interface.
  ///
  EfiIPsecInBound,
  ///
  /// The EfiIPsecOutBound refers to traffic entering the implementation via
  /// the protected interface, or emitted by the implementation on the protected side
  /// of the boundary and directed toward the unprotected interface.
  ///
  EfiIPsecOutBound
} EFI_IPSEC_TRAFFIC_DIR;

///
/// EFI_IPSEC_ACTION
/// represents three possible processing choices.
///
typedef enum {
  ///
  /// Refers to traffic that is not allowed to traverse the IPsec boundary.
  ///
  EfiIPsecActionDiscard,
  ///
  /// Refers to traffic that is allowed to cross the IPsec boundary
  /// without protection.
  ///
  EfiIPsecActionBypass,
  ///
  /// Refers to traffic that is afforded IPsec protection, and for such
  /// traffic the SPD must specify the security protocols to be
  /// employed, their mode, security service options, and the
  /// cryptographic algorithms to be used.
  ///
  EfiIPsecActionProtect
} EFI_IPSEC_ACTION;

///
/// EFI_IPSEC_SA_LIFETIME
/// defines the lifetime of an SA, which represents when a SA must be
/// replaced or terminated. A value of all 0 for each field removes
/// the limitation of a SA lifetime.
///
typedef struct _EFI_IPSEC_SA_LIFETIME {
  ///
  /// The number of bytes to which the IPsec cryptographic algorithm
  /// can be applied. For ESP, this is the encryption algorithm and for
  /// AH, this is the authentication algorithm. The ByteCount
  /// includes pad bytes for cryptographic operations.
  ///
  UINT64    ByteCount;
  ///
  /// A time interval in second that warns the implementation to
  /// initiate action such as setting up a replacement SA.
  ///
  UINT64    SoftLifetime;
  ///
  /// A time interval in second when the current SA ends and is
  /// destroyed.
  ///
  UINT64    HardLifetime;
} EFI_IPSEC_SA_LIFETIME;

///
/// EFI_IPSEC_MODE
/// There are two modes of IPsec operation: transport mode and tunnel mode. In
/// EfiIPsecTransport mode, AH and ESP provide protection primarily for next layer protocols;
/// In EfiIPsecTunnel mode, AH and ESP are applied to tunneled IP packets.
///
typedef enum {
  EfiIPsecTransport,
  EfiIPsecTunnel
} EFI_IPSEC_MODE;

///
/// EFI_IPSEC_TUNNEL_DF_OPTION
/// The option of copying the DF bit from an outbound package to
/// the tunnel mode header that it emits, when traffic is carried
/// via a tunnel mode SA. This applies to SAs where both inner and
/// outer headers are IPv4.
///
typedef enum {
  EfiIPsecTunnelClearDf,  ///< Clear DF bit from inner header.
  EfiIPsecTunnelSetDf,    ///< Set DF bit from inner header.
  EfiIPsecTunnelCopyDf    ///< Copy DF bit from inner header.
} EFI_IPSEC_TUNNEL_DF_OPTION;

///
/// EFI_IPSEC_TUNNEL_OPTION
///
typedef struct _EFI_IPSEC_TUNNEL_OPTION {
  ///
  /// Local tunnel address when IPsec mode is EfiIPsecTunnel.
  ///
  EFI_IP_ADDRESS                LocalTunnelAddress;
  ///
  /// Remote tunnel address when IPsec mode is EfiIPsecTunnel.
  ///
  EFI_IP_ADDRESS                RemoteTunnelAddress;
  ///
  /// The option of copying the DF bit from an outbound package
  /// to the tunnel mode header that it emits, when traffic is
  /// carried via a tunnel mode SA.
  ///
  EFI_IPSEC_TUNNEL_DF_OPTION    DF;
} EFI_IPSEC_TUNNEL_OPTION;

///
/// EFI_IPSEC_PROTOCOL_TYPE
///
typedef enum {
  EfiIPsecAH,  ///< IP Authentication Header protocol which is specified in RFC 4302.
  EfiIPsecESP  ///< IP Encapsulating Security Payload which is specified in RFC 4303.
} EFI_IPSEC_PROTOCOL_TYPE;

///
/// EFI_IPSEC_PROCESS_POLICY
/// describes a policy list for traffic processing.
///
typedef struct _EFI_IPSEC_PROCESS_POLICY {
  ///
  /// Extended Sequence Number. Is this SA using extended sequence
  /// numbers. 64 bit counter is used if TRUE.
  ///
  BOOLEAN                    ExtSeqNum;
  ///
  /// A flag indicating whether overflow of the sequence number
  /// counter should generate an auditable event and prevent
  /// transmission of additional packets on the SA, or whether rollover
  /// is permitted.
  ///
  BOOLEAN                    SeqOverflow;
  ///
  /// Is this SA using stateful fragment checking. TRUE represents
  /// stateful fragment checking.
  ///
  BOOLEAN                    FragCheck;
  ///
  /// A time interval after which a SA must be replaced with a new SA
  /// (and new SPI) or terminated.
  ///
  EFI_IPSEC_SA_LIFETIME      SaLifetime;
  ///
  /// IPsec mode: tunnel or transport.
  ///
  EFI_IPSEC_MODE             Mode;
  ///
  /// Tunnel Option. TunnelOption is ignored if Mode is EfiIPsecTransport.
  ///
  EFI_IPSEC_TUNNEL_OPTION    *TunnelOption;
  ///
  /// IPsec protocol: AH or ESP
  ///
  EFI_IPSEC_PROTOCOL_TYPE    Proto;
  ///
  /// Cryptographic algorithm type used for authentication.
  ///
  UINT8                      AuthAlgoId;
  ///
  /// Cryptographic algorithm type used for encryption. EncAlgo is
  /// NULL when IPsec protocol is AH. For ESP protocol, EncAlgo
  /// can also be used to describe the algorithm if a combined mode
  /// algorithm is used.
  ///
  UINT8                      EncAlgoId;
} EFI_IPSEC_PROCESS_POLICY;

///
/// EFI_IPSEC_SA_ID
/// A triplet to identify an SA, consisting of the following members.
///
typedef struct _EFI_IPSEC_SA_ID {
  ///
  /// Security Parameter Index (aka SPI).  An arbitrary 32-bit value
  /// that is used by a receiver to identity the SA to which an incoming
  /// package should be bound.
  ///
  UINT32                     Spi;
  ///
  /// IPsec protocol: AH or ESP
  ///
  EFI_IPSEC_PROTOCOL_TYPE    Proto;
  ///
  /// Destination IP address.
  ///
  EFI_IP_ADDRESS             DestAddress;
} EFI_IPSEC_SA_ID;

#define MAX_PEERID_LEN  128

///
/// EFI_IPSEC_SPD_DATA
///
typedef struct _EFI_IPSEC_SPD_DATA {
  ///
  /// A null-terminated ASCII name string which is used as a symbolic
  /// identifier for an IPsec Local or Remote address.
  ///
  UINT8    Name[MAX_PEERID_LEN];
  ///
  /// Bit-mapped list describing Populate from Packet flags. When
  /// creating a SA, if PackageFlag bit is set to TRUE, instantiate
  /// the selector from the corresponding field in the package that
  /// triggered the creation of the SA, else from the value(s) in the
  /// corresponding SPD entry. The PackageFlag bit setting for
  /// corresponding selector field of EFI_IPSEC_SPD_SELECTOR:
  ///     Bit 0: EFI_IPSEC_SPD_SELECTOR.LocalAddress
  ///     Bit 1: EFI_IPSEC_SPD_SELECTOR.RemoteAddress
  ///     Bit 2:
  /// EFI_IPSEC_SPD_SELECTOR.NextLayerProtocol
  ///     Bit 3: EFI_IPSEC_SPD_SELECTOR.LocalPort
  ///     Bit 4: EFI_IPSEC_SPD_SELECTOR.RemotePort
  ///     Others: Reserved.
  ///
  UINT32                      PackageFlag;
  ///
  /// The traffic direction of data gram.
  ///
  EFI_IPSEC_TRAFFIC_DIR       TrafficDirection;
  ///
  /// Processing choices to indicate which action is required by this
  /// policy.
  ///
  EFI_IPSEC_ACTION            Action;
  ///
  /// The policy and rule information for a SPD entry.
  ///
  EFI_IPSEC_PROCESS_POLICY    *ProcessingPolicy;
  ///
  /// Specifies the actual number of entries in SaId list.
  ///
  UINTN                       SaIdCount;
  ///
  /// The SAD entry used for the traffic processing. The
  /// existed SAD entry links indicate this is the manual key case.
  ///
  EFI_IPSEC_SA_ID             SaId[1];
} EFI_IPSEC_SPD_DATA;

///
/// EFI_IPSEC_AH_ALGO_INFO
/// The security algorithm selection for IPsec AH authentication.
/// The required authentication algorithm is specified in RFC 4305.
///
typedef struct _EFI_IPSEC_AH_ALGO_INFO {
  UINT8    AuthAlgoId;
  UINTN    AuthKeyLength;
  VOID     *AuthKey;
} EFI_IPSEC_AH_ALGO_INFO;

///
/// EFI_IPSEC_ESP_ALGO_INFO
/// The security algorithm selection for IPsec ESP encryption and authentication.
/// The required authentication algorithm is specified in RFC 4305.
/// EncAlgoId fields can also specify an ESP combined mode algorithm
/// (e.g. AES with CCM mode, specified in RFC 4309), which provides both
/// confidentiality and authentication services.
///
typedef struct _EFI_IPSEC_ESP_ALGO_INFO {
  UINT8    EncAlgoId;
  UINTN    EncKeyLength;
  VOID     *EncKey;
  UINT8    AuthAlgoId;
  UINTN    AuthKeyLength;
  VOID     *AuthKey;
} EFI_IPSEC_ESP_ALGO_INFO;

///
/// EFI_IPSEC_ALGO_INFO
///
typedef union {
  EFI_IPSEC_AH_ALGO_INFO     AhAlgoInfo;
  EFI_IPSEC_ESP_ALGO_INFO    EspAlgoInfo;
} EFI_IPSEC_ALGO_INFO;

///
/// EFI_IPSEC_SA_DATA
///
typedef struct _EFI_IPSEC_SA_DATA {
  ///
  /// IPsec mode: tunnel or transport.
  ///
  EFI_IPSEC_MODE            Mode;
  ///
  /// Sequence Number Counter. A 64-bit counter used to generate the
  /// sequence number field in AH or ESP headers.
  ///
  UINT64                    SNCount;
  ///
  /// Anti-Replay Window. A 64-bit counter and a bit-map used to
  /// determine whether an inbound AH or ESP packet is a replay.
  ///
  UINT8                     AntiReplayWindows;
  ///
  /// AH/ESP cryptographic algorithm, key and parameters.
  ///
  EFI_IPSEC_ALGO_INFO       AlgoInfo;
  ///
  /// Lifetime of this SA.
  ///
  EFI_IPSEC_SA_LIFETIME     SaLifetime;
  ///
  /// Any observed path MTU and aging variables. The Path MTU
  /// processing is defined in section 8 of RFC 4301.
  ///
  UINT32                    PathMTU;
  ///
  /// Link to one SPD entry.
  ///
  EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
  ///
  /// Indication of whether it's manually set or negotiated automatically.
  /// If ManualSet is FALSE, the corresponding SA entry is inserted through
  /// IKE protocol negotiation.
  ///
  BOOLEAN                   ManualSet;
} EFI_IPSEC_SA_DATA;

///
/// EFI_IPSEC_SA_DATA2
///
typedef struct _EFI_IPSEC_SA_DATA2 {
  ///
  /// IPsec mode: tunnel or transport
  ///
  EFI_IPSEC_MODE            Mode;
  ///
  /// Sequence Number Counter. A 64-bit counter used to generate the sequence
  /// number field in AH or ESP headers.
  ///
  UINT64                    SNCount;
  ///
  /// Anti-Replay Window. A 64-bit counter and a bit-map used to determine
  /// whether an inbound AH or ESP packet is a replay.
  ///
  UINT8                     AntiReplayWindows;
  ///
  /// AH/ESP cryptographic algorithm, key and parameters.
  ///
  EFI_IPSEC_ALGO_INFO       AlgoInfo;
  ///
  /// Lifetime of this SA.
  ///
  EFI_IPSEC_SA_LIFETIME     SaLifetime;
  ///
  /// Any observed path MTU and aging variables. The Path MTU processing is
  /// defined in section 8 of RFC 4301.
  ///
  UINT32                    PathMTU;
  ///
  /// Link to one SPD entry
  ///
  EFI_IPSEC_SPD_SELECTOR    *SpdSelector;
  ///
  /// Indication of whether it's manually set or negotiated automatically.
  /// If ManualSet is FALSE, the corresponding SA entry is inserted through IKE
  /// protocol negotiation
  ///
  BOOLEAN                   ManualSet;
  ///
  /// The tunnel header IP source address.
  ///
  EFI_IP_ADDRESS            TunnelSourceAddress;
  ///
  /// The tunnel header IP destination address.
  ///
  EFI_IP_ADDRESS            TunnelDestinationAddress;
} EFI_IPSEC_SA_DATA2;

///
/// EFI_IPSEC_PAD_ID
/// specifies the identifier for PAD entry, which is also used for SPD lookup.
/// IpAddress Pointer to the IPv4 or IPv6 address range.
///
typedef struct _EFI_IPSEC_PAD_ID {
  ///
  /// Flag to identify which type of PAD Id is used.
  ///
  BOOLEAN    PeerIdValid;
  union {
    ///
    /// Pointer to the IPv4 or IPv6 address range.
    ///
    EFI_IP_ADDRESS_INFO    IpAddress;
    ///
    /// Pointer to a null terminated ASCII string
    /// representing the symbolic names. A PeerId can be a DNS
    /// name, Distinguished Name, RFC 822 email address or Key ID
    /// (specified in section 4.4.3.1 of RFC 4301)
    ///
    UINT8                  PeerId[MAX_PEERID_LEN];
  } Id;
} EFI_IPSEC_PAD_ID;

///
/// EFI_IPSEC_CONFIG_SELECTOR
/// describes the expected IPsec configuration data selector
/// of type EFI_IPSEC_CONFIG_DATA_TYPE.
///
typedef union {
  EFI_IPSEC_SPD_SELECTOR    SpdSelector;
  EFI_IPSEC_SA_ID           SaId;
  EFI_IPSEC_PAD_ID          PadId;
} EFI_IPSEC_CONFIG_SELECTOR;

///
/// EFI_IPSEC_AUTH_PROTOCOL_TYPE
/// defines the possible authentication protocol for IPsec
/// security association management.
///
typedef enum {
  EfiIPsecAuthProtocolIKEv1,
  EfiIPsecAuthProtocolIKEv2,
  EfiIPsecAuthProtocolMaximum
} EFI_IPSEC_AUTH_PROTOCOL_TYPE;

///
/// EFI_IPSEC_AUTH_METHOD
///
typedef enum {
  ///
  /// Using Pre-shared Keys for manual security associations.
  ///
  EfiIPsecAuthMethodPreSharedSecret,
  ///
  /// IKE employs X.509 certificates for SA establishment.
  ///
  EfiIPsecAuthMethodCertificates,
  EfiIPsecAuthMethodMaximum
} EFI_IPSEC_AUTH_METHOD;

///
/// EFI_IPSEC_PAD_DATA
///
typedef struct _EFI_IPSEC_PAD_DATA {
  ///
  /// Authentication Protocol for IPsec security association  management.
  ///
  EFI_IPSEC_AUTH_PROTOCOL_TYPE    AuthProtocol;
  ///
  /// Authentication method used.
  ///
  EFI_IPSEC_AUTH_METHOD           AuthMethod;
  ///
  /// The IKE ID payload will be used as a symbolic name for SPD
  /// lookup if IkeIdFlag is TRUE. Otherwise, the remote IP
  /// address provided in traffic selector playloads will be used.
  ///
  BOOLEAN                         IkeIdFlag;
  ///
  /// The size of Authentication data buffer, in bytes.
  ///
  UINTN                           AuthDataSize;
  ///
  /// Buffer for Authentication data, (e.g., the pre-shared secret or the
  /// trust anchor relative to which the peer's certificate will be
  /// validated).
  ///
  VOID                            *AuthData;
  ///
  /// The size of RevocationData, in bytes
  ///
  UINTN                           RevocationDataSize;
  ///
  /// Pointer to CRL or OCSP data, if certificates are used for
  /// authentication method.
  ///
  VOID                            *RevocationData;
} EFI_IPSEC_PAD_DATA;

/**
  Set the security association, security policy and peer authorization configuration
  information for the EFI IPsec driver.

  This function is used to set the IPsec configuration information of type DataType for
  the EFI IPsec driver.
  The IPsec configuration data has a unique selector/identifier separately to identify
  a data entry. The selector structure depends on DataType's definition.
  Using SetData() with a Data of NULL causes the IPsec configuration data entry identified
  by DataType and Selector to be deleted.

  @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in] DataType           The type of data to be set.
  @param[in] Selector           Pointer to an entry selector on operated configuration data
                                specified by DataType. A NULL Selector causes the entire
                                specified-type configuration information to be flushed.
  @param[in] Data               The data buffer to be set. The structure of the data buffer is
                                associated with the DataType.
  @param[in] InsertBefore       Pointer to one entry selector which describes the expected
                                position the new data entry will be added. If InsertBefore is NULL,
                                the new entry will be appended the end of database.

  @retval EFI_SUCCESS           The specified configuration entry data is set successfully.
  @retval EFI_INVALID_PARAMETER One or more of the following are TRUE:
                                - This is NULL.
  @retval EFI_UNSUPPORTED       The specified DataType is not supported.
  @retval EFI_OUT_OF_RESOURCED  The required system resource could not be allocated.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_SET_DATA)(
  IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
  IN EFI_IPSEC_CONFIG_SELECTOR        *Selector,
  IN VOID                             *Data,
  IN EFI_IPSEC_CONFIG_SELECTOR        *InsertBefore   OPTIONAL
  );

/**
  Return the configuration value for the EFI IPsec driver.

  This function lookup the data entry from IPsec database or IKEv2 configuration
  information. The expected data type and unique identification are described in
  DataType and Selector parameters.

  @param[in]      This          Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in]      DataType      The type of data to retrieve.
  @param[in]      Selector      Pointer to an entry selector which is an identifier of the IPsec
                                configuration data entry.
  @param[in, out] DataSize      On output the size of data returned in Data.
  @param[out]     Data          The buffer to return the contents of the IPsec configuration data.
                                The type of the data buffer is associated with the DataType.

  @retval EFI_SUCCESS           The specified configuration data is got successfully.
  @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
                                - This is NULL.
                                - Selector is NULL.
                                - DataSize is NULL.
                                - Data is NULL and *DataSize is not zero
  @retval EFI_NOT_FOUND         The configuration data specified by Selector is not found.
  @retval EFI_UNSUPPORTED       The specified DataType is not supported.
  @retval EFI_BUFFER_TOO_SMALL  The DataSize is too small for the result. DataSize has been
                                updated with the size needed to complete the request.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_GET_DATA)(
  IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
  IN EFI_IPSEC_CONFIG_SELECTOR        *Selector,
  IN OUT UINTN                        *DataSize,
  OUT VOID                            *Data
  );

/**
  Enumerates the current selector for IPsec configuration data entry.

  This function is called multiple times to retrieve the entry Selector in IPsec
  configuration database. On each call to GetNextSelector(), the next entry
  Selector are retrieved into the output interface.

  If the entire IPsec configuration database has been iterated, the error
  EFI_NOT_FOUND is returned.
  If the Selector buffer is too small for the next Selector copy, an
  EFI_BUFFER_TOO_SMALL error is returned, and SelectorSize is updated to reflect
  the size of buffer needed.

  On the initial call to GetNextSelector() to start the IPsec configuration database
  search, a pointer to the buffer with all zero value is passed in Selector. Calls
  to SetData() between calls to GetNextSelector may produce unpredictable results.

  @param[in]      This          Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in]      DataType      The type of IPsec configuration data to retrieve.
  @param[in, out] SelectorSize  The size of the Selector buffer.
  @param[in, out] Selector      On input, supplies the pointer to last Selector that was
                                returned by GetNextSelector().
                                On output, returns one copy of the current entry Selector
                                of a given DataType.

  @retval EFI_SUCCESS           The specified configuration data is got successfully.
  @retval EFI_INVALID_PARAMETER One or more of the followings are TRUE:
                                - This is NULL.
                                - SelectorSize is NULL.
                                - Selector is NULL.
  @retval EFI_NOT_FOUND         The next configuration data entry was not found.
  @retval EFI_UNSUPPORTED       The specified DataType is not supported.
  @retval EFI_BUFFER_TOO_SMALL  The SelectorSize is too small for the result. This parameter
                                has been updated with the size needed to complete the search
                                request.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR)(
  IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
  IN OUT UINTN                        *SelectorSize,
  IN OUT EFI_IPSEC_CONFIG_SELECTOR    *Selector
  );

/**
  Register an event that is to be signaled whenever a configuration process on the
  specified IPsec configuration information is done.

  This function registers an event that is to be signaled whenever a configuration
  process on the specified IPsec configuration data is done (e.g. IPsec security
  policy database configuration is ready). An event can be registered for different
  DataType simultaneously and the caller is responsible for determining which type
  of configuration data causes the signaling of the event in such case.

  @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in] DataType           The type of data to be registered the event for.
  @param[in] Event              The event to be registered.

  @retval EFI_SUCCESS           The event is registered successfully.
  @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
  @retval EFI_ACCESS_DENIED     The Event is already registered for the DataType.
  @retval EFI_UNSUPPORTED       The notify registration unsupported or the specified
                                DataType is not supported.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_REGISTER_NOTIFY)(
  IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
  IN EFI_EVENT                        Event
  );

/**
  Remove the specified event that is previously registered on the specified IPsec
  configuration data.

  This function removes a previously registered event for the specified configuration data.

  @param[in] This               Pointer to the EFI_IPSEC_CONFIG_PROTOCOL instance.
  @param[in] DataType           The configuration data type to remove the registered event for.
  @param[in] Event              The event to be unregistered.

  @retval EFI_SUCCESS           The event is removed successfully.
  @retval EFI_NOT_FOUND         The Event specified by DataType could not be found in the
                                database.
  @retval EFI_INVALID_PARAMETER This is NULL or Event is NULL.
  @retval EFI_UNSUPPORTED       The notify registration unsupported or the specified
                                DataType is not supported.

**/
typedef
EFI_STATUS
(EFIAPI *EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY)(
  IN EFI_IPSEC_CONFIG_PROTOCOL        *This,
  IN EFI_IPSEC_CONFIG_DATA_TYPE       DataType,
  IN EFI_EVENT                        Event
  );

///
/// EFI_IPSEC_CONFIG_PROTOCOL
/// provides the ability to set and lookup the IPsec SAD (Security Association Database),
/// SPD (Security Policy Database) data entry and configure the security association
/// management protocol such as IKEv2. This protocol is used as the central
/// repository of any policy-specific configuration for EFI IPsec driver.
/// EFI_IPSEC_CONFIG_PROTOCOL can be bound to both IPv4 and IPv6 stack. User can use this
/// protocol for IPsec configuration in both IPv4 and IPv6 environment.
///
struct _EFI_IPSEC_CONFIG_PROTOCOL {
  EFI_IPSEC_CONFIG_SET_DATA             SetData;
  EFI_IPSEC_CONFIG_GET_DATA             GetData;
  EFI_IPSEC_CONFIG_GET_NEXT_SELECTOR    GetNextSelector;
  EFI_IPSEC_CONFIG_REGISTER_NOTIFY      RegisterDataNotify;
  EFI_IPSEC_CONFIG_UNREGISTER_NOTIFY    UnregisterDataNotify;
};

extern EFI_GUID  gEfiIpSecConfigProtocolGuid;

#endif