  1/* SPDX-License-Identifier: GPL-2.0+ */
  2/*
  3 * MACsec netdev header, used for h/w accelerated implementations.
  4 *
  5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
  6 */
  7#ifndef _NET_MACSEC_H_
  8#define _NET_MACSEC_H_
  9
 10#include <linux/u64_stats_sync.h>
 11#include <uapi/linux/if_link.h>
 12#include <uapi/linux/if_macsec.h>
 13
/*
 * Packet number (PN) width in bytes: 32-bit PN for the default cipher
 * suites, 64-bit extended PN for the XPN cipher suites.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/* Salt length (bytes); matches the packed layout of salt_t below. */
#define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/*
 * Secure Channel Identifier (64-bit) and Short SCI (32-bit).
 * __bitwise makes them opaque to sparse so they cannot be mixed with
 * plain integers without an explicit cast.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
 22
/*
 * XPN salt: a 32-bit SSCI followed by a 64-bit PN, packed so the struct
 * view is exactly MACSEC_SALT_LEN (12) bytes and aliases @bytes one-to-one.
 * NOTE(review): the byte order of @ssci/@pn inside the packed struct is the
 * host's; confirm against the IV construction in the code that uses this.
 */
typedef union salt {
	struct {
		u32 ssci;	/* short SCI */
		u64 pn;		/* packet number */
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];	/* raw view of the same 12 bytes */
} __packed salt_t;
 30
/*
 * Packet number viewed either as a single 64-bit value or as two 32-bit
 * halves. The #if below orders the halves by host endianness so that
 * @lower always aliases the low-order 32 bits of @full64 and @upper the
 * high-order 32 bits; a build on an unknown byte order fails instead of
 * silently mis-aliasing.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error	"Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
 45
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 *
 * Only the key identifier is kept here in the clear; the key material
 * itself lives inside the AEAD transform referenced by @tfm.
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
 57
/*
 * Per receive-SC counters; the member names mirror the IEEE 802.1AE
 * SecY receive statistics. All counters are 64-bit.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
 70
/*
 * Per receive-SA counters (32-bit, unlike the 64-bit per-SC counters).
 * Same naming as the corresponding members of struct macsec_rx_sc_stats.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
 78
/* Per transmit-SA counters (32-bit). */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
 83
/*
 * Per transmit-SC counters (64-bit): packets and octets that were
 * integrity-protected only, and those that were also encrypted.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
 90
/*
 * Device-wide (SecY-level) counters for frames that never reached an SC:
 * untagged, badly tagged, unknown/absent SCI, oversized, or dropped on
 * overrun. These are the counters a receiver's tag-validation policy
 * (see macsec_secy.validate_frames) feeds.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
101
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count on this SA
 * @active: whether this SA is currently active
 * @stats: per-SA stats
 * @sc: back-pointer to the receive SC this SA is attached to
 * @rcu: RCU head used to defer freeing the SA
 *
 * @next_pn is the replay-protection state for this SA; anything that reads
 * or advances it must hold @lock.
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
125
/* Per-CPU receive-SC counters; @syncp lets readers fetch the 64-bit values consistently. */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
130
/* Per-CPU transmit-SC counters; @syncp lets readers fetch the 64-bit values consistently. */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
135
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected list (see macsec_secy.rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head used to defer freeing the SC
 *
 * @sa entries are RCU-protected pointers; dereference them under RCU.
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
152
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count on this SA
 * @active: whether this SA is currently active
 * @stats: per-SA stats
 * @rcu: RCU head used to defer freeing the SA
 *
 * Allocating a PN for transmission must be done under @lock so that no
 * two frames are ever protected with the same @next_pn value.
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
175
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: End Station flag (NOTE(review): presumably the ES bit of
 *	the SecTAG TCI, alongside @scb and @send_sci; confirm in the code
 *	that builds the tag)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 *
 * @encoding_sa selects which @sa entry protects outgoing frames; it must
 * stay below MACSEC_NUM_AN.
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};
197
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum from the uapi header)
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 *
 * Notes: @replay_window only has an effect when @replay_protect is set
 * (presumably; confirm against the receive path). With @xpn set the
 * per-SA packet numbers are 64-bit; otherwise only the lower 32 bits
 * are meaningful (see pn_t).
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
229
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: net device performing the offload
 * @phydev: PHY device performing the offload
 * @offload: offload type in use; NOTE(review): presumably selects which
 *	of @netdev/@phydev is the valid union member, confirm in the callers
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to (when relevant)
 * @sa: SA being operated on: @sa.assoc_num is its association number,
 *	@sa.key its identifier, and @sa.rx_sa/@sa.tx_sa the SA object
 * @stats: destination for the matching mdo_get_*_stats callback (presumably;
 *	only one union member is valid per call)
 * @prepare: NOTE(review): undocumented here; looks like a prepare-vs-commit
 *	phase flag for the offload operation, confirm against the call sites
 *
 * NOTE(review): @sa.key is sized by MACSEC_KEYID_LEN, the same length as
 * macsec_key.id, so it appears to carry the key identifier rather than the
 * key material; confirm before treating it as secret or as raw key bytes.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_KEYID_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats  *dev_stats;
	} stats;

	u8 prepare:1;
};
260
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide: enable offloading on the device
 * @mdo_dev_stop: device-wide: disable offloading on the device
 * @mdo_add_secy: add the SecY in @ctx to the hardware
 * @mdo_upd_secy: update the SecY in @ctx
 * @mdo_del_secy: remove the SecY in @ctx
 * @mdo_add_rxsc: add the receive SC in @ctx
 * @mdo_upd_rxsc: update the receive SC in @ctx
 * @mdo_del_rxsc: remove the receive SC in @ctx
 * @mdo_add_rxsa: add the receive SA in @ctx->sa
 * @mdo_upd_rxsa: update the receive SA in @ctx->sa
 * @mdo_del_rxsa: remove the receive SA in @ctx->sa
 * @mdo_add_txsa: add the transmit SA in @ctx->sa
 * @mdo_upd_txsa: update the transmit SA in @ctx->sa
 * @mdo_del_txsa: remove the transmit SA in @ctx->sa
 * @mdo_get_dev_stats: fill @ctx->stats.dev_stats
 * @mdo_get_tx_sc_stats: fill @ctx->stats.tx_sc_stats
 * @mdo_get_tx_sa_stats: fill @ctx->stats.tx_sa_stats
 * @mdo_get_rx_sc_stats: fill @ctx->stats.rx_sc_stats
 * @mdo_get_rx_sa_stats: fill @ctx->stats.rx_sa_stats
 *
 * Every callback receives the same &struct macsec_context describing the
 * object to act on. Return convention is not stated in this header;
 * NOTE(review): presumably 0 on success and a negative errno on failure,
 * confirm against the core's use of these ops. Which stats member a
 * get-callback fills is inferred from the name; verify in a driver.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
290
/*
 * macsec_pn_wrapped - notify the core about a packet-number wrap on @tx_sa
 * @secy: SecY owning the transmit SA
 * @tx_sa: transmit SA whose packet number has wrapped
 *
 * NOTE(review): the contract is not visible in this header; the name and
 * arguments suggest an offloading driver calls this when @tx_sa's PN space
 * is exhausted so the core can stop using the SA (reusing a PN under the
 * same key would break the AEAD's security). Confirm in the implementation.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
292
293#endif /* _NET_MACSEC_H_ */