  1/* SPDX-License-Identifier: GPL-2.0+ */
  2/*
  3 * MACsec netdev header, used for h/w accelerated implementations.
  4 *
  5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
  6 */
  7#ifndef _NET_MACSEC_H_
  8#define _NET_MACSEC_H_
  9
 10#include <linux/u64_stats_sync.h>
 11#include <uapi/linux/if_link.h>
 12#include <uapi/linux/if_macsec.h>
 13
/* Size of a packet number in bytes: 32-bit by default, 64-bit with XPN cipher suites */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

#define MACSEC_SCI_LEN 8
/* Port identifier used in an end station's SCI, already in network byte order */
#define MACSEC_PORT_ES (htons(0x0001))

/*
 * SecTAG TCI byte: flag bits in the upper six bits, association number in
 * the low two (MACSEC_AN_MASK).
 */
#define MACSEC_TCI_VERSION 0x80 /* version bit (0 in IEEE 802.1AE) */
#define MACSEC_TCI_ES      0x40 /* end station */
#define MACSEC_TCI_SC      0x20 /* SCI present */
#define MACSEC_TCI_SCB     0x10 /* epon */
#define MACSEC_TCI_E       0x08 /* encryption */
#define MACSEC_TCI_C       0x04 /* changed text */
#define MACSEC_AN_MASK     0x03 /* association number */
#define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C) /* both bits set: frame is encrypted, not just authenticated */

/* ICV (integrity check value) length in bytes; 16 is the GCM authentication tag size */
#define MACSEC_DEFAULT_ICV_LEN 16
 32
/*
 * Secure channel identifier (SCI) and short SCI (SSCI).  __bitwise makes
 * sparse treat them as opaque types, so a plain u64/u32 cannot be assigned
 * or compared without an explicit cast; the byte order of the stored value
 * is not fixed by this header.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;

/* Only referenced by pointer here (macsec_tx_sc::md_dst), so no full definition needed. */
struct metadata_dst;
 37
/*
 * XPN salt: the raw MACSEC_SALT_LEN bytes supplied with the key, also viewed
 * as an (ssci, pn) pair.  Both the inner struct and the union are packed so
 * the two views overlay byte for byte with no padding.
 * NOTE(review): this relies on MACSEC_SALT_LEN == sizeof(u32) + sizeof(u64);
 * a static_assert next to the typedef would pin that.  How the pair is
 * combined with the salt when the IV is derived is not visible here --
 * confirm against the IV derivation in the software implementation.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
 45
/*
 * 64-bit packet number with named access to its two 32-bit halves.  The
 * order of @lower/@upper follows the host's bitfield endianness so that they
 * alias the low/high words of @full64; the build fails if neither byteorder
 * macro is defined.  NOTE(review): the split view presumably exists because
 * XPN carries only the low 32 bits of the PN on the wire -- that is spec
 * knowledge, not something this header shows.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error	"Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
 60
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes); an identifier,
 *	not the key material
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 *
 * The key bytes themselves are held only by the AEAD transform in @tfm, not
 * by this struct.  With XPN the IV is presumably derived from @salt together
 * with the SSCI and PN, so a PN must never repeat under the same key --
 * nonce reuse under GCM voids both confidentiality and integrity; see
 * macsec_pn_wrapped().
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
 72
/*
 * Per-receive-SC counters, named after the IEEE 802.1AE SecY MIB objects.
 * These are 64-bit; readers should take the u64_stats_sync seqcount kept
 * alongside them in struct pcpu_rx_sc_stats for a consistent snapshot.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
 85
/*
 * Per-receive-SA counters (32-bit, unlike the per-SC ones), named after the
 * IEEE 802.1AE SecY MIB objects.  The SA-level InPktsInvalid/NotValid
 * counters are the ones that reveal integrity failures on a specific SA.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
 93
/* Per-transmit-SA counters (32-bit), named after the IEEE 802.1AE SecY MIB objects. */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
 98
/*
 * Per-transmit-SC counters (64-bit), named after the IEEE 802.1AE SecY MIB
 * objects; read under the u64_stats_sync seqcount of struct pcpu_tx_sc_stats.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
105
/*
 * Device-wide (SecY-level) counters, named after the IEEE 802.1AE SecY MIB
 * objects.  InPktsNoTag/BadTag/UnknownSCI/NoSCI count frames rejected before
 * any SA lookup, so they are the first place to look when a peer is sending
 * unexpected or malformed tags.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
116
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as a pn_t (same storage, anonymous union)
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn is the state replay protection is built on; read and update it
 * only under @lock, otherwise a torn or stale value can let a replayed PN
 * through or reject a valid one.
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
140
/*
 * Per-CPU receive-SC counters paired with a u64_stats_sync seqcount so the
 * 64-bit values can be read consistently (u64_stats_fetch_begin/retry).
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
145
/*
 * Per-CPU transmit-SC counters paired with a u64_stats_sync seqcount so the
 * 64-bit values can be read consistently (u64_stats_fetch_begin/retry).
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
150
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected list (see macsec_secy.rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number (AN)
 * @stats: per-SC stats
 * @refcnt: reference count
 * @rcu_head: RCU head for deferred freeing
 *
 * @sa entries are RCU pointers; dereference them under rcu_read_lock() or
 * with the appropriate update-side lock held.
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
167
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as a pn_t (same storage, anonymous union)
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn must only ever move forward under @lock: with GCM a repeated PN
 * under the same key means a repeated IV.  When it wraps the SA can no
 * longer be used safely; offload drivers report that through
 * macsec_pn_wrapped().
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
190
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: this SecY is an end station (ES bit, MACSEC_TCI_ES); one of
 *	the conditions under which macsec_send_sci() omits the SCI
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number (AN)
 * @stats: stats for this TXSC
 * @md_dst: MACsec offload metadata dst
 *
 * @encrypt false means integrity-only MACsec: frames are authenticated but
 * their payload is sent in the clear.
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
	struct metadata_dst *md_dst;
};
214
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type)
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window; only consulted when
 *	@replay_protect is set (presumably -- confirm against the receive path)
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 *
 * @protect_frames, @validate_frames and @replay_protect together determine
 * how much protection the SecY actually provides; an offload driver that
 * receives this struct via macsec_context should honour all three rather
 * than only the cipher parameters.
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
246
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: net device doing the offload (shares storage with @phydev)
 * @phydev: PHY device doing the offload (shares storage with @netdev)
 * @offload: offload type; presumably selects which of @netdev/@phydev is
 *	the valid union member -- confirm against the callers
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, for the rxsc/rxsa hooks
 * @sa: SA being added, updated or deleted
 * @sa.assoc_num: association number of the SA
 * @sa.key: raw key bytes handed to the offload driver
 * @sa.rx_sa: the receive SA object (shares storage with @sa.tx_sa)
 * @sa.tx_sa: the transmit SA object (shares storage with @sa.rx_sa)
 * @stats: output slot that the mdo_get_*_stats callbacks fill in; which
 *	union member is valid follows from the callback being invoked
 *
 * @sa.key carries key material in the clear for the duration of the
 * operation.  Whoever owns the context should wipe it (memzero_explicit())
 * once the driver has consumed it, so the key does not linger on the stack
 * or heap after the call.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats  *dev_stats;
	} stats;
};
275
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device brought up
 * @mdo_dev_stop: device brought down
 * @mdo_add_secy: SecY created
 * @mdo_upd_secy: SecY parameters changed
 * @mdo_del_secy: SecY removed
 * @mdo_add_rxsc: receive SC added
 * @mdo_upd_rxsc: receive SC updated
 * @mdo_del_rxsc: receive SC removed
 * @mdo_add_rxsa: receive SA added (key in ctx->sa.key)
 * @mdo_upd_rxsa: receive SA updated
 * @mdo_del_rxsa: receive SA removed
 * @mdo_add_txsa: transmit SA added (key in ctx->sa.key)
 * @mdo_upd_txsa: transmit SA updated
 * @mdo_del_txsa: transmit SA removed
 * @mdo_get_dev_stats: fill ctx->stats.dev_stats
 * @mdo_get_tx_sc_stats: fill ctx->stats.tx_sc_stats
 * @mdo_get_tx_sa_stats: fill ctx->stats.tx_sa_stats
 * @mdo_get_rx_sc_stats: fill ctx->stats.rx_sc_stats
 * @mdo_get_rx_sa_stats: fill ctx->stats.rx_sa_stats
 *
 * Every hook receives the operation's parameters in a struct macsec_context.
 * All return int -- presumably 0 on success and a negative errno otherwise,
 * per kernel convention; this header does not state it.  NOTE(review): which
 * hooks the core treats as mandatory is not visible here either.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
305
/*
 * macsec_pn_wrapped() - tell the core that @tx_sa's packet number wrapped.
 * Meant for offload drivers, which track the PN in hardware.  What the core
 * does in response (presumably retiring the SA so no PN, and hence no GCM
 * IV, is ever reused under the same key) lives in the implementation, not
 * in this header.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
/*
 * macsec_send_sci() - should transmitted SecTAGs carry the explicit SCI?
 * @secy: SecY whose transmit SC is consulted
 *
 * Returns true when the user asked for the SCI unconditionally (send_sci),
 * or when more than one receive SC is configured and neither the end
 * station nor the single-copy-broadcast flag is set on the transmit SC.
 */
static inline bool macsec_send_sci(const struct macsec_secy *secy)
{
	const struct macsec_tx_sc *txsc = &secy->tx_sc;

	/* Explicit request always wins. */
	if (txsc->send_sci)
		return true;

	/* Otherwise only in the multi-SC case with ES and SCB both clear. */
	if (secy->n_rx_sc <= 1)
		return false;
	return !txsc->end_station && !txsc->scb;
}
314
315#endif /* _NET_MACSEC_H_ */