/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * MACsec netdev header, used for h/w accelerated implementations.
 *
 * Shared between the MACsec core (drivers/net/macsec.c) and the
 * drivers/PHYs that offload MACsec: SecTAG constants, the SecY / SC / SA
 * data model and the offload ops table.
 *
 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
 */
#ifndef _NET_MACSEC_H_
#define _NET_MACSEC_H_

#include <linux/u64_stats_sync.h>	/* struct u64_stats_sync in pcpu_*_sc_stats */
#include <linux/if_vlan.h>		/* is_vlan_dev()/vlan_dev_priv() for macsec_netdev_priv() */
#include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h>

/*
 * Packet number (PN) length in bytes: 4 for the default cipher suites,
 * 8 when extended packet numbering (XPN) is enabled on the SecY.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/* SCI is a 64-bit value (see sci_t below). */
#define MACSEC_SCI_LEN 8
/* Port component of an end station's SCI, in network byte order. */
#define MACSEC_PORT_ES (htons(0x0001))

/*
 * Bits of the TCI/AN octet of the SecTAG.  The upper six bits are the
 * TCI flags; the low two bits (MACSEC_AN_MASK) carry the association
 * number and therefore select one of MACSEC_NUM_AN SAs.
 */
#define MACSEC_TCI_VERSION 0x80
#define MACSEC_TCI_ES      0x40 /* end station */
#define MACSEC_TCI_SC      0x20 /* SCI present */
#define MACSEC_TCI_SCB     0x10 /* epon */
#define MACSEC_TCI_E       0x08 /* encryption */
#define MACSEC_TCI_C       0x04 /* changed text */
#define MACSEC_AN_MASK     0x03 /* association number */
/* E and C both set: confidentiality (encryption) in use, not integrity only. */
#define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)

/* ICV length in bytes for the default cipher suites. */
#define MACSEC_DEFAULT_ICV_LEN 16

/*
 * Secure channel identifier and short SCI.  Both are __bitwise so that
 * sparse flags arithmetic on them or mixing them with plain integers;
 * treat them as opaque values and compare them as a whole.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;

/* Only a pointer is stored (struct macsec_tx_sc::md_dst); no full definition needed here. */
struct metadata_dst;
/*
 * XPN salt, MACSEC_SALT_LEN bytes (presumably defined in uapi if_macsec.h).
 * The packed struct view overlays the SSCI and a 64-bit PN on the raw
 * bytes; both views alias the same storage.  Used to build the IV of the
 * XPN cipher suites (see struct macsec_key::salt).
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;

/*
 * 64-bit packet number, accessible as a whole (@full64) or as two 32-bit
 * halves.  The order of the halves follows host endianness so that
 * @lower always overlays the low-order 32 bits of @full64 (the part that
 * is also the PN of the non-XPN suites) and @upper the high-order bits.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;

/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier
 * @tfm: crypto struct, key storage (the raw key bytes are not kept in this
 *	 struct; they live in the AEAD transform)
 * @salt: salt used to generate IV in XPN cipher suites
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};

/*
 * Receive SC counters (64-bit; the names follow the IEEE 802.1AE MIB).
 * Also used as the payload of struct macsec_context::stats for offload
 * drivers to fill in.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};

/* Receive SA counters (32-bit). */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};

/* Transmit SA counters (32-bit). */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};

/* Transmit SC counters (64-bit). */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};

/*
 * SecY-wide counters (64-bit).  The In* counters record frames dropped
 * before any SC/SA was matched (no tag, bad tag, unknown SCI, ...).
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};

/**
 * struct macsec_rx_sa - receive secure association
 * @active: SA is active (enabled for receive)
 * @next_pn: packet number expected for the next packet; this is the value
 *	     the receive-side PN/replay checks are based on when
 *	     macsec_secy::replay_protect is set
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @refcnt: reference count on this SA
 * @stats: per-SA stats
 * @sc: receive SC this SA belongs to
 * @rcu: RCU head used to defer freeing until readers are done
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};

/* Per-CPU receive SC counters; @syncp guards consistent 64-bit reads on 32-bit hosts. */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/* Per-CPU transmit SC counters; @syncp guards consistent 64-bit reads on 32-bit hosts. */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next receive SC in the SecY's macsec_secy::rx_sc list (RCU protected)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head used to defer freeing until readers are done
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};

/**
 * struct macsec_tx_sa - transmit secure association
 * @active: SA is active (enabled for transmit)
 * @next_pn: packet number to use for the next packet
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @refcnt: reference count on this SA
 * @stats: per-SA stats
 * @rcu: RCU head used to defer freeing until readers are done
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};

/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use (index into @sa)
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (sets MACSEC_TCI_ES in the SecTAG)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 * @md_dst: MACsec offload metadata dst
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
	struct metadata_dst *md_dst;
};

/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type, uapi)
 * @xpn: enable XPN for this SecY (64-bit packet numbers, salted IVs)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window; presumably only consulted
 *		   when @replay_protect is set
 * @tx_sc: transmit secure channel (embedded, one per SecY)
 * @rx_sc: linked list of receive secure channels (RCU protected, chained
 *	   through macsec_rx_sc::next)
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};

/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: the offloading netdevice (MAC offload)
 * @phydev: the offloading PHY device (PHY offload); shares storage with
 *	    @netdev, which member is valid presumably follows @offload
 * @offload: offload type (enum macsec_offload, uapi)
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, when relevant
 * @sa: SA being added/updated/deleted: @sa.update_pn asks the driver to
 *	(re)program the PN, @sa.assoc_num is the association number,
 *	@sa.key holds the raw key material (MACSEC_MAX_KEY_LEN bytes) and
 *	@sa.rx_sa / @sa.tx_sa point at the SA object
 * @stats: output buffer for the mdo_get_*_stats ops; the member matching
 *	   the op is the one the driver fills in
 *
 * NOTE(review): @sa.key carries plaintext key bytes into the driver.  It
 * should only be populated for the add/update SA ops and be wiped
 * (memzero_explicit()) by the caller once the op returns; confirm this
 * against the core's users of this struct.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		bool update_pn;
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats *dev_stats;
	} stats;
};

/**
 * struct macsec_ops - MACsec offloading operations
 *
 * Every op receives a &struct macsec_context describing the object it
 * acts on and returns an int (0 on success; presumably a negative errno
 * otherwise).  The add/upd/del ops mirror the SecY -> SC -> SA hierarchy;
 * the get_*_stats ops fill the matching member of macsec_context::stats.
 *
 * @rx_uses_md_dst: set by drivers that attach a MACsec metadata dst to
 *		    received frames — confirm the exact contract with the
 *		    core before relying on it
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
	bool rx_uses_md_dst;
};

/*
 * Defined in the MACsec core.  Offload drivers call it to report that the
 * packet number of @tx_sa on @secy has wrapped, so the core can react
 * (a wrapped PN must not be reused with the same key).
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);

/**
 * macsec_send_sci - does the SecTAG need an explicit SCI?
 * @secy: the SecY transmitting the frame
 *
 * Return: true if the SC was configured to always send the SCI, or if
 * more than one receive SC exists and the transmit SC is neither an end
 * station nor single-copy-broadcast (802.1AE lets the SCI be omitted in
 * the ES/SCB cases, where the peer can derive it).
 */
static inline bool macsec_send_sci(const struct macsec_secy *secy)
{
	const struct macsec_tx_sc *tx_sc = &secy->tx_sc;

	return tx_sc->send_sci ||
		(secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
}

/* Both defined in the MACsec core. */
struct net_device *macsec_get_real_dev(const struct net_device *dev);
bool macsec_netdev_is_offloaded(struct net_device *dev);

/**
 * macsec_netdev_priv - netdev_priv() that sees through a VLAN upper device
 * @dev: a MACsec device, or (with CONFIG_VLAN_8021Q) a VLAN on top of one
 *
 * If @dev is a VLAN device, returns the private data of its real device,
 * otherwise the private data of @dev itself.  No check is made that the
 * resulting device actually is a MACsec device; callers presumably verify
 * that first (e.g. with macsec_netdev_is_offloaded()).
 */
static inline void *macsec_netdev_priv(const struct net_device *dev)
{
#if IS_ENABLED(CONFIG_VLAN_8021Q)
	if (is_vlan_dev(dev))
		return netdev_priv(vlan_dev_priv(dev)->real_dev);
#endif
	return netdev_priv(dev);
}

#endif /* _NET_MACSEC_H_ */