1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * drivers/net/macsec.c - MACsec device 4 * 5 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net> 6 */ 7 8 #include <linux/types.h> 9 #include <linux/skbuff.h> 10 #include <linux/socket.h> 11 #include <linux/module.h> 12 #include <crypto/aead.h> 13 #include <linux/etherdevice.h> 14 #include <linux/netdevice.h> 15 #include <linux/rtnetlink.h> 16 #include <linux/refcount.h> 17 #include <net/genetlink.h> 18 #include <net/sock.h> 19 #include <net/gro_cells.h> 20 #include <net/macsec.h> 21 #include <net/dst_metadata.h> 22 #include <linux/phy.h> 23 #include <linux/byteorder/generic.h> 24 #include <linux/if_arp.h> 25 26 #include <uapi/linux/if_macsec.h> 27 28 /* SecTAG length = macsec_eth_header without the optional SCI */ 29 #define MACSEC_TAG_LEN 6 30 31 struct macsec_eth_header { 32 struct ethhdr eth; 33 /* SecTAG */ 34 u8 tci_an; 35 #if defined(__LITTLE_ENDIAN_BITFIELD) 36 u8 short_length:6, 37 unused:2; 38 #elif defined(__BIG_ENDIAN_BITFIELD) 39 u8 unused:2, 40 short_length:6; 41 #else 42 #error "Please fix <asm/byteorder.h>" 43 #endif 44 __be32 packet_number; 45 u8 secure_channel_id[8]; /* optional */ 46 } __packed; 47 48 /* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */ 49 #define MIN_NON_SHORT_LEN 48 50 51 #define GCM_AES_IV_LEN 12 52 53 #define for_each_rxsc(secy, sc) \ 54 for (sc = rcu_dereference_bh(secy->rx_sc); \ 55 sc; \ 56 sc = rcu_dereference_bh(sc->next)) 57 #define for_each_rxsc_rtnl(secy, sc) \ 58 for (sc = rtnl_dereference(secy->rx_sc); \ 59 sc; \ 60 sc = rtnl_dereference(sc->next)) 61 62 #define pn_same_half(pn1, pn2) (!(((pn1) >> 31) ^ ((pn2) >> 31))) 63 64 struct gcm_iv_xpn { 65 union { 66 u8 short_secure_channel_id[4]; 67 ssci_t ssci; 68 }; 69 __be64 pn; 70 } __packed; 71 72 struct gcm_iv { 73 union { 74 u8 secure_channel_id[8]; 75 sci_t sci; 76 }; 77 __be32 pn; 78 }; 79 80 #define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT 81 82 struct pcpu_secy_stats { 83 struct macsec_dev_stats stats; 84 struct u64_stats_sync syncp; 85 }; 86 87 /** 88 * struct macsec_dev - private data 89 * @secy: SecY config 90 * @real_dev: pointer to underlying netdevice 91 * @dev_tracker: refcount tracker for @real_dev reference 92 * @stats: MACsec device stats 93 * @secys: linked list of SecY's on the underlying device 94 * @gro_cells: pointer to the Generic Receive Offload cell 95 * @offload: status of offloading on the MACsec device 96 */ 97 struct macsec_dev { 98 struct macsec_secy secy; 99 struct net_device *real_dev; 100 netdevice_tracker dev_tracker; 101 struct pcpu_secy_stats __percpu *stats; 102 struct list_head secys; 103 struct gro_cells gro_cells; 104 enum macsec_offload offload; 105 }; 106 107 /** 108 * struct macsec_rxh_data - rx_handler private argument 109 * @secys: linked list of SecY's on this underlying device 110 */ 111 struct macsec_rxh_data { 112 struct list_head secys; 113 }; 114 115 static struct macsec_dev *macsec_priv(const struct net_device *dev) 116 { 117 return (struct macsec_dev *)netdev_priv(dev); 118 } 119 120 static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev) 121 { 122 return rcu_dereference_bh(dev->rx_handler_data); 123 } 124 125 static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev) 126 { 127 return rtnl_dereference(dev->rx_handler_data); 128 } 129 130 struct macsec_cb { 131 struct aead_request *req; 132 union { 133 struct macsec_tx_sa *tx_sa; 134 struct macsec_rx_sa *rx_sa; 135 }; 136 u8 assoc_num; 137 bool valid; 138 bool has_sci; 139 }; 140 141 static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr) 142 { 143 struct macsec_rx_sa *sa = rcu_dereference_bh(ptr); 144 145 if (!sa || !sa->active) 146 return NULL; 147 148 if (!refcount_inc_not_zero(&sa->refcnt)) 149 return NULL; 150 151 return sa; 152 } 153 154 static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc) 155 { 156 struct macsec_rx_sa *sa = NULL; 157 int an; 158 159 for (an = 0; an < MACSEC_NUM_AN; an++) { 160 sa = macsec_rxsa_get(rx_sc->sa[an]); 161 if (sa) 162 break; 163 } 164 return sa; 165 } 166 167 static void free_rx_sc_rcu(struct rcu_head *head) 168 { 169 struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head); 170 171 free_percpu(rx_sc->stats); 172 kfree(rx_sc); 173 } 174 175 static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc) 176 { 177 return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL; 178 } 179 180 static void macsec_rxsc_put(struct macsec_rx_sc *sc) 181 { 182 if (refcount_dec_and_test(&sc->refcnt)) 183 call_rcu(&sc->rcu_head, free_rx_sc_rcu); 184 } 185 186 static void free_rxsa(struct rcu_head *head) 187 { 188 struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu); 189 190 crypto_free_aead(sa->key.tfm); 191 free_percpu(sa->stats); 192 kfree(sa); 193 } 194 195 static void macsec_rxsa_put(struct macsec_rx_sa *sa) 196 { 197 if (refcount_dec_and_test(&sa->refcnt)) 198 call_rcu(&sa->rcu, free_rxsa); 199 } 200 201 static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr) 202 { 203 struct macsec_tx_sa *sa = rcu_dereference_bh(ptr); 204 205 if (!sa || !sa->active) 206 return NULL; 207 208 if (!refcount_inc_not_zero(&sa->refcnt)) 209 return NULL; 210 211 return sa; 212 } 213 214 static void free_txsa(struct rcu_head *head) 215 { 216 struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu); 217 218 crypto_free_aead(sa->key.tfm); 219 free_percpu(sa->stats); 220 kfree(sa); 221 } 222 223 static void macsec_txsa_put(struct macsec_tx_sa *sa) 224 { 225 if (refcount_dec_and_test(&sa->refcnt)) 226 call_rcu(&sa->rcu, free_txsa); 227 } 228 229 static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb) 230 { 231 BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb)); 232 return (struct macsec_cb *)skb->cb; 233 } 234 235 #define MACSEC_PORT_SCB (0x0000) 236 #define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL) 237 #define MACSEC_UNDEF_SSCI ((__force ssci_t)0xffffffff) 238 239 #define MACSEC_GCM_AES_128_SAK_LEN 16 240 #define MACSEC_GCM_AES_256_SAK_LEN 32 241 242 #define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN 243 #define DEFAULT_XPN false 244 #define DEFAULT_SEND_SCI true 245 #define DEFAULT_ENCRYPT false 246 #define DEFAULT_ENCODING_SA 0 247 #define MACSEC_XPN_MAX_REPLAY_WINDOW (((1 << 30) - 1)) 248 249 static sci_t make_sci(const u8 *addr, __be16 port) 250 { 251 sci_t sci; 252 253 memcpy(&sci, addr, ETH_ALEN); 254 memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port)); 255 256 return sci; 257 } 258 259 static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present) 260 { 261 sci_t sci; 262 263 if (sci_present) 264 memcpy(&sci, hdr->secure_channel_id, 265 sizeof(hdr->secure_channel_id)); 266 else 267 sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES); 268 269 return sci; 270 } 271 272 static unsigned int macsec_sectag_len(bool sci_present) 273 { 274 return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0); 275 } 276 277 static unsigned int macsec_hdr_len(bool sci_present) 278 { 279 return macsec_sectag_len(sci_present) + ETH_HLEN; 280 } 281 282 static unsigned int macsec_extra_len(bool sci_present) 283 { 284 return macsec_sectag_len(sci_present) + sizeof(__be16); 285 } 286 287 /* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */ 288 static void macsec_fill_sectag(struct macsec_eth_header *h, 289 const struct macsec_secy *secy, u32 pn, 290 bool sci_present) 291 { 292 const struct macsec_tx_sc *tx_sc = &secy->tx_sc; 293 294 memset(&h->tci_an, 0, macsec_sectag_len(sci_present)); 295 h->eth.h_proto = htons(ETH_P_MACSEC); 296 297 if (sci_present) { 298 h->tci_an |= MACSEC_TCI_SC; 299 memcpy(&h->secure_channel_id, &secy->sci, 300 sizeof(h->secure_channel_id)); 301 } else { 302 if (tx_sc->end_station) 303 h->tci_an |= MACSEC_TCI_ES; 304 if (tx_sc->scb) 305 h->tci_an |= MACSEC_TCI_SCB; 306 } 307 308 h->packet_number = htonl(pn); 309 310 /* with GCM, C/E clear for !encrypt, both set for encrypt */ 311 if (tx_sc->encrypt) 312 h->tci_an |= MACSEC_TCI_CONFID; 313 else if (secy->icv_len != MACSEC_DEFAULT_ICV_LEN) 314 h->tci_an |= MACSEC_TCI_C; 315 316 h->tci_an |= tx_sc->encoding_sa; 317 } 318 319 static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len) 320 { 321 if (data_len < MIN_NON_SHORT_LEN) 322 h->short_length = data_len; 323 } 324 325 /* Checks if a MACsec interface is being offloaded to an hardware engine */ 326 static bool macsec_is_offloaded(struct macsec_dev *macsec) 327 { 328 if (macsec->offload == MACSEC_OFFLOAD_MAC || 329 macsec->offload == MACSEC_OFFLOAD_PHY) 330 return true; 331 332 return false; 333 } 334 335 /* Checks if underlying layers implement MACsec offloading functions. */ 336 static bool macsec_check_offload(enum macsec_offload offload, 337 struct macsec_dev *macsec) 338 { 339 if (!macsec || !macsec->real_dev) 340 return false; 341 342 if (offload == MACSEC_OFFLOAD_PHY) 343 return macsec->real_dev->phydev && 344 macsec->real_dev->phydev->macsec_ops; 345 else if (offload == MACSEC_OFFLOAD_MAC) 346 return macsec->real_dev->features & NETIF_F_HW_MACSEC && 347 macsec->real_dev->macsec_ops; 348 349 return false; 350 } 351 352 static const struct macsec_ops *__macsec_get_ops(enum macsec_offload offload, 353 struct macsec_dev *macsec, 354 struct macsec_context *ctx) 355 { 356 if (ctx) { 357 memset(ctx, 0, sizeof(*ctx)); 358 ctx->offload = offload; 359 360 if (offload == MACSEC_OFFLOAD_PHY) 361 ctx->phydev = macsec->real_dev->phydev; 362 else if (offload == MACSEC_OFFLOAD_MAC) 363 ctx->netdev = macsec->real_dev; 364 } 365 366 if (offload == MACSEC_OFFLOAD_PHY) 367 return macsec->real_dev->phydev->macsec_ops; 368 else 369 return macsec->real_dev->macsec_ops; 370 } 371 372 /* Returns a pointer to the MACsec ops struct if any and updates the MACsec 373 * context device reference if provided. 374 */ 375 static const struct macsec_ops *macsec_get_ops(struct macsec_dev *macsec, 376 struct macsec_context *ctx) 377 { 378 if (!macsec_check_offload(macsec->offload, macsec)) 379 return NULL; 380 381 return __macsec_get_ops(macsec->offload, macsec, ctx); 382 } 383 384 /* validate MACsec packet according to IEEE 802.1AE-2018 9.12 */ 385 static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len, bool xpn) 386 { 387 struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data; 388 int len = skb->len - 2 * ETH_ALEN; 389 int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len; 390 391 /* a) It comprises at least 17 octets */ 392 if (skb->len <= 16) 393 return false; 394 395 /* b) MACsec EtherType: already checked */ 396 397 /* c) V bit is clear */ 398 if (h->tci_an & MACSEC_TCI_VERSION) 399 return false; 400 401 /* d) ES or SCB => !SC */ 402 if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) && 403 (h->tci_an & MACSEC_TCI_SC)) 404 return false; 405 406 /* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */ 407 if (h->unused) 408 return false; 409 410 /* rx.pn != 0 if not XPN (figure 10-5 with 802.11AEbw-2013 amendment) */ 411 if (!h->packet_number && !xpn) 412 return false; 413 414 /* length check, f) g) h) i) */ 415 if (h->short_length) 416 return len == extra_len + h->short_length; 417 return len >= extra_len + MIN_NON_SHORT_LEN; 418 } 419 420 #define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true)) 421 #define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN 422 423 static void macsec_fill_iv_xpn(unsigned char *iv, ssci_t ssci, u64 pn, 424 salt_t salt) 425 { 426 struct gcm_iv_xpn *gcm_iv = (struct gcm_iv_xpn *)iv; 427 428 gcm_iv->ssci = ssci ^ salt.ssci; 429 gcm_iv->pn = cpu_to_be64(pn) ^ salt.pn; 430 } 431 432 static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn) 433 { 434 struct gcm_iv *gcm_iv = (struct gcm_iv *)iv; 435 436 gcm_iv->sci = sci; 437 gcm_iv->pn = htonl(pn); 438 } 439 440 static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb) 441 { 442 return (struct macsec_eth_header *)skb_mac_header(skb); 443 } 444 445 static void __macsec_pn_wrapped(struct macsec_secy *secy, 446 struct macsec_tx_sa *tx_sa) 447 { 448 pr_debug("PN wrapped, transitioning to !oper\n"); 449 tx_sa->active = false; 450 if (secy->protect_frames) 451 secy->operational = false; 452 } 453 454 void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa) 455 { 456 spin_lock_bh(&tx_sa->lock); 457 __macsec_pn_wrapped(secy, tx_sa); 458 spin_unlock_bh(&tx_sa->lock); 459 } 460 EXPORT_SYMBOL_GPL(macsec_pn_wrapped); 461 462 static pn_t tx_sa_update_pn(struct macsec_tx_sa *tx_sa, 463 struct macsec_secy *secy) 464 { 465 pn_t pn; 466 467 spin_lock_bh(&tx_sa->lock); 468 469 pn = tx_sa->next_pn_halves; 470 if (secy->xpn) 471 tx_sa->next_pn++; 472 else 473 tx_sa->next_pn_halves.lower++; 474 475 if (tx_sa->next_pn == 0) 476 __macsec_pn_wrapped(secy, tx_sa); 477 spin_unlock_bh(&tx_sa->lock); 478 479 return pn; 480 } 481 482 static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev) 483 { 484 struct macsec_dev *macsec = netdev_priv(dev); 485 486 skb->dev = macsec->real_dev; 487 skb_reset_mac_header(skb); 488 skb->protocol = eth_hdr(skb)->h_proto; 489 } 490 491 static unsigned int macsec_msdu_len(struct sk_buff *skb) 492 { 493 struct macsec_dev *macsec = macsec_priv(skb->dev); 494 struct macsec_secy *secy = &macsec->secy; 495 bool sci_present = macsec_skb_cb(skb)->has_sci; 496 497 return skb->len - macsec_hdr_len(sci_present) - secy->icv_len; 498 } 499 500 static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc, 501 struct macsec_tx_sa *tx_sa) 502 { 503 unsigned int msdu_len = macsec_msdu_len(skb); 504 struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats); 505 506 u64_stats_update_begin(&txsc_stats->syncp); 507 if (tx_sc->encrypt) { 508 txsc_stats->stats.OutOctetsEncrypted += msdu_len; 509 txsc_stats->stats.OutPktsEncrypted++; 510 this_cpu_inc(tx_sa->stats->OutPktsEncrypted); 511 } else { 512 txsc_stats->stats.OutOctetsProtected += msdu_len; 513 txsc_stats->stats.OutPktsProtected++; 514 this_cpu_inc(tx_sa->stats->OutPktsProtected); 515 } 516 u64_stats_update_end(&txsc_stats->syncp); 517 } 518 519 static void count_tx(struct net_device *dev, int ret, int len) 520 { 521 if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) 522 dev_sw_netstats_tx_add(dev, 1, len); 523 } 524 525 static void macsec_encrypt_done(void *data, int err) 526 { 527 struct sk_buff *skb = data; 528 struct net_device *dev = skb->dev; 529 struct macsec_dev *macsec = macsec_priv(dev); 530 struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa; 531 int len, ret; 532 533 aead_request_free(macsec_skb_cb(skb)->req); 534 535 rcu_read_lock_bh(); 536 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); 537 /* packet is encrypted/protected so tx_bytes must be calculated */ 538 len = macsec_msdu_len(skb) + 2 * ETH_ALEN; 539 macsec_encrypt_finish(skb, dev); 540 ret = dev_queue_xmit(skb); 541 count_tx(dev, ret, len); 542 rcu_read_unlock_bh(); 543 544 macsec_txsa_put(sa); 545 dev_put(dev); 546 } 547 548 static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm, 549 unsigned char **iv, 550 struct scatterlist **sg, 551 int num_frags) 552 { 553 size_t size, iv_offset, sg_offset; 554 struct aead_request *req; 555 void *tmp; 556 557 size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm); 558 iv_offset = size; 559 size += GCM_AES_IV_LEN; 560 561 size = ALIGN(size, __alignof__(struct scatterlist)); 562 sg_offset = size; 563 size += sizeof(struct scatterlist) * num_frags; 564 565 tmp = kmalloc(size, GFP_ATOMIC); 566 if (!tmp) 567 return NULL; 568 569 *iv = (unsigned char *)(tmp + iv_offset); 570 *sg = (struct scatterlist *)(tmp + sg_offset); 571 req = tmp; 572 573 aead_request_set_tfm(req, tfm); 574 575 return req; 576 } 577 578 static struct sk_buff *macsec_encrypt(struct sk_buff *skb, 579 struct net_device *dev) 580 { 581 int ret; 582 struct scatterlist *sg; 583 struct sk_buff *trailer; 584 unsigned char *iv; 585 struct ethhdr *eth; 586 struct macsec_eth_header *hh; 587 size_t unprotected_len; 588 struct aead_request *req; 589 struct macsec_secy *secy; 590 struct macsec_tx_sc *tx_sc; 591 struct macsec_tx_sa *tx_sa; 592 struct macsec_dev *macsec = macsec_priv(dev); 593 bool sci_present; 594 pn_t pn; 595 596 secy = &macsec->secy; 597 tx_sc = &secy->tx_sc; 598 599 /* 10.5.1 TX SA assignment */ 600 tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]); 601 if (!tx_sa) { 602 secy->operational = false; 603 kfree_skb(skb); 604 return ERR_PTR(-EINVAL); 605 } 606 607 if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM || 608 skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) { 609 struct sk_buff *nskb = skb_copy_expand(skb, 610 MACSEC_NEEDED_HEADROOM, 611 MACSEC_NEEDED_TAILROOM, 612 GFP_ATOMIC); 613 if (likely(nskb)) { 614 consume_skb(skb); 615 skb = nskb; 616 } else { 617 macsec_txsa_put(tx_sa); 618 kfree_skb(skb); 619 return ERR_PTR(-ENOMEM); 620 } 621 } else { 622 skb = skb_unshare(skb, GFP_ATOMIC); 623 if (!skb) { 624 macsec_txsa_put(tx_sa); 625 return ERR_PTR(-ENOMEM); 626 } 627 } 628 629 unprotected_len = skb->len; 630 eth = eth_hdr(skb); 631 sci_present = macsec_send_sci(secy); 632 hh = skb_push(skb, macsec_extra_len(sci_present)); 633 memmove(hh, eth, 2 * ETH_ALEN); 634 635 pn = tx_sa_update_pn(tx_sa, secy); 636 if (pn.full64 == 0) { 637 macsec_txsa_put(tx_sa); 638 kfree_skb(skb); 639 return ERR_PTR(-ENOLINK); 640 } 641 macsec_fill_sectag(hh, secy, pn.lower, sci_present); 642 macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN); 643 644 skb_put(skb, secy->icv_len); 645 646 if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) { 647 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats); 648 649 u64_stats_update_begin(&secy_stats->syncp); 650 secy_stats->stats.OutPktsTooLong++; 651 u64_stats_update_end(&secy_stats->syncp); 652 653 macsec_txsa_put(tx_sa); 654 kfree_skb(skb); 655 return ERR_PTR(-EINVAL); 656 } 657 658 ret = skb_cow_data(skb, 0, &trailer); 659 if (unlikely(ret < 0)) { 660 macsec_txsa_put(tx_sa); 661 kfree_skb(skb); 662 return ERR_PTR(ret); 663 } 664 665 req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret); 666 if (!req) { 667 macsec_txsa_put(tx_sa); 668 kfree_skb(skb); 669 return ERR_PTR(-ENOMEM); 670 } 671 672 if (secy->xpn) 673 macsec_fill_iv_xpn(iv, tx_sa->ssci, pn.full64, tx_sa->key.salt); 674 else 675 macsec_fill_iv(iv, secy->sci, pn.lower); 676 677 sg_init_table(sg, ret); 678 ret = skb_to_sgvec(skb, sg, 0, skb->len); 679 if (unlikely(ret < 0)) { 680 aead_request_free(req); 681 macsec_txsa_put(tx_sa); 682 kfree_skb(skb); 683 return ERR_PTR(ret); 684 } 685 686 if (tx_sc->encrypt) { 687 int len = skb->len - macsec_hdr_len(sci_present) - 688 secy->icv_len; 689 aead_request_set_crypt(req, sg, sg, len, iv); 690 aead_request_set_ad(req, macsec_hdr_len(sci_present)); 691 } else { 692 aead_request_set_crypt(req, sg, sg, 0, iv); 693 aead_request_set_ad(req, skb->len - secy->icv_len); 694 } 695 696 macsec_skb_cb(skb)->req = req; 697 macsec_skb_cb(skb)->tx_sa = tx_sa; 698 macsec_skb_cb(skb)->has_sci = sci_present; 699 aead_request_set_callback(req, 0, macsec_encrypt_done, skb); 700 701 dev_hold(skb->dev); 702 ret = crypto_aead_encrypt(req); 703 if (ret == -EINPROGRESS) { 704 return ERR_PTR(ret); 705 } else if (ret != 0) { 706 dev_put(skb->dev); 707 kfree_skb(skb); 708 aead_request_free(req); 709 macsec_txsa_put(tx_sa); 710 return ERR_PTR(-EINVAL); 711 } 712 713 dev_put(skb->dev); 714 aead_request_free(req); 715 macsec_txsa_put(tx_sa); 716 717 return skb; 718 } 719 720 static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn) 721 { 722 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; 723 struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats); 724 struct macsec_eth_header *hdr = macsec_ethhdr(skb); 725 u32 lowest_pn = 0; 726 727 spin_lock(&rx_sa->lock); 728 if (rx_sa->next_pn_halves.lower >= secy->replay_window) 729 lowest_pn = rx_sa->next_pn_halves.lower - secy->replay_window; 730 731 /* Now perform replay protection check again 732 * (see IEEE 802.1AE-2006 figure 10-5) 733 */ 734 if (secy->replay_protect && pn < lowest_pn && 735 (!secy->xpn || pn_same_half(pn, lowest_pn))) { 736 spin_unlock(&rx_sa->lock); 737 u64_stats_update_begin(&rxsc_stats->syncp); 738 rxsc_stats->stats.InPktsLate++; 739 u64_stats_update_end(&rxsc_stats->syncp); 740 DEV_STATS_INC(secy->netdev, rx_dropped); 741 return false; 742 } 743 744 if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) { 745 unsigned int msdu_len = macsec_msdu_len(skb); 746 u64_stats_update_begin(&rxsc_stats->syncp); 747 if (hdr->tci_an & MACSEC_TCI_E) 748 rxsc_stats->stats.InOctetsDecrypted += msdu_len; 749 else 750 rxsc_stats->stats.InOctetsValidated += msdu_len; 751 u64_stats_update_end(&rxsc_stats->syncp); 752 } 753 754 if (!macsec_skb_cb(skb)->valid) { 755 spin_unlock(&rx_sa->lock); 756 757 /* 10.6.5 */ 758 if (hdr->tci_an & MACSEC_TCI_C || 759 secy->validate_frames == MACSEC_VALIDATE_STRICT) { 760 u64_stats_update_begin(&rxsc_stats->syncp); 761 rxsc_stats->stats.InPktsNotValid++; 762 u64_stats_update_end(&rxsc_stats->syncp); 763 this_cpu_inc(rx_sa->stats->InPktsNotValid); 764 DEV_STATS_INC(secy->netdev, rx_errors); 765 return false; 766 } 767 768 u64_stats_update_begin(&rxsc_stats->syncp); 769 if (secy->validate_frames == MACSEC_VALIDATE_CHECK) { 770 rxsc_stats->stats.InPktsInvalid++; 771 this_cpu_inc(rx_sa->stats->InPktsInvalid); 772 } else if (pn < lowest_pn) { 773 rxsc_stats->stats.InPktsDelayed++; 774 } else { 775 rxsc_stats->stats.InPktsUnchecked++; 776 } 777 u64_stats_update_end(&rxsc_stats->syncp); 778 } else { 779 u64_stats_update_begin(&rxsc_stats->syncp); 780 if (pn < lowest_pn) { 781 rxsc_stats->stats.InPktsDelayed++; 782 } else { 783 rxsc_stats->stats.InPktsOK++; 784 this_cpu_inc(rx_sa->stats->InPktsOK); 785 } 786 u64_stats_update_end(&rxsc_stats->syncp); 787 788 // Instead of "pn >=" - to support pn overflow in xpn 789 if (pn + 1 > rx_sa->next_pn_halves.lower) { 790 rx_sa->next_pn_halves.lower = pn + 1; 791 } else if (secy->xpn && 792 !pn_same_half(pn, rx_sa->next_pn_halves.lower)) { 793 rx_sa->next_pn_halves.upper++; 794 rx_sa->next_pn_halves.lower = pn + 1; 795 } 796 797 spin_unlock(&rx_sa->lock); 798 } 799 800 return true; 801 } 802 803 static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev) 804 { 805 skb->pkt_type = PACKET_HOST; 806 skb->protocol = eth_type_trans(skb, dev); 807 808 skb_reset_network_header(skb); 809 if (!skb_transport_header_was_set(skb)) 810 skb_reset_transport_header(skb); 811 skb_reset_mac_len(skb); 812 } 813 814 static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len) 815 { 816 skb->ip_summed = CHECKSUM_NONE; 817 memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN); 818 skb_pull(skb, hdr_len); 819 pskb_trim_unique(skb, skb->len - icv_len); 820 } 821 822 static void count_rx(struct net_device *dev, int len) 823 { 824 dev_sw_netstats_rx_add(dev, len); 825 } 826 827 static void macsec_decrypt_done(void *data, int err) 828 { 829 struct sk_buff *skb = data; 830 struct net_device *dev = skb->dev; 831 struct macsec_dev *macsec = macsec_priv(dev); 832 struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa; 833 struct macsec_rx_sc *rx_sc = rx_sa->sc; 834 int len; 835 u32 pn; 836 837 aead_request_free(macsec_skb_cb(skb)->req); 838 839 if (!err) 840 macsec_skb_cb(skb)->valid = true; 841 842 rcu_read_lock_bh(); 843 pn = ntohl(macsec_ethhdr(skb)->packet_number); 844 if (!macsec_post_decrypt(skb, &macsec->secy, pn)) { 845 rcu_read_unlock_bh(); 846 kfree_skb(skb); 847 goto out; 848 } 849 850 macsec_finalize_skb(skb, macsec->secy.icv_len, 851 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 852 len = skb->len; 853 macsec_reset_skb(skb, macsec->secy.netdev); 854 855 if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS) 856 count_rx(dev, len); 857 858 rcu_read_unlock_bh(); 859 860 out: 861 macsec_rxsa_put(rx_sa); 862 macsec_rxsc_put(rx_sc); 863 dev_put(dev); 864 } 865 866 static struct sk_buff *macsec_decrypt(struct sk_buff *skb, 867 struct net_device *dev, 868 struct macsec_rx_sa *rx_sa, 869 sci_t sci, 870 struct macsec_secy *secy) 871 { 872 int ret; 873 struct scatterlist *sg; 874 struct sk_buff *trailer; 875 unsigned char *iv; 876 struct aead_request *req; 877 struct macsec_eth_header *hdr; 878 u32 hdr_pn; 879 u16 icv_len = secy->icv_len; 880 881 macsec_skb_cb(skb)->valid = false; 882 skb = skb_share_check(skb, GFP_ATOMIC); 883 if (!skb) 884 return ERR_PTR(-ENOMEM); 885 886 ret = skb_cow_data(skb, 0, &trailer); 887 if (unlikely(ret < 0)) { 888 kfree_skb(skb); 889 return ERR_PTR(ret); 890 } 891 req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret); 892 if (!req) { 893 kfree_skb(skb); 894 return ERR_PTR(-ENOMEM); 895 } 896 897 hdr = (struct macsec_eth_header *)skb->data; 898 hdr_pn = ntohl(hdr->packet_number); 899 900 if (secy->xpn) { 901 pn_t recovered_pn = rx_sa->next_pn_halves; 902 903 recovered_pn.lower = hdr_pn; 904 if (hdr_pn < rx_sa->next_pn_halves.lower && 905 !pn_same_half(hdr_pn, rx_sa->next_pn_halves.lower)) 906 recovered_pn.upper++; 907 908 macsec_fill_iv_xpn(iv, rx_sa->ssci, recovered_pn.full64, 909 rx_sa->key.salt); 910 } else { 911 macsec_fill_iv(iv, sci, hdr_pn); 912 } 913 914 sg_init_table(sg, ret); 915 ret = skb_to_sgvec(skb, sg, 0, skb->len); 916 if (unlikely(ret < 0)) { 917 aead_request_free(req); 918 kfree_skb(skb); 919 return ERR_PTR(ret); 920 } 921 922 if (hdr->tci_an & MACSEC_TCI_E) { 923 /* confidentiality: ethernet + macsec header 924 * authenticated, encrypted payload 925 */ 926 int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci); 927 928 aead_request_set_crypt(req, sg, sg, len, iv); 929 aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci)); 930 skb = skb_unshare(skb, GFP_ATOMIC); 931 if (!skb) { 932 aead_request_free(req); 933 return ERR_PTR(-ENOMEM); 934 } 935 } else { 936 /* integrity only: all headers + data authenticated */ 937 aead_request_set_crypt(req, sg, sg, icv_len, iv); 938 aead_request_set_ad(req, skb->len - icv_len); 939 } 940 941 macsec_skb_cb(skb)->req = req; 942 skb->dev = dev; 943 aead_request_set_callback(req, 0, macsec_decrypt_done, skb); 944 945 dev_hold(dev); 946 ret = crypto_aead_decrypt(req); 947 if (ret == -EINPROGRESS) { 948 return ERR_PTR(ret); 949 } else if (ret != 0) { 950 /* decryption/authentication failed 951 * 10.6 if validateFrames is disabled, deliver anyway 952 */ 953 if (ret != -EBADMSG) { 954 kfree_skb(skb); 955 skb = ERR_PTR(ret); 956 } 957 } else { 958 macsec_skb_cb(skb)->valid = true; 959 } 960 dev_put(dev); 961 962 aead_request_free(req); 963 964 return skb; 965 } 966 967 static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci) 968 { 969 struct macsec_rx_sc *rx_sc; 970 971 for_each_rxsc(secy, rx_sc) { 972 if (rx_sc->sci == sci) 973 return rx_sc; 974 } 975 976 return NULL; 977 } 978 979 static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci) 980 { 981 struct macsec_rx_sc *rx_sc; 982 983 for_each_rxsc_rtnl(secy, rx_sc) { 984 if (rx_sc->sci == sci) 985 return rx_sc; 986 } 987 988 return NULL; 989 } 990 991 static enum rx_handler_result handle_not_macsec(struct sk_buff *skb) 992 { 993 /* Deliver to the uncontrolled port by default */ 994 enum rx_handler_result ret = RX_HANDLER_PASS; 995 struct ethhdr *hdr = eth_hdr(skb); 996 struct metadata_dst *md_dst; 997 struct macsec_rxh_data *rxd; 998 struct macsec_dev *macsec; 999 1000 rcu_read_lock(); 1001 rxd = macsec_data_rcu(skb->dev); 1002 md_dst = skb_metadata_dst(skb); 1003 1004 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1005 struct sk_buff *nskb; 1006 struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats); 1007 struct net_device *ndev = macsec->secy.netdev; 1008 1009 /* If h/w offloading is enabled, HW decodes frames and strips 1010 * the SecTAG, so we have to deduce which port to deliver to. 1011 */ 1012 if (macsec_is_offloaded(macsec) && netif_running(ndev)) { 1013 struct macsec_rx_sc *rx_sc = NULL; 1014 1015 if (md_dst && md_dst->type == METADATA_MACSEC) 1016 rx_sc = find_rx_sc(&macsec->secy, md_dst->u.macsec_info.sci); 1017 1018 if (md_dst && md_dst->type == METADATA_MACSEC && !rx_sc) 1019 continue; 1020 1021 if (ether_addr_equal_64bits(hdr->h_dest, 1022 ndev->dev_addr)) { 1023 /* exact match, divert skb to this port */ 1024 skb->dev = ndev; 1025 skb->pkt_type = PACKET_HOST; 1026 ret = RX_HANDLER_ANOTHER; 1027 goto out; 1028 } else if (is_multicast_ether_addr_64bits( 1029 hdr->h_dest)) { 1030 /* multicast frame, deliver on this port too */ 1031 nskb = skb_clone(skb, GFP_ATOMIC); 1032 if (!nskb) 1033 break; 1034 1035 nskb->dev = ndev; 1036 if (ether_addr_equal_64bits(hdr->h_dest, 1037 ndev->broadcast)) 1038 nskb->pkt_type = PACKET_BROADCAST; 1039 else 1040 nskb->pkt_type = PACKET_MULTICAST; 1041 1042 __netif_rx(nskb); 1043 } else if (rx_sc || ndev->flags & IFF_PROMISC) { 1044 skb->dev = ndev; 1045 skb->pkt_type = PACKET_HOST; 1046 ret = RX_HANDLER_ANOTHER; 1047 goto out; 1048 } 1049 1050 continue; 1051 } 1052 1053 /* 10.6 If the management control validateFrames is not 1054 * Strict, frames without a SecTAG are received, counted, and 1055 * delivered to the Controlled Port 1056 */ 1057 if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) { 1058 u64_stats_update_begin(&secy_stats->syncp); 1059 secy_stats->stats.InPktsNoTag++; 1060 u64_stats_update_end(&secy_stats->syncp); 1061 DEV_STATS_INC(macsec->secy.netdev, rx_dropped); 1062 continue; 1063 } 1064 1065 /* deliver on this port */ 1066 nskb = skb_clone(skb, GFP_ATOMIC); 1067 if (!nskb) 1068 break; 1069 1070 nskb->dev = ndev; 1071 1072 if (__netif_rx(nskb) == NET_RX_SUCCESS) { 1073 u64_stats_update_begin(&secy_stats->syncp); 1074 secy_stats->stats.InPktsUntagged++; 1075 u64_stats_update_end(&secy_stats->syncp); 1076 } 1077 } 1078 1079 out: 1080 rcu_read_unlock(); 1081 return ret; 1082 } 1083 1084 static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb) 1085 { 1086 struct sk_buff *skb = *pskb; 1087 struct net_device *dev = skb->dev; 1088 struct macsec_eth_header *hdr; 1089 struct macsec_secy *secy = NULL; 1090 struct macsec_rx_sc *rx_sc; 1091 struct macsec_rx_sa *rx_sa; 1092 struct macsec_rxh_data *rxd; 1093 struct macsec_dev *macsec; 1094 unsigned int len; 1095 sci_t sci; 1096 u32 hdr_pn; 1097 bool cbit; 1098 struct pcpu_rx_sc_stats *rxsc_stats; 1099 struct pcpu_secy_stats *secy_stats; 1100 bool pulled_sci; 1101 int ret; 1102 1103 if (skb_headroom(skb) < ETH_HLEN) 1104 goto drop_direct; 1105 1106 hdr = macsec_ethhdr(skb); 1107 if (hdr->eth.h_proto != htons(ETH_P_MACSEC)) 1108 return handle_not_macsec(skb); 1109 1110 skb = skb_unshare(skb, GFP_ATOMIC); 1111 *pskb = skb; 1112 if (!skb) 1113 return RX_HANDLER_CONSUMED; 1114 1115 pulled_sci = pskb_may_pull(skb, macsec_extra_len(true)); 1116 if (!pulled_sci) { 1117 if (!pskb_may_pull(skb, macsec_extra_len(false))) 1118 goto drop_direct; 1119 } 1120 1121 hdr = macsec_ethhdr(skb); 1122 1123 /* Frames with a SecTAG that has the TCI E bit set but the C 1124 * bit clear are discarded, as this reserved encoding is used 1125 * to identify frames with a SecTAG that are not to be 1126 * delivered to the Controlled Port. 1127 */ 1128 if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E) 1129 return RX_HANDLER_PASS; 1130 1131 /* now, pull the extra length */ 1132 if (hdr->tci_an & MACSEC_TCI_SC) { 1133 if (!pulled_sci) 1134 goto drop_direct; 1135 } 1136 1137 /* ethernet header is part of crypto processing */ 1138 skb_push(skb, ETH_HLEN); 1139 1140 macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC); 1141 macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK; 1142 sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci); 1143 1144 rcu_read_lock(); 1145 rxd = macsec_data_rcu(skb->dev); 1146 1147 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1148 struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci); 1149 1150 sc = sc ? macsec_rxsc_get(sc) : NULL; 1151 1152 if (sc) { 1153 secy = &macsec->secy; 1154 rx_sc = sc; 1155 break; 1156 } 1157 } 1158 1159 if (!secy) 1160 goto nosci; 1161 1162 dev = secy->netdev; 1163 macsec = macsec_priv(dev); 1164 secy_stats = this_cpu_ptr(macsec->stats); 1165 rxsc_stats = this_cpu_ptr(rx_sc->stats); 1166 1167 if (!macsec_validate_skb(skb, secy->icv_len, secy->xpn)) { 1168 u64_stats_update_begin(&secy_stats->syncp); 1169 secy_stats->stats.InPktsBadTag++; 1170 u64_stats_update_end(&secy_stats->syncp); 1171 DEV_STATS_INC(secy->netdev, rx_errors); 1172 goto drop_nosa; 1173 } 1174 1175 rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]); 1176 if (!rx_sa) { 1177 /* 10.6.1 if the SA is not in use */ 1178 1179 /* If validateFrames is Strict or the C bit in the 1180 * SecTAG is set, discard 1181 */ 1182 struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc); 1183 if (hdr->tci_an & MACSEC_TCI_C || 1184 secy->validate_frames == MACSEC_VALIDATE_STRICT) { 1185 u64_stats_update_begin(&rxsc_stats->syncp); 1186 rxsc_stats->stats.InPktsNotUsingSA++; 1187 u64_stats_update_end(&rxsc_stats->syncp); 1188 DEV_STATS_INC(secy->netdev, rx_errors); 1189 if (active_rx_sa) 1190 this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA); 1191 goto drop_nosa; 1192 } 1193 1194 /* not Strict, the frame (with the SecTAG and ICV 1195 * removed) is delivered to the Controlled Port. 1196 */ 1197 u64_stats_update_begin(&rxsc_stats->syncp); 1198 rxsc_stats->stats.InPktsUnusedSA++; 1199 u64_stats_update_end(&rxsc_stats->syncp); 1200 if (active_rx_sa) 1201 this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA); 1202 goto deliver; 1203 } 1204 1205 /* First, PN check to avoid decrypting obviously wrong packets */ 1206 hdr_pn = ntohl(hdr->packet_number); 1207 if (secy->replay_protect) { 1208 bool late; 1209 1210 spin_lock(&rx_sa->lock); 1211 late = rx_sa->next_pn_halves.lower >= secy->replay_window && 1212 hdr_pn < (rx_sa->next_pn_halves.lower - secy->replay_window); 1213 1214 if (secy->xpn) 1215 late = late && pn_same_half(rx_sa->next_pn_halves.lower, hdr_pn); 1216 spin_unlock(&rx_sa->lock); 1217 1218 if (late) { 1219 u64_stats_update_begin(&rxsc_stats->syncp); 1220 rxsc_stats->stats.InPktsLate++; 1221 u64_stats_update_end(&rxsc_stats->syncp); 1222 DEV_STATS_INC(macsec->secy.netdev, rx_dropped); 1223 goto drop; 1224 } 1225 } 1226 1227 macsec_skb_cb(skb)->rx_sa = rx_sa; 1228 1229 /* Disabled && !changed text => skip validation */ 1230 if (hdr->tci_an & MACSEC_TCI_C || 1231 secy->validate_frames != MACSEC_VALIDATE_DISABLED) 1232 skb = macsec_decrypt(skb, dev, rx_sa, sci, secy); 1233 1234 if (IS_ERR(skb)) { 1235 /* the decrypt callback needs the reference */ 1236 if (PTR_ERR(skb) != -EINPROGRESS) { 1237 macsec_rxsa_put(rx_sa); 1238 macsec_rxsc_put(rx_sc); 1239 } 1240 rcu_read_unlock(); 1241 *pskb = NULL; 1242 return RX_HANDLER_CONSUMED; 1243 } 1244 1245 if (!macsec_post_decrypt(skb, secy, hdr_pn)) 1246 goto drop; 1247 1248 deliver: 1249 macsec_finalize_skb(skb, secy->icv_len, 1250 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 1251 len = skb->len; 1252 macsec_reset_skb(skb, secy->netdev); 1253 1254 if (rx_sa) 1255 macsec_rxsa_put(rx_sa); 1256 macsec_rxsc_put(rx_sc); 1257 1258 skb_orphan(skb); 1259 ret = gro_cells_receive(&macsec->gro_cells, skb); 1260 if (ret == NET_RX_SUCCESS) 1261 count_rx(dev, len); 1262 else 1263 DEV_STATS_INC(macsec->secy.netdev, rx_dropped); 1264 1265 rcu_read_unlock(); 1266 1267 *pskb = NULL; 1268 return RX_HANDLER_CONSUMED; 1269 1270 drop: 1271 macsec_rxsa_put(rx_sa); 1272 drop_nosa: 1273 macsec_rxsc_put(rx_sc); 1274 rcu_read_unlock(); 1275 drop_direct: 1276 kfree_skb(skb); 1277 *pskb = NULL; 1278 return RX_HANDLER_CONSUMED; 1279 1280 nosci: 1281 /* 10.6.1 if the SC is not found */ 1282 cbit = !!(hdr->tci_an & MACSEC_TCI_C); 1283 if (!cbit) 1284 macsec_finalize_skb(skb, MACSEC_DEFAULT_ICV_LEN, 1285 macsec_extra_len(macsec_skb_cb(skb)->has_sci)); 1286 1287 list_for_each_entry_rcu(macsec, &rxd->secys, secys) { 1288 struct sk_buff *nskb; 1289 1290 secy_stats = this_cpu_ptr(macsec->stats); 1291 1292 /* If validateFrames is Strict or the C bit in the 1293 * SecTAG is set, discard 1294 */ 1295 if (cbit || 1296 macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) { 1297 u64_stats_update_begin(&secy_stats->syncp); 1298 secy_stats->stats.InPktsNoSCI++; 1299 u64_stats_update_end(&secy_stats->syncp); 1300 DEV_STATS_INC(macsec->secy.netdev, rx_errors); 1301 continue; 1302 } 1303 1304 /* not strict, the frame (with the SecTAG and ICV 1305 * removed) is delivered to the Controlled Port. 1306 */ 1307 nskb = skb_clone(skb, GFP_ATOMIC); 1308 if (!nskb) 1309 break; 1310 1311 macsec_reset_skb(nskb, macsec->secy.netdev); 1312 1313 ret = __netif_rx(nskb); 1314 if (ret == NET_RX_SUCCESS) { 1315 u64_stats_update_begin(&secy_stats->syncp); 1316 secy_stats->stats.InPktsUnknownSCI++; 1317 u64_stats_update_end(&secy_stats->syncp); 1318 } else { 1319 DEV_STATS_INC(macsec->secy.netdev, rx_dropped); 1320 } 1321 } 1322 1323 rcu_read_unlock(); 1324 *pskb = skb; 1325 return RX_HANDLER_PASS; 1326 } 1327 1328 static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len) 1329 { 1330 struct crypto_aead *tfm; 1331 int ret; 1332 1333 /* Pick a sync gcm(aes) cipher to ensure order is preserved. */ 1334 tfm = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC); 1335 1336 if (IS_ERR(tfm)) 1337 return tfm; 1338 1339 ret = crypto_aead_setkey(tfm, key, key_len); 1340 if (ret < 0) 1341 goto fail; 1342 1343 ret = crypto_aead_setauthsize(tfm, icv_len); 1344 if (ret < 0) 1345 goto fail; 1346 1347 return tfm; 1348 fail: 1349 crypto_free_aead(tfm); 1350 return ERR_PTR(ret); 1351 } 1352 1353 static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len, 1354 int icv_len) 1355 { 1356 rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats); 1357 if (!rx_sa->stats) 1358 return -ENOMEM; 1359 1360 rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len); 1361 if (IS_ERR(rx_sa->key.tfm)) { 1362 free_percpu(rx_sa->stats); 1363 return PTR_ERR(rx_sa->key.tfm); 1364 } 1365 1366 rx_sa->ssci = MACSEC_UNDEF_SSCI; 1367 rx_sa->active = false; 1368 rx_sa->next_pn = 1; 1369 refcount_set(&rx_sa->refcnt, 1); 1370 spin_lock_init(&rx_sa->lock); 1371 1372 return 0; 1373 } 1374 1375 static void clear_rx_sa(struct macsec_rx_sa *rx_sa) 1376 { 1377 rx_sa->active = false; 1378 1379 macsec_rxsa_put(rx_sa); 1380 } 1381 1382 static void free_rx_sc(struct macsec_rx_sc *rx_sc) 1383 { 1384 int i; 1385 1386 for (i = 0; i < MACSEC_NUM_AN; i++) { 1387 struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]); 1388 1389 RCU_INIT_POINTER(rx_sc->sa[i], NULL); 1390 if (sa) 1391 clear_rx_sa(sa); 1392 } 1393 1394 macsec_rxsc_put(rx_sc); 1395 } 1396 1397 static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci) 1398 { 1399 struct macsec_rx_sc *rx_sc, __rcu **rx_scp; 1400 1401 for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp); 1402 rx_sc; 1403 rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) { 1404 if (rx_sc->sci == sci) { 1405 if (rx_sc->active) 1406 secy->n_rx_sc--; 1407 rcu_assign_pointer(*rx_scp, rx_sc->next); 1408 return rx_sc; 1409 } 1410 } 1411 1412 return NULL; 1413 } 1414 1415 static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci, 1416 bool active) 1417 { 1418 struct macsec_rx_sc *rx_sc; 1419 struct macsec_dev *macsec; 1420 struct net_device *real_dev = macsec_priv(dev)->real_dev; 1421 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 1422 struct macsec_secy *secy; 1423 1424 list_for_each_entry(macsec, &rxd->secys, secys) { 1425 if (find_rx_sc_rtnl(&macsec->secy, sci)) 1426 return ERR_PTR(-EEXIST); 1427 } 1428 1429 rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL); 1430 if (!rx_sc) 1431 return ERR_PTR(-ENOMEM); 1432 1433 rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats); 1434 if (!rx_sc->stats) { 1435 kfree(rx_sc); 1436 return ERR_PTR(-ENOMEM); 1437 } 1438 1439 rx_sc->sci = sci; 1440 rx_sc->active = active; 1441 refcount_set(&rx_sc->refcnt, 1); 1442 1443 secy = &macsec_priv(dev)->secy; 1444 rcu_assign_pointer(rx_sc->next, secy->rx_sc); 1445 rcu_assign_pointer(secy->rx_sc, rx_sc); 1446 1447 if (rx_sc->active) 1448 secy->n_rx_sc++; 1449 1450 return rx_sc; 1451 } 1452 1453 static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len, 1454 int icv_len) 1455 { 1456 tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats); 1457 if (!tx_sa->stats) 1458 return -ENOMEM; 1459 1460 tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len); 1461 if (IS_ERR(tx_sa->key.tfm)) { 1462 free_percpu(tx_sa->stats); 1463 return PTR_ERR(tx_sa->key.tfm); 1464 } 1465 1466 tx_sa->ssci = MACSEC_UNDEF_SSCI; 1467 tx_sa->active = false; 1468 refcount_set(&tx_sa->refcnt, 1); 1469 spin_lock_init(&tx_sa->lock); 1470 1471 return 0; 1472 } 1473 1474 static void clear_tx_sa(struct macsec_tx_sa *tx_sa) 1475 { 1476 tx_sa->active = false; 1477 1478 macsec_txsa_put(tx_sa); 1479 } 1480 1481 static struct genl_family macsec_fam; 1482 1483 static struct net_device *get_dev_from_nl(struct net *net, 1484 struct nlattr **attrs) 1485 { 1486 int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]); 1487 struct net_device *dev; 1488 1489 dev = __dev_get_by_index(net, ifindex); 1490 if (!dev) 1491 return ERR_PTR(-ENODEV); 1492 1493 if (!netif_is_macsec(dev)) 1494 return ERR_PTR(-ENODEV); 1495 1496 return dev; 1497 } 1498 1499 static enum macsec_offload nla_get_offload(const struct nlattr *nla) 1500 { 1501 return (__force enum macsec_offload)nla_get_u8(nla); 1502 } 1503 1504 static sci_t nla_get_sci(const struct nlattr *nla) 1505 { 1506 return (__force sci_t)nla_get_u64(nla); 1507 } 1508 1509 static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value, 1510 int padattr) 1511 { 1512 return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr); 1513 } 1514 1515 static ssci_t nla_get_ssci(const struct nlattr *nla) 1516 { 1517 return (__force ssci_t)nla_get_u32(nla); 1518 } 1519 1520 static int nla_put_ssci(struct sk_buff *skb, int attrtype, ssci_t value) 1521 { 1522 return nla_put_u32(skb, attrtype, (__force u64)value); 1523 } 1524 1525 static struct macsec_tx_sa *get_txsa_from_nl(struct net *net, 1526 struct nlattr **attrs, 1527 struct nlattr **tb_sa, 1528 struct net_device **devp, 1529 struct macsec_secy **secyp, 1530 struct macsec_tx_sc **scp, 1531 u8 *assoc_num) 1532 { 1533 struct net_device *dev; 1534 struct macsec_secy *secy; 1535 struct macsec_tx_sc *tx_sc; 1536 struct macsec_tx_sa *tx_sa; 1537 1538 if (!tb_sa[MACSEC_SA_ATTR_AN]) 1539 return ERR_PTR(-EINVAL); 1540 1541 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1542 1543 dev = get_dev_from_nl(net, attrs); 1544 if (IS_ERR(dev)) 1545 return ERR_CAST(dev); 1546 1547 if (*assoc_num >= MACSEC_NUM_AN) 1548 return ERR_PTR(-EINVAL); 1549 1550 secy = &macsec_priv(dev)->secy; 1551 tx_sc = &secy->tx_sc; 1552 1553 tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]); 1554 if (!tx_sa) 1555 return ERR_PTR(-ENODEV); 1556 1557 *devp = dev; 1558 *scp = tx_sc; 1559 *secyp = secy; 1560 return tx_sa; 1561 } 1562 1563 static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net, 1564 struct nlattr **attrs, 1565 struct nlattr **tb_rxsc, 1566 struct net_device **devp, 1567 struct macsec_secy **secyp) 1568 { 1569 struct net_device *dev; 1570 struct macsec_secy *secy; 1571 struct macsec_rx_sc *rx_sc; 1572 sci_t sci; 1573 1574 dev = get_dev_from_nl(net, attrs); 1575 if (IS_ERR(dev)) 1576 return ERR_CAST(dev); 1577 1578 secy = &macsec_priv(dev)->secy; 1579 1580 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI]) 1581 return ERR_PTR(-EINVAL); 1582 1583 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 1584 rx_sc = find_rx_sc_rtnl(secy, sci); 1585 if (!rx_sc) 1586 return ERR_PTR(-ENODEV); 1587 1588 *secyp = secy; 1589 *devp = dev; 1590 1591 return rx_sc; 1592 } 1593 1594 static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net, 1595 struct nlattr **attrs, 1596 struct nlattr **tb_rxsc, 1597 struct nlattr **tb_sa, 1598 struct net_device **devp, 1599 struct macsec_secy **secyp, 1600 struct macsec_rx_sc **scp, 1601 u8 *assoc_num) 1602 { 1603 struct macsec_rx_sc *rx_sc; 1604 struct macsec_rx_sa *rx_sa; 1605 1606 if (!tb_sa[MACSEC_SA_ATTR_AN]) 1607 return ERR_PTR(-EINVAL); 1608 1609 *assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1610 if (*assoc_num >= MACSEC_NUM_AN) 1611 return ERR_PTR(-EINVAL); 1612 1613 rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp); 1614 if (IS_ERR(rx_sc)) 1615 return ERR_CAST(rx_sc); 1616 1617 rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]); 1618 if (!rx_sa) 1619 return ERR_PTR(-ENODEV); 1620 1621 *scp = rx_sc; 1622 return rx_sa; 1623 } 1624 1625 static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = { 1626 [MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 }, 1627 [MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED }, 1628 [MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED }, 1629 [MACSEC_ATTR_OFFLOAD] = { .type = NLA_NESTED }, 1630 }; 1631 1632 static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = { 1633 [MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 }, 1634 [MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 }, 1635 }; 1636 1637 static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = { 1638 [MACSEC_SA_ATTR_AN] = { .type = NLA_U8 }, 1639 [MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 }, 1640 [MACSEC_SA_ATTR_PN] = NLA_POLICY_MIN_LEN(4), 1641 [MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY, 1642 .len = MACSEC_KEYID_LEN, }, 1643 [MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY, 1644 .len = MACSEC_MAX_KEY_LEN, }, 1645 [MACSEC_SA_ATTR_SSCI] = { .type = NLA_U32 }, 1646 [MACSEC_SA_ATTR_SALT] = { .type = NLA_BINARY, 1647 .len = MACSEC_SALT_LEN, }, 1648 }; 1649 1650 static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = { 1651 [MACSEC_OFFLOAD_ATTR_TYPE] = { .type = NLA_U8 }, 1652 }; 1653 1654 /* Offloads an operation to a device driver */ 1655 static int macsec_offload(int (* const func)(struct macsec_context *), 1656 struct macsec_context *ctx) 1657 { 1658 int ret; 1659 1660 if (unlikely(!func)) 1661 return 0; 1662 1663 if (ctx->offload == MACSEC_OFFLOAD_PHY) 1664 mutex_lock(&ctx->phydev->lock); 1665 1666 ret = (*func)(ctx); 1667 1668 if (ctx->offload == MACSEC_OFFLOAD_PHY) 1669 mutex_unlock(&ctx->phydev->lock); 1670 1671 return ret; 1672 } 1673 1674 static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa) 1675 { 1676 if (!attrs[MACSEC_ATTR_SA_CONFIG]) 1677 return -EINVAL; 1678 1679 if (nla_parse_nested_deprecated(tb_sa, MACSEC_SA_ATTR_MAX, attrs[MACSEC_ATTR_SA_CONFIG], macsec_genl_sa_policy, NULL)) 1680 return -EINVAL; 1681 1682 return 0; 1683 } 1684 1685 static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc) 1686 { 1687 if (!attrs[MACSEC_ATTR_RXSC_CONFIG]) 1688 return -EINVAL; 1689 1690 if (nla_parse_nested_deprecated(tb_rxsc, MACSEC_RXSC_ATTR_MAX, attrs[MACSEC_ATTR_RXSC_CONFIG], macsec_genl_rxsc_policy, NULL)) 1691 return -EINVAL; 1692 1693 return 0; 1694 } 1695 1696 static bool validate_add_rxsa(struct nlattr **attrs) 1697 { 1698 if (!attrs[MACSEC_SA_ATTR_AN] || 1699 !attrs[MACSEC_SA_ATTR_KEY] || 1700 !attrs[MACSEC_SA_ATTR_KEYID]) 1701 return false; 1702 1703 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 1704 return false; 1705 1706 if (attrs[MACSEC_SA_ATTR_PN] && 1707 nla_get_u64(attrs[MACSEC_SA_ATTR_PN]) == 0) 1708 return false; 1709 1710 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 1711 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 1712 return false; 1713 } 1714 1715 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN) 1716 return false; 1717 1718 return true; 1719 } 1720 1721 static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info) 1722 { 1723 struct net_device *dev; 1724 struct nlattr **attrs = info->attrs; 1725 struct macsec_secy *secy; 1726 struct macsec_rx_sc *rx_sc; 1727 struct macsec_rx_sa *rx_sa; 1728 unsigned char assoc_num; 1729 int pn_len; 1730 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 1731 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 1732 int err; 1733 1734 if (!attrs[MACSEC_ATTR_IFINDEX]) 1735 return -EINVAL; 1736 1737 if (parse_sa_config(attrs, tb_sa)) 1738 return -EINVAL; 1739 1740 if (parse_rxsc_config(attrs, tb_rxsc)) 1741 return -EINVAL; 1742 1743 if (!validate_add_rxsa(tb_sa)) 1744 return -EINVAL; 1745 1746 rtnl_lock(); 1747 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy); 1748 if (IS_ERR(rx_sc)) { 1749 rtnl_unlock(); 1750 return PTR_ERR(rx_sc); 1751 } 1752 1753 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1754 1755 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) { 1756 pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n", 1757 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len); 1758 rtnl_unlock(); 1759 return -EINVAL; 1760 } 1761 1762 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 1763 if (tb_sa[MACSEC_SA_ATTR_PN] && 1764 nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 1765 pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n", 1766 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 1767 rtnl_unlock(); 1768 return -EINVAL; 1769 } 1770 1771 if (secy->xpn) { 1772 if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { 1773 rtnl_unlock(); 1774 return -EINVAL; 1775 } 1776 1777 if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { 1778 pr_notice("macsec: nl: add_rxsa: bad salt length: %d != %d\n", 1779 nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), 1780 MACSEC_SALT_LEN); 1781 rtnl_unlock(); 1782 return -EINVAL; 1783 } 1784 } 1785 1786 rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]); 1787 if (rx_sa) { 1788 rtnl_unlock(); 1789 return -EBUSY; 1790 } 1791 1792 rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL); 1793 if (!rx_sa) { 1794 rtnl_unlock(); 1795 return -ENOMEM; 1796 } 1797 1798 err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 1799 secy->key_len, secy->icv_len); 1800 if (err < 0) { 1801 kfree(rx_sa); 1802 rtnl_unlock(); 1803 return err; 1804 } 1805 1806 if (tb_sa[MACSEC_SA_ATTR_PN]) { 1807 spin_lock_bh(&rx_sa->lock); 1808 rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 1809 spin_unlock_bh(&rx_sa->lock); 1810 } 1811 1812 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 1813 rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 1814 1815 rx_sa->sc = rx_sc; 1816 1817 if (secy->xpn) { 1818 rx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); 1819 nla_memcpy(rx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], 1820 MACSEC_SALT_LEN); 1821 } 1822 1823 /* If h/w offloading is available, propagate to the device */ 1824 if (macsec_is_offloaded(netdev_priv(dev))) { 1825 const struct macsec_ops *ops; 1826 struct macsec_context ctx; 1827 1828 ops = macsec_get_ops(netdev_priv(dev), &ctx); 1829 if (!ops) { 1830 err = -EOPNOTSUPP; 1831 goto cleanup; 1832 } 1833 1834 ctx.sa.assoc_num = assoc_num; 1835 ctx.sa.rx_sa = rx_sa; 1836 ctx.secy = secy; 1837 memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 1838 secy->key_len); 1839 1840 err = macsec_offload(ops->mdo_add_rxsa, &ctx); 1841 memzero_explicit(ctx.sa.key, secy->key_len); 1842 if (err) 1843 goto cleanup; 1844 } 1845 1846 nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); 1847 rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa); 1848 1849 rtnl_unlock(); 1850 1851 return 0; 1852 1853 cleanup: 1854 macsec_rxsa_put(rx_sa); 1855 rtnl_unlock(); 1856 return err; 1857 } 1858 1859 static bool validate_add_rxsc(struct nlattr **attrs) 1860 { 1861 if (!attrs[MACSEC_RXSC_ATTR_SCI]) 1862 return false; 1863 1864 if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) { 1865 if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1) 1866 return false; 1867 } 1868 1869 return true; 1870 } 1871 1872 static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info) 1873 { 1874 struct net_device *dev; 1875 sci_t sci = MACSEC_UNDEF_SCI; 1876 struct nlattr **attrs = info->attrs; 1877 struct macsec_rx_sc *rx_sc; 1878 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 1879 struct macsec_secy *secy; 1880 bool active = true; 1881 int ret; 1882 1883 if (!attrs[MACSEC_ATTR_IFINDEX]) 1884 return -EINVAL; 1885 1886 if (parse_rxsc_config(attrs, tb_rxsc)) 1887 return -EINVAL; 1888 1889 if (!validate_add_rxsc(tb_rxsc)) 1890 return -EINVAL; 1891 1892 rtnl_lock(); 1893 dev = get_dev_from_nl(genl_info_net(info), attrs); 1894 if (IS_ERR(dev)) { 1895 rtnl_unlock(); 1896 return PTR_ERR(dev); 1897 } 1898 1899 secy = &macsec_priv(dev)->secy; 1900 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 1901 1902 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) 1903 active = nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); 1904 1905 rx_sc = create_rx_sc(dev, sci, active); 1906 if (IS_ERR(rx_sc)) { 1907 rtnl_unlock(); 1908 return PTR_ERR(rx_sc); 1909 } 1910 1911 if (macsec_is_offloaded(netdev_priv(dev))) { 1912 const struct macsec_ops *ops; 1913 struct macsec_context ctx; 1914 1915 ops = macsec_get_ops(netdev_priv(dev), &ctx); 1916 if (!ops) { 1917 ret = -EOPNOTSUPP; 1918 goto cleanup; 1919 } 1920 1921 ctx.rx_sc = rx_sc; 1922 ctx.secy = secy; 1923 1924 ret = macsec_offload(ops->mdo_add_rxsc, &ctx); 1925 if (ret) 1926 goto cleanup; 1927 } 1928 1929 rtnl_unlock(); 1930 1931 return 0; 1932 1933 cleanup: 1934 del_rx_sc(secy, sci); 1935 free_rx_sc(rx_sc); 1936 rtnl_unlock(); 1937 return ret; 1938 } 1939 1940 static bool validate_add_txsa(struct nlattr **attrs) 1941 { 1942 if (!attrs[MACSEC_SA_ATTR_AN] || 1943 !attrs[MACSEC_SA_ATTR_PN] || 1944 !attrs[MACSEC_SA_ATTR_KEY] || 1945 !attrs[MACSEC_SA_ATTR_KEYID]) 1946 return false; 1947 1948 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 1949 return false; 1950 1951 if (nla_get_u64(attrs[MACSEC_SA_ATTR_PN]) == 0) 1952 return false; 1953 1954 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 1955 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 1956 return false; 1957 } 1958 1959 if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN) 1960 return false; 1961 1962 return true; 1963 } 1964 1965 static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info) 1966 { 1967 struct net_device *dev; 1968 struct nlattr **attrs = info->attrs; 1969 struct macsec_secy *secy; 1970 struct macsec_tx_sc *tx_sc; 1971 struct macsec_tx_sa *tx_sa; 1972 unsigned char assoc_num; 1973 int pn_len; 1974 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 1975 bool was_operational; 1976 int err; 1977 1978 if (!attrs[MACSEC_ATTR_IFINDEX]) 1979 return -EINVAL; 1980 1981 if (parse_sa_config(attrs, tb_sa)) 1982 return -EINVAL; 1983 1984 if (!validate_add_txsa(tb_sa)) 1985 return -EINVAL; 1986 1987 rtnl_lock(); 1988 dev = get_dev_from_nl(genl_info_net(info), attrs); 1989 if (IS_ERR(dev)) { 1990 rtnl_unlock(); 1991 return PTR_ERR(dev); 1992 } 1993 1994 secy = &macsec_priv(dev)->secy; 1995 tx_sc = &secy->tx_sc; 1996 1997 assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]); 1998 1999 if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) { 2000 pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n", 2001 nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len); 2002 rtnl_unlock(); 2003 return -EINVAL; 2004 } 2005 2006 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 2007 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 2008 pr_notice("macsec: nl: add_txsa: bad pn length: %d != %d\n", 2009 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2010 rtnl_unlock(); 2011 return -EINVAL; 2012 } 2013 2014 if (secy->xpn) { 2015 if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) { 2016 rtnl_unlock(); 2017 return -EINVAL; 2018 } 2019 2020 if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) { 2021 pr_notice("macsec: nl: add_txsa: bad salt length: %d != %d\n", 2022 nla_len(tb_sa[MACSEC_SA_ATTR_SALT]), 2023 MACSEC_SALT_LEN); 2024 rtnl_unlock(); 2025 return -EINVAL; 2026 } 2027 } 2028 2029 tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]); 2030 if (tx_sa) { 2031 rtnl_unlock(); 2032 return -EBUSY; 2033 } 2034 2035 tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL); 2036 if (!tx_sa) { 2037 rtnl_unlock(); 2038 return -ENOMEM; 2039 } 2040 2041 err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 2042 secy->key_len, secy->icv_len); 2043 if (err < 0) { 2044 kfree(tx_sa); 2045 rtnl_unlock(); 2046 return err; 2047 } 2048 2049 spin_lock_bh(&tx_sa->lock); 2050 tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2051 spin_unlock_bh(&tx_sa->lock); 2052 2053 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2054 tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2055 2056 was_operational = secy->operational; 2057 if (assoc_num == tx_sc->encoding_sa && tx_sa->active) 2058 secy->operational = true; 2059 2060 if (secy->xpn) { 2061 tx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]); 2062 nla_memcpy(tx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT], 2063 MACSEC_SALT_LEN); 2064 } 2065 2066 /* If h/w offloading is available, propagate to the device */ 2067 if (macsec_is_offloaded(netdev_priv(dev))) { 2068 const struct macsec_ops *ops; 2069 struct macsec_context ctx; 2070 2071 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2072 if (!ops) { 2073 err = -EOPNOTSUPP; 2074 goto cleanup; 2075 } 2076 2077 ctx.sa.assoc_num = assoc_num; 2078 ctx.sa.tx_sa = tx_sa; 2079 ctx.secy = secy; 2080 memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]), 2081 secy->key_len); 2082 2083 err = macsec_offload(ops->mdo_add_txsa, &ctx); 2084 memzero_explicit(ctx.sa.key, secy->key_len); 2085 if (err) 2086 goto cleanup; 2087 } 2088 2089 nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN); 2090 rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa); 2091 2092 rtnl_unlock(); 2093 2094 return 0; 2095 2096 cleanup: 2097 secy->operational = was_operational; 2098 macsec_txsa_put(tx_sa); 2099 rtnl_unlock(); 2100 return err; 2101 } 2102 2103 static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info) 2104 { 2105 struct nlattr **attrs = info->attrs; 2106 struct net_device *dev; 2107 struct macsec_secy *secy; 2108 struct macsec_rx_sc *rx_sc; 2109 struct macsec_rx_sa *rx_sa; 2110 u8 assoc_num; 2111 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2112 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2113 int ret; 2114 2115 if (!attrs[MACSEC_ATTR_IFINDEX]) 2116 return -EINVAL; 2117 2118 if (parse_sa_config(attrs, tb_sa)) 2119 return -EINVAL; 2120 2121 if (parse_rxsc_config(attrs, tb_rxsc)) 2122 return -EINVAL; 2123 2124 rtnl_lock(); 2125 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa, 2126 &dev, &secy, &rx_sc, &assoc_num); 2127 if (IS_ERR(rx_sa)) { 2128 rtnl_unlock(); 2129 return PTR_ERR(rx_sa); 2130 } 2131 2132 if (rx_sa->active) { 2133 rtnl_unlock(); 2134 return -EBUSY; 2135 } 2136 2137 /* If h/w offloading is available, propagate to the device */ 2138 if (macsec_is_offloaded(netdev_priv(dev))) { 2139 const struct macsec_ops *ops; 2140 struct macsec_context ctx; 2141 2142 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2143 if (!ops) { 2144 ret = -EOPNOTSUPP; 2145 goto cleanup; 2146 } 2147 2148 ctx.sa.assoc_num = assoc_num; 2149 ctx.sa.rx_sa = rx_sa; 2150 ctx.secy = secy; 2151 2152 ret = macsec_offload(ops->mdo_del_rxsa, &ctx); 2153 if (ret) 2154 goto cleanup; 2155 } 2156 2157 RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL); 2158 clear_rx_sa(rx_sa); 2159 2160 rtnl_unlock(); 2161 2162 return 0; 2163 2164 cleanup: 2165 rtnl_unlock(); 2166 return ret; 2167 } 2168 2169 static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info) 2170 { 2171 struct nlattr **attrs = info->attrs; 2172 struct net_device *dev; 2173 struct macsec_secy *secy; 2174 struct macsec_rx_sc *rx_sc; 2175 sci_t sci; 2176 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2177 int ret; 2178 2179 if (!attrs[MACSEC_ATTR_IFINDEX]) 2180 return -EINVAL; 2181 2182 if (parse_rxsc_config(attrs, tb_rxsc)) 2183 return -EINVAL; 2184 2185 if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI]) 2186 return -EINVAL; 2187 2188 rtnl_lock(); 2189 dev = get_dev_from_nl(genl_info_net(info), info->attrs); 2190 if (IS_ERR(dev)) { 2191 rtnl_unlock(); 2192 return PTR_ERR(dev); 2193 } 2194 2195 secy = &macsec_priv(dev)->secy; 2196 sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]); 2197 2198 rx_sc = del_rx_sc(secy, sci); 2199 if (!rx_sc) { 2200 rtnl_unlock(); 2201 return -ENODEV; 2202 } 2203 2204 /* If h/w offloading is available, propagate to the device */ 2205 if (macsec_is_offloaded(netdev_priv(dev))) { 2206 const struct macsec_ops *ops; 2207 struct macsec_context ctx; 2208 2209 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2210 if (!ops) { 2211 ret = -EOPNOTSUPP; 2212 goto cleanup; 2213 } 2214 2215 ctx.rx_sc = rx_sc; 2216 ctx.secy = secy; 2217 ret = macsec_offload(ops->mdo_del_rxsc, &ctx); 2218 if (ret) 2219 goto cleanup; 2220 } 2221 2222 free_rx_sc(rx_sc); 2223 rtnl_unlock(); 2224 2225 return 0; 2226 2227 cleanup: 2228 rtnl_unlock(); 2229 return ret; 2230 } 2231 2232 static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info) 2233 { 2234 struct nlattr **attrs = info->attrs; 2235 struct net_device *dev; 2236 struct macsec_secy *secy; 2237 struct macsec_tx_sc *tx_sc; 2238 struct macsec_tx_sa *tx_sa; 2239 u8 assoc_num; 2240 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2241 int ret; 2242 2243 if (!attrs[MACSEC_ATTR_IFINDEX]) 2244 return -EINVAL; 2245 2246 if (parse_sa_config(attrs, tb_sa)) 2247 return -EINVAL; 2248 2249 rtnl_lock(); 2250 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa, 2251 &dev, &secy, &tx_sc, &assoc_num); 2252 if (IS_ERR(tx_sa)) { 2253 rtnl_unlock(); 2254 return PTR_ERR(tx_sa); 2255 } 2256 2257 if (tx_sa->active) { 2258 rtnl_unlock(); 2259 return -EBUSY; 2260 } 2261 2262 /* If h/w offloading is available, propagate to the device */ 2263 if (macsec_is_offloaded(netdev_priv(dev))) { 2264 const struct macsec_ops *ops; 2265 struct macsec_context ctx; 2266 2267 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2268 if (!ops) { 2269 ret = -EOPNOTSUPP; 2270 goto cleanup; 2271 } 2272 2273 ctx.sa.assoc_num = assoc_num; 2274 ctx.sa.tx_sa = tx_sa; 2275 ctx.secy = secy; 2276 2277 ret = macsec_offload(ops->mdo_del_txsa, &ctx); 2278 if (ret) 2279 goto cleanup; 2280 } 2281 2282 RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL); 2283 clear_tx_sa(tx_sa); 2284 2285 rtnl_unlock(); 2286 2287 return 0; 2288 2289 cleanup: 2290 rtnl_unlock(); 2291 return ret; 2292 } 2293 2294 static bool validate_upd_sa(struct nlattr **attrs) 2295 { 2296 if (!attrs[MACSEC_SA_ATTR_AN] || 2297 attrs[MACSEC_SA_ATTR_KEY] || 2298 attrs[MACSEC_SA_ATTR_KEYID] || 2299 attrs[MACSEC_SA_ATTR_SSCI] || 2300 attrs[MACSEC_SA_ATTR_SALT]) 2301 return false; 2302 2303 if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN) 2304 return false; 2305 2306 if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u64(attrs[MACSEC_SA_ATTR_PN]) == 0) 2307 return false; 2308 2309 if (attrs[MACSEC_SA_ATTR_ACTIVE]) { 2310 if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1) 2311 return false; 2312 } 2313 2314 return true; 2315 } 2316 2317 static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info) 2318 { 2319 struct nlattr **attrs = info->attrs; 2320 struct net_device *dev; 2321 struct macsec_secy *secy; 2322 struct macsec_tx_sc *tx_sc; 2323 struct macsec_tx_sa *tx_sa; 2324 u8 assoc_num; 2325 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2326 bool was_operational, was_active; 2327 pn_t prev_pn; 2328 int ret = 0; 2329 2330 prev_pn.full64 = 0; 2331 2332 if (!attrs[MACSEC_ATTR_IFINDEX]) 2333 return -EINVAL; 2334 2335 if (parse_sa_config(attrs, tb_sa)) 2336 return -EINVAL; 2337 2338 if (!validate_upd_sa(tb_sa)) 2339 return -EINVAL; 2340 2341 rtnl_lock(); 2342 tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa, 2343 &dev, &secy, &tx_sc, &assoc_num); 2344 if (IS_ERR(tx_sa)) { 2345 rtnl_unlock(); 2346 return PTR_ERR(tx_sa); 2347 } 2348 2349 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2350 int pn_len; 2351 2352 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 2353 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 2354 pr_notice("macsec: nl: upd_txsa: bad pn length: %d != %d\n", 2355 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2356 rtnl_unlock(); 2357 return -EINVAL; 2358 } 2359 2360 spin_lock_bh(&tx_sa->lock); 2361 prev_pn = tx_sa->next_pn_halves; 2362 tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2363 spin_unlock_bh(&tx_sa->lock); 2364 } 2365 2366 was_active = tx_sa->active; 2367 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2368 tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2369 2370 was_operational = secy->operational; 2371 if (assoc_num == tx_sc->encoding_sa) 2372 secy->operational = tx_sa->active; 2373 2374 /* If h/w offloading is available, propagate to the device */ 2375 if (macsec_is_offloaded(netdev_priv(dev))) { 2376 const struct macsec_ops *ops; 2377 struct macsec_context ctx; 2378 2379 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2380 if (!ops) { 2381 ret = -EOPNOTSUPP; 2382 goto cleanup; 2383 } 2384 2385 ctx.sa.assoc_num = assoc_num; 2386 ctx.sa.tx_sa = tx_sa; 2387 ctx.secy = secy; 2388 2389 ret = macsec_offload(ops->mdo_upd_txsa, &ctx); 2390 if (ret) 2391 goto cleanup; 2392 } 2393 2394 rtnl_unlock(); 2395 2396 return 0; 2397 2398 cleanup: 2399 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2400 spin_lock_bh(&tx_sa->lock); 2401 tx_sa->next_pn_halves = prev_pn; 2402 spin_unlock_bh(&tx_sa->lock); 2403 } 2404 tx_sa->active = was_active; 2405 secy->operational = was_operational; 2406 rtnl_unlock(); 2407 return ret; 2408 } 2409 2410 static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info) 2411 { 2412 struct nlattr **attrs = info->attrs; 2413 struct net_device *dev; 2414 struct macsec_secy *secy; 2415 struct macsec_rx_sc *rx_sc; 2416 struct macsec_rx_sa *rx_sa; 2417 u8 assoc_num; 2418 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2419 struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1]; 2420 bool was_active; 2421 pn_t prev_pn; 2422 int ret = 0; 2423 2424 prev_pn.full64 = 0; 2425 2426 if (!attrs[MACSEC_ATTR_IFINDEX]) 2427 return -EINVAL; 2428 2429 if (parse_rxsc_config(attrs, tb_rxsc)) 2430 return -EINVAL; 2431 2432 if (parse_sa_config(attrs, tb_sa)) 2433 return -EINVAL; 2434 2435 if (!validate_upd_sa(tb_sa)) 2436 return -EINVAL; 2437 2438 rtnl_lock(); 2439 rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa, 2440 &dev, &secy, &rx_sc, &assoc_num); 2441 if (IS_ERR(rx_sa)) { 2442 rtnl_unlock(); 2443 return PTR_ERR(rx_sa); 2444 } 2445 2446 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2447 int pn_len; 2448 2449 pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN; 2450 if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) { 2451 pr_notice("macsec: nl: upd_rxsa: bad pn length: %d != %d\n", 2452 nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len); 2453 rtnl_unlock(); 2454 return -EINVAL; 2455 } 2456 2457 spin_lock_bh(&rx_sa->lock); 2458 prev_pn = rx_sa->next_pn_halves; 2459 rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]); 2460 spin_unlock_bh(&rx_sa->lock); 2461 } 2462 2463 was_active = rx_sa->active; 2464 if (tb_sa[MACSEC_SA_ATTR_ACTIVE]) 2465 rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]); 2466 2467 /* If h/w offloading is available, propagate to the device */ 2468 if (macsec_is_offloaded(netdev_priv(dev))) { 2469 const struct macsec_ops *ops; 2470 struct macsec_context ctx; 2471 2472 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2473 if (!ops) { 2474 ret = -EOPNOTSUPP; 2475 goto cleanup; 2476 } 2477 2478 ctx.sa.assoc_num = assoc_num; 2479 ctx.sa.rx_sa = rx_sa; 2480 ctx.secy = secy; 2481 2482 ret = macsec_offload(ops->mdo_upd_rxsa, &ctx); 2483 if (ret) 2484 goto cleanup; 2485 } 2486 2487 rtnl_unlock(); 2488 return 0; 2489 2490 cleanup: 2491 if (tb_sa[MACSEC_SA_ATTR_PN]) { 2492 spin_lock_bh(&rx_sa->lock); 2493 rx_sa->next_pn_halves = prev_pn; 2494 spin_unlock_bh(&rx_sa->lock); 2495 } 2496 rx_sa->active = was_active; 2497 rtnl_unlock(); 2498 return ret; 2499 } 2500 2501 static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info) 2502 { 2503 struct nlattr **attrs = info->attrs; 2504 struct net_device *dev; 2505 struct macsec_secy *secy; 2506 struct macsec_rx_sc *rx_sc; 2507 struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1]; 2508 unsigned int prev_n_rx_sc; 2509 bool was_active; 2510 int ret; 2511 2512 if (!attrs[MACSEC_ATTR_IFINDEX]) 2513 return -EINVAL; 2514 2515 if (parse_rxsc_config(attrs, tb_rxsc)) 2516 return -EINVAL; 2517 2518 if (!validate_add_rxsc(tb_rxsc)) 2519 return -EINVAL; 2520 2521 rtnl_lock(); 2522 rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy); 2523 if (IS_ERR(rx_sc)) { 2524 rtnl_unlock(); 2525 return PTR_ERR(rx_sc); 2526 } 2527 2528 was_active = rx_sc->active; 2529 prev_n_rx_sc = secy->n_rx_sc; 2530 if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) { 2531 bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]); 2532 2533 if (rx_sc->active != new) 2534 secy->n_rx_sc += new ? 1 : -1; 2535 2536 rx_sc->active = new; 2537 } 2538 2539 /* If h/w offloading is available, propagate to the device */ 2540 if (macsec_is_offloaded(netdev_priv(dev))) { 2541 const struct macsec_ops *ops; 2542 struct macsec_context ctx; 2543 2544 ops = macsec_get_ops(netdev_priv(dev), &ctx); 2545 if (!ops) { 2546 ret = -EOPNOTSUPP; 2547 goto cleanup; 2548 } 2549 2550 ctx.rx_sc = rx_sc; 2551 ctx.secy = secy; 2552 2553 ret = macsec_offload(ops->mdo_upd_rxsc, &ctx); 2554 if (ret) 2555 goto cleanup; 2556 } 2557 2558 rtnl_unlock(); 2559 2560 return 0; 2561 2562 cleanup: 2563 secy->n_rx_sc = prev_n_rx_sc; 2564 rx_sc->active = was_active; 2565 rtnl_unlock(); 2566 return ret; 2567 } 2568 2569 static bool macsec_is_configured(struct macsec_dev *macsec) 2570 { 2571 struct macsec_secy *secy = &macsec->secy; 2572 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 2573 int i; 2574 2575 if (secy->rx_sc) 2576 return true; 2577 2578 for (i = 0; i < MACSEC_NUM_AN; i++) 2579 if (tx_sc->sa[i]) 2580 return true; 2581 2582 return false; 2583 } 2584 2585 static int macsec_update_offload(struct net_device *dev, enum macsec_offload offload) 2586 { 2587 enum macsec_offload prev_offload; 2588 const struct macsec_ops *ops; 2589 struct macsec_context ctx; 2590 struct macsec_dev *macsec; 2591 int ret = 0; 2592 2593 macsec = macsec_priv(dev); 2594 2595 /* Check if the offloading mode is supported by the underlying layers */ 2596 if (offload != MACSEC_OFFLOAD_OFF && 2597 !macsec_check_offload(offload, macsec)) 2598 return -EOPNOTSUPP; 2599 2600 /* Check if the net device is busy. */ 2601 if (netif_running(dev)) 2602 return -EBUSY; 2603 2604 /* Check if the device already has rules configured: we do not support 2605 * rules migration. 2606 */ 2607 if (macsec_is_configured(macsec)) 2608 return -EBUSY; 2609 2610 prev_offload = macsec->offload; 2611 2612 ops = __macsec_get_ops(offload == MACSEC_OFFLOAD_OFF ? prev_offload : offload, 2613 macsec, &ctx); 2614 if (!ops) 2615 return -EOPNOTSUPP; 2616 2617 macsec->offload = offload; 2618 2619 ctx.secy = &macsec->secy; 2620 ret = offload == MACSEC_OFFLOAD_OFF ? macsec_offload(ops->mdo_del_secy, &ctx) 2621 : macsec_offload(ops->mdo_add_secy, &ctx); 2622 if (ret) 2623 macsec->offload = prev_offload; 2624 2625 return ret; 2626 } 2627 2628 static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info) 2629 { 2630 struct nlattr *tb_offload[MACSEC_OFFLOAD_ATTR_MAX + 1]; 2631 struct nlattr **attrs = info->attrs; 2632 enum macsec_offload offload; 2633 struct macsec_dev *macsec; 2634 struct net_device *dev; 2635 int ret = 0; 2636 2637 if (!attrs[MACSEC_ATTR_IFINDEX]) 2638 return -EINVAL; 2639 2640 if (!attrs[MACSEC_ATTR_OFFLOAD]) 2641 return -EINVAL; 2642 2643 if (nla_parse_nested_deprecated(tb_offload, MACSEC_OFFLOAD_ATTR_MAX, 2644 attrs[MACSEC_ATTR_OFFLOAD], 2645 macsec_genl_offload_policy, NULL)) 2646 return -EINVAL; 2647 2648 rtnl_lock(); 2649 2650 dev = get_dev_from_nl(genl_info_net(info), attrs); 2651 if (IS_ERR(dev)) { 2652 ret = PTR_ERR(dev); 2653 goto out; 2654 } 2655 macsec = macsec_priv(dev); 2656 2657 if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) { 2658 ret = -EINVAL; 2659 goto out; 2660 } 2661 2662 offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]); 2663 2664 if (macsec->offload != offload) 2665 ret = macsec_update_offload(dev, offload); 2666 out: 2667 rtnl_unlock(); 2668 return ret; 2669 } 2670 2671 static void get_tx_sa_stats(struct net_device *dev, int an, 2672 struct macsec_tx_sa *tx_sa, 2673 struct macsec_tx_sa_stats *sum) 2674 { 2675 struct macsec_dev *macsec = macsec_priv(dev); 2676 int cpu; 2677 2678 /* If h/w offloading is available, propagate to the device */ 2679 if (macsec_is_offloaded(macsec)) { 2680 const struct macsec_ops *ops; 2681 struct macsec_context ctx; 2682 2683 ops = macsec_get_ops(macsec, &ctx); 2684 if (ops) { 2685 ctx.sa.assoc_num = an; 2686 ctx.sa.tx_sa = tx_sa; 2687 ctx.stats.tx_sa_stats = sum; 2688 ctx.secy = &macsec_priv(dev)->secy; 2689 macsec_offload(ops->mdo_get_tx_sa_stats, &ctx); 2690 } 2691 return; 2692 } 2693 2694 for_each_possible_cpu(cpu) { 2695 const struct macsec_tx_sa_stats *stats = 2696 per_cpu_ptr(tx_sa->stats, cpu); 2697 2698 sum->OutPktsProtected += stats->OutPktsProtected; 2699 sum->OutPktsEncrypted += stats->OutPktsEncrypted; 2700 } 2701 } 2702 2703 static int copy_tx_sa_stats(struct sk_buff *skb, struct macsec_tx_sa_stats *sum) 2704 { 2705 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED, 2706 sum->OutPktsProtected) || 2707 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED, 2708 sum->OutPktsEncrypted)) 2709 return -EMSGSIZE; 2710 2711 return 0; 2712 } 2713 2714 static void get_rx_sa_stats(struct net_device *dev, 2715 struct macsec_rx_sc *rx_sc, int an, 2716 struct macsec_rx_sa *rx_sa, 2717 struct macsec_rx_sa_stats *sum) 2718 { 2719 struct macsec_dev *macsec = macsec_priv(dev); 2720 int cpu; 2721 2722 /* If h/w offloading is available, propagate to the device */ 2723 if (macsec_is_offloaded(macsec)) { 2724 const struct macsec_ops *ops; 2725 struct macsec_context ctx; 2726 2727 ops = macsec_get_ops(macsec, &ctx); 2728 if (ops) { 2729 ctx.sa.assoc_num = an; 2730 ctx.sa.rx_sa = rx_sa; 2731 ctx.stats.rx_sa_stats = sum; 2732 ctx.secy = &macsec_priv(dev)->secy; 2733 ctx.rx_sc = rx_sc; 2734 macsec_offload(ops->mdo_get_rx_sa_stats, &ctx); 2735 } 2736 return; 2737 } 2738 2739 for_each_possible_cpu(cpu) { 2740 const struct macsec_rx_sa_stats *stats = 2741 per_cpu_ptr(rx_sa->stats, cpu); 2742 2743 sum->InPktsOK += stats->InPktsOK; 2744 sum->InPktsInvalid += stats->InPktsInvalid; 2745 sum->InPktsNotValid += stats->InPktsNotValid; 2746 sum->InPktsNotUsingSA += stats->InPktsNotUsingSA; 2747 sum->InPktsUnusedSA += stats->InPktsUnusedSA; 2748 } 2749 } 2750 2751 static int copy_rx_sa_stats(struct sk_buff *skb, 2752 struct macsec_rx_sa_stats *sum) 2753 { 2754 if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum->InPktsOK) || 2755 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID, 2756 sum->InPktsInvalid) || 2757 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID, 2758 sum->InPktsNotValid) || 2759 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA, 2760 sum->InPktsNotUsingSA) || 2761 nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA, 2762 sum->InPktsUnusedSA)) 2763 return -EMSGSIZE; 2764 2765 return 0; 2766 } 2767 2768 static void get_rx_sc_stats(struct net_device *dev, 2769 struct macsec_rx_sc *rx_sc, 2770 struct macsec_rx_sc_stats *sum) 2771 { 2772 struct macsec_dev *macsec = macsec_priv(dev); 2773 int cpu; 2774 2775 /* If h/w offloading is available, propagate to the device */ 2776 if (macsec_is_offloaded(macsec)) { 2777 const struct macsec_ops *ops; 2778 struct macsec_context ctx; 2779 2780 ops = macsec_get_ops(macsec, &ctx); 2781 if (ops) { 2782 ctx.stats.rx_sc_stats = sum; 2783 ctx.secy = &macsec_priv(dev)->secy; 2784 ctx.rx_sc = rx_sc; 2785 macsec_offload(ops->mdo_get_rx_sc_stats, &ctx); 2786 } 2787 return; 2788 } 2789 2790 for_each_possible_cpu(cpu) { 2791 const struct pcpu_rx_sc_stats *stats; 2792 struct macsec_rx_sc_stats tmp; 2793 unsigned int start; 2794 2795 stats = per_cpu_ptr(rx_sc->stats, cpu); 2796 do { 2797 start = u64_stats_fetch_begin(&stats->syncp); 2798 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2799 } while (u64_stats_fetch_retry(&stats->syncp, start)); 2800 2801 sum->InOctetsValidated += tmp.InOctetsValidated; 2802 sum->InOctetsDecrypted += tmp.InOctetsDecrypted; 2803 sum->InPktsUnchecked += tmp.InPktsUnchecked; 2804 sum->InPktsDelayed += tmp.InPktsDelayed; 2805 sum->InPktsOK += tmp.InPktsOK; 2806 sum->InPktsInvalid += tmp.InPktsInvalid; 2807 sum->InPktsLate += tmp.InPktsLate; 2808 sum->InPktsNotValid += tmp.InPktsNotValid; 2809 sum->InPktsNotUsingSA += tmp.InPktsNotUsingSA; 2810 sum->InPktsUnusedSA += tmp.InPktsUnusedSA; 2811 } 2812 } 2813 2814 static int copy_rx_sc_stats(struct sk_buff *skb, struct macsec_rx_sc_stats *sum) 2815 { 2816 if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED, 2817 sum->InOctetsValidated, 2818 MACSEC_RXSC_STATS_ATTR_PAD) || 2819 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED, 2820 sum->InOctetsDecrypted, 2821 MACSEC_RXSC_STATS_ATTR_PAD) || 2822 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED, 2823 sum->InPktsUnchecked, 2824 MACSEC_RXSC_STATS_ATTR_PAD) || 2825 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED, 2826 sum->InPktsDelayed, 2827 MACSEC_RXSC_STATS_ATTR_PAD) || 2828 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK, 2829 sum->InPktsOK, 2830 MACSEC_RXSC_STATS_ATTR_PAD) || 2831 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID, 2832 sum->InPktsInvalid, 2833 MACSEC_RXSC_STATS_ATTR_PAD) || 2834 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE, 2835 sum->InPktsLate, 2836 MACSEC_RXSC_STATS_ATTR_PAD) || 2837 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID, 2838 sum->InPktsNotValid, 2839 MACSEC_RXSC_STATS_ATTR_PAD) || 2840 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA, 2841 sum->InPktsNotUsingSA, 2842 MACSEC_RXSC_STATS_ATTR_PAD) || 2843 nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA, 2844 sum->InPktsUnusedSA, 2845 MACSEC_RXSC_STATS_ATTR_PAD)) 2846 return -EMSGSIZE; 2847 2848 return 0; 2849 } 2850 2851 static void get_tx_sc_stats(struct net_device *dev, 2852 struct macsec_tx_sc_stats *sum) 2853 { 2854 struct macsec_dev *macsec = macsec_priv(dev); 2855 int cpu; 2856 2857 /* If h/w offloading is available, propagate to the device */ 2858 if (macsec_is_offloaded(macsec)) { 2859 const struct macsec_ops *ops; 2860 struct macsec_context ctx; 2861 2862 ops = macsec_get_ops(macsec, &ctx); 2863 if (ops) { 2864 ctx.stats.tx_sc_stats = sum; 2865 ctx.secy = &macsec_priv(dev)->secy; 2866 macsec_offload(ops->mdo_get_tx_sc_stats, &ctx); 2867 } 2868 return; 2869 } 2870 2871 for_each_possible_cpu(cpu) { 2872 const struct pcpu_tx_sc_stats *stats; 2873 struct macsec_tx_sc_stats tmp; 2874 unsigned int start; 2875 2876 stats = per_cpu_ptr(macsec_priv(dev)->secy.tx_sc.stats, cpu); 2877 do { 2878 start = u64_stats_fetch_begin(&stats->syncp); 2879 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2880 } while (u64_stats_fetch_retry(&stats->syncp, start)); 2881 2882 sum->OutPktsProtected += tmp.OutPktsProtected; 2883 sum->OutPktsEncrypted += tmp.OutPktsEncrypted; 2884 sum->OutOctetsProtected += tmp.OutOctetsProtected; 2885 sum->OutOctetsEncrypted += tmp.OutOctetsEncrypted; 2886 } 2887 } 2888 2889 static int copy_tx_sc_stats(struct sk_buff *skb, struct macsec_tx_sc_stats *sum) 2890 { 2891 if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED, 2892 sum->OutPktsProtected, 2893 MACSEC_TXSC_STATS_ATTR_PAD) || 2894 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED, 2895 sum->OutPktsEncrypted, 2896 MACSEC_TXSC_STATS_ATTR_PAD) || 2897 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED, 2898 sum->OutOctetsProtected, 2899 MACSEC_TXSC_STATS_ATTR_PAD) || 2900 nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED, 2901 sum->OutOctetsEncrypted, 2902 MACSEC_TXSC_STATS_ATTR_PAD)) 2903 return -EMSGSIZE; 2904 2905 return 0; 2906 } 2907 2908 static void get_secy_stats(struct net_device *dev, struct macsec_dev_stats *sum) 2909 { 2910 struct macsec_dev *macsec = macsec_priv(dev); 2911 int cpu; 2912 2913 /* If h/w offloading is available, propagate to the device */ 2914 if (macsec_is_offloaded(macsec)) { 2915 const struct macsec_ops *ops; 2916 struct macsec_context ctx; 2917 2918 ops = macsec_get_ops(macsec, &ctx); 2919 if (ops) { 2920 ctx.stats.dev_stats = sum; 2921 ctx.secy = &macsec_priv(dev)->secy; 2922 macsec_offload(ops->mdo_get_dev_stats, &ctx); 2923 } 2924 return; 2925 } 2926 2927 for_each_possible_cpu(cpu) { 2928 const struct pcpu_secy_stats *stats; 2929 struct macsec_dev_stats tmp; 2930 unsigned int start; 2931 2932 stats = per_cpu_ptr(macsec_priv(dev)->stats, cpu); 2933 do { 2934 start = u64_stats_fetch_begin(&stats->syncp); 2935 memcpy(&tmp, &stats->stats, sizeof(tmp)); 2936 } while (u64_stats_fetch_retry(&stats->syncp, start)); 2937 2938 sum->OutPktsUntagged += tmp.OutPktsUntagged; 2939 sum->InPktsUntagged += tmp.InPktsUntagged; 2940 sum->OutPktsTooLong += tmp.OutPktsTooLong; 2941 sum->InPktsNoTag += tmp.InPktsNoTag; 2942 sum->InPktsBadTag += tmp.InPktsBadTag; 2943 sum->InPktsUnknownSCI += tmp.InPktsUnknownSCI; 2944 sum->InPktsNoSCI += tmp.InPktsNoSCI; 2945 sum->InPktsOverrun += tmp.InPktsOverrun; 2946 } 2947 } 2948 2949 static int copy_secy_stats(struct sk_buff *skb, struct macsec_dev_stats *sum) 2950 { 2951 if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED, 2952 sum->OutPktsUntagged, 2953 MACSEC_SECY_STATS_ATTR_PAD) || 2954 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED, 2955 sum->InPktsUntagged, 2956 MACSEC_SECY_STATS_ATTR_PAD) || 2957 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG, 2958 sum->OutPktsTooLong, 2959 MACSEC_SECY_STATS_ATTR_PAD) || 2960 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG, 2961 sum->InPktsNoTag, 2962 MACSEC_SECY_STATS_ATTR_PAD) || 2963 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG, 2964 sum->InPktsBadTag, 2965 MACSEC_SECY_STATS_ATTR_PAD) || 2966 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI, 2967 sum->InPktsUnknownSCI, 2968 MACSEC_SECY_STATS_ATTR_PAD) || 2969 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI, 2970 sum->InPktsNoSCI, 2971 MACSEC_SECY_STATS_ATTR_PAD) || 2972 nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN, 2973 sum->InPktsOverrun, 2974 MACSEC_SECY_STATS_ATTR_PAD)) 2975 return -EMSGSIZE; 2976 2977 return 0; 2978 } 2979 2980 static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb) 2981 { 2982 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 2983 struct nlattr *secy_nest = nla_nest_start_noflag(skb, 2984 MACSEC_ATTR_SECY); 2985 u64 csid; 2986 2987 if (!secy_nest) 2988 return 1; 2989 2990 switch (secy->key_len) { 2991 case MACSEC_GCM_AES_128_SAK_LEN: 2992 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; 2993 break; 2994 case MACSEC_GCM_AES_256_SAK_LEN: 2995 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; 2996 break; 2997 default: 2998 goto cancel; 2999 } 3000 3001 if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci, 3002 MACSEC_SECY_ATTR_PAD) || 3003 nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE, 3004 csid, MACSEC_SECY_ATTR_PAD) || 3005 nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) || 3006 nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) || 3007 nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) || 3008 nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) || 3009 nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) || 3010 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) || 3011 nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) || 3012 nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) || 3013 nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) || 3014 nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa)) 3015 goto cancel; 3016 3017 if (secy->replay_protect) { 3018 if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window)) 3019 goto cancel; 3020 } 3021 3022 nla_nest_end(skb, secy_nest); 3023 return 0; 3024 3025 cancel: 3026 nla_nest_cancel(skb, secy_nest); 3027 return 1; 3028 } 3029 3030 static noinline_for_stack int 3031 dump_secy(struct macsec_secy *secy, struct net_device *dev, 3032 struct sk_buff *skb, struct netlink_callback *cb) 3033 { 3034 struct macsec_tx_sc_stats tx_sc_stats = {0, }; 3035 struct macsec_tx_sa_stats tx_sa_stats = {0, }; 3036 struct macsec_rx_sc_stats rx_sc_stats = {0, }; 3037 struct macsec_rx_sa_stats rx_sa_stats = {0, }; 3038 struct macsec_dev *macsec = netdev_priv(dev); 3039 struct macsec_dev_stats dev_stats = {0, }; 3040 struct macsec_tx_sc *tx_sc = &secy->tx_sc; 3041 struct nlattr *txsa_list, *rxsc_list; 3042 struct macsec_rx_sc *rx_sc; 3043 struct nlattr *attr; 3044 void *hdr; 3045 int i, j; 3046 3047 hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq, 3048 &macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC); 3049 if (!hdr) 3050 return -EMSGSIZE; 3051 3052 genl_dump_check_consistent(cb, hdr); 3053 3054 if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex)) 3055 goto nla_put_failure; 3056 3057 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_OFFLOAD); 3058 if (!attr) 3059 goto nla_put_failure; 3060 if (nla_put_u8(skb, MACSEC_OFFLOAD_ATTR_TYPE, macsec->offload)) 3061 goto nla_put_failure; 3062 nla_nest_end(skb, attr); 3063 3064 if (nla_put_secy(secy, skb)) 3065 goto nla_put_failure; 3066 3067 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSC_STATS); 3068 if (!attr) 3069 goto nla_put_failure; 3070 3071 get_tx_sc_stats(dev, &tx_sc_stats); 3072 if (copy_tx_sc_stats(skb, &tx_sc_stats)) { 3073 nla_nest_cancel(skb, attr); 3074 goto nla_put_failure; 3075 } 3076 nla_nest_end(skb, attr); 3077 3078 attr = nla_nest_start_noflag(skb, MACSEC_ATTR_SECY_STATS); 3079 if (!attr) 3080 goto nla_put_failure; 3081 get_secy_stats(dev, &dev_stats); 3082 if (copy_secy_stats(skb, &dev_stats)) { 3083 nla_nest_cancel(skb, attr); 3084 goto nla_put_failure; 3085 } 3086 nla_nest_end(skb, attr); 3087 3088 txsa_list = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSA_LIST); 3089 if (!txsa_list) 3090 goto nla_put_failure; 3091 for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) { 3092 struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]); 3093 struct nlattr *txsa_nest; 3094 u64 pn; 3095 int pn_len; 3096 3097 if (!tx_sa) 3098 continue; 3099 3100 txsa_nest = nla_nest_start_noflag(skb, j++); 3101 if (!txsa_nest) { 3102 nla_nest_cancel(skb, txsa_list); 3103 goto nla_put_failure; 3104 } 3105 3106 attr = nla_nest_start_noflag(skb, MACSEC_SA_ATTR_STATS); 3107 if (!attr) { 3108 nla_nest_cancel(skb, txsa_nest); 3109 nla_nest_cancel(skb, txsa_list); 3110 goto nla_put_failure; 3111 } 3112 memset(&tx_sa_stats, 0, sizeof(tx_sa_stats)); 3113 get_tx_sa_stats(dev, i, tx_sa, &tx_sa_stats); 3114 if (copy_tx_sa_stats(skb, &tx_sa_stats)) { 3115 nla_nest_cancel(skb, attr); 3116 nla_nest_cancel(skb, txsa_nest); 3117 nla_nest_cancel(skb, txsa_list); 3118 goto nla_put_failure; 3119 } 3120 nla_nest_end(skb, attr); 3121 3122 if (secy->xpn) { 3123 pn = tx_sa->next_pn; 3124 pn_len = MACSEC_XPN_PN_LEN; 3125 } else { 3126 pn = tx_sa->next_pn_halves.lower; 3127 pn_len = MACSEC_DEFAULT_PN_LEN; 3128 } 3129 3130 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || 3131 nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || 3132 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) || 3133 (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, tx_sa->ssci)) || 3134 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) { 3135 nla_nest_cancel(skb, txsa_nest); 3136 nla_nest_cancel(skb, txsa_list); 3137 goto nla_put_failure; 3138 } 3139 3140 nla_nest_end(skb, txsa_nest); 3141 } 3142 nla_nest_end(skb, txsa_list); 3143 3144 rxsc_list = nla_nest_start_noflag(skb, MACSEC_ATTR_RXSC_LIST); 3145 if (!rxsc_list) 3146 goto nla_put_failure; 3147 3148 j = 1; 3149 for_each_rxsc_rtnl(secy, rx_sc) { 3150 int k; 3151 struct nlattr *rxsa_list; 3152 struct nlattr *rxsc_nest = nla_nest_start_noflag(skb, j++); 3153 3154 if (!rxsc_nest) { 3155 nla_nest_cancel(skb, rxsc_list); 3156 goto nla_put_failure; 3157 } 3158 3159 if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) || 3160 nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci, 3161 MACSEC_RXSC_ATTR_PAD)) { 3162 nla_nest_cancel(skb, rxsc_nest); 3163 nla_nest_cancel(skb, rxsc_list); 3164 goto nla_put_failure; 3165 } 3166 3167 attr = nla_nest_start_noflag(skb, MACSEC_RXSC_ATTR_STATS); 3168 if (!attr) { 3169 nla_nest_cancel(skb, rxsc_nest); 3170 nla_nest_cancel(skb, rxsc_list); 3171 goto nla_put_failure; 3172 } 3173 memset(&rx_sc_stats, 0, sizeof(rx_sc_stats)); 3174 get_rx_sc_stats(dev, rx_sc, &rx_sc_stats); 3175 if (copy_rx_sc_stats(skb, &rx_sc_stats)) { 3176 nla_nest_cancel(skb, attr); 3177 nla_nest_cancel(skb, rxsc_nest); 3178 nla_nest_cancel(skb, rxsc_list); 3179 goto nla_put_failure; 3180 } 3181 nla_nest_end(skb, attr); 3182 3183 rxsa_list = nla_nest_start_noflag(skb, 3184 MACSEC_RXSC_ATTR_SA_LIST); 3185 if (!rxsa_list) { 3186 nla_nest_cancel(skb, rxsc_nest); 3187 nla_nest_cancel(skb, rxsc_list); 3188 goto nla_put_failure; 3189 } 3190 3191 for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) { 3192 struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]); 3193 struct nlattr *rxsa_nest; 3194 u64 pn; 3195 int pn_len; 3196 3197 if (!rx_sa) 3198 continue; 3199 3200 rxsa_nest = nla_nest_start_noflag(skb, k++); 3201 if (!rxsa_nest) { 3202 nla_nest_cancel(skb, rxsa_list); 3203 nla_nest_cancel(skb, rxsc_nest); 3204 nla_nest_cancel(skb, rxsc_list); 3205 goto nla_put_failure; 3206 } 3207 3208 attr = nla_nest_start_noflag(skb, 3209 MACSEC_SA_ATTR_STATS); 3210 if (!attr) { 3211 nla_nest_cancel(skb, rxsa_list); 3212 nla_nest_cancel(skb, rxsc_nest); 3213 nla_nest_cancel(skb, rxsc_list); 3214 goto nla_put_failure; 3215 } 3216 memset(&rx_sa_stats, 0, sizeof(rx_sa_stats)); 3217 get_rx_sa_stats(dev, rx_sc, i, rx_sa, &rx_sa_stats); 3218 if (copy_rx_sa_stats(skb, &rx_sa_stats)) { 3219 nla_nest_cancel(skb, attr); 3220 nla_nest_cancel(skb, rxsa_list); 3221 nla_nest_cancel(skb, rxsc_nest); 3222 nla_nest_cancel(skb, rxsc_list); 3223 goto nla_put_failure; 3224 } 3225 nla_nest_end(skb, attr); 3226 3227 if (secy->xpn) { 3228 pn = rx_sa->next_pn; 3229 pn_len = MACSEC_XPN_PN_LEN; 3230 } else { 3231 pn = rx_sa->next_pn_halves.lower; 3232 pn_len = MACSEC_DEFAULT_PN_LEN; 3233 } 3234 3235 if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) || 3236 nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) || 3237 nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) || 3238 (secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, rx_sa->ssci)) || 3239 nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) { 3240 nla_nest_cancel(skb, rxsa_nest); 3241 nla_nest_cancel(skb, rxsc_nest); 3242 nla_nest_cancel(skb, rxsc_list); 3243 goto nla_put_failure; 3244 } 3245 nla_nest_end(skb, rxsa_nest); 3246 } 3247 3248 nla_nest_end(skb, rxsa_list); 3249 nla_nest_end(skb, rxsc_nest); 3250 } 3251 3252 nla_nest_end(skb, rxsc_list); 3253 3254 genlmsg_end(skb, hdr); 3255 3256 return 0; 3257 3258 nla_put_failure: 3259 genlmsg_cancel(skb, hdr); 3260 return -EMSGSIZE; 3261 } 3262 3263 static int macsec_generation = 1; /* protected by RTNL */ 3264 3265 static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb) 3266 { 3267 struct net *net = sock_net(skb->sk); 3268 struct net_device *dev; 3269 int dev_idx, d; 3270 3271 dev_idx = cb->args[0]; 3272 3273 d = 0; 3274 rtnl_lock(); 3275 3276 cb->seq = macsec_generation; 3277 3278 for_each_netdev(net, dev) { 3279 struct macsec_secy *secy; 3280 3281 if (d < dev_idx) 3282 goto next; 3283 3284 if (!netif_is_macsec(dev)) 3285 goto next; 3286 3287 secy = &macsec_priv(dev)->secy; 3288 if (dump_secy(secy, dev, skb, cb) < 0) 3289 goto done; 3290 next: 3291 d++; 3292 } 3293 3294 done: 3295 rtnl_unlock(); 3296 cb->args[0] = d; 3297 return skb->len; 3298 } 3299 3300 static const struct genl_small_ops macsec_genl_ops[] = { 3301 { 3302 .cmd = MACSEC_CMD_GET_TXSC, 3303 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3304 .dumpit = macsec_dump_txsc, 3305 }, 3306 { 3307 .cmd = MACSEC_CMD_ADD_RXSC, 3308 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3309 .doit = macsec_add_rxsc, 3310 .flags = GENL_ADMIN_PERM, 3311 }, 3312 { 3313 .cmd = MACSEC_CMD_DEL_RXSC, 3314 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3315 .doit = macsec_del_rxsc, 3316 .flags = GENL_ADMIN_PERM, 3317 }, 3318 { 3319 .cmd = MACSEC_CMD_UPD_RXSC, 3320 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3321 .doit = macsec_upd_rxsc, 3322 .flags = GENL_ADMIN_PERM, 3323 }, 3324 { 3325 .cmd = MACSEC_CMD_ADD_TXSA, 3326 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3327 .doit = macsec_add_txsa, 3328 .flags = GENL_ADMIN_PERM, 3329 }, 3330 { 3331 .cmd = MACSEC_CMD_DEL_TXSA, 3332 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3333 .doit = macsec_del_txsa, 3334 .flags = GENL_ADMIN_PERM, 3335 }, 3336 { 3337 .cmd = MACSEC_CMD_UPD_TXSA, 3338 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3339 .doit = macsec_upd_txsa, 3340 .flags = GENL_ADMIN_PERM, 3341 }, 3342 { 3343 .cmd = MACSEC_CMD_ADD_RXSA, 3344 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3345 .doit = macsec_add_rxsa, 3346 .flags = GENL_ADMIN_PERM, 3347 }, 3348 { 3349 .cmd = MACSEC_CMD_DEL_RXSA, 3350 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3351 .doit = macsec_del_rxsa, 3352 .flags = GENL_ADMIN_PERM, 3353 }, 3354 { 3355 .cmd = MACSEC_CMD_UPD_RXSA, 3356 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3357 .doit = macsec_upd_rxsa, 3358 .flags = GENL_ADMIN_PERM, 3359 }, 3360 { 3361 .cmd = MACSEC_CMD_UPD_OFFLOAD, 3362 .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP, 3363 .doit = macsec_upd_offload, 3364 .flags = GENL_ADMIN_PERM, 3365 }, 3366 }; 3367 3368 static struct genl_family macsec_fam __ro_after_init = { 3369 .name = MACSEC_GENL_NAME, 3370 .hdrsize = 0, 3371 .version = MACSEC_GENL_VERSION, 3372 .maxattr = MACSEC_ATTR_MAX, 3373 .policy = macsec_genl_policy, 3374 .netnsok = true, 3375 .module = THIS_MODULE, 3376 .small_ops = macsec_genl_ops, 3377 .n_small_ops = ARRAY_SIZE(macsec_genl_ops), 3378 .resv_start_op = MACSEC_CMD_UPD_OFFLOAD + 1, 3379 }; 3380 3381 static netdev_tx_t macsec_start_xmit(struct sk_buff *skb, 3382 struct net_device *dev) 3383 { 3384 struct macsec_dev *macsec = netdev_priv(dev); 3385 struct macsec_secy *secy = &macsec->secy; 3386 struct pcpu_secy_stats *secy_stats; 3387 int ret, len; 3388 3389 if (macsec_is_offloaded(netdev_priv(dev))) { 3390 struct metadata_dst *md_dst = secy->tx_sc.md_dst; 3391 3392 skb_dst_drop(skb); 3393 dst_hold(&md_dst->dst); 3394 skb_dst_set(skb, &md_dst->dst); 3395 skb->dev = macsec->real_dev; 3396 return dev_queue_xmit(skb); 3397 } 3398 3399 /* 10.5 */ 3400 if (!secy->protect_frames) { 3401 secy_stats = this_cpu_ptr(macsec->stats); 3402 u64_stats_update_begin(&secy_stats->syncp); 3403 secy_stats->stats.OutPktsUntagged++; 3404 u64_stats_update_end(&secy_stats->syncp); 3405 skb->dev = macsec->real_dev; 3406 len = skb->len; 3407 ret = dev_queue_xmit(skb); 3408 count_tx(dev, ret, len); 3409 return ret; 3410 } 3411 3412 if (!secy->operational) { 3413 kfree_skb(skb); 3414 DEV_STATS_INC(dev, tx_dropped); 3415 return NETDEV_TX_OK; 3416 } 3417 3418 len = skb->len; 3419 skb = macsec_encrypt(skb, dev); 3420 if (IS_ERR(skb)) { 3421 if (PTR_ERR(skb) != -EINPROGRESS) 3422 DEV_STATS_INC(dev, tx_dropped); 3423 return NETDEV_TX_OK; 3424 } 3425 3426 macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa); 3427 3428 macsec_encrypt_finish(skb, dev); 3429 ret = dev_queue_xmit(skb); 3430 count_tx(dev, ret, len); 3431 return ret; 3432 } 3433 3434 #define MACSEC_FEATURES \ 3435 (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST) 3436 3437 static int macsec_dev_init(struct net_device *dev) 3438 { 3439 struct macsec_dev *macsec = macsec_priv(dev); 3440 struct net_device *real_dev = macsec->real_dev; 3441 int err; 3442 3443 dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats); 3444 if (!dev->tstats) 3445 return -ENOMEM; 3446 3447 err = gro_cells_init(&macsec->gro_cells, dev); 3448 if (err) { 3449 free_percpu(dev->tstats); 3450 return err; 3451 } 3452 3453 dev->features = real_dev->features & MACSEC_FEATURES; 3454 dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE; 3455 3456 dev->needed_headroom = real_dev->needed_headroom + 3457 MACSEC_NEEDED_HEADROOM; 3458 dev->needed_tailroom = real_dev->needed_tailroom + 3459 MACSEC_NEEDED_TAILROOM; 3460 3461 if (is_zero_ether_addr(dev->dev_addr)) 3462 eth_hw_addr_inherit(dev, real_dev); 3463 if (is_zero_ether_addr(dev->broadcast)) 3464 memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len); 3465 3466 /* Get macsec's reference to real_dev */ 3467 netdev_hold(real_dev, &macsec->dev_tracker, GFP_KERNEL); 3468 3469 return 0; 3470 } 3471 3472 static void macsec_dev_uninit(struct net_device *dev) 3473 { 3474 struct macsec_dev *macsec = macsec_priv(dev); 3475 3476 gro_cells_destroy(&macsec->gro_cells); 3477 free_percpu(dev->tstats); 3478 } 3479 3480 static netdev_features_t macsec_fix_features(struct net_device *dev, 3481 netdev_features_t features) 3482 { 3483 struct macsec_dev *macsec = macsec_priv(dev); 3484 struct net_device *real_dev = macsec->real_dev; 3485 3486 features &= (real_dev->features & MACSEC_FEATURES) | 3487 NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES; 3488 features |= NETIF_F_LLTX; 3489 3490 return features; 3491 } 3492 3493 static int macsec_dev_open(struct net_device *dev) 3494 { 3495 struct macsec_dev *macsec = macsec_priv(dev); 3496 struct net_device *real_dev = macsec->real_dev; 3497 int err; 3498 3499 err = dev_uc_add(real_dev, dev->dev_addr); 3500 if (err < 0) 3501 return err; 3502 3503 if (dev->flags & IFF_ALLMULTI) { 3504 err = dev_set_allmulti(real_dev, 1); 3505 if (err < 0) 3506 goto del_unicast; 3507 } 3508 3509 if (dev->flags & IFF_PROMISC) { 3510 err = dev_set_promiscuity(real_dev, 1); 3511 if (err < 0) 3512 goto clear_allmulti; 3513 } 3514 3515 /* If h/w offloading is available, propagate to the device */ 3516 if (macsec_is_offloaded(macsec)) { 3517 const struct macsec_ops *ops; 3518 struct macsec_context ctx; 3519 3520 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3521 if (!ops) { 3522 err = -EOPNOTSUPP; 3523 goto clear_allmulti; 3524 } 3525 3526 ctx.secy = &macsec->secy; 3527 err = macsec_offload(ops->mdo_dev_open, &ctx); 3528 if (err) 3529 goto clear_allmulti; 3530 } 3531 3532 if (netif_carrier_ok(real_dev)) 3533 netif_carrier_on(dev); 3534 3535 return 0; 3536 clear_allmulti: 3537 if (dev->flags & IFF_ALLMULTI) 3538 dev_set_allmulti(real_dev, -1); 3539 del_unicast: 3540 dev_uc_del(real_dev, dev->dev_addr); 3541 netif_carrier_off(dev); 3542 return err; 3543 } 3544 3545 static int macsec_dev_stop(struct net_device *dev) 3546 { 3547 struct macsec_dev *macsec = macsec_priv(dev); 3548 struct net_device *real_dev = macsec->real_dev; 3549 3550 netif_carrier_off(dev); 3551 3552 /* If h/w offloading is available, propagate to the device */ 3553 if (macsec_is_offloaded(macsec)) { 3554 const struct macsec_ops *ops; 3555 struct macsec_context ctx; 3556 3557 ops = macsec_get_ops(macsec, &ctx); 3558 if (ops) { 3559 ctx.secy = &macsec->secy; 3560 macsec_offload(ops->mdo_dev_stop, &ctx); 3561 } 3562 } 3563 3564 dev_mc_unsync(real_dev, dev); 3565 dev_uc_unsync(real_dev, dev); 3566 3567 if (dev->flags & IFF_ALLMULTI) 3568 dev_set_allmulti(real_dev, -1); 3569 3570 if (dev->flags & IFF_PROMISC) 3571 dev_set_promiscuity(real_dev, -1); 3572 3573 dev_uc_del(real_dev, dev->dev_addr); 3574 3575 return 0; 3576 } 3577 3578 static void macsec_dev_change_rx_flags(struct net_device *dev, int change) 3579 { 3580 struct net_device *real_dev = macsec_priv(dev)->real_dev; 3581 3582 if (!(dev->flags & IFF_UP)) 3583 return; 3584 3585 if (change & IFF_ALLMULTI) 3586 dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1); 3587 3588 if (change & IFF_PROMISC) 3589 dev_set_promiscuity(real_dev, 3590 dev->flags & IFF_PROMISC ? 1 : -1); 3591 } 3592 3593 static void macsec_dev_set_rx_mode(struct net_device *dev) 3594 { 3595 struct net_device *real_dev = macsec_priv(dev)->real_dev; 3596 3597 dev_mc_sync(real_dev, dev); 3598 dev_uc_sync(real_dev, dev); 3599 } 3600 3601 static int macsec_set_mac_address(struct net_device *dev, void *p) 3602 { 3603 struct macsec_dev *macsec = macsec_priv(dev); 3604 struct net_device *real_dev = macsec->real_dev; 3605 struct sockaddr *addr = p; 3606 int err; 3607 3608 if (!is_valid_ether_addr(addr->sa_data)) 3609 return -EADDRNOTAVAIL; 3610 3611 if (!(dev->flags & IFF_UP)) 3612 goto out; 3613 3614 err = dev_uc_add(real_dev, addr->sa_data); 3615 if (err < 0) 3616 return err; 3617 3618 dev_uc_del(real_dev, dev->dev_addr); 3619 3620 out: 3621 eth_hw_addr_set(dev, addr->sa_data); 3622 3623 /* If h/w offloading is available, propagate to the device */ 3624 if (macsec_is_offloaded(macsec)) { 3625 const struct macsec_ops *ops; 3626 struct macsec_context ctx; 3627 3628 ops = macsec_get_ops(macsec, &ctx); 3629 if (ops) { 3630 ctx.secy = &macsec->secy; 3631 macsec_offload(ops->mdo_upd_secy, &ctx); 3632 } 3633 } 3634 3635 return 0; 3636 } 3637 3638 static int macsec_change_mtu(struct net_device *dev, int new_mtu) 3639 { 3640 struct macsec_dev *macsec = macsec_priv(dev); 3641 unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true); 3642 3643 if (macsec->real_dev->mtu - extra < new_mtu) 3644 return -ERANGE; 3645 3646 dev->mtu = new_mtu; 3647 3648 return 0; 3649 } 3650 3651 static void macsec_get_stats64(struct net_device *dev, 3652 struct rtnl_link_stats64 *s) 3653 { 3654 if (!dev->tstats) 3655 return; 3656 3657 dev_fetch_sw_netstats(s, dev->tstats); 3658 3659 s->rx_dropped = atomic_long_read(&dev->stats.__rx_dropped); 3660 s->tx_dropped = atomic_long_read(&dev->stats.__tx_dropped); 3661 s->rx_errors = atomic_long_read(&dev->stats.__rx_errors); 3662 } 3663 3664 static int macsec_get_iflink(const struct net_device *dev) 3665 { 3666 return macsec_priv(dev)->real_dev->ifindex; 3667 } 3668 3669 static const struct net_device_ops macsec_netdev_ops = { 3670 .ndo_init = macsec_dev_init, 3671 .ndo_uninit = macsec_dev_uninit, 3672 .ndo_open = macsec_dev_open, 3673 .ndo_stop = macsec_dev_stop, 3674 .ndo_fix_features = macsec_fix_features, 3675 .ndo_change_mtu = macsec_change_mtu, 3676 .ndo_set_rx_mode = macsec_dev_set_rx_mode, 3677 .ndo_change_rx_flags = macsec_dev_change_rx_flags, 3678 .ndo_set_mac_address = macsec_set_mac_address, 3679 .ndo_start_xmit = macsec_start_xmit, 3680 .ndo_get_stats64 = macsec_get_stats64, 3681 .ndo_get_iflink = macsec_get_iflink, 3682 }; 3683 3684 static const struct device_type macsec_type = { 3685 .name = "macsec", 3686 }; 3687 3688 static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = { 3689 [IFLA_MACSEC_SCI] = { .type = NLA_U64 }, 3690 [IFLA_MACSEC_PORT] = { .type = NLA_U16 }, 3691 [IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 }, 3692 [IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 }, 3693 [IFLA_MACSEC_WINDOW] = { .type = NLA_U32 }, 3694 [IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 }, 3695 [IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 }, 3696 [IFLA_MACSEC_PROTECT] = { .type = NLA_U8 }, 3697 [IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 }, 3698 [IFLA_MACSEC_ES] = { .type = NLA_U8 }, 3699 [IFLA_MACSEC_SCB] = { .type = NLA_U8 }, 3700 [IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 }, 3701 [IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 }, 3702 [IFLA_MACSEC_OFFLOAD] = { .type = NLA_U8 }, 3703 }; 3704 3705 static void macsec_free_netdev(struct net_device *dev) 3706 { 3707 struct macsec_dev *macsec = macsec_priv(dev); 3708 3709 if (macsec->secy.tx_sc.md_dst) 3710 metadata_dst_free(macsec->secy.tx_sc.md_dst); 3711 free_percpu(macsec->stats); 3712 free_percpu(macsec->secy.tx_sc.stats); 3713 3714 /* Get rid of the macsec's reference to real_dev */ 3715 netdev_put(macsec->real_dev, &macsec->dev_tracker); 3716 } 3717 3718 static void macsec_setup(struct net_device *dev) 3719 { 3720 ether_setup(dev); 3721 dev->min_mtu = 0; 3722 dev->max_mtu = ETH_MAX_MTU; 3723 dev->priv_flags |= IFF_NO_QUEUE; 3724 dev->netdev_ops = &macsec_netdev_ops; 3725 dev->needs_free_netdev = true; 3726 dev->priv_destructor = macsec_free_netdev; 3727 SET_NETDEV_DEVTYPE(dev, &macsec_type); 3728 3729 eth_zero_addr(dev->broadcast); 3730 } 3731 3732 static int macsec_changelink_common(struct net_device *dev, 3733 struct nlattr *data[]) 3734 { 3735 struct macsec_secy *secy; 3736 struct macsec_tx_sc *tx_sc; 3737 3738 secy = &macsec_priv(dev)->secy; 3739 tx_sc = &secy->tx_sc; 3740 3741 if (data[IFLA_MACSEC_ENCODING_SA]) { 3742 struct macsec_tx_sa *tx_sa; 3743 3744 tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]); 3745 tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]); 3746 3747 secy->operational = tx_sa && tx_sa->active; 3748 } 3749 3750 if (data[IFLA_MACSEC_ENCRYPT]) 3751 tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]); 3752 3753 if (data[IFLA_MACSEC_PROTECT]) 3754 secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]); 3755 3756 if (data[IFLA_MACSEC_INC_SCI]) 3757 tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); 3758 3759 if (data[IFLA_MACSEC_ES]) 3760 tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]); 3761 3762 if (data[IFLA_MACSEC_SCB]) 3763 tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]); 3764 3765 if (data[IFLA_MACSEC_REPLAY_PROTECT]) 3766 secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]); 3767 3768 if (data[IFLA_MACSEC_VALIDATION]) 3769 secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]); 3770 3771 if (data[IFLA_MACSEC_CIPHER_SUITE]) { 3772 switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) { 3773 case MACSEC_CIPHER_ID_GCM_AES_128: 3774 case MACSEC_DEFAULT_CIPHER_ID: 3775 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; 3776 secy->xpn = false; 3777 break; 3778 case MACSEC_CIPHER_ID_GCM_AES_256: 3779 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; 3780 secy->xpn = false; 3781 break; 3782 case MACSEC_CIPHER_ID_GCM_AES_XPN_128: 3783 secy->key_len = MACSEC_GCM_AES_128_SAK_LEN; 3784 secy->xpn = true; 3785 break; 3786 case MACSEC_CIPHER_ID_GCM_AES_XPN_256: 3787 secy->key_len = MACSEC_GCM_AES_256_SAK_LEN; 3788 secy->xpn = true; 3789 break; 3790 default: 3791 return -EINVAL; 3792 } 3793 } 3794 3795 if (data[IFLA_MACSEC_WINDOW]) { 3796 secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]); 3797 3798 /* IEEE 802.1AEbw-2013 10.7.8 - maximum replay window 3799 * for XPN cipher suites */ 3800 if (secy->xpn && 3801 secy->replay_window > MACSEC_XPN_MAX_REPLAY_WINDOW) 3802 return -EINVAL; 3803 } 3804 3805 return 0; 3806 } 3807 3808 static int macsec_changelink(struct net_device *dev, struct nlattr *tb[], 3809 struct nlattr *data[], 3810 struct netlink_ext_ack *extack) 3811 { 3812 struct macsec_dev *macsec = macsec_priv(dev); 3813 bool macsec_offload_state_change = false; 3814 enum macsec_offload offload; 3815 struct macsec_tx_sc tx_sc; 3816 struct macsec_secy secy; 3817 int ret; 3818 3819 if (!data) 3820 return 0; 3821 3822 if (data[IFLA_MACSEC_CIPHER_SUITE] || 3823 data[IFLA_MACSEC_ICV_LEN] || 3824 data[IFLA_MACSEC_SCI] || 3825 data[IFLA_MACSEC_PORT]) 3826 return -EINVAL; 3827 3828 /* Keep a copy of unmodified secy and tx_sc, in case the offload 3829 * propagation fails, to revert macsec_changelink_common. 3830 */ 3831 memcpy(&secy, &macsec->secy, sizeof(secy)); 3832 memcpy(&tx_sc, &macsec->secy.tx_sc, sizeof(tx_sc)); 3833 3834 ret = macsec_changelink_common(dev, data); 3835 if (ret) 3836 goto cleanup; 3837 3838 if (data[IFLA_MACSEC_OFFLOAD]) { 3839 offload = nla_get_u8(data[IFLA_MACSEC_OFFLOAD]); 3840 if (macsec->offload != offload) { 3841 macsec_offload_state_change = true; 3842 ret = macsec_update_offload(dev, offload); 3843 if (ret) 3844 goto cleanup; 3845 } 3846 } 3847 3848 /* If h/w offloading is available, propagate to the device */ 3849 if (!macsec_offload_state_change && macsec_is_offloaded(macsec)) { 3850 const struct macsec_ops *ops; 3851 struct macsec_context ctx; 3852 3853 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3854 if (!ops) { 3855 ret = -EOPNOTSUPP; 3856 goto cleanup; 3857 } 3858 3859 ctx.secy = &macsec->secy; 3860 ret = macsec_offload(ops->mdo_upd_secy, &ctx); 3861 if (ret) 3862 goto cleanup; 3863 } 3864 3865 return 0; 3866 3867 cleanup: 3868 memcpy(&macsec->secy.tx_sc, &tx_sc, sizeof(tx_sc)); 3869 memcpy(&macsec->secy, &secy, sizeof(secy)); 3870 3871 return ret; 3872 } 3873 3874 static void macsec_del_dev(struct macsec_dev *macsec) 3875 { 3876 int i; 3877 3878 while (macsec->secy.rx_sc) { 3879 struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc); 3880 3881 rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next); 3882 free_rx_sc(rx_sc); 3883 } 3884 3885 for (i = 0; i < MACSEC_NUM_AN; i++) { 3886 struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]); 3887 3888 if (sa) { 3889 RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL); 3890 clear_tx_sa(sa); 3891 } 3892 } 3893 } 3894 3895 static void macsec_common_dellink(struct net_device *dev, struct list_head *head) 3896 { 3897 struct macsec_dev *macsec = macsec_priv(dev); 3898 struct net_device *real_dev = macsec->real_dev; 3899 3900 /* If h/w offloading is available, propagate to the device */ 3901 if (macsec_is_offloaded(macsec)) { 3902 const struct macsec_ops *ops; 3903 struct macsec_context ctx; 3904 3905 ops = macsec_get_ops(netdev_priv(dev), &ctx); 3906 if (ops) { 3907 ctx.secy = &macsec->secy; 3908 macsec_offload(ops->mdo_del_secy, &ctx); 3909 } 3910 } 3911 3912 unregister_netdevice_queue(dev, head); 3913 list_del_rcu(&macsec->secys); 3914 macsec_del_dev(macsec); 3915 netdev_upper_dev_unlink(real_dev, dev); 3916 3917 macsec_generation++; 3918 } 3919 3920 static void macsec_dellink(struct net_device *dev, struct list_head *head) 3921 { 3922 struct macsec_dev *macsec = macsec_priv(dev); 3923 struct net_device *real_dev = macsec->real_dev; 3924 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 3925 3926 macsec_common_dellink(dev, head); 3927 3928 if (list_empty(&rxd->secys)) { 3929 netdev_rx_handler_unregister(real_dev); 3930 kfree(rxd); 3931 } 3932 } 3933 3934 static int register_macsec_dev(struct net_device *real_dev, 3935 struct net_device *dev) 3936 { 3937 struct macsec_dev *macsec = macsec_priv(dev); 3938 struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev); 3939 3940 if (!rxd) { 3941 int err; 3942 3943 rxd = kmalloc(sizeof(*rxd), GFP_KERNEL); 3944 if (!rxd) 3945 return -ENOMEM; 3946 3947 INIT_LIST_HEAD(&rxd->secys); 3948 3949 err = netdev_rx_handler_register(real_dev, macsec_handle_frame, 3950 rxd); 3951 if (err < 0) { 3952 kfree(rxd); 3953 return err; 3954 } 3955 } 3956 3957 list_add_tail_rcu(&macsec->secys, &rxd->secys); 3958 return 0; 3959 } 3960 3961 static bool sci_exists(struct net_device *dev, sci_t sci) 3962 { 3963 struct macsec_rxh_data *rxd = macsec_data_rtnl(dev); 3964 struct macsec_dev *macsec; 3965 3966 list_for_each_entry(macsec, &rxd->secys, secys) { 3967 if (macsec->secy.sci == sci) 3968 return true; 3969 } 3970 3971 return false; 3972 } 3973 3974 static sci_t dev_to_sci(struct net_device *dev, __be16 port) 3975 { 3976 return make_sci(dev->dev_addr, port); 3977 } 3978 3979 static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len) 3980 { 3981 struct macsec_dev *macsec = macsec_priv(dev); 3982 struct macsec_secy *secy = &macsec->secy; 3983 3984 macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats); 3985 if (!macsec->stats) 3986 return -ENOMEM; 3987 3988 secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats); 3989 if (!secy->tx_sc.stats) 3990 return -ENOMEM; 3991 3992 secy->tx_sc.md_dst = metadata_dst_alloc(0, METADATA_MACSEC, GFP_KERNEL); 3993 if (!secy->tx_sc.md_dst) 3994 /* macsec and secy percpu stats will be freed when unregistering 3995 * net_device in macsec_free_netdev() 3996 */ 3997 return -ENOMEM; 3998 3999 if (sci == MACSEC_UNDEF_SCI) 4000 sci = dev_to_sci(dev, MACSEC_PORT_ES); 4001 4002 secy->netdev = dev; 4003 secy->operational = true; 4004 secy->key_len = DEFAULT_SAK_LEN; 4005 secy->icv_len = icv_len; 4006 secy->validate_frames = MACSEC_VALIDATE_DEFAULT; 4007 secy->protect_frames = true; 4008 secy->replay_protect = false; 4009 secy->xpn = DEFAULT_XPN; 4010 4011 secy->sci = sci; 4012 secy->tx_sc.md_dst->u.macsec_info.sci = sci; 4013 secy->tx_sc.active = true; 4014 secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA; 4015 secy->tx_sc.encrypt = DEFAULT_ENCRYPT; 4016 secy->tx_sc.send_sci = DEFAULT_SEND_SCI; 4017 secy->tx_sc.end_station = false; 4018 secy->tx_sc.scb = false; 4019 4020 return 0; 4021 } 4022 4023 static struct lock_class_key macsec_netdev_addr_lock_key; 4024 4025 static int macsec_newlink(struct net *net, struct net_device *dev, 4026 struct nlattr *tb[], struct nlattr *data[], 4027 struct netlink_ext_ack *extack) 4028 { 4029 struct macsec_dev *macsec = macsec_priv(dev); 4030 rx_handler_func_t *rx_handler; 4031 u8 icv_len = MACSEC_DEFAULT_ICV_LEN; 4032 struct net_device *real_dev; 4033 int err, mtu; 4034 sci_t sci; 4035 4036 if (!tb[IFLA_LINK]) 4037 return -EINVAL; 4038 real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK])); 4039 if (!real_dev) 4040 return -ENODEV; 4041 if (real_dev->type != ARPHRD_ETHER) 4042 return -EINVAL; 4043 4044 dev->priv_flags |= IFF_MACSEC; 4045 4046 macsec->real_dev = real_dev; 4047 4048 if (data && data[IFLA_MACSEC_OFFLOAD]) 4049 macsec->offload = nla_get_offload(data[IFLA_MACSEC_OFFLOAD]); 4050 else 4051 /* MACsec offloading is off by default */ 4052 macsec->offload = MACSEC_OFFLOAD_OFF; 4053 4054 /* Check if the offloading mode is supported by the underlying layers */ 4055 if (macsec->offload != MACSEC_OFFLOAD_OFF && 4056 !macsec_check_offload(macsec->offload, macsec)) 4057 return -EOPNOTSUPP; 4058 4059 /* send_sci must be set to true when transmit sci explicitly is set */ 4060 if ((data && data[IFLA_MACSEC_SCI]) && 4061 (data && data[IFLA_MACSEC_INC_SCI])) { 4062 u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]); 4063 4064 if (!send_sci) 4065 return -EINVAL; 4066 } 4067 4068 if (data && data[IFLA_MACSEC_ICV_LEN]) 4069 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); 4070 mtu = real_dev->mtu - icv_len - macsec_extra_len(true); 4071 if (mtu < 0) 4072 dev->mtu = 0; 4073 else 4074 dev->mtu = mtu; 4075 4076 rx_handler = rtnl_dereference(real_dev->rx_handler); 4077 if (rx_handler && rx_handler != macsec_handle_frame) 4078 return -EBUSY; 4079 4080 err = register_netdevice(dev); 4081 if (err < 0) 4082 return err; 4083 4084 netdev_lockdep_set_classes(dev); 4085 lockdep_set_class(&dev->addr_list_lock, 4086 &macsec_netdev_addr_lock_key); 4087 4088 err = netdev_upper_dev_link(real_dev, dev, extack); 4089 if (err < 0) 4090 goto unregister; 4091 4092 /* need to be already registered so that ->init has run and 4093 * the MAC addr is set 4094 */ 4095 if (data && data[IFLA_MACSEC_SCI]) 4096 sci = nla_get_sci(data[IFLA_MACSEC_SCI]); 4097 else if (data && data[IFLA_MACSEC_PORT]) 4098 sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT])); 4099 else 4100 sci = dev_to_sci(dev, MACSEC_PORT_ES); 4101 4102 if (rx_handler && sci_exists(real_dev, sci)) { 4103 err = -EBUSY; 4104 goto unlink; 4105 } 4106 4107 err = macsec_add_dev(dev, sci, icv_len); 4108 if (err) 4109 goto unlink; 4110 4111 if (data) { 4112 err = macsec_changelink_common(dev, data); 4113 if (err) 4114 goto del_dev; 4115 } 4116 4117 /* If h/w offloading is available, propagate to the device */ 4118 if (macsec_is_offloaded(macsec)) { 4119 const struct macsec_ops *ops; 4120 struct macsec_context ctx; 4121 4122 ops = macsec_get_ops(macsec, &ctx); 4123 if (ops) { 4124 ctx.secy = &macsec->secy; 4125 err = macsec_offload(ops->mdo_add_secy, &ctx); 4126 if (err) 4127 goto del_dev; 4128 } 4129 } 4130 4131 err = register_macsec_dev(real_dev, dev); 4132 if (err < 0) 4133 goto del_dev; 4134 4135 netif_stacked_transfer_operstate(real_dev, dev); 4136 linkwatch_fire_event(dev); 4137 4138 macsec_generation++; 4139 4140 return 0; 4141 4142 del_dev: 4143 macsec_del_dev(macsec); 4144 unlink: 4145 netdev_upper_dev_unlink(real_dev, dev); 4146 unregister: 4147 unregister_netdevice(dev); 4148 return err; 4149 } 4150 4151 static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[], 4152 struct netlink_ext_ack *extack) 4153 { 4154 u64 csid = MACSEC_DEFAULT_CIPHER_ID; 4155 u8 icv_len = MACSEC_DEFAULT_ICV_LEN; 4156 int flag; 4157 bool es, scb, sci; 4158 4159 if (!data) 4160 return 0; 4161 4162 if (data[IFLA_MACSEC_CIPHER_SUITE]) 4163 csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]); 4164 4165 if (data[IFLA_MACSEC_ICV_LEN]) { 4166 icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]); 4167 if (icv_len != MACSEC_DEFAULT_ICV_LEN) { 4168 char dummy_key[DEFAULT_SAK_LEN] = { 0 }; 4169 struct crypto_aead *dummy_tfm; 4170 4171 dummy_tfm = macsec_alloc_tfm(dummy_key, 4172 DEFAULT_SAK_LEN, 4173 icv_len); 4174 if (IS_ERR(dummy_tfm)) 4175 return PTR_ERR(dummy_tfm); 4176 crypto_free_aead(dummy_tfm); 4177 } 4178 } 4179 4180 switch (csid) { 4181 case MACSEC_CIPHER_ID_GCM_AES_128: 4182 case MACSEC_CIPHER_ID_GCM_AES_256: 4183 case MACSEC_CIPHER_ID_GCM_AES_XPN_128: 4184 case MACSEC_CIPHER_ID_GCM_AES_XPN_256: 4185 case MACSEC_DEFAULT_CIPHER_ID: 4186 if (icv_len < MACSEC_MIN_ICV_LEN || 4187 icv_len > MACSEC_STD_ICV_LEN) 4188 return -EINVAL; 4189 break; 4190 default: 4191 return -EINVAL; 4192 } 4193 4194 if (data[IFLA_MACSEC_ENCODING_SA]) { 4195 if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN) 4196 return -EINVAL; 4197 } 4198 4199 for (flag = IFLA_MACSEC_ENCODING_SA + 1; 4200 flag < IFLA_MACSEC_VALIDATION; 4201 flag++) { 4202 if (data[flag]) { 4203 if (nla_get_u8(data[flag]) > 1) 4204 return -EINVAL; 4205 } 4206 } 4207 4208 es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false; 4209 sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false; 4210 scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false; 4211 4212 if ((sci && (scb || es)) || (scb && es)) 4213 return -EINVAL; 4214 4215 if (data[IFLA_MACSEC_VALIDATION] && 4216 nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX) 4217 return -EINVAL; 4218 4219 if ((data[IFLA_MACSEC_REPLAY_PROTECT] && 4220 nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) && 4221 !data[IFLA_MACSEC_WINDOW]) 4222 return -EINVAL; 4223 4224 return 0; 4225 } 4226 4227 static struct net *macsec_get_link_net(const struct net_device *dev) 4228 { 4229 return dev_net(macsec_priv(dev)->real_dev); 4230 } 4231 4232 static size_t macsec_get_size(const struct net_device *dev) 4233 { 4234 return nla_total_size_64bit(8) + /* IFLA_MACSEC_SCI */ 4235 nla_total_size(1) + /* IFLA_MACSEC_ICV_LEN */ 4236 nla_total_size_64bit(8) + /* IFLA_MACSEC_CIPHER_SUITE */ 4237 nla_total_size(4) + /* IFLA_MACSEC_WINDOW */ 4238 nla_total_size(1) + /* IFLA_MACSEC_ENCODING_SA */ 4239 nla_total_size(1) + /* IFLA_MACSEC_ENCRYPT */ 4240 nla_total_size(1) + /* IFLA_MACSEC_PROTECT */ 4241 nla_total_size(1) + /* IFLA_MACSEC_INC_SCI */ 4242 nla_total_size(1) + /* IFLA_MACSEC_ES */ 4243 nla_total_size(1) + /* IFLA_MACSEC_SCB */ 4244 nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */ 4245 nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */ 4246 nla_total_size(1) + /* IFLA_MACSEC_OFFLOAD */ 4247 0; 4248 } 4249 4250 static int macsec_fill_info(struct sk_buff *skb, 4251 const struct net_device *dev) 4252 { 4253 struct macsec_tx_sc *tx_sc; 4254 struct macsec_dev *macsec; 4255 struct macsec_secy *secy; 4256 u64 csid; 4257 4258 macsec = macsec_priv(dev); 4259 secy = &macsec->secy; 4260 tx_sc = &secy->tx_sc; 4261 4262 switch (secy->key_len) { 4263 case MACSEC_GCM_AES_128_SAK_LEN: 4264 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID; 4265 break; 4266 case MACSEC_GCM_AES_256_SAK_LEN: 4267 csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256; 4268 break; 4269 default: 4270 goto nla_put_failure; 4271 } 4272 4273 if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci, 4274 IFLA_MACSEC_PAD) || 4275 nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) || 4276 nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE, 4277 csid, IFLA_MACSEC_PAD) || 4278 nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) || 4279 nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) || 4280 nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) || 4281 nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) || 4282 nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) || 4283 nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) || 4284 nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) || 4285 nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) || 4286 nla_put_u8(skb, IFLA_MACSEC_OFFLOAD, macsec->offload) || 4287 0) 4288 goto nla_put_failure; 4289 4290 if (secy->replay_protect) { 4291 if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window)) 4292 goto nla_put_failure; 4293 } 4294 4295 return 0; 4296 4297 nla_put_failure: 4298 return -EMSGSIZE; 4299 } 4300 4301 static struct rtnl_link_ops macsec_link_ops __read_mostly = { 4302 .kind = "macsec", 4303 .priv_size = sizeof(struct macsec_dev), 4304 .maxtype = IFLA_MACSEC_MAX, 4305 .policy = macsec_rtnl_policy, 4306 .setup = macsec_setup, 4307 .validate = macsec_validate_attr, 4308 .newlink = macsec_newlink, 4309 .changelink = macsec_changelink, 4310 .dellink = macsec_dellink, 4311 .get_size = macsec_get_size, 4312 .fill_info = macsec_fill_info, 4313 .get_link_net = macsec_get_link_net, 4314 }; 4315 4316 static bool is_macsec_master(struct net_device *dev) 4317 { 4318 return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame; 4319 } 4320 4321 static int macsec_notify(struct notifier_block *this, unsigned long event, 4322 void *ptr) 4323 { 4324 struct net_device *real_dev = netdev_notifier_info_to_dev(ptr); 4325 LIST_HEAD(head); 4326 4327 if (!is_macsec_master(real_dev)) 4328 return NOTIFY_DONE; 4329 4330 switch (event) { 4331 case NETDEV_DOWN: 4332 case NETDEV_UP: 4333 case NETDEV_CHANGE: { 4334 struct macsec_dev *m, *n; 4335 struct macsec_rxh_data *rxd; 4336 4337 rxd = macsec_data_rtnl(real_dev); 4338 list_for_each_entry_safe(m, n, &rxd->secys, secys) { 4339 struct net_device *dev = m->secy.netdev; 4340 4341 netif_stacked_transfer_operstate(real_dev, dev); 4342 } 4343 break; 4344 } 4345 case NETDEV_UNREGISTER: { 4346 struct macsec_dev *m, *n; 4347 struct macsec_rxh_data *rxd; 4348 4349 rxd = macsec_data_rtnl(real_dev); 4350 list_for_each_entry_safe(m, n, &rxd->secys, secys) { 4351 macsec_common_dellink(m->secy.netdev, &head); 4352 } 4353 4354 netdev_rx_handler_unregister(real_dev); 4355 kfree(rxd); 4356 4357 unregister_netdevice_many(&head); 4358 break; 4359 } 4360 case NETDEV_CHANGEMTU: { 4361 struct macsec_dev *m; 4362 struct macsec_rxh_data *rxd; 4363 4364 rxd = macsec_data_rtnl(real_dev); 4365 list_for_each_entry(m, &rxd->secys, secys) { 4366 struct net_device *dev = m->secy.netdev; 4367 unsigned int mtu = real_dev->mtu - (m->secy.icv_len + 4368 macsec_extra_len(true)); 4369 4370 if (dev->mtu > mtu) 4371 dev_set_mtu(dev, mtu); 4372 } 4373 } 4374 } 4375 4376 return NOTIFY_OK; 4377 } 4378 4379 static struct notifier_block macsec_notifier = { 4380 .notifier_call = macsec_notify, 4381 }; 4382 4383 static int __init macsec_init(void) 4384 { 4385 int err; 4386 4387 pr_info("MACsec IEEE 802.1AE\n"); 4388 err = register_netdevice_notifier(&macsec_notifier); 4389 if (err) 4390 return err; 4391 4392 err = rtnl_link_register(&macsec_link_ops); 4393 if (err) 4394 goto notifier; 4395 4396 err = genl_register_family(&macsec_fam); 4397 if (err) 4398 goto rtnl; 4399 4400 return 0; 4401 4402 rtnl: 4403 rtnl_link_unregister(&macsec_link_ops); 4404 notifier: 4405 unregister_netdevice_notifier(&macsec_notifier); 4406 return err; 4407 } 4408 4409 static void __exit macsec_exit(void) 4410 { 4411 genl_unregister_family(&macsec_fam); 4412 rtnl_link_unregister(&macsec_link_ops); 4413 unregister_netdevice_notifier(&macsec_notifier); 4414 rcu_barrier(); 4415 } 4416 4417 module_init(macsec_init); 4418 module_exit(macsec_exit); 4419 4420 MODULE_ALIAS_RTNL_LINK("macsec"); 4421 MODULE_ALIAS_GENL_FAMILY("macsec"); 4422 4423 MODULE_DESCRIPTION("MACsec IEEE 802.1AE"); 4424 MODULE_LICENSE("GPL v2"); 4425