/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * MACsec netdev header, used for h/w accelerated implementations.
 *
 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
 */
#ifndef _NET_MACSEC_H_
#define _NET_MACSEC_H_

#include <linux/u64_stats_sync.h>
#include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h>

/*
 * Secure Channel Identifier (SCI). 64 bits wide; __bitwise so that sparse
 * flags any mixing with plain integers.
 */
typedef u64 __bitwise sci_t;

#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier
 * @tfm: crypto struct, key storage (AEAD transform; the raw key material
 *       is held by the crypto layer, not in this struct)
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
};

/**
 * struct macsec_rx_sc_stats - receive secure channel counters
 *
 * Field names follow the IEEE 802.1AE MIB counters. These are 64-bit
 * counters, bundled with a u64_stats_sync in &struct pcpu_rx_sc_stats.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};

/**
 * struct macsec_rx_sa_stats - receive secure association counters
 *
 * Field names follow the IEEE 802.1AE MIB counters; 32-bit, per SA.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};

/**
 * struct macsec_tx_sa_stats - transmit secure association counters
 *
 * Field names follow the IEEE 802.1AE MIB counters; 32-bit, per SA.
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};

/**
 * struct macsec_tx_sc_stats - transmit secure channel counters
 *
 * Field names follow the IEEE 802.1AE MIB counters. These are 64-bit
 * counters, bundled with a u64_stats_sync in &struct pcpu_tx_sc_stats.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};

/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @lock: protects next_pn manipulations
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count on this SA
 * @active: SA is active
 * @stats: per-SA stats (per-cpu)
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head used to defer freeing of the SA
 */
struct macsec_rx_sa {
	struct macsec_key key;
	spinlock_t lock;
	u32 next_pn;
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};

/**
 * struct pcpu_rx_sc_stats - per-cpu receive SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync protecting the 64-bit counters in @stats
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct pcpu_tx_sc_stats - per-cpu transmit SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync protecting the 64-bit counters in @stats
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected list of receive channels
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats (per-cpu)
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head used to defer freeing of the SC
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};

/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @lock: protects next_pn manipulations
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count on this SA
 * @active: SA is active
 * @stats: per-SA stats (per-cpu)
 * @rcu: RCU head used to defer freeing of the SA
 */
struct macsec_tx_sa {
	struct macsec_key key;
	spinlock_t lock;
	u32 next_pn;
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};

/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use (index into @sa)
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: End Station (ES) flag of the SecTAG TCI
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC (per-cpu)
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};

/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type from
 *                   uapi/linux/if_macsec.h)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window, used when @replay_protect is set
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels (RCU-protected)
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};

/**
 * struct macsec_context - MACsec context for hardware offloading
 * @phydev: PHY device that implements the offload
 * @offload: offload mode (enum macsec_offload)
 * @secy: SecY the operation applies to
 * @rx_sc: receive secure channel the operation applies to, when relevant
 * @sa: secure association the operation applies to, when relevant
 * @sa.assoc_num: association number (index into the SC's @sa array,
 *                below MACSEC_NUM_AN)
 * @sa.key: key identifier; sized MACSEC_KEYID_LEN like &macsec_key.id, so
 *          presumably the key id rather than key material — confirm against
 *          the caller
 * @sa.rx_sa: the receive SA, for rx SA operations
 * @sa.tx_sa: the transmit SA, for tx SA operations
 * @prepare: NOTE(review): looks like a flag marking a preparatory pass of the
 *           operation before it is committed — confirm against the caller
 */
struct macsec_context {
	struct phy_device *phydev;
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_KEYID_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;

	u8 prepare:1;
};

/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide: offload device opened
 * @mdo_dev_stop: device-wide: offload device stopped
 * @mdo_add_secy: SecY added (@ctx->secy)
 * @mdo_upd_secy: SecY updated
 * @mdo_del_secy: SecY deleted
 * @mdo_add_rxsc: receive secure channel added (@ctx->rx_sc)
 * @mdo_upd_rxsc: receive secure channel updated
 * @mdo_del_rxsc: receive secure channel deleted
 * @mdo_add_rxsa: receive SA added (@ctx->sa.rx_sa)
 * @mdo_upd_rxsa: receive SA updated
 * @mdo_del_rxsa: receive SA deleted
 * @mdo_add_txsa: transmit SA added (@ctx->sa.tx_sa)
 * @mdo_upd_txsa: transmit SA updated
 * @mdo_del_txsa: transmit SA deleted
 *
 * Every hook takes the &struct macsec_context describing the object the
 * operation applies to and returns an int; presumably 0 on success and a
 * negative error code otherwise — confirm against how the core treats the
 * return value.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
};

/*
 * macsec_pn_wrapped - notify the MACsec core that @tx_sa's packet number
 * has wrapped on @secy.
 *
 * The packet number is part of the per-packet AES-GCM nonce for the SA's
 * key, so once it wraps the SA must not keep transmitting under that key.
 * NOTE(review): presumably called from offloading drivers, with the core
 * deactivating the SA — confirm against the definition.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);

#endif /* _NET_MACSEC_H_ */