GET /api/patches/114955/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 114955,
    "url": "http://patches.dpdk.org/api/patches/114955/?format=api",
    "web_url": "http://patches.dpdk.org/project/dpdk/patch/20220814184620.512343-3-gakhil@marvell.com/",
    "project": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20220814184620.512343-3-gakhil@marvell.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20220814184620.512343-3-gakhil@marvell.com",
    "date": "2022-08-14T18:46:19",
    "name": "[2/3] security: support MACsec",
    "commit_ref": null,
    "pull_url": null,
    "state": "superseded",
    "archived": true,
    "hash": "e9a70fd3be52287923079a90546918ab49595f09",
    "submitter": {
        "id": 2094,
        "url": "http://patches.dpdk.org/api/people/2094/?format=api",
        "name": "Akhil Goyal",
        "email": "gakhil@marvell.com"
    },
    "delegate": {
        "id": 1,
        "url": "http://patches.dpdk.org/api/users/1/?format=api",
        "username": "tmonjalo",
        "first_name": "Thomas",
        "last_name": "Monjalon",
        "email": "thomas@monjalon.net"
    },
    "mbox": "http://patches.dpdk.org/project/dpdk/patch/20220814184620.512343-3-gakhil@marvell.com/mbox/",
    "series": [
        {
            "id": 24306,
            "url": "http://patches.dpdk.org/api/series/24306/?format=api",
            "web_url": "http://patches.dpdk.org/project/dpdk/list/?series=24306",
            "date": "2022-08-14T18:46:17",
            "name": "security: support MACsec",
            "version": 1,
            "mbox": "http://patches.dpdk.org/series/24306/mbox/"
        }
    ],
    "comments": "http://patches.dpdk.org/api/patches/114955/comments/",
    "check": "warning",
    "checks": "http://patches.dpdk.org/api/patches/114955/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id 68FAEA00C2;\n\tSun, 14 Aug 2022 20:46:45 +0200 (CEST)",
            "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id D55B041148;\n\tSun, 14 Aug 2022 20:46:43 +0200 (CEST)",
            "from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com\n [67.231.156.173])\n by mails.dpdk.org (Postfix) with ESMTP id 6BDC44113C\n for <dev@dpdk.org>; Sun, 14 Aug 2022 20:46:42 +0200 (CEST)",
            "from pps.filterd (m0045851.ppops.net [127.0.0.1])\n by mx0b-0016f401.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id\n 27EIGlrh025092;\n Sun, 14 Aug 2022 11:46:41 -0700",
            "from dc5-exch02.marvell.com ([199.233.59.182])\n by mx0b-0016f401.pphosted.com (PPS) with ESMTPS id 3hxbfkm1dk-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT);\n Sun, 14 Aug 2022 11:46:41 -0700",
            "from DC5-EXCH01.marvell.com (10.69.176.38) by DC5-EXCH02.marvell.com\n (10.69.176.39) with Microsoft SMTP Server (TLS) id 15.0.1497.18;\n Sun, 14 Aug 2022 11:46:39 -0700",
            "from maili.marvell.com (10.69.176.80) by DC5-EXCH01.marvell.com\n (10.69.176.38) with Microsoft SMTP Server id 15.0.1497.2 via Frontend\n Transport; Sun, 14 Aug 2022 11:46:39 -0700",
            "from localhost.localdomain (unknown [10.28.36.102])\n by maili.marvell.com (Postfix) with ESMTP id 43E603F7051;\n Sun, 14 Aug 2022 11:46:35 -0700 (PDT)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.com;\n h=from : to : cc :\n subject : date : message-id : in-reply-to : references : mime-version :\n content-transfer-encoding : content-type; s=pfpt0220;\n bh=XvJEj2XjFU9QIAALF4n1uESsYmrwy+FbScYPe1l7mVI=;\n b=jPahfBgilDc7o6tHVnTjjQ1HQe5Iwg4q0gwYaS+SZRxFOoQ1NenIEuG5dSglgwVZdF+n\n ayRv5XlyOOKEmAyT1iLSRCgN0tz85ZOkvvnTKcSWMYaLSoVjXjlSoSc3AIrbsPzSJuVo\n teFsh6omf+UJ67sVouecuBKP/J2jG8Inuigw/Fugt86SBirAsti5vzSPlXnO0SoT33Qt\n lalnm2BZHC9hvv4aJeARQjhxnWmR+WSVe/0LOLwEl5I1ZLzwlipiVl14GfcbsdkQbsIe\n EkxjLhYsV+054zVJwWaFQ1JtIFOcIaPdkthQpjgvIdaRd4it66OFSEnzY7g/ZYdbvs3T +g==",
        "From": "Akhil Goyal <gakhil@marvell.com>",
        "To": "<dev@dpdk.org>",
        "CC": "<thomas@monjalon.net>, <david.marchand@redhat.com>,\n <hemant.agrawal@nxp.com>, <vattunuru@marvell.com>,\n <ferruh.yigit@xilinx.com>, <andrew.rybchenko@oktetlabs.ru>,\n <konstantin.v.ananyev@yandex.ru>, <jiawenwu@trustnetic.com>,\n <yisen.zhuang@huawei.com>, <irusskikh@marvell.com>,\n <qiming.yang@intel.com>, <jerinj@marvell.com>, <adwivedi@marvell.com>,\n Akhil Goyal <gakhil@marvell.com>",
        "Subject": "[PATCH 2/3] security: support MACsec",
        "Date": "Mon, 15 Aug 2022 00:16:19 +0530",
        "Message-ID": "<20220814184620.512343-3-gakhil@marvell.com>",
        "X-Mailer": "git-send-email 2.25.1",
        "In-Reply-To": "<20220814184620.512343-1-gakhil@marvell.com>",
        "References": "<20220814184620.512343-1-gakhil@marvell.com>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain",
        "X-Proofpoint-GUID": "8na761ls5arVKddDdf1ic_6GyXgtbpGT",
        "X-Proofpoint-ORIG-GUID": "8na761ls5arVKddDdf1ic_6GyXgtbpGT",
        "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1\n definitions=2022-08-14_11,2022-08-11_01,2022-06-22_01",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "Added support for MACsec in rte_security for offloading\nMACsec protocol operation to an inline NIC device or a crypto device.\n\nTo support MACsec we cannot just make one security session and\nsend it with the packet to process it. MACsec specifications suggest\nit has 3 different entities - SECY entity, SC (secure channel) and\nSA (security association). The same SA can be used by multiple SCs and\nsimilarly many SECYs can have the same SCs. Hence, in order to support these\nmany-to-one relationships between all entities, 2 new APIs are created -\nrte_security_macsec_sc_create and rte_security_macsec_sa_create.\nThe APIs are called in the following order:\n- rte_security_macsec_sa_create\n- rte_security_macsec_sc_create\n- rte_security_session_create (for SECY)\nIn case of inline protocol processing, an rte_flow can be created with\nthe rte_security action. A new flow item will be added for the MACsec header.\nNew APIs are also created for getting SC and SA stats.\n\nSigned-off-by: Akhil Goyal <gakhil@marvell.com>\n---\n doc/guides/prog_guide/rte_security.rst | 107 +++++++-\n lib/security/rte_security.c            |  86 ++++++\n lib/security/rte_security.h            | 362 ++++++++++++++++++++++++-\n lib/security/rte_security_driver.h     |  86 ++++++\n lib/security/version.map               |   6 +\n 5 files changed, 634 insertions(+), 13 deletions(-)",
    "diff": "diff --git a/doc/guides/prog_guide/rte_security.rst b/doc/guides/prog_guide/rte_security.rst\nindex 72ca0bd330..1af4d60c75 100644\n--- a/doc/guides/prog_guide/rte_security.rst\n+++ b/doc/guides/prog_guide/rte_security.rst\n@@ -345,6 +345,55 @@ The CRC is Ethernet CRC-32 as specified in Ethernet/[ISO/IEC 8802-3].\n     * Other DOCSIS protocol functionality such as Header Checksum (HCS)\n       calculation may be added in the future.\n \n+MACSEC Protocol\n+~~~~~~~~~~~~~~~\n+\n+Media Access Control security (MACsec) provides point-to-point security on Ethernet\n+links and is defined by IEEE standard 802.1AE. MACsec secures an Ethernet link for\n+almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP),\n+Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP),\n+Address Resolution Protocol (ARP), and other protocols that are not typically secured\n+on an Ethernet link because of limitations with other security solutions.\n+\n+.. 
code-block:: c\n+\n+             Receive                                                Transmit\n+             -------                                                --------\n+\n+         Ethernet frame                                          Ethernet frame\n+         from  network                                           towards network\n+                |                                                      ^\n+                ~                                                      |\n+                |                                                      ~\n+                V                                                      |\n+    +-----------------------+      +------------------+      +-------------------------+\n+    | Secure frame verify   |      | Cipher Suite(SA) |      | Secure Frame Generation |\n+    +-----------------------+<-----+------------------+----->+-------------------------+\n+    | SecTAG + ICV remove   |      |  SECY   |   SC   |      | SecTAG + ICV Added      |\n+    +---+-------------------+      +------------------+      +-------------------------+\n+                |                                                      ^\n+                |                                                      |\n+                V                                                      |\n+        Packet to Core/App                                     Packet from core/App\n+\n+\n+\n+To configure MACsec on an inline NIC device or a lookaside crypto device, a security\n+association(SA) and a secure channel(SC) are created before creating rte_security\n+session.\n+\n+SA is created using API ``rte_security_macsec_sa_create`` which allows setting\n+SA keys, salt, SSCI, packet number(PN) into the PMD and the API returns a handle\n+which can be used to map it with a secure channel using the API\n+``rte_security_macsec_sc_create``. 
Same SAs can be used for multiple SCs.\n+The Rx SC will need a set of 4 SAs for each of the association numbers(AN).\n+For Tx SC a single SA is set which will be used by hardware to process the packet.\n+\n+The API ``rte_security_macsec_sc_create`` returns a handle for SC and this handle\n+is set in ``rte_security_macsec_xform`` to create a MACsec session using\n+``rte_security_session_create``.\n+\n+\n Device Features and Capabilities\n ---------------------------------\n \n@@ -517,6 +566,35 @@ protocol.\n         RTE_CRYPTODEV_END_OF_CAPABILITIES_LIST()\n     };\n \n+Below is the example PMD capability for MACsec\n+\n+.. code-block:: c\n+\n+    static const struct rte_security_capability pmd_security_capabilities[] = {\n+        { /* DOCSIS Uplink */\n+                .action = RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL,\n+                .protocol = RTE_SECURITY_PROTOCOL_MACSEC,\n+                .macsec = {\n+                        .mtu = 1500,\n+                        .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,\n+                        .max_nb_sc = 64,\n+                        .max_nb_sa = 128,\n+                        .max_nb_sess = 64,\n+                        .replay_win_sz = 4096,\n+                        .relative_sectag_insert = 1,\n+                        .fixed_sectag_insert = 1,\n+                        .icv_include_da_sa = 1,\n+                        .ctrl_port_enable = 1,\n+                        .preserve_sectag = 1,\n+                        .preserve_icv = 1,\n+                        .validate_frames = 1,\n+                        .re_key = 1,\n+                        .anti_replay = 1,\n+                },\n+                .crypto_capabilities = NULL,\n+        },\n+    };\n+\n Capabilities Discovery\n ~~~~~~~~~~~~~~~~~~~~~~\n \n@@ -661,6 +739,8 @@ which will be updated in the future.\n \n IPsec related configuration parameters are defined in ``rte_security_ipsec_xform``\n \n+MACsec related configuration parameters are defined in 
``rte_security_macsec_xform``\n+\n PDCP related configuration parameters are defined in ``rte_security_pdcp_xform``\n \n DOCSIS related configuration parameters are defined in ``rte_security_docsis_xform``\n@@ -682,7 +762,7 @@ The ingress/egress flow attribute should match that specified in the security\n session if the security session supports the definition of the direction.\n \n Multiple flows can be configured to use the same security session. For\n-example if the security session specifies an egress IPsec SA, then multiple\n+example if the security session specifies an egress IPsec/MACsec SA, then multiple\n flows can be specified to that SA. In the case of an ingress IPsec SA then\n it is only valid to have a single flow to map to that security session.\n \n@@ -692,8 +772,8 @@ it is only valid to have a single flow to map to that security session.\n                  |\n         +--------|--------+\n         |    Add/Remove   |\n-        |     IPsec SA    |   <------ Build security flow action of\n-        |        |        |           ipsec transform\n+        | IPsec/MACsec SA |   <------ Build security flow action of\n+        |        |        |           IPsec/MACsec transform\n         |--------|--------|\n                  |\n         +--------V--------+\n@@ -712,9 +792,9 @@ it is only valid to have a single flow to map to that security session.\n         |                 |\n         +--------|--------+\n \n-* Add/Delete SA flow:\n+* Add/Delete IPsec SA flow:\n   To add a new inline SA construct a rte_flow_item for Ethernet + IP + ESP\n-  using the SA selectors and the ``rte_crypto_ipsec_xform`` as the ``rte_flow_action``.\n+  using the SA selectors and the ``rte_security_ipsec_xform`` as the ``rte_flow_action``.\n   Note that any rte_flow_items may be empty, which means it is not checked.\n \n .. code-block:: console\n@@ -729,6 +809,23 @@ it is only valid to have a single flow to map to that security session.\n         |  Eth  | ->  ... 
-> |   ESP  | -> | END |\n         +-------+            +--------+    +-----+\n \n+* Add/Delete MACsec SA flow:\n+  To add a new inline SA construct a rte_flow_item for Ethernet + SecTAG\n+  using the SA selectors and the ``rte_security_macsec_xform`` as the ``rte_flow_action``.\n+  Note that any rte_flow_items may be empty, which means it is not checked.\n+\n+.. code-block:: console\n+\n+    In its most basic form, MACsec flow specification is as follows:\n+        +-------+     +----------+     +-----+\n+        |  Eth  | ->  |  SecTag  |  -> | END |\n+        +-------+     +----------+     +-----+\n+\n+    However, the API can represent, MACsec offload with any encapsulation:\n+        +-------+            +--------+    +-----+\n+        |  Eth  | ->  ... -> | SecTag | -> | END |\n+        +-------+            +--------+    +-----+\n+\n \n Telemetry support\n -----------------\ndiff --git a/lib/security/rte_security.c b/lib/security/rte_security.c\nindex 4f5e4b4d49..45f8827d78 100644\n--- a/lib/security/rte_security.c\n+++ b/lib/security/rte_security.c\n@@ -121,6 +121,92 @@ rte_security_session_destroy(struct rte_security_ctx *instance,\n \treturn 0;\n }\n \n+int\n+rte_security_macsec_sc_create(struct rte_security_ctx *instance,\n+\t\t\t      struct rte_security_macsec_sc *conf)\n+{\n+\tint sc_id;\n+\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_create, -EINVAL, -ENOTSUP);\n+\tRTE_PTR_OR_ERR_RET(conf, -EINVAL);\n+\n+\tsc_id = instance->ops->macsec_sc_create(instance->device, conf);\n+\tif (sc_id >= 0)\n+\t\tinstance->macsec_sc_cnt++;\n+\n+\treturn sc_id;\n+}\n+\n+int\n+rte_security_macsec_sa_create(struct rte_security_ctx *instance,\n+\t\t\t      struct rte_security_macsec_sa *conf)\n+{\n+\tint sa_id;\n+\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_create, -EINVAL, -ENOTSUP);\n+\tRTE_PTR_OR_ERR_RET(conf, -EINVAL);\n+\n+\tsa_id = instance->ops->macsec_sa_create(instance->device, conf);\n+\tif (sa_id >= 
0)\n+\t\tinstance->macsec_sa_cnt++;\n+\n+\treturn sa_id;\n+}\n+\n+int\n+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id)\n+{\n+\tint ret;\n+\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_destroy, -EINVAL, -ENOTSUP);\n+\n+\tret = instance->ops->macsec_sc_destroy(instance->device, sc_id);\n+\tif (ret != 0)\n+\t\treturn ret;\n+\n+\tif (instance->macsec_sc_cnt)\n+\t\tinstance->macsec_sc_cnt--;\n+\n+\treturn 0;\n+}\n+\n+int\n+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id)\n+{\n+\tint ret;\n+\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_destroy, -EINVAL, -ENOTSUP);\n+\n+\tret = instance->ops->macsec_sa_destroy(instance->device, sa_id);\n+\tif (ret != 0)\n+\t\treturn ret;\n+\n+\tif (instance->macsec_sa_cnt)\n+\t\tinstance->macsec_sa_cnt--;\n+\n+\treturn 0;\n+}\n+\n+int\n+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance, uint16_t sc_id,\n+\t\t\t         struct rte_security_macsec_sc_stats *stats)\n+{\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sc_stats_get, -EINVAL, -ENOTSUP);\n+\tRTE_PTR_OR_ERR_RET(stats, -EINVAL);\n+\n+\treturn instance->ops->macsec_sc_stats_get(instance->device, sc_id, stats);\n+}\n+\n+int\n+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance, uint16_t sa_id,\n+\t\t\t         struct rte_security_macsec_sa_stats *stats)\n+{\n+\tRTE_PTR_CHAIN3_OR_ERR_RET(instance, ops, macsec_sa_stats_get, -EINVAL, -ENOTSUP);\n+\tRTE_PTR_OR_ERR_RET(stats, -EINVAL);\n+\n+\treturn instance->ops->macsec_sa_stats_get(instance->device, sa_id, stats);\n+}\n+\n int\n __rte_security_set_pkt_metadata(struct rte_security_ctx *instance,\n \t\t\t\tstruct rte_security_session *sess,\ndiff --git a/lib/security/rte_security.h b/lib/security/rte_security.h\nindex 675db940eb..1ae2a5627d 100644\n--- a/lib/security/rte_security.h\n+++ b/lib/security/rte_security.h\n@@ -23,6 +23,7 @@ extern \"C\" {\n #include <rte_common.h>\n #include <rte_crypto.h>\n #include 
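Review bot: In rte_security_macsec_sa_create the only library-level validation is `RTE_PTR_OR_ERR_RET(conf, -EINVAL)`; the key pointer and length inside the SA configuration reach the PMD unchecked, so a NULL `conf->key.data` or a zero `conf->key.length` is left for every driver to reject on its own. Add `if (conf->key.data == NULL || conf->key.length == 0) return -EINVAL;` before the `macsec_sa_create` call. The id the PMD returns is an `int`, while rte_security_macsec_sc_destroy, rte_security_macsec_sa_destroy and both stats calls take `uint16_t`, so an id above UINT16_MAX would be counted and handed back but could never be destroyed or queried; rejecting such an id here (destroying it in the PMD first) or documenting the driver contract as 0..UINT16_MAX would close that gap. `macsec_sc_cnt` and `macsec_sa_cnt` are `uint16_t` and incremented unconditionally, so they wrap at the same bound.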
<rte_ip.h>\n+#include <rte_macsec.h>\n #include <rte_mbuf_dyn.h>\n \n /** IPSec protocol mode */\n@@ -73,6 +74,10 @@ struct rte_security_ctx {\n \t/**< Pointer to security ops for the device */\n \tuint16_t sess_cnt;\n \t/**< Number of sessions attached to this context */\n+\tuint16_t macsec_sc_cnt;\n+\t/**< Number of MACsec SC attached to this context */\n+\tuint16_t macsec_sa_cnt;\n+\t/**< Number of MACsec SA attached to this context */\n \tuint32_t flags;\n \t/**< Flags for security context */\n };\n@@ -354,12 +359,157 @@ struct rte_security_ipsec_xform {\n \t/**< UDP parameters, ignored when udp_encap option not specified */\n };\n \n+/**\n+ * MACsec secure association(SA) configuration structure.\n+ */\n+struct rte_security_macsec_sa {\n+\t/** MACsec SA key for AES-GCM 128/256 */\n+\tstruct {\n+\t\tconst uint8_t *data;\t/**< pointer to key data */\n+\t\tuint16_t length;\t/**< key length in bytes */\n+\t} key;\n+\t/** 96-bit value distributed by key agreement protocol */\n+\tuint8_t salt[RTE_MACSEC_SALT_LEN];\n+\t/** Association number to be used */\n+\tuint8_t an : 2;\n+\t/** Short Secure Channel Identifier, to be used for XPN cases */\n+\tuint32_t ssci;\n+\t/** Packet number expected/ to be used for next packet of this SA */\n+\tuint32_t next_pn;\n+};\n+\n+/**\n+ * MACSec packet flow direction\n+ */\n+enum rte_security_macsec_direction {\n+\t/** Generate SecTag and encrypt/authenticate */\n+\tRTE_SECURITY_MACSEC_DIR_TX,\n+\t/** Remove SecTag and decrypt/verify */\n+\tRTE_SECURITY_MACSEC_DIR_RX,\n+};\n+\n+/**\n+ * MACsec Secure Channel configuration parameters.\n+ */\n+struct rte_security_macsec_sc {\n+\t/** Direction of SC */\n+\tenum rte_security_macsec_direction dir;\n+\tunion {\n+\t\tstruct {\n+\t\t\t/** SAs for each association number */\n+\t\t\tuint16_t sa_id[RTE_MACSEC_NUM_AN];\n+\t\t\t/** flag to denote which all SAs are in use for each association number */\n+\t\t\tuint16_t sa_in_use[RTE_MACSEC_NUM_AN];\n+\t\t\t/** Channel is active */\n+\t\t\tuint8_t 
active : 1;\n+\t\t\t/** Reserved bitfields for future */\n+\t\t\tuint8_t reserved : 7;\n+\t\t} sc_rx;\n+\t\tstruct {\n+\t\t\tuint16_t sa_id; /**< SA id to be used for encryption */\n+\t\t\tuint16_t sa_id_rekey; /**< Rekeying SA id to be used for encryption */\n+\t\t\tuint64_t sci; /**< SCI value to be used if send_sci is set */\n+\t\t\tuint8_t active : 1; /**< Channel is active */\n+\t\t\tuint8_t re_key_en : 1; /**< Enable Rekeying */\n+\t\t\t/** Reserved bitfields for future */\n+\t\t\tuint8_t reserved : 6;\n+\t\t} sc_tx;\n+\t};\n+};\n+\n+/**\n+ * MACsec Supported Algorithm list as per IEEE Std 802.1AE\n+ */\n+enum rte_security_macsec_alg {\n+\tRTE_SECURITY_MACSEC_ALG_GCM_128, /**< AES-GCM 128 bit block cipher */\n+\tRTE_SECURITY_MACSEC_ALG_GCM_256, /**< AES-GCM 256 bit block cipher */\n+\tRTE_SECURITY_MACSEC_ALG_GCM_XPN_128, /**< AES-GCM 128 bit block cipher with unique SSCI */\n+\tRTE_SECURITY_MACSEC_ALG_GCM_XPN_256, /**< AES-GCM 256 bit block cipher with unique SSCI */\n+};\n+\n+/** Disable Validation of MACsec frame */\n+#define RTE_SECURITY_MACSEC_VALIDATE_DISABLE\t0\n+/** Validate MACsec frame but do not discard invalid frame */\n+#define RTE_SECURITY_MACSEC_VALIDATE_NO_DISCARD\t1\n+/** Validate MACsec frame and discart invalid frame */\n+#define RTE_SECURITY_MACSEC_VALIDATE_STRICT\t2\n+/** Do not perform any MACsec operation */\n+#define RTE_SECURITY_MACSEC_VALIDATE_NO_OP\t3\n+\n /**\n  * MACsec security session configuration\n  */\n struct rte_security_macsec_xform {\n-\t/** To be Filled */\n-\tint dummy;\n+\t/** Direction of flow/secure channel */\n+\tenum rte_security_macsec_direction dir;\n+\t/** MACsec algorithm to be used */\n+\tenum rte_security_macsec_alg alg;\n+\t/** cipher offset from start of ethernet header */\n+\tuint8_t cipher_off;\n+\t/**\n+\t * SCI to be used for RX flow identification or\n+\t * to set SCI in packet for TX when send_sci is set\n+\t */\n+\tuint64_t sci;\n+\t/** Receive/transmit secure channel id created by 
*rte_security_macsec_sc_create* */\n+\tuint16_t sc_id;\n+\tunion {\n+\t\tstruct {\n+\t\t\t/** MTU for transmit frame (Valid for inline processing) */\n+\t\t\tuint16_t mtu;\n+\t\t\t/**\n+\t\t\t * Offset to insert sectag from start of ethernet header or\n+\t\t\t * from a matching VLAN tag\n+\t\t\t */\n+\t\t\tuint8_t sectag_off;\n+\t\t\t/** Enable MACsec protection of frames */\n+\t\t\tuint16_t protect_frames : 1;\n+\t\t\t/**\n+\t\t\t * Sectag insertion mode\n+\t\t\t * If 1, Sectag is inserted at fixed sectag_off set above.\n+\t\t\t * If 0, Sectag is inserted at relative sectag_off from a matching\n+\t\t\t * VLAN tag set.\n+\t\t\t */\n+\t\t\tuint16_t sectag_insert_mode : 1;\n+\t\t\t/** ICV includes source and destination MAC addresses */\n+\t\t\tuint16_t icv_include_da_sa : 1;\n+\t\t\t/** Control port is enabled */\n+\t\t\tuint16_t ctrl_port_enable : 1;\n+\t\t\t/** Version of MACsec header. Should be 0 */\n+\t\t\tuint16_t sectag_version : 1;\n+\t\t\t/** Enable end station. SCI is not valid */\n+\t\t\tuint16_t end_station : 1;\n+\t\t\t/** Send SCI along with sectag */\n+\t\t\tuint16_t send_sci : 1;\n+\t\t\t/** enable secure channel support EPON - single copy broadcast */\n+\t\t\tuint16_t scb : 1;\n+\t\t\t/**\n+\t\t\t * Enable packet encryption and set RTE_MACSEC_TCI_C and\n+\t\t\t * RTE_MACSEC_TCI_E in sectag\n+\t\t\t */\n+\t\t\tuint16_t encrypt : 1;\n+\t\t\t/** Reserved bitfields for future */\n+\t\t\tuint16_t reserved : 7;\n+\t\t} tx_secy;\n+\t\tstruct {\n+\t\t\t/** Replay Window size to be supported */\n+\t\t\tuint32_t replay_win_sz;\n+\t\t\t/** Set bits as per RTE_SECURITY_MACSEC_VALIDATE_* */\n+\t\t\tuint16_t validate_frames : 2;\n+\t\t\t/** ICV includes source and destination MAC addresses */\n+\t\t\tuint16_t icv_include_da_sa : 1;\n+\t\t\t/** Control port is enabled */\n+\t\t\tuint16_t ctrl_port_enable : 1;\n+\t\t\t/** Do not strip SecTAG after processing */\n+\t\t\tuint16_t preserve_sectag : 1;\n+\t\t\t/** Do not strip ICV from the packet after processing 
*/\n+\t\t\tuint16_t preserve_icv : 1;\n+\t\t\t/** Enable anti-replay protection */\n+\t\t\tuint16_t replay_protect : 1;\n+\t\t\t/** Reserved bitfields for future */\n+\t\t\tuint16_t reserved : 9;\n+\t\t} rx_secy;\n+\t};\n };\n \n /**\n@@ -513,7 +663,7 @@ struct rte_security_session_conf {\n \t};\n \t/**< Configuration parameters for security session */\n \tstruct rte_crypto_sym_xform *crypto_xform;\n-\t/**< Security Session Crypto Transformations */\n+\t/**< Security Session Crypto Transformations. NULL in case of MACsec */\n \tvoid *userdata;\n \t/**< Application specific userdata to be saved with session */\n };\n@@ -588,6 +738,80 @@ int\n rte_security_session_destroy(struct rte_security_ctx *instance,\n \t\t\t     struct rte_security_session *sess);\n \n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * Create MACsec security channel(SC)\n+ *\n+ * @param   instance\tsecurity instance\n+ * @param   conf\tMACsec SC configuration params\n+ * @return\n+ *  - secure channel id if successful\n+ *  - -EINVAL if configuration params are invalid of instance is NULL.\n+ *  - -ENOTSUP if device does not support MACsec.\n+ *  - -ENOMEM if PMD is not capable to create more SC.\n+ *  - other negative value for other errors.\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sc_create(struct rte_security_ctx *instance,\n+\t\t\t      struct rte_security_macsec_sc *conf);\n+\n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * Destroy MACsec security channel(SC)\n+ *\n+ * @param   instance\tsecurity instance\n+ * @param   sc_id\tSC id to be destroyed\n+ * @return\n+ *  - 0 if successful\n+ *  - -EINVAL if sc_id is invalid or instance is NULL.\n+ *  - -EBUSY if sc is being used by some session.\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sc_destroy(struct rte_security_ctx *instance, uint16_t sc_id);\n+\n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior 
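Review bot: `uint32_t next_pn` in struct rte_security_macsec_sa cannot hold the initial packet number of an XPN SA, although the same hunk adds RTE_SECURITY_MACSEC_ALG_GCM_XPN_128/256 and the `ssci` field that only XPN uses; extended packet numbering is a 64-bit counter, so the upper half of a starting PN is lost at SA creation. Change it to `uint64_t next_pn; /**< next PN; only the low 32 bits are used by non-XPN algorithms */`. The key is passed by pointer (`const uint8_t *data`) with no statement of who owns it or for how long, which matters because applications will want to zeroize key material as soon as setup is done; document on `key.data` that the PMD must copy the key inside sa_create and must not retain the pointer. Also "discart" in the RTE_SECURITY_MACSEC_VALIDATE_STRICT comment should read "discard".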
notice\n+ *\n+ * Create MACsec security association(SA)\n+ *\n+ * @param   instance\tsecurity instance\n+ * @param   conf\tMACsec SA configuration params\n+ * @return\n+ *  - positive SA id if successful\n+ *  - -EINVAL if configuration params are invalid of instance is NULL.\n+ *  - -ENOTSUP if device does not support MACsec.\n+ *  - -ENOMEM if PMD is not capable to create more SAs.\n+ *  - other negative value for other errors.\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sa_create(struct rte_security_ctx *instance,\n+\t\t\t      struct rte_security_macsec_sa *conf);\n+\n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * Destroy MACsec security association(SA)\n+ *\n+ * @param   instance\tsecurity instance\n+ * @param   sa_id\tSA id to be destroyed\n+ * @return\n+ *  - 0 if successful\n+ *  - -EINVAL if sa_id is invalid or instance is NULL.\n+ *  - -EBUSY if sa is being used by some session.\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sa_destroy(struct rte_security_ctx *instance, uint16_t sa_id);\n+\n /** Device-specific metadata field type */\n typedef uint64_t rte_security_dynfield_t;\n /** Dynamic mbuf field for device-specific metadata */\n@@ -747,8 +971,62 @@ rte_security_attach_session(struct rte_crypto_op *op,\n \treturn __rte_security_attach_session(op->sym, sess);\n }\n \n-struct rte_security_macsec_stats {\n-\tuint64_t reserved;\n+struct rte_security_macsec_secy_stats {\n+\tuint64_t ctl_pkt_bcast_cnt;\n+\tuint64_t ctl_pkt_mcast_cnt;\n+\tuint64_t ctl_pkt_ucast_cnt;\n+\tuint64_t ctl_octet_cnt;\n+\tuint64_t unctl_pkt_bcast_cnt;\n+\tuint64_t unctl_pkt_mcast_cnt;\n+\tuint64_t unctl_pkt_ucast_cnt;\n+\tuint64_t unctl_octet_cnt;\n+\t/* Valid only for RX */\n+\tuint64_t octet_decrypted_cnt;\n+\tuint64_t octet_validated_cnt;\n+\tuint64_t pkt_port_disabled_cnt;\n+\tuint64_t pkt_badtag_cnt;\n+\tuint64_t pkt_nosa_cnt;\n+\tuint64_t pkt_nosaerror_cnt;\n+\tuint64_t pkt_tagged_ctl_cnt;\n+\tuint64_t 
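Review bot: The Doxygen for rte_security_macsec_sc_create and rte_security_macsec_sa_create both read `-EINVAL if configuration params are invalid of instance is NULL.`; `of` should be `or`. The sa_create text promises a `positive SA id if successful` while sc_create says `secure channel id`, and the implementation in rte_security.c counts any `>= 0` result, so zero is a valid id for both; write `non-negative SA id if successful` so callers do not treat 0 as a failure. The two destroy prototypes list -EBUSY but not the -ENOTSUP that `RTE_PTR_CHAIN3_OR_ERR_RET` returns when the op is absent; add it to both @return lists.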
pkt_untaged_cnt;\n+\tuint64_t pkt_ctl_cnt;\n+\tuint64_t pkt_notag_cnt;\n+\t/* Valid only for TX */\n+\tuint64_t octet_encrypted_cnt;\n+\tuint64_t octet_protected_cnt;\n+\tuint64_t pkt_noactivesa_cnt;\n+\tuint64_t pkt_toolong_cnt;\n+\tuint64_t pkt_untagged_cnt;\n+};\n+\n+struct rte_security_macsec_sc_stats {\n+\t/* RX */\n+\tuint64_t hit_cnt;\n+\tuint64_t pkt_invalid_cnt;\n+\tuint64_t pkt_late_cnt;\n+\tuint64_t pkt_notvalid_cnt;\n+\tuint64_t pkt_unchecked_cnt;\n+\tuint64_t pkt_delay_cnt;\n+\tuint64_t pkt_ok_cnt;\n+\tuint64_t octet_decrypt_cnt;\n+\tuint64_t octet_validate_cnt;\n+\t/* TX */\n+\tuint64_t pkt_encrypt_cnt;\n+\tuint64_t pkt_protected_cnt;\n+\tuint64_t octet_encrypt_cnt;\n+\tuint64_t octet_protected_cnt;\n+};\n+\n+struct rte_security_macsec_sa_stats {\n+\t/* RX */\n+\tuint64_t pkt_invalid_cnt;\n+\tuint64_t pkt_nosaerror_cnt;\n+\tuint64_t pkt_notvalid_cnt;\n+\tuint64_t pkt_ok_cnt;\n+\tuint64_t pkt_nosa_cnt;\n+\t/* TX */\n+\tuint64_t pkt_encrypt_cnt;\n+\tuint64_t pkt_protected_cnt;\n };\n \n struct rte_security_ipsec_stats {\n@@ -776,7 +1054,7 @@ struct rte_security_stats {\n \n \tRTE_STD_C11\n \tunion {\n-\t\tstruct rte_security_macsec_stats macsec;\n+\t\tstruct rte_security_macsec_secy_stats macsec;\n \t\tstruct rte_security_ipsec_stats ipsec;\n \t\tstruct rte_security_pdcp_stats pdcp;\n \t\tstruct rte_security_docsis_stats docsis;\n@@ -802,6 +1080,44 @@ rte_security_session_stats_get(struct rte_security_ctx *instance,\n \t\t\t       struct rte_security_session *sess,\n \t\t\t       struct rte_security_stats *stats);\n \n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * Get MACsec SA statistics\n+ *\n+ * @param\tinstance\tsecurity instance\n+ * @param\tsa_id\t\tSA id for which stats are needed\n+ * @param\tstats\t\tstatistics\n+ * @return\n+ *  - On success, return 0\n+ *  - On failure, a negative value\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sa_stats_get(struct rte_security_ctx *instance,\n+\t\t\t\t 
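Review bot: struct rte_security_macsec_secy_stats spells the RX counter `pkt_untaged_cnt` but the TX counter `pkt_untagged_cnt`; once this ships in a public header the misspelling is frozen by ABI, so rename it now to `pkt_untagged_cnt` (or a distinct RX name such as `pkt_rx_untagged_cnt`). None of the three stats structs document their counters beyond the `/* Valid only for RX */` and `/* TX */` group markers, while every other field added in this patch carries a `/**< */` comment; the non-obvious ones (pkt_late_cnt, pkt_delay_cnt, pkt_unchecked_cnt, pkt_nosaerror_cnt) need a one-line statement of when the device increments them, and the structs should say whether the RX-only fields are zeroed or left untouched when a TX entity is queried.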
uint16_t sa_id,\n+\t\t\t\t struct rte_security_macsec_sa_stats *stats);\n+\n+/**\n+ * @warning\n+ * @b EXPERIMENTAL: this API may change without prior notice\n+ *\n+ * Get MACsec SC statistics\n+ *\n+ * @param\tinstance\tsecurity instance\n+ * @param\tsc_id\t\tSC id for which stats are needed\n+ * @param\tstats\t\tSC statistics\n+ * @return\n+ *  - On success, return 0\n+ *  - On failure, a negative value\n+ */\n+__rte_experimental\n+int\n+rte_security_macsec_sc_stats_get(struct rte_security_ctx *instance,\n+\t\t\t\t uint16_t sc_id,\n+\t\t\t\t struct rte_security_macsec_sc_stats *stats);\n+\n /**\n  * Security capability definition\n  */\n@@ -828,8 +1144,38 @@ struct rte_security_capability {\n \t\t} ipsec;\n \t\t/**< IPsec capability */\n \t\tstruct {\n-\t\t\t/* To be Filled */\n-\t\t\tint dummy;\n+\t\t\t/** MTU supported for inline TX */\n+\t\t\tuint16_t mtu;\n+\t\t\t/** MACsec algorithm to be used */\n+\t\t\tenum rte_security_macsec_alg alg;\n+\t\t\t/** Maximum number of secure channels supported. */\n+\t\t\tuint16_t max_nb_sc;\n+\t\t\t/** Maximum number of SAs supported. */\n+\t\t\tuint16_t max_nb_sa;\n+\t\t\t/** Maximum number of SAs supported. */\n+\t\t\tuint16_t max_nb_sess;\n+\t\t\t/** MACsec Anti Replay Window Size. */\n+\t\t\tuint32_t replay_win_sz;\n+\t\t\t/** Support Sectag insertion at relative offset. */\n+\t\t\tuint16_t relative_sectag_insert : 1;\n+\t\t\t/** Support Sectag insertion at fixed offset. 
*/\n+\t\t\tuint16_t fixed_sectag_insert : 1;\n+\t\t\t/** ICV includes source and destination MAC addresses */\n+\t\t\tuint16_t icv_include_da_sa : 1;\n+\t\t\t/** Control port traffic is supported */\n+\t\t\tuint16_t ctrl_port_enable : 1;\n+\t\t\t/** Do not strip SecTAG after processing */\n+\t\t\tuint16_t preserve_sectag : 1;\n+\t\t\t/** Do not strip ICV from the packet after processing */\n+\t\t\tuint16_t preserve_icv : 1;\n+\t\t\t/** Support frame validation as per RTE_SECURITY_MACSEC_VALIDATE_* */\n+\t\t\tuint16_t validate_frames : 1;\n+\t\t\t/** support re-keying on SA expiry */\n+\t\t\tuint16_t re_key : 1;\n+\t\t\t/** support Anti replay */\n+\t\t\tuint16_t anti_replay : 1;\n+\t\t\t/** Reserved bitfields for future capabilities */\n+\t\t\tuint16_t reserved : 7;\n \t\t} macsec;\n \t\t/**< MACsec capability */\n \t\tstruct {\ndiff --git a/lib/security/rte_security_driver.h b/lib/security/rte_security_driver.h\nindex b0253e962e..c4098d0f8a 100644\n--- a/lib/security/rte_security_driver.h\n+++ b/lib/security/rte_security_driver.h\n@@ -63,6 +63,50 @@ typedef int (*security_session_update_t)(void *device,\n \t\tstruct rte_security_session *sess,\n \t\tstruct rte_security_session_conf *conf);\n \n+/**\n+ * Configure a MACsec secure channel(SC) on a device.\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tconf\t\tMACsec SC configuration params\n+ *\n+ * @return\n+ *  - positive sc_id if SC is created successfully.\n+ *  - -EINVAL if input parameters are invalid.\n+ *  - -ENOTSUP if device does not support MACsec.\n+ *  - -ENOMEM if the SC cannot be created.\n+ */\n+typedef int (*security_macsec_sc_create_t)(void *device, struct rte_security_macsec_sc *conf);\n+\n+/**\n+ * Free MACsec secure channel(SC).\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tsc_id\t\tMACsec SC id\n+ */\n+typedef int (*security_macsec_sc_destroy_t)(void *device, uint16_t sc_id);\n+\n+/**\n+ * Configure a MACsec security Association(SA) on a device.\n+ *\n+ 
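Review bot: The doc comment on `max_nb_sess` in the new macsec capability struct is a copy of the one on `max_nb_sa` ("Maximum number of SAs supported."), so the field's meaning is lost; it should read `/** Maximum number of sessions supported. */`. The nine single-bit flags plus `reserved : 7` do fill the 16-bit carrier exactly, but a short comment that `reserved` must stay sized to complete the 16 bits would protect future additions from silently widening the struct. The enclosing `struct rte_security_capability` starts before and ends after this hunk.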
* @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tconf\t\tMACsec SA configuration params\n+ *\n+ * @return\n+ *  - positive sa_id if SA is created successfully.\n+ *  - -EINVAL if input parameters are invalid.\n+ *  - -ENOTSUP if device does not support MACsec.\n+ *  - -ENOMEM if the SA cannot be created.\n+ */\n+typedef int (*security_macsec_sa_create_t)(void *device, struct rte_security_macsec_sa *conf);\n+\n+/**\n+ * Free MACsec security association(SA).\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tsa_id\t\tMACsec SA id\n+ */\n+typedef int (*security_macsec_sa_destroy_t)(void *device, uint16_t sa_id);\n+\n /**\n  * Get the size of a security session\n  *\n@@ -89,6 +133,36 @@ typedef int (*security_session_stats_get_t)(void *device,\n \t\tstruct rte_security_session *sess,\n \t\tstruct rte_security_stats *stats);\n \n+/**\n+ * Get MACsec secure channel stats from the PMD.\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tsc_id\t\tsecure channel id created by rte_security_macsec_sc_create()\n+ * @param\tstats\t\tSC stats of the driver\n+ *\n+ * @return\n+ *  - 0 if success.\n+ *  - -EINVAL if sc_id or device is invalid.\n+ */\n+typedef int (*security_macsec_sc_stats_get_t)(void *device, uint16_t sc_id,\n+\t\tstruct rte_security_macsec_sc_stats *stats);\n+\n+/**\n+ * Get MACsec SA stats from the PMD.\n+ *\n+ * @param\tdevice\t\tCrypto/eth device pointer\n+ * @param\tsa_id\t\tsecure channel id created by rte_security_macsec_sc_create()\n+ * @param\tstats\t\tSC stats of the driver\n+ *\n+ * @return\n+ *  - 0 if success.\n+ *  - -EINVAL if sa_id or device is invalid.\n+ */\n+typedef int (*security_macsec_sa_stats_get_t)(void *device, uint16_t sa_id,\n+\t\tstruct rte_security_macsec_sa_stats *stats);\n+\n+\n+\n __rte_internal\n int rte_security_dynfield_register(void);\n \n@@ -154,6 +228,18 @@ struct rte_security_ops {\n \t/**< Get userdata associated with session which processed the packet. 
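Review bot: `security_macsec_sc_destroy_t` and `security_macsec_sa_destroy_t` return `int` but their doc comments carry no `@return`, so a PMD author cannot tell what to report when the id is unknown; add e.g. `@return 0 on success, -EINVAL if sc_id is not a configured SC` (and the SA equivalent). The create callbacks document "positive sc_id/sa_id" on success, which excludes 0 even though the ids are later passed as `uint16_t`; if 0 is meant to be a valid id, say "non-negative", otherwise document that 0 is never allocated. Both points apply equally to the public wrappers declared earlier in rte_security.h.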
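Review bot: The doc block for `security_macsec_sa_stats_get_t` is a copy of the SC one and is wrong for this callback: `@param sa_id` says "secure channel id created by rte_security_macsec_sc_create()" and `@param stats` says "SC stats of the driver". They should read `@param sa_id SA id created by rte_security_macsec_sa_create()` and `@param stats SA stats of the driver`. The hunk also adds three consecutive blank lines before `__rte_internal`; one is enough for the file's existing spacing.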
*/\n \tsecurity_capabilities_get_t capabilities_get;\n \t/**< Get security capabilities. */\n+\tsecurity_macsec_sc_create_t macsec_sc_create;\n+\t/**< Configure a MACsec security channel(SC). */\n+\tsecurity_macsec_sc_destroy_t macsec_sc_destroy;\n+\t/**< Free a MACsec security channel(SC). */\n+\tsecurity_macsec_sa_create_t macsec_sa_create;\n+\t/**< Configure a MACsec security association(SA). */\n+\tsecurity_macsec_sa_destroy_t macsec_sa_destroy;\n+\t/**< Free a MACsec security association(SA). */\n+\tsecurity_macsec_sc_stats_get_t macsec_sc_stats_get;\n+\t/**< Get MACsec SC statistics. */\n+\tsecurity_macsec_sa_stats_get_t macsec_sa_stats_get;\n+\t/**< Get MACsec SA statistics. */\n };\n \n #ifdef __cplusplus\ndiff --git a/lib/security/version.map b/lib/security/version.map\nindex c770b2e8f8..c0c3574dca 100644\n--- a/lib/security/version.map\n+++ b/lib/security/version.map\n@@ -16,6 +16,12 @@ EXPERIMENTAL {\n \t__rte_security_get_userdata;\n \t__rte_security_set_pkt_metadata;\n \trte_security_dynfield_offset;\n+\trte_security_macsec_sa_create;\n+\trte_security_macsec_sa_destroy;\n+\trte_security_macsec_sa_stats_get;\n+\trte_security_macsec_sc_create;\n+\trte_security_macsec_sc_destroy;\n+\trte_security_macsec_sc_stats_get;\n \trte_security_session_stats_get;\n \trte_security_session_update;\n };\n",
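Review bot: The ops comments use "security channel(SC)" while the typedef docs in the same file and the MACsec term itself say "secure channel"; use one spelling, e.g. `/**< Configure a MACsec secure channel (SC). */` and `/**< Free a MACsec secure channel (SC). */`. Since the six new function pointers are appended to `struct rte_security_ops`, PMDs that do not implement MACsec will leave them NULL, so the public wrappers (not visible in this hunk) must check each op for NULL and return -ENOTSUP rather than dereference it; a one-line comment on the struct noting that these members are optional would make that contract explicit for driver authors.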
    "prefixes": [
        "2/3"
    ]
}