[RFC,v2,1/7] security: MACSEC infrastructure data declarations
diff mbox series

Message ID 23d01b87ab0b6628fab4480c731930bf82eec91d.1571928488.git.Pavel.Belous@aquantia.com
State RFC, archived
Delegated to: akhil goyal
Headers show
Series
  • RFC: Support MACSEC offload in the RTE_SECURITY infrastructure.
Related show

Checks

Context Check Description
ci/Intel-compilation fail Compilation issues
ci/checkpatch warning coding style issues

Commit Message

Pavel Belous Oct. 25, 2019, 5:53 p.m. UTC
From: Pavel Belous <Pavel.Belous@aquantia.com>

This patch extends rte_security framework to support MACSEC operations.

Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: Pavel Belous <pavel.belous@aquantia.com>
---
 lib/librte_security/rte_security.h | 143 +++++++++++++++++++++++++++++++++++--
 1 file changed, 138 insertions(+), 5 deletions(-)

Patch
diff mbox series

diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index aaafdfc..201319f 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -29,6 +29,7 @@  extern "C" {
 #include <rte_mbuf.h>
 #include <rte_memory.h>
 #include <rte_mempool.h>
+#include <rte_ether.h>
 
 /** IPSec protocol mode */
 enum rte_security_ipsec_sa_mode {
@@ -215,11 +216,109 @@  struct rte_security_ipsec_xform {
 };
 
 /**
+ * MACSEC global configuration parameters
+ *
+ */
+struct rte_security_macsec_param {
+	uint8_t enabled;
+	uint32_t ingress_pn_threshold;
+	uint32_t egress_pn_threshold;
+	uint8_t interrupts_enabled;
+	/**< List of bypassed ethertypes */
+	uint32_t ctl_ether_types[8];
+};
+
+/**
+ * MACSEC SC (Secure Connection) parameters
+ *
+ */
+struct rte_security_macsec_txsc_param {
+	struct rte_ether_addr s_mac;
+	/**< local side mac address */
+	struct rte_ether_addr d_mac;
+	/**< remote side mac address */
+	uint64_t sci;
+	uint32_t tci;
+	uint32_t sa_num;
+	uint8_t encrypt;
+	uint8_t protect;
+	uint8_t key_len;
+	uint8_t auto_rollover_enabled;
+
+	uint32_t index;
+	uint32_t curr_an;
+};
+
+struct rte_security_macsec_rxsc_param {
+	struct rte_ether_addr s_mac;
+	struct rte_ether_addr d_mac;
+	uint64_t sci;
+	uint32_t tci;
+	uint32_t sa_num;
+	/**< remote side mac address */
+	uint8_t replay_protection;
+	/**< replay protection */
+	uint32_t anti_replay_window;
+	/**< anti replay window */
+	uint16_t port_ident;
+	/**< remote side port identifier */
+	uint8_t auto_rollover_enabled;
+	uint8_t validate_frames;
+
+	uint32_t index;
+};
+
+struct rte_security_macsec_sa_param {
+	uint8_t sa_idx;
+	uint8_t an;
+	uint32_t packet_number;
+	uint8_t key_len;
+	uint8_t key[32];
+};
+
+struct rte_security_macsec_capabilities {
+        /** Extended Packet Numbers (XPN)
+         *
+         * * 1: Extended (64 bit) packet numbers supported
+         * * 0: Extended (64 bit) packet numbers not supported
+         */
+        uint32_t xpn : 1;
+};
+
+/**
+ * Available operations over MACSEC instance
+ */
+enum rte_security_macsec_op {
+	RTE_SECURITY_MACSEC_OP_CONFIG = 0,
+
+	RTE_SECURITY_MACSEC_OP_ADD_TXSC,
+	RTE_SECURITY_MACSEC_OP_DEL_TXSC,
+	RTE_SECURITY_MACSEC_OP_UPD_TXSC,
+
+	RTE_SECURITY_MACSEC_OP_ADD_RXSC,
+	RTE_SECURITY_MACSEC_OP_DEL_RXSC,
+	RTE_SECURITY_MACSEC_OP_UPD_RXSC,
+
+	RTE_SECURITY_MACSEC_OP_ADD_TXSA,
+	RTE_SECURITY_MACSEC_OP_DEL_TXSA,
+	RTE_SECURITY_MACSEC_OP_UPD_TXSA,
+
+	RTE_SECURITY_MACSEC_OP_ADD_RXSA,
+	RTE_SECURITY_MACSEC_OP_DEL_RXSA,
+	RTE_SECURITY_MACSEC_OP_UPD_RXSA,
+};
+
+/**
  * MACsec security session configuration
  */
 struct rte_security_macsec_xform {
-	/** To be Filled */
-	int dummy;
+	enum rte_security_macsec_op op;
+	union {
+		struct rte_security_macsec_param config_options;
+		struct rte_security_macsec_txsc_param txsc_options;
+		struct rte_security_macsec_rxsc_param rxsc_options;
+		struct rte_security_macsec_sa_param sa_options;
+	};
 };
 
 /**
@@ -495,7 +594,42 @@  rte_security_attach_session(struct rte_crypto_op *op,
 }
 
 struct rte_security_macsec_stats {
-	uint64_t reserved;
+	/* Ingress Counters */
+	uint64_t in_ctl_pkts;
+	uint64_t in_tagged_miss_pkts;
+	uint64_t in_untagged_miss_pkts;
+	uint64_t in_notag_pkts;
+	uint64_t in_untagged_pkts;
+	uint64_t in_bad_tag_pkts;
+	uint64_t in_no_sci_pkts;
+	uint64_t in_unknown_sci_pkts;
+
+	/* Egress Counters */
+	uint64_t out_ctl_pkts;
+	uint64_t out_unknown_sa_pkts;
+	uint64_t out_untagged_pkts;
+	uint64_t out_too_long;
+
+	/* Ingress SA Counters */
+	uint64_t in_untagged_hit_pkts;
+	uint64_t in_not_using_sa;
+	uint64_t in_unused_sa;
+	uint64_t in_not_valid_pkts;
+	uint64_t in_invalid_pkts;
+	uint64_t in_ok_pkts;
+	uint64_t in_unchecked_pkts;
+	uint64_t in_validated_octets;
+	uint64_t in_decrypted_octets;
+	/* Egress SC Counters */
+	uint64_t out_sc_protected_pkts;
+	uint64_t out_sc_encrypted_pkts;
+	uint64_t out_sc_protected_octets;
+	uint64_t out_sc_encrypted_octets;
+	/* Egress SA Counters */
+	uint64_t out_sa_hit_drop_redirect;
+	uint64_t out_sa_protected2_pkts;
+	uint64_t out_sa_protected_pkts;
+	uint64_t out_sa_encrypted_pkts;
 };
 
 struct rte_security_ipsec_stats {
@@ -566,8 +700,7 @@  struct rte_security_capability {
 		} ipsec;
 		/**< IPsec capability */
 		struct {
-			/* To be Filled */
-			int dummy;
+			struct rte_security_macsec_capabilities caps;
 		} macsec;
 		/**< MACsec capability */
 		struct {