[v2] net/ixgbe: fix macsec setting

Message ID 20191029163211.3254-1-guinanx.sun@intel.com (mailing list archive)
State Superseded, archived
Delegated to: xiaolong ye
Headers
Series [v2] net/ixgbe: fix macsec setting |

Checks

Context Check Description
ci/Intel-compilation fail Compilation issues
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-compilation success Compile Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/travis-robot success Travis build: passed
ci/checkpatch success coding style OK

Commit Message

Guinan Sun Oct. 29, 2019, 4:32 p.m. UTC
macsec setting is not valid when port is stopped.
In order to make it valid, the patch changes the setting
to where port is started.

Fixes: 597f9fafe13b ("app/testpmd: convert to new Tx offloads API")
Cc: stable@dpdk.org

Signed-off-by: Sun GuinanX <guinanx.sun@intel.com>
---
v2:
* Modified function name
* Refactored the rte_pmd_ixgbe_macsec_enable/disable function
* Modified structure name
* Modified the data type of a structure variable
---
 drivers/net/ixgbe/ixgbe_ethdev.c  | 160 ++++++++++++++++++++++++++++++
 drivers/net/ixgbe/ixgbe_ethdev.h  |  15 +++
 drivers/net/ixgbe/rte_pmd_ixgbe.c | 127 ++----------------------
 3 files changed, 182 insertions(+), 120 deletions(-)
  

Comments

Xiaolong Ye Oct. 29, 2019, 9:03 a.m. UTC | #1
On 10/29, Sun GuinanX wrote:
>macsec setting is not valid when port is stopped.
>In order to make it valid, the patch changes the setting
>to where port is started.
>
>Fixes: 597f9fafe13b ("app/testpmd: convert to new Tx offloads API")
>Cc: stable@dpdk.org
>
>Signed-off-by: Sun GuinanX <guinanx.sun@intel.com>
>---
>v2:
>* Modified function name
>* Refactored the rte_pmd_ixgbe_macsec_enable/disable function
>* Modified structure name
>* Modified the data type of a structure variable
>---
> drivers/net/ixgbe/ixgbe_ethdev.c  | 160 ++++++++++++++++++++++++++++++
> drivers/net/ixgbe/ixgbe_ethdev.h  |  15 +++
> drivers/net/ixgbe/rte_pmd_ixgbe.c | 127 ++----------------------
> 3 files changed, 182 insertions(+), 120 deletions(-)
>
>diff --git a/drivers/net/ixgbe/ixgbe_ethdev.c b/drivers/net/ixgbe/ixgbe_ethdev.c
>index dbce7a80e..7ae7bc9ca 100644
>--- a/drivers/net/ixgbe/ixgbe_ethdev.c
>+++ b/drivers/net/ixgbe/ixgbe_ethdev.c
>@@ -379,6 +379,11 @@ static int ixgbe_dev_udp_tunnel_port_del(struct rte_eth_dev *dev,
> static int ixgbe_filter_restore(struct rte_eth_dev *dev);
> static void ixgbe_l2_tunnel_conf(struct rte_eth_dev *dev);
> 
>+static void ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
>+		struct ixgbe_macsec_setting *macsec_contrl);
>+
>+static void ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev *dev);
>+
> /*
>  * Define VF Stats MACRO for Non "cleared on read" register
>  */
>@@ -2542,6 +2547,8 @@ ixgbe_dev_start(struct rte_eth_dev *dev)
> 	uint32_t *link_speeds;
> 	struct ixgbe_tm_conf *tm_conf =
> 		IXGBE_DEV_PRIVATE_TO_TM_CONF(dev->data->dev_private);
>+	struct ixgbe_macsec_setting *macsec_ctrl =
>+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
> 
> 	PMD_INIT_FUNC_TRACE();
> 
>@@ -2794,6 +2801,9 @@ ixgbe_dev_start(struct rte_eth_dev *dev)
> 	 */
> 	ixgbe_dev_link_update(dev, 0);
> 
>+	/* setup the macsec ctrl register */
>+	ixgbe_dev_macsec_ctrl_register_enable(dev, macsec_ctrl);
>+
> 	return 0;
> 
> error:
>@@ -2825,6 +2835,9 @@ ixgbe_dev_stop(struct rte_eth_dev *dev)
> 
> 	PMD_INIT_FUNC_TRACE();
> 
>+	/* disable mecsec register */
>+	ixgbe_dev_macsec_ctrl_register_disable(dev);
>+
> 	rte_eal_alarm_cancel(ixgbe_dev_setup_link_alarm_handler, dev);
> 
> 	/* disable interrupts */
>@@ -8816,6 +8829,153 @@ ixgbe_clear_all_l2_tn_filter(struct rte_eth_dev *dev)
> 	return 0;
> }
> 
>+/* macsec ctrl setup enable */

This comment is not aligned with the function name, actually since this function
is quite straightforward, the comment is unnecessary.

>+void
>+ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
>+				struct ixgbe_macsec_setting *macsec_ctrl)
>+{
>+	struct ixgbe_macsec_setting *macsec =
>+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
>+
>+	macsec->encrypt_en = macsec_ctrl->encrypt_en;
>+	macsec->replayprotect_en = macsec_ctrl->replayprotect_en;
>+}
>+
>+/* macsec ctrl setup disable */

ditto

>+void
>+ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev)
>+{
>+	struct ixgbe_macsec_setting *macsec =
>+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
>+
>+	macsec->encrypt_en = 0;
>+	macsec->replayprotect_en = 0;
>+}
>+
>+/* macsec ctrl register set */
>+static void
>+ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
>+				struct ixgbe_macsec_setting *macsec_contrl)
>+{
>+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
>+	uint32_t ctrl;
>+	uint8_t en = (uint8_t)macsec_contrl->encrypt_en;
>+	uint8_t rp = (uint8_t)macsec_contrl->replayprotect_en;
>+
>+	/**
>+	 * Workaround:
>+	 * As no ixgbe_disable_sec_rx_path equivalent is
>+	 * implemented for tx in the base code, and we are
>+	 * not allowed to modify the base code in DPDK, so
>+	 * just call the hand-written one directly for now.
>+	 * The hardware support has been checked by
>+	 * ixgbe_disable_sec_rx_path().
>+	 */
>+	ixgbe_disable_sec_tx_path_generic(hw);
>+
>+	/* Enable Ethernet CRC (required by MACsec offload) */
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
>+	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
>+	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
>+
>+	/* Enable the TX and RX crypto engines */
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
>+	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
>+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
>+
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
>+	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
>+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
>+
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
>+	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
>+	ctrl |= 0x3;
>+	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
>+
>+	/* Enable SA lookup */
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
>+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
>+	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
>+		     IXGBE_LSECTXCTRL_AUTH;
>+	ctrl |= IXGBE_LSECTXCTRL_AISCI;
>+	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
>+	ctrl |= IXGBE_MACSEC_PNTHRSH & IXGBE_LSECTXCTRL_PNTHRSH_MASK;
>+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
>+
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
>+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
>+	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
>+	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
>+	if (rp)
>+		ctrl |= IXGBE_LSECRXCTRL_RP;
>+	else
>+		ctrl &= ~IXGBE_LSECRXCTRL_RP;
>+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
>+
>+	/* Start the data paths */
>+	ixgbe_enable_sec_rx_path(hw);
>+	/**
>+	 * Workaround:
>+	 * As no ixgbe_enable_sec_rx_path equivalent is
>+	 * implemented for tx in the base code, and we are
>+	 * not allowed to modify the base code in DPDK, so
>+	 * just call the hand-written one directly for now.
>+	 */
>+	ixgbe_enable_sec_tx_path_generic(hw);
>+}
>+
>+/* macsec ctrl register set */
>+static void
>+ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev *dev)
>+{
>+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
>+	uint32_t ctrl;
>+
>+	/**
>+	 * Workaround:
>+	 * As no ixgbe_disable_sec_rx_path equivalent is
>+	 * implemented for tx in the base code, and we are
>+	 * not allowed to modify the base code in DPDK, so
>+	 * just call the hand-written one directly for now.
>+	 * The hardware support has been checked by
>+	 * ixgbe_disable_sec_rx_path().
>+	 */
>+	ixgbe_disable_sec_tx_path_generic(hw);
>+
>+	/* Disable the TX and RX crypto engines */
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
>+	ctrl |= IXGBE_SECTXCTRL_SECTX_DIS;
>+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
>+
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
>+	ctrl |= IXGBE_SECRXCTRL_SECRX_DIS;
>+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
>+
>+	/* Disable SA lookup */
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
>+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
>+	ctrl |= IXGBE_LSECTXCTRL_DISABLE;
>+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
>+
>+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
>+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
>+	ctrl |= IXGBE_LSECRXCTRL_DISABLE << IXGBE_LSECRXCTRL_EN_SHIFT;
>+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
>+
>+	/* Start the data paths */
>+	ixgbe_enable_sec_rx_path(hw);
>+	/**
>+	 * Workaround:
>+	 * As no ixgbe_enable_sec_rx_path equivalent is
>+	 * implemented for tx in the base code, and we are
>+	 * not allowed to modify the base code in DPDK, so
>+	 * just call the hand-written one directly for now.
>+	 */
>+	ixgbe_enable_sec_tx_path_generic(hw);
>+}
>+
>+
>+

One empty line is enough here.

> RTE_PMD_REGISTER_PCI(net_ixgbe, rte_ixgbe_pmd);
> RTE_PMD_REGISTER_PCI_TABLE(net_ixgbe, pci_id_ixgbe_map);
> RTE_PMD_REGISTER_KMOD_DEP(net_ixgbe, "* igb_uio | uio_pci_generic | vfio-pci");
>diff --git a/drivers/net/ixgbe/ixgbe_ethdev.h b/drivers/net/ixgbe/ixgbe_ethdev.h
>index 6e9ed2e10..6aa2cdbbc 100644
>--- a/drivers/net/ixgbe/ixgbe_ethdev.h
>+++ b/drivers/net/ixgbe/ixgbe_ethdev.h
>@@ -365,6 +365,12 @@ struct rte_flow {
> 	void *rule;
> };
> 
>+/* MACsec Control structure */

Comment is unaligned and unnecessary.

>+struct ixgbe_macsec_setting {
>+	uint8_t encrypt_en;		/* encrypt enabled */
>+	uint8_t replayprotect_en;	/* replayprotect enabled */
>+};
>+
> /*
>  * Statistics counters collected by the MACsec
>  */
>@@ -471,6 +477,7 @@ struct ixgbe_adapter {
> 	struct ixgbe_hw             hw;
> 	struct ixgbe_hw_stats       stats;
> 	struct ixgbe_macsec_stats   macsec_stats;
>+	struct ixgbe_macsec_setting	macsec_ctrl;
> 	struct ixgbe_hw_fdir_info   fdir;
> 	struct ixgbe_interrupt      intr;
> 	struct ixgbe_stat_mapping_registers stat_mappings;
>@@ -523,6 +530,9 @@ int ixgbe_vf_representor_uninit(struct rte_eth_dev *ethdev);
> #define IXGBE_DEV_PRIVATE_TO_MACSEC_STATS(adapter) \
> 	(&((struct ixgbe_adapter *)adapter)->macsec_stats)
> 
>+#define IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(adapter) \
>+	(&((struct ixgbe_adapter *)adapter)->macsec_ctrl)
>+
> #define IXGBE_DEV_PRIVATE_TO_INTR(adapter) \
> 	(&((struct ixgbe_adapter *)adapter)->intr)
> 
>@@ -741,6 +751,11 @@ int ixgbe_action_rss_same(const struct rte_flow_action_rss *comp,
> int ixgbe_config_rss_filter(struct rte_eth_dev *dev,
> 		struct ixgbe_rte_flow_rss_conf *conf, bool add);
> 
>+void ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
>+		struct ixgbe_macsec_setting *macsec_ctrl);
>+
>+void ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev);
>+
> static inline int
> ixgbe_ethertype_filter_lookup(struct ixgbe_filter_info *filter_info,
> 			      uint16_t ethertype)
>diff --git a/drivers/net/ixgbe/rte_pmd_ixgbe.c b/drivers/net/ixgbe/rte_pmd_ixgbe.c
>index 9514f2cf5..3a1474876 100644
>--- a/drivers/net/ixgbe/rte_pmd_ixgbe.c
>+++ b/drivers/net/ixgbe/rte_pmd_ixgbe.c
>@@ -515,82 +515,18 @@ rte_pmd_ixgbe_set_vf_rate_limit(uint16_t port, uint16_t vf,
> int
> rte_pmd_ixgbe_macsec_enable(uint16_t port, uint8_t en, uint8_t rp)
> {

I think there is usercase when dev is started, and user calls
rte_pmd_ixgbe_macsec_enable and he expects it will take effect, so we still
need to configure register (call ixgbe_dev_macsec_ctrl_register_enable) here
other than just caching the macsec setting.

>-	struct ixgbe_hw *hw;
> 	struct rte_eth_dev *dev;
>-	uint32_t ctrl;
>+	struct ixgbe_macsec_setting macsec_setting;
> 
> 	RTE_ETH_VALID_PORTID_OR_ERR_RET(port, -ENODEV);
> 
> 	dev = &rte_eth_devices[port];
> 
>-	if (!is_ixgbe_supported(dev))
>-		return -ENOTSUP;
>-
>-	hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
>+	macsec_setting.encrypt_en = en;
>+	macsec_setting.replayprotect_en = rp;
> 
>-	/* Stop the data paths */
>-	if (ixgbe_disable_sec_rx_path(hw) != IXGBE_SUCCESS)
>-		return -ENOTSUP;
>-	/**
>-	 * Workaround:
>-	 * As no ixgbe_disable_sec_rx_path equivalent is
>-	 * implemented for tx in the base code, and we are
>-	 * not allowed to modify the base code in DPDK, so
>-	 * just call the hand-written one directly for now.
>-	 * The hardware support has been checked by
>-	 * ixgbe_disable_sec_rx_path().
>-	 */
>-	ixgbe_disable_sec_tx_path_generic(hw);
>-
>-	/* Enable Ethernet CRC (required by MACsec offload) */
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
>-	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
>-	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
>-
>-	/* Enable the TX and RX crypto engines */
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
>-	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
>-	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
>-
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
>-	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
>-	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
>-
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
>-	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
>-	ctrl |= 0x3;
>-	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
>-
>-	/* Enable SA lookup */
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
>-	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
>-	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
>-		     IXGBE_LSECTXCTRL_AUTH;
>-	ctrl |= IXGBE_LSECTXCTRL_AISCI;
>-	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
>-	ctrl |= IXGBE_MACSEC_PNTHRSH & IXGBE_LSECTXCTRL_PNTHRSH_MASK;
>-	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
>-
>-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
>-	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
>-	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
>-	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
>-	if (rp)
>-		ctrl |= IXGBE_LSECRXCTRL_RP;
>-	else
>-		ctrl &= ~IXGBE_LSECRXCTRL_RP;
>-	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
>-
>-	/* Start the data paths */
>-	ixgbe_enable_sec_rx_path(hw);
>-	/**
>-	 * Workaround:
>-	 * As no ixgbe_enable_sec_rx_path equivalent is
>-	 * implemented for tx in the base code, and we are
>-	 * not allowed to modify the base code in DPDK, so
>-	 * just call the hand-written one directly for now.
>-	 */
>-	ixgbe_enable_sec_tx_path_generic(hw);
>+	/* Enable macsec setup  */
>+	ixgbe_dev_macsec_setting_save(dev, &macsec_setting);
> 
> 	return 0;
> }
>@@ -598,63 +534,14 @@ rte_pmd_ixgbe_macsec_enable(uint16_t port, uint8_t en, uint8_t rp)
> int
> rte_pmd_ixgbe_macsec_disable(uint16_t port)
> {

Ditto.

Thanks,
Xiaolong
  
Guinan Sun Oct. 30, 2019, 3:19 a.m. UTC | #2
Hi, Xiaolong

On 10/29, Sun GuinanX wrote:
> >macsec setting is not valid when port is stopped.
> >In order to make it valid, the patch changes the setting to where port
> >is started.
> >
> >Fixes: 597f9fafe13b ("app/testpmd: convert to new Tx offloads API")
> >Cc: stable@dpdk.org
> >
> >Signed-off-by: Sun GuinanX <guinanx.sun@intel.com>
> >---
> >v2:
> >* Modified function name
> >* Refactored the rte_pmd_ixgbe_macsec_enable/disable function
> >* Modified structure name
> >* Modified the data type of a structure variable
> >---
> > drivers/net/ixgbe/ixgbe_ethdev.c  | 160 ++++++++++++++++++++++++++++++
> >drivers/net/ixgbe/ixgbe_ethdev.h  |  15 +++
> >drivers/net/ixgbe/rte_pmd_ixgbe.c | 127 ++----------------------
> > 3 files changed, 182 insertions(+), 120 deletions(-)
> >
> >diff --git a/drivers/net/ixgbe/ixgbe_ethdev.c
> >b/drivers/net/ixgbe/ixgbe_ethdev.c
> >index dbce7a80e..7ae7bc9ca 100644
> >--- a/drivers/net/ixgbe/ixgbe_ethdev.c
> >+++ b/drivers/net/ixgbe/ixgbe_ethdev.c
> >@@ -379,6 +379,11 @@ static int ixgbe_dev_udp_tunnel_port_del(struct
> >rte_eth_dev *dev,  static int ixgbe_filter_restore(struct rte_eth_dev
> >*dev);  static void ixgbe_l2_tunnel_conf(struct rte_eth_dev *dev);
> >
> >+static void ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
> >+		struct ixgbe_macsec_setting *macsec_contrl);
> >+
> >+static void ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev
> >+*dev);
> >+
> > /*
> >  * Define VF Stats MACRO for Non "cleared on read" register
> >  */
> >@@ -2542,6 +2547,8 @@ ixgbe_dev_start(struct rte_eth_dev *dev)
> > 	uint32_t *link_speeds;
> > 	struct ixgbe_tm_conf *tm_conf =
> > 		IXGBE_DEV_PRIVATE_TO_TM_CONF(dev->data->dev_private);
> >+	struct ixgbe_macsec_setting *macsec_ctrl =
> >+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data-
> >dev_private);
> >
> > 	PMD_INIT_FUNC_TRACE();
> >
> >@@ -2794,6 +2801,9 @@ ixgbe_dev_start(struct rte_eth_dev *dev)
> > 	 */
> > 	ixgbe_dev_link_update(dev, 0);
> >
> >+	/* setup the macsec ctrl register */
> >+	ixgbe_dev_macsec_ctrl_register_enable(dev, macsec_ctrl);
> >+
> > 	return 0;
> >
> > error:
> >@@ -2825,6 +2835,9 @@ ixgbe_dev_stop(struct rte_eth_dev *dev)
> >
> > 	PMD_INIT_FUNC_TRACE();
> >
> >+	/* disable mecsec register */
> >+	ixgbe_dev_macsec_ctrl_register_disable(dev);
> >+
> > 	rte_eal_alarm_cancel(ixgbe_dev_setup_link_alarm_handler, dev);
> >
> > 	/* disable interrupts */
> >@@ -8816,6 +8829,153 @@ ixgbe_clear_all_l2_tn_filter(struct rte_eth_dev
> *dev)
> > 	return 0;
> > }
> >
> >+/* macsec ctrl setup enable */
> 
> This comment is not aligned with the function name, actually since this function
> is quite straightforward, the comment is unnecessary.
Similar useless comments had been removed
> 
> >+void
> >+ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
> >+				struct ixgbe_macsec_setting *macsec_ctrl) {
> >+	struct ixgbe_macsec_setting *macsec =
> >+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data-
> >dev_private);
> >+
> >+	macsec->encrypt_en = macsec_ctrl->encrypt_en;
> >+	macsec->replayprotect_en = macsec_ctrl->replayprotect_en; }
> >+
> >+/* macsec ctrl setup disable */
> 
> ditto
Similar useless comments had been removed
> 
> >+void
> >+ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev) {
> >+	struct ixgbe_macsec_setting *macsec =
> >+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data-
> >dev_private);
> >+
> >+	macsec->encrypt_en = 0;
> >+	macsec->replayprotect_en = 0;
> >+}
> >+
> >+/* macsec ctrl register set */
> >+static void
> >+ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
> >+				struct ixgbe_macsec_setting *macsec_contrl) {
> >+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data-
> >dev_private);
> >+	uint32_t ctrl;
> >+	uint8_t en = (uint8_t)macsec_contrl->encrypt_en;
> >+	uint8_t rp = (uint8_t)macsec_contrl->replayprotect_en;
> >+
> >+	/**
> >+	 * Workaround:
> >+	 * As no ixgbe_disable_sec_rx_path equivalent is
> >+	 * implemented for tx in the base code, and we are
> >+	 * not allowed to modify the base code in DPDK, so
> >+	 * just call the hand-written one directly for now.
> >+	 * The hardware support has been checked by
> >+	 * ixgbe_disable_sec_rx_path().
> >+	 */
> >+	ixgbe_disable_sec_tx_path_generic(hw);
> >+
> >+	/* Enable Ethernet CRC (required by MACsec offload) */
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
> >+	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
> >+	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
> >+
> >+	/* Enable the TX and RX crypto engines */
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
> >+	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
> >+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
> >+
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
> >+	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
> >+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
> >+
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
> >+	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
> >+	ctrl |= 0x3;
> >+	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
> >+
> >+	/* Enable SA lookup */
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
> >+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
> >+	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
> >+		     IXGBE_LSECTXCTRL_AUTH;
> >+	ctrl |= IXGBE_LSECTXCTRL_AISCI;
> >+	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
> >+	ctrl |= IXGBE_MACSEC_PNTHRSH &
> IXGBE_LSECTXCTRL_PNTHRSH_MASK;
> >+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
> >+
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
> >+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
> >+	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
> >+	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
> >+	if (rp)
> >+		ctrl |= IXGBE_LSECRXCTRL_RP;
> >+	else
> >+		ctrl &= ~IXGBE_LSECRXCTRL_RP;
> >+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
> >+
> >+	/* Start the data paths */
> >+	ixgbe_enable_sec_rx_path(hw);
> >+	/**
> >+	 * Workaround:
> >+	 * As no ixgbe_enable_sec_rx_path equivalent is
> >+	 * implemented for tx in the base code, and we are
> >+	 * not allowed to modify the base code in DPDK, so
> >+	 * just call the hand-written one directly for now.
> >+	 */
> >+	ixgbe_enable_sec_tx_path_generic(hw);
> >+}
> >+
> >+/* macsec ctrl register set */
> >+static void
> >+ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev *dev) {
> >+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data-
> >dev_private);
> >+	uint32_t ctrl;
> >+
> >+	/**
> >+	 * Workaround:
> >+	 * As no ixgbe_disable_sec_rx_path equivalent is
> >+	 * implemented for tx in the base code, and we are
> >+	 * not allowed to modify the base code in DPDK, so
> >+	 * just call the hand-written one directly for now.
> >+	 * The hardware support has been checked by
> >+	 * ixgbe_disable_sec_rx_path().
> >+	 */
> >+	ixgbe_disable_sec_tx_path_generic(hw);
> >+
> >+	/* Disable the TX and RX crypto engines */
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
> >+	ctrl |= IXGBE_SECTXCTRL_SECTX_DIS;
> >+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
> >+
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
> >+	ctrl |= IXGBE_SECRXCTRL_SECRX_DIS;
> >+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
> >+
> >+	/* Disable SA lookup */
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
> >+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
> >+	ctrl |= IXGBE_LSECTXCTRL_DISABLE;
> >+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
> >+
> >+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
> >+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
> >+	ctrl |= IXGBE_LSECRXCTRL_DISABLE << IXGBE_LSECRXCTRL_EN_SHIFT;
> >+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
> >+
> >+	/* Start the data paths */
> >+	ixgbe_enable_sec_rx_path(hw);
> >+	/**
> >+	 * Workaround:
> >+	 * As no ixgbe_enable_sec_rx_path equivalent is
> >+	 * implemented for tx in the base code, and we are
> >+	 * not allowed to modify the base code in DPDK, so
> >+	 * just call the hand-written one directly for now.
> >+	 */
> >+	ixgbe_enable_sec_tx_path_generic(hw);
> >+}
> >+
> >+
> >+
> 
> One empty line is enough here.
had been removed
> 
> > RTE_PMD_REGISTER_PCI(net_ixgbe, rte_ixgbe_pmd);
> >RTE_PMD_REGISTER_PCI_TABLE(net_ixgbe, pci_id_ixgbe_map);
> >RTE_PMD_REGISTER_KMOD_DEP(net_ixgbe, "* igb_uio | uio_pci_generic |
> >vfio-pci"); diff --git a/drivers/net/ixgbe/ixgbe_ethdev.h
> >b/drivers/net/ixgbe/ixgbe_ethdev.h
> >index 6e9ed2e10..6aa2cdbbc 100644
> >--- a/drivers/net/ixgbe/ixgbe_ethdev.h
> >+++ b/drivers/net/ixgbe/ixgbe_ethdev.h
> >@@ -365,6 +365,12 @@ struct rte_flow {
> > 	void *rule;
> > };
> >
> >+/* MACsec Control structure */
> 
> Comment is unaligned and unnecessary.
had been removed
> 
> >+struct ixgbe_macsec_setting {
> >+	uint8_t encrypt_en;		/* encrypt enabled */
> >+	uint8_t replayprotect_en;	/* replayprotect enabled */
> >+};
> >+
> > /*
> >  * Statistics counters collected by the MACsec
> >  */
> >@@ -471,6 +477,7 @@ struct ixgbe_adapter {
> > 	struct ixgbe_hw             hw;
> > 	struct ixgbe_hw_stats       stats;
> > 	struct ixgbe_macsec_stats   macsec_stats;
> >+	struct ixgbe_macsec_setting	macsec_ctrl;
> > 	struct ixgbe_hw_fdir_info   fdir;
> > 	struct ixgbe_interrupt      intr;
> > 	struct ixgbe_stat_mapping_registers stat_mappings; @@ -523,6 +530,9
> >@@ int ixgbe_vf_representor_uninit(struct rte_eth_dev *ethdev);
> >#define IXGBE_DEV_PRIVATE_TO_MACSEC_STATS(adapter) \
> > 	(&((struct ixgbe_adapter *)adapter)->macsec_stats)
> >
> >+#define IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(adapter) \
> >+	(&((struct ixgbe_adapter *)adapter)->macsec_ctrl)
> >+
> > #define IXGBE_DEV_PRIVATE_TO_INTR(adapter) \
> > 	(&((struct ixgbe_adapter *)adapter)->intr)
> >
> >@@ -741,6 +751,11 @@ int ixgbe_action_rss_same(const struct
> >rte_flow_action_rss *comp,  int ixgbe_config_rss_filter(struct rte_eth_dev
> *dev,
> > 		struct ixgbe_rte_flow_rss_conf *conf, bool add);
> >
> >+void ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
> >+		struct ixgbe_macsec_setting *macsec_ctrl);
> >+
> >+void ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev);
> >+
> > static inline int
> > ixgbe_ethertype_filter_lookup(struct ixgbe_filter_info *filter_info,
> > 			      uint16_t ethertype)
> >diff --git a/drivers/net/ixgbe/rte_pmd_ixgbe.c
> >b/drivers/net/ixgbe/rte_pmd_ixgbe.c
> >index 9514f2cf5..3a1474876 100644
> >--- a/drivers/net/ixgbe/rte_pmd_ixgbe.c
> >+++ b/drivers/net/ixgbe/rte_pmd_ixgbe.c
> >@@ -515,82 +515,18 @@ rte_pmd_ixgbe_set_vf_rate_limit(uint16_t port,
> >uint16_t vf,  int  rte_pmd_ixgbe_macsec_enable(uint16_t port, uint8_t
> >en, uint8_t rp)  {
> 
> I think there is usercase when dev is started, and user calls
> rte_pmd_ixgbe_macsec_enable and he expects it will take effect, so we still
> need to configure register (call ixgbe_dev_macsec_ctrl_register_enable) here
> other than just caching the macsec setting.
>
This kind of usercase processing will be added in the patch of V3.
 
> >-	struct ixgbe_hw *hw;
> > 	struct rte_eth_dev *dev;
> >-	uint32_t ctrl;
> >+	struct ixgbe_macsec_setting macsec_setting;
> >
> > 	RTE_ETH_VALID_PORTID_OR_ERR_RET(port, -ENODEV);
> >
> > 	dev = &rte_eth_devices[port];
> >
> >-	if (!is_ixgbe_supported(dev))
> >-		return -ENOTSUP;
> >-
> >-	hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
> >+	macsec_setting.encrypt_en = en;
> >+	macsec_setting.replayprotect_en = rp;
> >
> >-	/* Stop the data paths */
> >-	if (ixgbe_disable_sec_rx_path(hw) != IXGBE_SUCCESS)
> >-		return -ENOTSUP;
> >-	/**
> >-	 * Workaround:
> >-	 * As no ixgbe_disable_sec_rx_path equivalent is
> >-	 * implemented for tx in the base code, and we are
> >-	 * not allowed to modify the base code in DPDK, so
> >-	 * just call the hand-written one directly for now.
> >-	 * The hardware support has been checked by
> >-	 * ixgbe_disable_sec_rx_path().
> >-	 */
> >-	ixgbe_disable_sec_tx_path_generic(hw);
> >-
> >-	/* Enable Ethernet CRC (required by MACsec offload) */
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
> >-	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
> >-	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
> >-
> >-	/* Enable the TX and RX crypto engines */
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
> >-	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
> >-	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
> >-
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
> >-	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
> >-	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
> >-
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
> >-	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
> >-	ctrl |= 0x3;
> >-	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
> >-
> >-	/* Enable SA lookup */
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
> >-	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
> >-	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
> >-		     IXGBE_LSECTXCTRL_AUTH;
> >-	ctrl |= IXGBE_LSECTXCTRL_AISCI;
> >-	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
> >-	ctrl |= IXGBE_MACSEC_PNTHRSH &
> IXGBE_LSECTXCTRL_PNTHRSH_MASK;
> >-	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
> >-
> >-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
> >-	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
> >-	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
> >-	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
> >-	if (rp)
> >-		ctrl |= IXGBE_LSECRXCTRL_RP;
> >-	else
> >-		ctrl &= ~IXGBE_LSECRXCTRL_RP;
> >-	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
> >-
> >-	/* Start the data paths */
> >-	ixgbe_enable_sec_rx_path(hw);
> >-	/**
> >-	 * Workaround:
> >-	 * As no ixgbe_enable_sec_rx_path equivalent is
> >-	 * implemented for tx in the base code, and we are
> >-	 * not allowed to modify the base code in DPDK, so
> >-	 * just call the hand-written one directly for now.
> >-	 */
> >-	ixgbe_enable_sec_tx_path_generic(hw);
> >+	/* Enable macsec setup  */
> >+	ixgbe_dev_macsec_setting_save(dev, &macsec_setting);
> >
> > 	return 0;
> > }
> >@@ -598,63 +534,14 @@ rte_pmd_ixgbe_macsec_enable(uint16_t port,
> >uint8_t en, uint8_t rp)  int  rte_pmd_ixgbe_macsec_disable(uint16_t
> >port)  {
> 
> Ditto.
>
This kind of usercase processing will be added in the patch of V3.
 
> Thanks,
> Xiaolong
  

Patch

diff --git a/drivers/net/ixgbe/ixgbe_ethdev.c b/drivers/net/ixgbe/ixgbe_ethdev.c
index dbce7a80e..7ae7bc9ca 100644
--- a/drivers/net/ixgbe/ixgbe_ethdev.c
+++ b/drivers/net/ixgbe/ixgbe_ethdev.c
@@ -379,6 +379,11 @@  static int ixgbe_dev_udp_tunnel_port_del(struct rte_eth_dev *dev,
 static int ixgbe_filter_restore(struct rte_eth_dev *dev);
 static void ixgbe_l2_tunnel_conf(struct rte_eth_dev *dev);
 
+static void ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
+		struct ixgbe_macsec_setting *macsec_contrl);
+
+static void ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev *dev);
+
 /*
  * Define VF Stats MACRO for Non "cleared on read" register
  */
@@ -2542,6 +2547,8 @@  ixgbe_dev_start(struct rte_eth_dev *dev)
 	uint32_t *link_speeds;
 	struct ixgbe_tm_conf *tm_conf =
 		IXGBE_DEV_PRIVATE_TO_TM_CONF(dev->data->dev_private);
+	struct ixgbe_macsec_setting *macsec_ctrl =
+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
 
 	PMD_INIT_FUNC_TRACE();
 
@@ -2794,6 +2801,9 @@  ixgbe_dev_start(struct rte_eth_dev *dev)
 	 */
 	ixgbe_dev_link_update(dev, 0);
 
+	/* setup the macsec ctrl register */
+	ixgbe_dev_macsec_ctrl_register_enable(dev, macsec_ctrl);
+
 	return 0;
 
 error:
@@ -2825,6 +2835,9 @@  ixgbe_dev_stop(struct rte_eth_dev *dev)
 
 	PMD_INIT_FUNC_TRACE();
 
+	/* disable mecsec register */
+	ixgbe_dev_macsec_ctrl_register_disable(dev);
+
 	rte_eal_alarm_cancel(ixgbe_dev_setup_link_alarm_handler, dev);
 
 	/* disable interrupts */
@@ -8816,6 +8829,153 @@  ixgbe_clear_all_l2_tn_filter(struct rte_eth_dev *dev)
 	return 0;
 }
 
+/* macsec ctrl setup enable */
+void
+ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
+				struct ixgbe_macsec_setting *macsec_ctrl)
+{
+	struct ixgbe_macsec_setting *macsec =
+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
+
+	macsec->encrypt_en = macsec_ctrl->encrypt_en;
+	macsec->replayprotect_en = macsec_ctrl->replayprotect_en;
+}
+
+/* macsec ctrl setup disable */
+void
+ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev)
+{
+	struct ixgbe_macsec_setting *macsec =
+		IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(dev->data->dev_private);
+
+	macsec->encrypt_en = 0;
+	macsec->replayprotect_en = 0;
+}
+
+/* macsec ctrl register set */
+static void
+ixgbe_dev_macsec_ctrl_register_enable(struct rte_eth_dev *dev,
+				struct ixgbe_macsec_setting *macsec_contrl)
+{
+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+	uint32_t ctrl;
+	uint8_t en = (uint8_t)macsec_contrl->encrypt_en;
+	uint8_t rp = (uint8_t)macsec_contrl->replayprotect_en;
+
+	/**
+	 * Workaround:
+	 * As no ixgbe_disable_sec_rx_path equivalent is
+	 * implemented for tx in the base code, and we are
+	 * not allowed to modify the base code in DPDK, so
+	 * just call the hand-written one directly for now.
+	 * The hardware support has been checked by
+	 * ixgbe_disable_sec_rx_path().
+	 */
+	ixgbe_disable_sec_tx_path_generic(hw);
+
+	/* Enable Ethernet CRC (required by MACsec offload) */
+	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
+	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
+	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
+
+	/* Enable the TX and RX crypto engines */
+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
+	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
+
+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
+	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
+
+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
+	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
+	ctrl |= 0x3;
+	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
+
+	/* Enable SA lookup */
+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
+	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
+		     IXGBE_LSECTXCTRL_AUTH;
+	ctrl |= IXGBE_LSECTXCTRL_AISCI;
+	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
+	ctrl |= IXGBE_MACSEC_PNTHRSH & IXGBE_LSECTXCTRL_PNTHRSH_MASK;
+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
+
+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
+	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
+	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
+	if (rp)
+		ctrl |= IXGBE_LSECRXCTRL_RP;
+	else
+		ctrl &= ~IXGBE_LSECRXCTRL_RP;
+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
+
+	/* Start the data paths */
+	ixgbe_enable_sec_rx_path(hw);
+	/**
+	 * Workaround:
+	 * As no ixgbe_enable_sec_rx_path equivalent is
+	 * implemented for tx in the base code, and we are
+	 * not allowed to modify the base code in DPDK, so
+	 * just call the hand-written one directly for now.
+	 */
+	ixgbe_enable_sec_tx_path_generic(hw);
+}
+
+/* macsec ctrl register set */
+static void
+ixgbe_dev_macsec_ctrl_register_disable(struct rte_eth_dev *dev)
+{
+	struct ixgbe_hw *hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+	uint32_t ctrl;
+
+	/**
+	 * Workaround:
+	 * As no ixgbe_disable_sec_rx_path equivalent is
+	 * implemented for tx in the base code, and we are
+	 * not allowed to modify the base code in DPDK, so
+	 * just call the hand-written one directly for now.
+	 * The hardware support has been checked by
+	 * ixgbe_disable_sec_rx_path().
+	 */
+	ixgbe_disable_sec_tx_path_generic(hw);
+
+	/* Disable the TX and RX crypto engines */
+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
+	ctrl |= IXGBE_SECTXCTRL_SECTX_DIS;
+	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
+
+	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
+	ctrl |= IXGBE_SECRXCTRL_SECRX_DIS;
+	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
+
+	/* Disable SA lookup */
+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
+	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
+	ctrl |= IXGBE_LSECTXCTRL_DISABLE;
+	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
+
+	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
+	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
+	ctrl |= IXGBE_LSECRXCTRL_DISABLE << IXGBE_LSECRXCTRL_EN_SHIFT;
+	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
+
+	/* Start the data paths */
+	ixgbe_enable_sec_rx_path(hw);
+	/**
+	 * Workaround:
+	 * As no ixgbe_enable_sec_rx_path equivalent is
+	 * implemented for tx in the base code, and we are
+	 * not allowed to modify the base code in DPDK, so
+	 * just call the hand-written one directly for now.
+	 */
+	ixgbe_enable_sec_tx_path_generic(hw);
+}
+
+
+
 RTE_PMD_REGISTER_PCI(net_ixgbe, rte_ixgbe_pmd);
 RTE_PMD_REGISTER_PCI_TABLE(net_ixgbe, pci_id_ixgbe_map);
 RTE_PMD_REGISTER_KMOD_DEP(net_ixgbe, "* igb_uio | uio_pci_generic | vfio-pci");
diff --git a/drivers/net/ixgbe/ixgbe_ethdev.h b/drivers/net/ixgbe/ixgbe_ethdev.h
index 6e9ed2e10..6aa2cdbbc 100644
--- a/drivers/net/ixgbe/ixgbe_ethdev.h
+++ b/drivers/net/ixgbe/ixgbe_ethdev.h
@@ -365,6 +365,12 @@  struct rte_flow {
 	void *rule;
 };
 
+/* MACsec Control structure */
+struct ixgbe_macsec_setting {
+	uint8_t encrypt_en;		/* encrypt enabled */
+	uint8_t replayprotect_en;	/* replayprotect enabled */
+};
+
 /*
  * Statistics counters collected by the MACsec
  */
@@ -471,6 +477,7 @@  struct ixgbe_adapter {
 	struct ixgbe_hw             hw;
 	struct ixgbe_hw_stats       stats;
 	struct ixgbe_macsec_stats   macsec_stats;
+	struct ixgbe_macsec_setting	macsec_ctrl;
 	struct ixgbe_hw_fdir_info   fdir;
 	struct ixgbe_interrupt      intr;
 	struct ixgbe_stat_mapping_registers stat_mappings;
@@ -523,6 +530,9 @@  int ixgbe_vf_representor_uninit(struct rte_eth_dev *ethdev);
 #define IXGBE_DEV_PRIVATE_TO_MACSEC_STATS(adapter) \
 	(&((struct ixgbe_adapter *)adapter)->macsec_stats)
 
+#define IXGBE_DEV_PRIVATE_TO_MACSEC_CTRL(adapter) \
+	(&((struct ixgbe_adapter *)adapter)->macsec_ctrl)
+
 #define IXGBE_DEV_PRIVATE_TO_INTR(adapter) \
 	(&((struct ixgbe_adapter *)adapter)->intr)
 
@@ -741,6 +751,11 @@  int ixgbe_action_rss_same(const struct rte_flow_action_rss *comp,
 int ixgbe_config_rss_filter(struct rte_eth_dev *dev,
 		struct ixgbe_rte_flow_rss_conf *conf, bool add);
 
+void ixgbe_dev_macsec_setting_save(struct rte_eth_dev *dev,
+		struct ixgbe_macsec_setting *macsec_ctrl);
+
+void ixgbe_dev_macsec_setting_reset(struct rte_eth_dev *dev);
+
 static inline int
 ixgbe_ethertype_filter_lookup(struct ixgbe_filter_info *filter_info,
 			      uint16_t ethertype)
diff --git a/drivers/net/ixgbe/rte_pmd_ixgbe.c b/drivers/net/ixgbe/rte_pmd_ixgbe.c
index 9514f2cf5..3a1474876 100644
--- a/drivers/net/ixgbe/rte_pmd_ixgbe.c
+++ b/drivers/net/ixgbe/rte_pmd_ixgbe.c
@@ -515,82 +515,18 @@  rte_pmd_ixgbe_set_vf_rate_limit(uint16_t port, uint16_t vf,
 int
 rte_pmd_ixgbe_macsec_enable(uint16_t port, uint8_t en, uint8_t rp)
 {
-	struct ixgbe_hw *hw;
 	struct rte_eth_dev *dev;
-	uint32_t ctrl;
+	struct ixgbe_macsec_setting macsec_setting;
 
 	RTE_ETH_VALID_PORTID_OR_ERR_RET(port, -ENODEV);
 
 	dev = &rte_eth_devices[port];
 
-	if (!is_ixgbe_supported(dev))
-		return -ENOTSUP;
-
-	hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
+	macsec_setting.encrypt_en = en;
+	macsec_setting.replayprotect_en = rp;
 
-	/* Stop the data paths */
-	if (ixgbe_disable_sec_rx_path(hw) != IXGBE_SUCCESS)
-		return -ENOTSUP;
-	/**
-	 * Workaround:
-	 * As no ixgbe_disable_sec_rx_path equivalent is
-	 * implemented for tx in the base code, and we are
-	 * not allowed to modify the base code in DPDK, so
-	 * just call the hand-written one directly for now.
-	 * The hardware support has been checked by
-	 * ixgbe_disable_sec_rx_path().
-	 */
-	ixgbe_disable_sec_tx_path_generic(hw);
-
-	/* Enable Ethernet CRC (required by MACsec offload) */
-	ctrl = IXGBE_READ_REG(hw, IXGBE_HLREG0);
-	ctrl |= IXGBE_HLREG0_TXCRCEN | IXGBE_HLREG0_RXCRCSTRP;
-	IXGBE_WRITE_REG(hw, IXGBE_HLREG0, ctrl);
-
-	/* Enable the TX and RX crypto engines */
-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
-	ctrl &= ~IXGBE_SECTXCTRL_SECTX_DIS;
-	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
-
-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
-	ctrl &= ~IXGBE_SECRXCTRL_SECRX_DIS;
-	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
-
-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXMINIFG);
-	ctrl &= ~IXGBE_SECTX_MINSECIFG_MASK;
-	ctrl |= 0x3;
-	IXGBE_WRITE_REG(hw, IXGBE_SECTXMINIFG, ctrl);
-
-	/* Enable SA lookup */
-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
-	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
-	ctrl |= en ? IXGBE_LSECTXCTRL_AUTH_ENCRYPT :
-		     IXGBE_LSECTXCTRL_AUTH;
-	ctrl |= IXGBE_LSECTXCTRL_AISCI;
-	ctrl &= ~IXGBE_LSECTXCTRL_PNTHRSH_MASK;
-	ctrl |= IXGBE_MACSEC_PNTHRSH & IXGBE_LSECTXCTRL_PNTHRSH_MASK;
-	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
-
-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
-	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
-	ctrl |= IXGBE_LSECRXCTRL_STRICT << IXGBE_LSECRXCTRL_EN_SHIFT;
-	ctrl &= ~IXGBE_LSECRXCTRL_PLSH;
-	if (rp)
-		ctrl |= IXGBE_LSECRXCTRL_RP;
-	else
-		ctrl &= ~IXGBE_LSECRXCTRL_RP;
-	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
-
-	/* Start the data paths */
-	ixgbe_enable_sec_rx_path(hw);
-	/**
-	 * Workaround:
-	 * As no ixgbe_enable_sec_rx_path equivalent is
-	 * implemented for tx in the base code, and we are
-	 * not allowed to modify the base code in DPDK, so
-	 * just call the hand-written one directly for now.
-	 */
-	ixgbe_enable_sec_tx_path_generic(hw);
+	/* Enable macsec setup  */
+	ixgbe_dev_macsec_setting_save(dev, &macsec_setting);
 
 	return 0;
 }
@@ -598,63 +534,14 @@  rte_pmd_ixgbe_macsec_enable(uint16_t port, uint8_t en, uint8_t rp)
 int
 rte_pmd_ixgbe_macsec_disable(uint16_t port)
 {
-	struct ixgbe_hw *hw;
 	struct rte_eth_dev *dev;
-	uint32_t ctrl;
 
 	RTE_ETH_VALID_PORTID_OR_ERR_RET(port, -ENODEV);
 
 	dev = &rte_eth_devices[port];
 
-	if (!is_ixgbe_supported(dev))
-		return -ENOTSUP;
-
-	hw = IXGBE_DEV_PRIVATE_TO_HW(dev->data->dev_private);
-
-	/* Stop the data paths */
-	if (ixgbe_disable_sec_rx_path(hw) != IXGBE_SUCCESS)
-		return -ENOTSUP;
-	/**
-	 * Workaround:
-	 * As no ixgbe_disable_sec_rx_path equivalent is
-	 * implemented for tx in the base code, and we are
-	 * not allowed to modify the base code in DPDK, so
-	 * just call the hand-written one directly for now.
-	 * The hardware support has been checked by
-	 * ixgbe_disable_sec_rx_path().
-	 */
-	ixgbe_disable_sec_tx_path_generic(hw);
-
-	/* Disable the TX and RX crypto engines */
-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECTXCTRL);
-	ctrl |= IXGBE_SECTXCTRL_SECTX_DIS;
-	IXGBE_WRITE_REG(hw, IXGBE_SECTXCTRL, ctrl);
-
-	ctrl = IXGBE_READ_REG(hw, IXGBE_SECRXCTRL);
-	ctrl |= IXGBE_SECRXCTRL_SECRX_DIS;
-	IXGBE_WRITE_REG(hw, IXGBE_SECRXCTRL, ctrl);
-
-	/* Disable SA lookup */
-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECTXCTRL);
-	ctrl &= ~IXGBE_LSECTXCTRL_EN_MASK;
-	ctrl |= IXGBE_LSECTXCTRL_DISABLE;
-	IXGBE_WRITE_REG(hw, IXGBE_LSECTXCTRL, ctrl);
-
-	ctrl = IXGBE_READ_REG(hw, IXGBE_LSECRXCTRL);
-	ctrl &= ~IXGBE_LSECRXCTRL_EN_MASK;
-	ctrl |= IXGBE_LSECRXCTRL_DISABLE << IXGBE_LSECRXCTRL_EN_SHIFT;
-	IXGBE_WRITE_REG(hw, IXGBE_LSECRXCTRL, ctrl);
-
-	/* Start the data paths */
-	ixgbe_enable_sec_rx_path(hw);
-	/**
-	 * Workaround:
-	 * As no ixgbe_enable_sec_rx_path equivalent is
-	 * implemented for tx in the base code, and we are
-	 * not allowed to modify the base code in DPDK, so
-	 * just call the hand-written one directly for now.
-	 */
-	ixgbe_enable_sec_tx_path_generic(hw);
+	/* Disable macsec setup  */
+	ixgbe_dev_macsec_setting_reset(dev);
 
 	return 0;
 }