@@ -207,6 +207,8 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
uint8_t i;
sc_conf->dir = dir;
+ sc_conf->pn_threshold = ((uint64_t)td->xpn << 32) |
+ rte_be_to_cpu_32(*(const uint32_t *)(&td->secure_pkt.data[tci_off + 2]));
if (dir == RTE_SECURITY_MACSEC_DIR_TX) {
sc_conf->sc_tx.sa_id = sa_id[0];
if (sa_id[1] != MCS_INVALID_SA) {
@@ -232,12 +234,16 @@ fill_macsec_sc_conf(const struct mcs_test_vector *td,
/* use some default SCI */
sc_conf->sc_tx.sci = 0xf1341e023a2b1c5d;
}
+ if (td->xpn > 0)
+ sc_conf->sc_tx.is_xpn = 1;
} else {
for (i = 0; i < RTE_SECURITY_MACSEC_NUM_AN; i++) {
sc_conf->sc_rx.sa_id[i] = sa_id[i];
sc_conf->sc_rx.sa_in_use[i] = opts->sa_in_use;
}
sc_conf->sc_rx.active = 1;
+ if (td->xpn > 0)
+ sc_conf->sc_rx.is_xpn = 1;
}
}
@@ -834,6 +840,7 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
struct rte_security_session_conf sess_conf = {0};
struct rte_security_macsec_sa sa_conf = {0};
struct rte_security_macsec_sc sc_conf = {0};
+ struct mcs_err_vector err_vector = {0};
struct rte_security_ctx *ctx;
int nb_rx = 0, nb_sent;
int i, j = 0, ret, id, an = 0;
@@ -868,6 +875,34 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
}
j++;
+ if (opts->rekey_en) {
+
+ err_vector.td = td[i];
+ err_vector.rekey_td = opts->rekey_td;
+ err_vector.event = RTE_ETH_EVENT_MACSEC_UNKNOWN;
+ err_vector.event_subtype = RTE_ETH_SUBEVENT_MACSEC_UNKNOWN;
+ rte_eth_dev_callback_register(port_id, RTE_ETH_EVENT_MACSEC,
+ test_macsec_event_callback, &err_vector);
+ if (op == MCS_DECAP || op == MCS_VERIFY_ONLY)
+ tx_pkts_burst[j] = init_packet(mbufpool,
+ opts->rekey_td->secure_pkt.data,
+ opts->rekey_td->secure_pkt.len);
+ else {
+ tx_pkts_burst[j] = init_packet(mbufpool,
+ opts->rekey_td->plain_pkt.data,
+ opts->rekey_td->plain_pkt.len);
+
+ tx_pkts_burst[j]->ol_flags |= RTE_MBUF_F_TX_MACSEC;
+ }
+ if (tx_pkts_burst[j] == NULL) {
+ while (j--)
+ rte_pktmbuf_free(tx_pkts_burst[j]);
+ ret = TEST_FAILED;
+ goto out;
+ }
+ j++;
+ }
+
if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
for (an = 0; an < RTE_SECURITY_MACSEC_NUM_AN; an++) {
@@ -922,6 +957,20 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
}
tx_sa_id[i][0] = (uint16_t)id;
tx_sa_id[i][1] = MCS_INVALID_SA;
+ if (opts->rekey_en) {
+ memset(&sa_conf, 0, sizeof(struct rte_security_macsec_sa));
+ fill_macsec_sa_conf(opts->rekey_td, &sa_conf,
+ RTE_SECURITY_MACSEC_DIR_TX,
+ opts->rekey_td->secure_pkt.data[tci_off] &
+ RTE_MACSEC_AN_MASK,
+ tci_off);
+ id = rte_security_macsec_sa_create(ctx, &sa_conf);
+ if (id < 0) {
+ printf("MACsec rekey SA create failed : %d.\n", id);
+ goto out;
+ }
+ tx_sa_id[i][1] = (uint16_t)id;
+ }
fill_macsec_sc_conf(td[i], &sc_conf, opts,
RTE_SECURITY_MACSEC_DIR_TX, tx_sa_id[i], tci_off);
id = rte_security_macsec_sc_create(ctx, &sc_conf);
@@ -984,9 +1033,44 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
goto out;
}
+ if (opts->rekey_en) {
+ switch (err_vector.event) {
+ case RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP:
+ printf("Received RTE_ETH_EVENT_MACSEC_TX_SA_PN_SOFT_EXP event\n");
+ /* The first sa is active now, so the 0th sa can be
+ * reconfigured. Using the same key as zeroeth sa, but
+ * other key can also be configured.
+ */
+ rte_security_macsec_sa_destroy(ctx, tx_sa_id[0][0],
+ RTE_SECURITY_MACSEC_DIR_TX);
+ fill_macsec_sa_conf(td[0], &sa_conf,
+ RTE_SECURITY_MACSEC_DIR_TX,
+ td[0]->secure_pkt.data[tci_off] &
+ RTE_MACSEC_AN_MASK, tci_off);
+ id = rte_security_macsec_sa_create(ctx, &sa_conf);
+ if (id < 0) {
+ printf("MACsec SA create failed : %d.\n", id);
+ return TEST_FAILED;
+ }
+ tx_sa_id[0][0] = (uint16_t)id;
+ break;
+ default:
+ printf("Received unsupported event\n");
+ }
+ }
+
for (i = 0; i < nb_rx; i++) {
- ret = test_macsec_post_process(rx_pkts_burst[i], td[i], op,
- opts->check_out_pkts_untagged);
+ if (opts->rekey_en && i == 1) {
+ /* The second received packet is matched with
+ * rekey td
+ */
+ ret = test_macsec_post_process(rx_pkts_burst[i],
+ opts->rekey_td, op,
+ opts->check_out_pkts_untagged);
+ } else {
+ ret = test_macsec_post_process(rx_pkts_burst[i], td[i],
+ op, opts->check_out_pkts_untagged);
+ }
if (ret != TEST_SUCCESS) {
for ( ; i < nb_rx; i++)
rte_pktmbuf_free(rx_pkts_burst[i]);
@@ -1019,6 +1103,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
destroy_default_flow(port_id);
+ if (opts->rekey_en)
+ rte_eth_dev_callback_unregister(port_id, RTE_ETH_EVENT_MACSEC,
+ test_macsec_event_callback, &err_vector);
+
/* Destroy session so that other cases can create the session again */
for (i = 0; i < opts->nb_td; i++) {
if (op == MCS_ENCAP || op == MCS_ENCAP_DECAP ||
@@ -1029,6 +1117,10 @@ test_macsec(const struct mcs_test_vector *td[], enum mcs_op op, const struct mcs
RTE_SECURITY_MACSEC_DIR_TX);
rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][0],
RTE_SECURITY_MACSEC_DIR_TX);
+ if (opts->rekey_en) {
+ rte_security_macsec_sa_destroy(ctx, tx_sa_id[i][1],
+ RTE_SECURITY_MACSEC_DIR_TX);
+ }
}
if (op == MCS_DECAP || op == MCS_ENCAP_DECAP ||
op == MCS_VERIFY_ONLY || op == MCS_AUTH_VERIFY) {
@@ -1822,6 +1914,43 @@ test_inline_macsec_interrupts_all(const void *data __rte_unused)
return all_err;
}
+static int
+test_inline_macsec_rekey_tx(const void *data __rte_unused)
+{
+ const struct mcs_test_vector *cur_td;
+ struct mcs_test_opts opts = {0};
+ int err, all_err = 0;
+ int i, size;
+
+ opts.val_frames = RTE_SECURITY_MACSEC_VALIDATE_STRICT;
+ opts.protect_frames = true;
+ opts.encrypt = true;
+ opts.sa_in_use = 1;
+ opts.nb_td = 1;
+ opts.sectag_insert_mode = 1;
+ opts.mtu = RTE_ETHER_MTU;
+ opts.rekey_en = 1;
+
+ size = (sizeof(list_mcs_rekey_vectors) / sizeof((list_mcs_rekey_vectors)[0]));
+
+ for (i = 0; i < size; i++) {
+ cur_td = &list_mcs_rekey_vectors[i];
+ opts.rekey_td = &list_mcs_rekey_vectors[++i];
+ err = test_macsec(&cur_td, MCS_ENCAP, &opts);
+ if (err) {
+ printf("Tx hw rekey test case %d failed\n", i);
+ err = -1;
+ } else {
+ printf("Tx hw rekey test case %d passed\n", i);
+ err = 0;
+ }
+ all_err += err;
+ }
+
+ printf("\n%s: Success: %d, Failure: %d\n", __func__, size + all_err, -all_err);
+ return all_err;
+}
+
static int
ut_setup_inline_macsec(void)
{
@@ -2051,6 +2180,10 @@ static struct unit_test_suite inline_macsec_testsuite = {
"MACsec interrupts all",
ut_setup_inline_macsec, ut_teardown_inline_macsec,
test_inline_macsec_interrupts_all),
+ TEST_CASE_NAMED_ST(
+ "MACsec re-key Tx",
+ ut_setup_inline_macsec, ut_teardown_inline_macsec,
+ test_inline_macsec_rekey_tx),
TEST_CASES_END() /**< NULL terminate unit test array */
},
@@ -41,6 +41,7 @@ struct mcs_test_vector {
struct mcs_err_vector {
const struct mcs_test_vector *td;
+ const struct mcs_test_vector *rekey_td;
enum rte_eth_event_macsec_type event;
enum rte_eth_event_macsec_subtype event_subtype;
bool notify_event;
@@ -3182,4 +3183,246 @@ static const struct mcs_test_vector list_mcs_intr_test_vectors[] = {
},
};
+static const struct mcs_test_vector list_mcs_rekey_vectors[] = {
+/* Initial SA, AN = 0 and PN = 2 */
+{
+ .test_idx = 0,
+ .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+ .ssci = 0x0,
+ .salt = {0},
+ .sa_key = {
+ .data = {
+ 0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+ 0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82
+ },
+ .len = 16,
+ },
+ .plain_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* User Data */
+ 0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+ 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+ 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+ 0x43, 0x44, 0x45, 0x46,
+ },
+ .len = 64,
+ },
+ .secure_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* MACsec EtherType */
+ 0x88, 0xE5,
+ /* TCI and AN */
+ 0x2C,
+ /* SL */
+ 0x0,
+ /* PN */
+ 0x0, 0x0, 0x0, 0x2,
+ /* SCI */
+ 0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+ /* Secure Data */
+ 0x39, 0x38, 0x97, 0x44, 0xA2, 0x6D, 0x71, 0x3D,
+ 0x14, 0x27, 0xC7, 0x3E, 0x02, 0x96, 0x81, 0xAD,
+ 0x47, 0x82, 0x2A, 0xCF, 0x19, 0x79, 0x12, 0x49,
+ 0x0F, 0x93, 0x5A, 0x32, 0x43, 0x79, 0xEF, 0x9D,
+ 0x70, 0xF8, 0xA9, 0xBE, 0x3D, 0x00, 0x5D, 0x22,
+ 0xDA, 0x87, 0x3D, 0xC1, 0xBE, 0x1B, 0x13, 0xD9,
+ 0x99, 0xDB, 0xF1, 0xC8,
+ /* ICV */
+ 0x4B, 0xC4, 0xF8, 0xC6, 0x09, 0x78, 0xB9, 0xBB,
+ 0x5D, 0xC0, 0x04, 0xF3, 0x20, 0x7D, 0x14, 0x87,
+ },
+ .len = 96,
+ },
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1 and PN = 1.
+ */
+{
+ .test_idx = 1,
+ .alg = RTE_SECURITY_MACSEC_ALG_GCM_128,
+ .ssci = 0x0,
+ .salt = {0},
+ .sa_key = {
+ .data = {
+ 0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+ 0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+ },
+ .len = 16,
+ },
+ .plain_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* User Data */
+ 0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+ 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+ 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x35, 0x36, 0x37, 0x38, 0x39, 0x40, 0x41, 0x42,
+ 0x43, 0x44, 0x45, 0x46,
+ },
+ .len = 64,
+ },
+ .secure_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* MACsec EtherType */
+ 0x88, 0xE5,
+ /* TCI and AN */
+ 0x2D,
+ /* SL */
+ 0x00,
+ /* PN */
+ 0x00, 0x00, 0x00, 0x01,
+ /* SCI */
+ 0xFE, 0x2F, 0xCD, 0x14, 0x24, 0x1B, 0x88, 0x2C,
+ /* Secure Data */
+ 0x17, 0x66, 0xEF, 0xD9, 0x06, 0xDC, 0x15, 0xAF,
+ 0xE9, 0x06, 0xB1, 0xE6, 0x26, 0x22, 0xC8, 0x78,
+ 0x27, 0xE1, 0xED, 0x76, 0xF5, 0xC8, 0x16, 0xA1,
+ 0x6B, 0x0D, 0xA0, 0x8E, 0x24, 0x2A, 0x9D, 0x34,
+ 0xD0, 0xE0, 0x5F, 0xBA, 0x08, 0xF0, 0xE3, 0x7D,
+ 0x17, 0xC0, 0x2C, 0xCD, 0x8A, 0x44, 0xC9, 0xB9,
+ 0x28, 0xC0, 0xE8, 0x22,
+ /* ICV */
+ 0x1B, 0x16, 0x68, 0x5F, 0x14, 0x8A, 0x51, 0x29,
+ 0xB5, 0x3D, 0x61, 0x0E, 0x49, 0x20, 0x60, 0x09,
+ },
+ .len = 96,
+ },
+},
+{
+ .test_idx = 2,
+ .alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+ .ssci = 0x7A30C118,
+ .xpn = 0xB0DF459C, /* Most significant 32 bits */
+ .salt = {
+ 0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+ 0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+ },
+ .sa_key = {
+ .data = {
+ 0x07, 0x1B, 0x11, 0x3B, 0x0C, 0xA7, 0x43, 0xFE,
+ 0xCC, 0xCF, 0x3D, 0x05, 0x1F, 0x73, 0x73, 0x82,
+ },
+ .len = 16,
+ },
+ .plain_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* User Data */
+ 0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+ 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+ 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x00, 0x04,
+ },
+ .len = 54,
+ },
+ .secure_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* MACsec EtherType */
+ 0x88, 0xE5,
+ /* TCI and AN */
+ 0x4C,
+ /* SL */
+ 0x2A,
+ /* PN */
+ 0x76, 0xD4, 0x57, 0xED,
+ /* Secure Data */
+ 0x9C, 0xA4, 0x69, 0x84, 0x43, 0x02, 0x03, 0xED,
+ 0x41, 0x6E, 0xBD, 0xC2, 0xFE, 0x26, 0x22, 0xBA,
+ 0x3E, 0x5E, 0xAB, 0x69, 0x61, 0xC3, 0x63, 0x83,
+ 0x00, 0x9E, 0x18, 0x7E, 0x9B, 0x0C, 0x88, 0x56,
+ 0x46, 0x53, 0xB9, 0xAB, 0xD2, 0x16, 0x44, 0x1C,
+ 0x6A, 0xB6,
+ /* ICV */
+ 0xF0, 0xA2, 0x32, 0xE9, 0xE4, 0x4C, 0x97, 0x8C,
+ 0xF7, 0xCD, 0x84, 0xD4, 0x34, 0x84, 0xD1, 0x01,
+ },
+ .len = 78,
+ },
+},
+/* Rekeyed SA. sa_key is different from the initial sa.
+ * Also, AN = 1, XPN = 0 and PN = 1.
+ */
+{
+ .test_idx = 3,
+ .alg = RTE_SECURITY_MACSEC_ALG_GCM_XPN_128,
+ .ssci = 0x7A30C118,
+ .xpn = 0x0, /* Most significant 32 bits */
+ .salt = {
+ 0xE6, 0x30, 0xE8, 0x1A, 0x48, 0xDE,
+ 0x86, 0xA2, 0x1C, 0x66, 0xFA, 0x6D,
+ },
+ .sa_key = {
+ .data = {
+ 0xAD, 0x7A, 0x2B, 0xD0, 0x3E, 0xAC, 0x83, 0x5A,
+ 0x6F, 0x62, 0x0F, 0xDC, 0xB5, 0x06, 0xB3, 0x45,
+ },
+ .len = 16,
+ },
+ .plain_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* User Data */
+ 0x08, 0x00, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14,
+ 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C,
+ 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24,
+ 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C,
+ 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34,
+ 0x00, 0x04,
+ },
+ .len = 54,
+ },
+ .secure_pkt = {
+ .data = {/* MAC DA */
+ 0xE2, 0x01, 0x06, 0xD7, 0xCD, 0x0D,
+ /* MAC SA */
+ 0xF0, 0x76, 0x1E, 0x8D, 0xCD, 0x3D,
+ /* MACsec EtherType */
+ 0x88, 0xE5,
+ /* TCI and AN */
+ 0x4D,
+ /* SL */
+ 0x2A,
+ /* PN */
+ 0x0, 0x0, 0x0, 0x1,
+ /* Secure Data */
+ 0x91, 0x00, 0xC0, 0xE4, 0xB9, 0x4E, 0x2C, 0x1C,
+ 0x86, 0xDF, 0xE1, 0x8F, 0xDD, 0xB6, 0xE6, 0x79,
+ 0x65, 0x87, 0x80, 0xE7, 0x9C, 0x5D, 0x8A, 0xB7,
+ 0x68, 0xFD, 0xE1, 0x6E, 0x3F, 0xF1, 0xDE, 0x20,
+ 0x4A, 0xF6, 0xBA, 0xE6, 0x14, 0xDB, 0x6A, 0x05,
+ 0xE9, 0xB6,
+ /* ICV */
+ 0x2D, 0xDF, 0x59, 0x27, 0x25, 0x41, 0x68, 0x1D,
+ 0x74, 0x1A, 0xAA, 0xC4, 0x18, 0x49, 0xB4, 0x22,
+ },
+ .len = 78,
+ },
+},
+};
+
#endif