[linux-block.git] / include / net / macsec.h

/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * MACsec netdev header, used for h/w accelerated implementations.
 *
 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
 */
#ifndef _NET_MACSEC_H_
#define _NET_MACSEC_H_

#include <linux/u64_stats_sync.h>
#include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h>

#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

#define MACSEC_SCI_LEN 8
#define MACSEC_PORT_ES (htons(0x0001))

#define MACSEC_TCI_VERSION 0x80
#define MACSEC_TCI_ES      0x40 /* end station */
#define MACSEC_TCI_SC      0x20 /* SCI present */
#define MACSEC_TCI_SCB     0x10 /* epon */
#define MACSEC_TCI_E       0x08 /* encryption */
#define MACSEC_TCI_C       0x04 /* changed text */
#define MACSEC_AN_MASK     0x03 /* association number */
#define MACSEC_TCI_CONFID  (MACSEC_TCI_E | MACSEC_TCI_C)

#define MACSEC_DEFAULT_ICV_LEN 16

typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;

struct metadata_dst;

typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;

typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error	"Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;

/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};

struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};

struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};

struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};

struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};

struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};

/**
 * struct macsec_rx_sa - receive secure association
 * @active:
 * @next_pn: packet number expected for the next packet
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @stats: per-SA stats
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};

struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};

struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct macsec_rx_sc - receive secure channel
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations
 * @stats: per-SC stats
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};

/**
 * struct macsec_tx_sa - transmit secure association
 * @active:
 * @next_pn: packet number to use for the next packet
 * @lock: protects next_pn manipulations
 * @key: key structure
 * @ssci: short secure channel identifier
 * @stats: per-SA stats
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};

/**
 * struct macsec_tx_sc - transmit secure channel
 * @active:
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station:
 * @scb: single copy broadcast flag
 * @sa: array of secure associations
 * @stats: stats for this TXSC
 * @md_dst: MACsec offload metadata dst
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
	struct metadata_dst *md_dst;
};

/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};

/**
 * struct macsec_context - MACsec context for hardware offloading
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats  *dev_stats;
	} stats;
};

/**
 * struct macsec_ops - MACsec offloading operations
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};

void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
static inline bool macsec_send_sci(const struct macsec_secy *secy)
{
	const struct macsec_tx_sc *tx_sc = &secy->tx_sc;

	return tx_sc->send_sci ||
		(secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
}

#endif /* _NET_MACSEC_H_ */
Commit	Line	Data
c0e4eadf AT	1	/* SPDX-License-Identifier: GPL-2.0+ */
	2	/*
	3	* MACsec netdev header, used for h/w accelerated implementations.
	4	*
	5	* Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
	6	*/
	7	#ifndef _NET_MACSEC_H_
	8	#define _NET_MACSEC_H_
	9
	10	#include <linux/u64_stats_sync.h>
	11	#include <uapi/linux/if_link.h>
	12	#include <uapi/linux/if_macsec.h>
	13
48ef50fa EM	14	#define MACSEC_DEFAULT_PN_LEN 4
	15	#define MACSEC_XPN_PN_LEN 8
	16
a21ecf0e EM	17	#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
a21ecf0e EM	18
b1671253 LN	19	#define MACSEC_SCI_LEN 8
	20	#define MACSEC_PORT_ES (htons(0x0001))
	21
	22	#define MACSEC_TCI_VERSION 0x80
	23	#define MACSEC_TCI_ES 0x40 /* end station */
	24	#define MACSEC_TCI_SC 0x20 /* SCI present */
	25	#define MACSEC_TCI_SCB 0x10 /* epon */
	26	#define MACSEC_TCI_E 0x08 /* encryption */
	27	#define MACSEC_TCI_C 0x04 /* changed text */
	28	#define MACSEC_AN_MASK 0x03 /* association number */
	29	#define MACSEC_TCI_CONFID (MACSEC_TCI_E \| MACSEC_TCI_C)
	30
	31	#define MACSEC_DEFAULT_ICV_LEN 16
	32
c0e4eadf	33	typedef u64 __bitwise sci_t;
a21ecf0e	34	typedef u32 __bitwise ssci_t;
c0e4eadf	35
0a28bfd4 LN	36	struct metadata_dst;
0a28bfd4 LN	37
a21ecf0e EM	38	typedef union salt {
	39	struct {
	40	u32 ssci;
	41	u64 pn;
	42	} __packed;
	43	u8 bytes[MACSEC_SALT_LEN];
	44	} __packed salt_t;
	45
	46	typedef union pn {
	47	struct {
	48	#if defined(__LITTLE_ENDIAN_BITFIELD)
	49	u32 lower;
	50	u32 upper;
	51	#elif defined(__BIG_ENDIAN_BITFIELD)
	52	u32 upper;
	53	u32 lower;
	54	#else
	55	#error "Please fix <asm/byteorder.h>"
	56	#endif
	57	};
	58	u64 full64;
	59	} pn_t;
c0e4eadf AT	60
	61	/**
	62	* struct macsec_key - SA key
	63	* @id: user-provided key identifier
	64	* @tfm: crypto struct, key storage
a21ecf0e	65	* @salt: salt used to generate IV in XPN cipher suites
c0e4eadf AT	66	*/
	67	struct macsec_key {
	68	u8 id[MACSEC_KEYID_LEN];
	69	struct crypto_aead *tfm;
a21ecf0e	70	salt_t salt;
c0e4eadf AT	71	};
	72
	73	struct macsec_rx_sc_stats {
	74	__u64 InOctetsValidated;
	75	__u64 InOctetsDecrypted;
	76	__u64 InPktsUnchecked;
	77	__u64 InPktsDelayed;
	78	__u64 InPktsOK;
	79	__u64 InPktsInvalid;
	80	__u64 InPktsLate;
	81	__u64 InPktsNotValid;
	82	__u64 InPktsNotUsingSA;
	83	__u64 InPktsUnusedSA;
	84	};
	85
	86	struct macsec_rx_sa_stats {
	87	__u32 InPktsOK;
	88	__u32 InPktsInvalid;
	89	__u32 InPktsNotValid;
	90	__u32 InPktsNotUsingSA;
	91	__u32 InPktsUnusedSA;
	92	};
	93
	94	struct macsec_tx_sa_stats {
	95	__u32 OutPktsProtected;
	96	__u32 OutPktsEncrypted;
	97	};
	98
	99	struct macsec_tx_sc_stats {
	100	__u64 OutPktsProtected;
	101	__u64 OutPktsEncrypted;
	102	__u64 OutOctetsProtected;
	103	__u64 OutOctetsEncrypted;
	104	};
	105
b62c3624 DB	106	struct macsec_dev_stats {
	107	__u64 OutPktsUntagged;
	108	__u64 InPktsUntagged;
	109	__u64 OutPktsTooLong;
	110	__u64 InPktsNoTag;
	111	__u64 InPktsBadTag;
	112	__u64 InPktsUnknownSCI;
	113	__u64 InPktsNoSCI;
	114	__u64 InPktsOverrun;
	115	};
	116
c0e4eadf AT	117	/**
	118	* struct macsec_rx_sa - receive secure association
	119	* @active:
	120	* @next_pn: packet number expected for the next packet
	121	* @lock: protects next_pn manipulations
	122	* @key: key structure
a21ecf0e	123	* @ssci: short secure channel identifier
c0e4eadf AT	124	* @stats: per-SA stats
	125	*/
	126	struct macsec_rx_sa {
	127	struct macsec_key key;
a21ecf0e	128	ssci_t ssci;
c0e4eadf	129	spinlock_t lock;
a21ecf0e EM	130	union {
	131	pn_t next_pn_halves;
	132	u64 next_pn;
	133	};
c0e4eadf AT	134	refcount_t refcnt;
	135	bool active;
	136	struct macsec_rx_sa_stats __percpu *stats;
	137	struct macsec_rx_sc *sc;
	138	struct rcu_head rcu;
	139	};
	140
	141	struct pcpu_rx_sc_stats {
	142	struct macsec_rx_sc_stats stats;
	143	struct u64_stats_sync syncp;
	144	};
	145
	146	struct pcpu_tx_sc_stats {
	147	struct macsec_tx_sc_stats stats;
	148	struct u64_stats_sync syncp;
	149	};
	150
	151	/**
	152	* struct macsec_rx_sc - receive secure channel
	153	* @sci: secure channel identifier for this SC
	154	* @active: channel is active
	155	* @sa: array of secure associations
	156	* @stats: per-SC stats
	157	*/
	158	struct macsec_rx_sc {
	159	struct macsec_rx_sc __rcu *next;
	160	sci_t sci;
	161	bool active;
	162	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	163	struct pcpu_rx_sc_stats __percpu *stats;
	164	refcount_t refcnt;
	165	struct rcu_head rcu_head;
	166	};
	167
	168	/**
	169	* struct macsec_tx_sa - transmit secure association
	170	* @active:
	171	* @next_pn: packet number to use for the next packet
	172	* @lock: protects next_pn manipulations
	173	* @key: key structure
a21ecf0e	174	* @ssci: short secure channel identifier
c0e4eadf AT	175	* @stats: per-SA stats
	176	*/
	177	struct macsec_tx_sa {
	178	struct macsec_key key;
a21ecf0e	179	ssci_t ssci;
c0e4eadf	180	spinlock_t lock;
a21ecf0e EM	181	union {
	182	pn_t next_pn_halves;
	183	u64 next_pn;
	184	};
c0e4eadf AT	185	refcount_t refcnt;
	186	bool active;
	187	struct macsec_tx_sa_stats __percpu *stats;
	188	struct rcu_head rcu;
	189	};
	190
	191	/**
	192	* struct macsec_tx_sc - transmit secure channel
	193	* @active:
	194	* @encoding_sa: association number of the SA currently in use
	195	* @encrypt: encrypt packets on transmit, or authenticate only
	196	* @send_sci: always include the SCI in the SecTAG
	197	* @end_station:
	198	* @scb: single copy broadcast flag
	199	* @sa: array of secure associations
	200	* @stats: stats for this TXSC
0a28bfd4	201	* @md_dst: MACsec offload metadata dst
c0e4eadf AT	202	*/
	203	struct macsec_tx_sc {
	204	bool active;
	205	u8 encoding_sa;
	206	bool encrypt;
	207	bool send_sci;
	208	bool end_station;
	209	bool scb;
	210	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	211	struct pcpu_tx_sc_stats __percpu *stats;
0a28bfd4	212	struct metadata_dst *md_dst;
c0e4eadf AT	213	};
	214
	215	/**
	216	* struct macsec_secy - MACsec Security Entity
	217	* @netdev: netdevice for this SecY
	218	* @n_rx_sc: number of receive secure channels configured on this SecY
	219	* @sci: secure channel identifier used for tx
	220	* @key_len: length of keys used by the cipher suite
	221	* @icv_len: length of ICV used by the cipher suite
	222	* @validate_frames: validation mode
a21ecf0e	223	* @xpn: enable XPN for this SecY
c0e4eadf AT	224	* @operational: MAC_Operational flag
	225	* @protect_frames: enable protection for this SecY
	226	* @replay_protect: enable packet number checks on receive
	227	* @replay_window: size of the replay window
	228	* @tx_sc: transmit secure channel
	229	* @rx_sc: linked list of receive secure channels
	230	*/
	231	struct macsec_secy {
	232	struct net_device *netdev;
	233	unsigned int n_rx_sc;
	234	sci_t sci;
	235	u16 key_len;
	236	u16 icv_len;
	237	enum macsec_validation_type validate_frames;
a21ecf0e	238	bool xpn;
c0e4eadf AT	239	bool operational;
	240	bool protect_frames;
	241	bool replay_protect;
	242	u32 replay_window;
	243	struct macsec_tx_sc tx_sc;
	244	struct macsec_rx_sc __rcu *rx_sc;
	245	};
	246
76564261 AT	247	/**
	248	* struct macsec_context - MACsec context for hardware offloading
	249	*/
	250	struct macsec_context {
8fa91371 AT	251	union {
	252	struct net_device *netdev;
	253	struct phy_device *phydev;
	254	};
76564261 AT	255	enum macsec_offload offload;
	256
	257	struct macsec_secy *secy;
	258	struct macsec_rx_sc *rx_sc;
	259	struct {
	260	unsigned char assoc_num;
1f7fe512	261	u8 key[MACSEC_MAX_KEY_LEN];
76564261 AT	262	union {
	263	struct macsec_rx_sa *rx_sa;
	264	struct macsec_tx_sa *tx_sa;
	265	};
	266	} sa;
b62c3624 DB	267	union {
	268	struct macsec_tx_sc_stats *tx_sc_stats;
	269	struct macsec_tx_sa_stats *tx_sa_stats;
	270	struct macsec_rx_sc_stats *rx_sc_stats;
	271	struct macsec_rx_sa_stats *rx_sa_stats;
	272	struct macsec_dev_stats *dev_stats;
	273	} stats;
76564261 AT	274	};
76564261 AT	275
0830e20b AT	276	/**
	277	* struct macsec_ops - MACsec offloading operations
	278	*/
	279	struct macsec_ops {
	280	/* Device wide */
	281	int (mdo_dev_open)(struct macsec_context ctx);
	282	int (mdo_dev_stop)(struct macsec_context ctx);
	283	/* SecY */
	284	int (mdo_add_secy)(struct macsec_context ctx);
	285	int (mdo_upd_secy)(struct macsec_context ctx);
	286	int (mdo_del_secy)(struct macsec_context ctx);
	287	/* Security channels */
	288	int (mdo_add_rxsc)(struct macsec_context ctx);
	289	int (mdo_upd_rxsc)(struct macsec_context ctx);
	290	int (mdo_del_rxsc)(struct macsec_context ctx);
	291	/* Security associations */
	292	int (mdo_add_rxsa)(struct macsec_context ctx);
	293	int (mdo_upd_rxsa)(struct macsec_context ctx);
	294	int (mdo_del_rxsa)(struct macsec_context ctx);
	295	int (mdo_add_txsa)(struct macsec_context ctx);
	296	int (mdo_upd_txsa)(struct macsec_context ctx);
	297	int (mdo_del_txsa)(struct macsec_context ctx);
b62c3624 DB	298	/* Statistics */
	299	int (mdo_get_dev_stats)(struct macsec_context ctx);
	300	int (mdo_get_tx_sc_stats)(struct macsec_context ctx);
	301	int (mdo_get_tx_sa_stats)(struct macsec_context ctx);
	302	int (mdo_get_rx_sc_stats)(struct macsec_context ctx);
	303	int (mdo_get_rx_sa_stats)(struct macsec_context ctx);
0830e20b AT	304	};
0830e20b AT	305
5c937de7	306	void macsec_pn_wrapped(struct macsec_secy secy, struct macsec_tx_sa tx_sa);
b1671253 LN	307	static inline bool macsec_send_sci(const struct macsec_secy *secy)
	308	{
	309	const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
	310
	311	return tx_sc->send_sci \|\|
	312	(secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
	313	}
5c937de7	314
c0e4eadf	315	#endif /* _NET_MACSEC_H_ */