1 | /* SPDX-License-Identifier: GPL-2.0+ */ |
2 | /* | |
3 | * MACsec netdev header, used for h/w accelerated implementations. | |
4 | * | |
5 | * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net> | |
6 | */ | |
7 | #ifndef _NET_MACSEC_H_ | |
8 | #define _NET_MACSEC_H_ | |
9 | ||
10 | #include <linux/u64_stats_sync.h> | |
11 | #include <uapi/linux/if_link.h> | |
12 | #include <uapi/linux/if_macsec.h> | |
13 | ||
/* Packet number (PN) sizes in bytes: a 32-bit PN for the non-XPN cipher
 * suites and a 64-bit PN for extended packet numbering (XPN). pn_t below
 * gives the split/whole view of a 64-bit PN.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/* Secure Channel Identifier length in bytes (see sci_t below). */
#define MACSEC_SCI_LEN 8
/* Port identifier used for an end station (ES), in network byte order. */
#define MACSEC_PORT_ES (htons(0x0001))

/* Bits of the SecTAG TCI/AN octet: flags in the upper six bits, the
 * association number in the low two bits (MACSEC_AN_MASK, cf. MACSEC_NUM_AN).
 */
#define MACSEC_TCI_VERSION 0x80
#define MACSEC_TCI_ES 0x40 /* end station */
#define MACSEC_TCI_SC 0x20 /* SCI present */
#define MACSEC_TCI_SCB 0x10 /* epon */
#define MACSEC_TCI_E 0x08 /* encryption */
#define MACSEC_TCI_C 0x04 /* changed text */
#define MACSEC_AN_MASK 0x03 /* association number */
/* E and C both set: confidentiality, not just integrity protection. */
#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)

/* Default Integrity Check Value (the AEAD authentication tag) length in bytes. */
#define MACSEC_DEFAULT_ICV_LEN 16
32 | ||
/* Secure Channel Identifier and Short SCI. __bitwise marks them as opaque
 * values for sparse so they are not mixed with plain integers by accident.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
c0e4eadf | 35 | |
struct metadata_dst; /* opaque here; only referenced via macsec_tx_sc::md_dst */
37 | ||
/* Salt for the XPN cipher suites (see @salt on struct macsec_key), viewable
 * either as raw bytes or as a packed {ssci, pn} pair. Both views are
 * __packed so the byte layout has no padding; the XPN IV construction
 * operates on exactly this layout. MACSEC_SALT_LEN comes from the uapi
 * header — presumably 12 (4 + 8) so the two views coincide; confirm.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
45 | ||
/* A 64-bit packet number, addressable as a whole (@full64) or as two 32-bit
 * halves. The halves are ordered per host byte order so that @lower always
 * overlays the least significant 32 bits of @full64 (presumably the part a
 * non-XPN SecTAG carries) and @upper the most significant 32 bits.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
60 | |
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 *
 * The key bytes themselves live inside the AEAD transform @tfm; this
 * structure only pairs the identifier and the XPN salt with it.
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
72 | ||
/* Per receive-SC counters (64-bit), named after the IEEE 802.1AE MIB
 * objects. Judging by the names, InPktsInvalid/InPktsNotValid/InPktsLate
 * count integrity and replay failures — the ones worth monitoring.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
85 | ||
/* Per receive-SA counters (32-bit); a subset of the SC counter set above. */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
93 | ||
/* Per transmit-SA counters (32-bit). */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
98 | ||
/* Per transmit-SC counters (64-bit). "Protected" presumably means integrity
 * only and "Encrypted" confidentiality as well, mirroring
 * macsec_tx_sc::encrypt — confirm in the tx path.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
105 | ||
/* Device-wide counters for frames handled outside any SC (per the names:
 * untagged, missing or bad tag, unknown or absent SCI, overrun). Spikes in
 * InPktsBadTag/InPktsUnknownSCI are a useful detection signal.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
116 | ||
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn: packet number expected for the next packet
 * @next_pn_halves: the same packet number as two 32-bit halves (see pn_t);
 *	shares storage with @next_pn
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn is the state behind the receive packet-number checks (see
 * macsec_secy::replay_protect); every access goes through @lock.
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
140 | ||
/* Per-CPU RX SC counters; @syncp (u64_stats_sync, included above) guards
 * the 64-bit counters against torn reads.
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
145 | ||
/* Per-CPU TX SC counters; @syncp guards the 64-bit counters as above. */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
150 | ||
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's rx_sc list (__rcu pointer)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations
 * @stats: per-SC stats
 * @refcnt: reference count
 * @rcu_head: RCU head for deferred freeing
 *
 * @sa is indexed by association number (0..MACSEC_NUM_AN-1); each entry is
 * an __rcu pointer.
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
167 | ||
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn: packet number to use for the next packet
 * @next_pn_halves: the same packet number as two 32-bit halves (see pn_t);
 *	shares storage with @next_pn
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @rcu: RCU head for deferred freeing
 *
 * @next_pn must advance monotonically under @lock; see macsec_pn_wrapped()
 * for what happens when it runs out.
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
190 | ||
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (cf. MACSEC_TCI_ES)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations
 * @stats: stats for this TXSC
 * @md_dst: MACsec offload metadata dst
 *
 * @send_sci, @end_station and @scb together decide whether an explicit SCI
 * is emitted; see macsec_send_sci() at the end of this header.
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
	struct metadata_dst *md_dst;
};
214 | ||
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 *
 * Security-relevant knobs: with @protect_frames clear frames leave
 * unprotected; @validate_frames selects how received frames are checked;
 * @replay_protect enables the PN checks and @replay_window presumably bounds
 * how far behind the expected PN a frame may still be accepted (confirm in
 * the rx path). @xpn selects the 64-bit packet number (MACSEC_XPN_PN_LEN).
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
246 | ||
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: offloading net_device (shares storage with @phydev)
 * @phydev: offloading phy_device (shares storage with @netdev)
 * @offload: offload provider; presumably says which of @netdev/@phydev is
 *	valid — confirm against the callers
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC for the RX SC / RX SA operations
 * @sa: SA being added/updated/deleted: its association number, the key
 *	bytes (up to MACSEC_MAX_KEY_LEN, presumably the raw key) and the RX
 *	or TX SA object (only one of the two is meaningful per operation)
 * @stats: destination for the mdo_get_*_stats operations; which member is
 *	valid follows the callback invoked
 *
 * Passed to every struct macsec_ops callback. @sa.key hands key material to
 * the driver: it should be consumed while programming the hardware and not
 * logged or copied into long-lived driver state.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats *dev_stats;
	} stats;
};
275 | ||
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide: offload device opened
 * @mdo_dev_stop: device-wide: offload device stopped
 * @mdo_add_secy: add the SecY in @ctx->secy
 * @mdo_upd_secy: update the SecY in @ctx->secy
 * @mdo_del_secy: delete the SecY in @ctx->secy
 * @mdo_add_rxsc: add the receive SC in @ctx->rx_sc
 * @mdo_upd_rxsc: update the receive SC in @ctx->rx_sc
 * @mdo_del_rxsc: delete the receive SC in @ctx->rx_sc
 * @mdo_add_rxsa: add the receive SA in @ctx->sa
 * @mdo_upd_rxsa: update the receive SA in @ctx->sa
 * @mdo_del_rxsa: delete the receive SA in @ctx->sa
 * @mdo_add_txsa: add the transmit SA in @ctx->sa
 * @mdo_upd_txsa: update the transmit SA in @ctx->sa
 * @mdo_del_txsa: delete the transmit SA in @ctx->sa
 * @mdo_get_dev_stats: fill @ctx->stats.dev_stats
 * @mdo_get_tx_sc_stats: fill @ctx->stats.tx_sc_stats
 * @mdo_get_tx_sa_stats: fill @ctx->stats.tx_sa_stats
 * @mdo_get_rx_sc_stats: fill @ctx->stats.rx_sc_stats
 * @mdo_get_rx_sa_stats: fill @ctx->stats.rx_sa_stats
 *
 * Every callback takes a &struct macsec_context describing the object it
 * acts on and returns an int — presumably 0 on success and a negative errno
 * on failure, per kernel convention; confirm with the callers.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
305 | ||
/* Notification that @tx_sa's packet number has wrapped (per the name;
 * defined outside this header, presumably called by offload drivers). A PN
 * must never repeat under the same key — the IV is derived from it, cf.
 * @salt on struct macsec_key — so this is where the SA has to stop being
 * used rather than wrapping silently.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
/**
 * macsec_send_sci - decide whether the SecTAG must carry an explicit SCI
 * @secy: SecY whose transmit SC is about to be used
 *
 * Return: true when the TX SC is configured to always send the SCI, or when
 * the SecY has more than one receive SC and neither the end-station nor the
 * SCB flag is set on the TX SC; false otherwise.
 */
static inline bool macsec_send_sci(const struct macsec_secy *secy)
{
	const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
	bool sci_implied;

	if (tx_sc->send_sci)
		return true;

	/* With at most one peer SC, or with the ES/SCB flags set, the SCI is
	 * left out of the SecTAG.
	 */
	sci_implied = secy->n_rx_sc <= 1 || tx_sc->end_station || tx_sc->scb;

	return !sci_implied;
}
5c937de7 | 314 | |
c0e4eadf | 315 | #endif /* _NET_MACSEC_H_ */ |