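/*
 * Wired Ethernet driver interface for QCA MACsec driver
 * Copyright (c) 2005-2009, Jouni Malinen
 * Copyright (c) 2004, Gunter Burchardt
 * Copyright (c) 2013-2014, Qualcomm Atheros, Inc.
 * Copyright (c) 2019, The Linux Foundation
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"
/*
 * NOTE(review): the system header names were missing from the bare #include
 * lines in this copy of the file. The names below match what the code uses
 * (ioctl(), struct ifreq, PRIx64, struct sockaddr_ll, ARPHRD_ETHER); confirm
 * them against the project tree.
 */
#include <sys/ioctl.h>
#include <net/if.h>
#include <inttypes.h>
#ifdef __linux__
#include <netpacket/packet.h>
#include <net/if_arp.h>
#include <net/if.h>
#endif /* __linux__ */
#if defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__)
#include <net/if_dl.h>
#include <net/if_media.h>
#endif /* defined(__FreeBSD__) || defined(__DragonFly__) || defined(__FreeBSD_kernel__) */
#ifdef __sun__
#include <sys/sockio.h>
#endif /* __sun__ */

#include "utils/common.h"
#include "utils/eloop.h"
#include "common/defs.h"
#include "common/ieee802_1x_defs.h"
#include "common/eapol_common.h"
#include "pae/ieee802_1x_kay.h"
#include "driver.h"
#include "driver_wired_common.h"

#include "nss_macsec_secy.h"
#include "nss_macsec_secy_rx.h"
#include "nss_macsec_secy_tx.h"

/* Number of secure channel slots scanned and tracked per direction */
#define MAXSC 16

/* Supported SAK lengths in bytes */
#define SAK_128_LEN	16
#define SAK_256_LEN	32

/* TCI field definition */
#define TCI_ES 0x40
#define TCI_SC 0x20
#define TCI_SCB 0x10
#define TCI_E 0x08
#define TCI_C 0x04

#ifdef _MSC_VER
#pragma pack(push, 1)
#endif /* _MSC_VER */

#ifdef _MSC_VER
#pragma pack(pop)
#endif /* _MSC_VER */

/*
 * One slot of the SCI-to-channel table; the array index is the hardware
 * channel number.
 */
struct channel_map {
	struct ieee802_1x_mka_sci sci;
};

/* Per-interface driver state */
struct macsec_qca_data {
	struct driver_wired_common_data common;

	int use_pae_group_addr;
	u32 secy_id;

	/* shadow */
	bool always_include_sci;
	bool use_es;
	bool use_scb;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;

	struct channel_map receive_channel_map[MAXSC];
	struct channel_map transmit_channel_map[MAXSC];
};


/*
 * Enable the SecY, select the SC/SA mapping mode and install control filters
 * that bypass frames with EtherType 0x888e (EAPOL) in both directions.
 *
 * NOTE(review): every failure is only logged. The function returns void, so
 * macsec_qca_macsec_init() reports success even when one of these hardware
 * calls failed.
 */
static void __macsec_drv_init(struct macsec_qca_data *drv)
{
	int ret = 0;
	fal_rx_ctl_filt_t rx_ctl_filt;
	fal_tx_ctl_filt_t tx_ctl_filt;

	wpa_printf(MSG_INFO, "%s: secy_id=%d", __func__, drv->secy_id);

	/* Enable Secy and Let EAPoL bypass */
	ret = nss_macsec_secy_en_set(drv->secy_id, true);
	if (ret)
		wpa_printf(MSG_ERROR, "nss_macsec_secy_en_set: FAIL");

	ret = nss_macsec_secy_sc_sa_mapping_mode_set(drv->secy_id,
						     FAL_SC_SA_MAP_1_4);
	if (ret)
		wpa_printf(MSG_ERROR,
			   "nss_macsec_secy_sc_sa_mapping_mode_set: FAIL");

	os_memset(&rx_ctl_filt, 0, sizeof(rx_ctl_filt));
	rx_ctl_filt.bypass = 1;
	rx_ctl_filt.match_type = IG_CTL_COMPARE_ETHER_TYPE;
	rx_ctl_filt.match_mask = 0xffff;
	rx_ctl_filt.ether_type_da_range = 0x888e;
	ret = nss_macsec_secy_rx_ctl_filt_set(drv->secy_id, 0, &rx_ctl_filt);
	if (ret)
		wpa_printf(MSG_ERROR, "nss_macsec_secy_rx_ctl_filt_set: FAIL");

	os_memset(&tx_ctl_filt, 0, sizeof(tx_ctl_filt));
	tx_ctl_filt.bypass = 1;
	tx_ctl_filt.match_type = EG_CTL_COMPARE_ETHER_TYPE;
	tx_ctl_filt.match_mask = 0xffff;
	tx_ctl_filt.ether_type_da_range = 0x888e;
	ret = nss_macsec_secy_tx_ctl_filt_set(drv->secy_id, 0, &tx_ctl_filt);
	if (ret)
		wpa_printf(MSG_ERROR, "nss_macsec_secy_tx_ctl_filt_set: FAIL");
}


/* Disable the SecY and delete all receive and transmit secure channels. */
static void __macsec_drv_deinit(struct macsec_qca_data *drv)
{
	nss_macsec_secy_en_set(drv->secy_id, false);
	nss_macsec_secy_rx_sc_del_all(drv->secy_id);
	nss_macsec_secy_tx_sc_del_all(drv->secy_id);
}


#ifdef __linux__

/*
 * Dispatch one frame read from the raw socket. Only built into the HOSTAPD
 * variant; otherwise the function is a no-op.
 *
 * Frames shorter than an Ethernet header are dropped before the header is
 * read. EAPOL frames raise EVENT_NEW_STA for the source address and are then
 * passed to drv_event_eapol_rx(); other EtherTypes are only logged.
 */
static void macsec_qca_handle_data(void *ctx, unsigned char *buf, size_t len)
{
#ifdef HOSTAPD
	struct ieee8023_hdr *hdr;
	u8 *pos, *sa;
	size_t left;
	union wpa_event_data event;

	/* at least 6 bytes src macaddress, 6 bytes dst macaddress
	 * and 2 bytes ethertype
	*/
	if (len < 14) {
		wpa_printf(MSG_MSGDUMP,
			   "macsec_qca_handle_data: too short (%lu)",
			   (unsigned long) len);
		return;
	}
	hdr = (struct ieee8023_hdr *) buf;

	switch (ntohs(hdr->ethertype)) {
	case ETH_P_PAE:
		wpa_printf(MSG_MSGDUMP, "Received EAPOL packet");
		sa = hdr->src;
		os_memset(&event, 0, sizeof(event));
		event.new_sta.addr = sa;
		wpa_supplicant_event(ctx, EVENT_NEW_STA, &event);

		pos = (u8 *) (hdr + 1);
		left = len - sizeof(*hdr);
		drv_event_eapol_rx(ctx, sa, pos, left);
		break;
	default:
		wpa_printf(MSG_DEBUG, "Unknown ethertype 0x%04x in data frame",
			   ntohs(hdr->ethertype));
		break;
	}
#endif /* HOSTAPD */
}


/*
 * eloop read callback: receive one frame (truncated to the 3000-byte local
 * buffer) and pass it to macsec_qca_handle_data().
 */
static void macsec_qca_handle_read(int sock, void *eloop_ctx, void *sock_ctx)
{
	int len;
	unsigned char buf[3000];

	len = recv(sock, buf, sizeof(buf), 0);
	if (len < 0) {
		wpa_printf(MSG_ERROR, "macsec_qca: recv: %s", strerror(errno));
		return;
	}

	macsec_qca_handle_data(eloop_ctx, buf, len);
}

#endif /* __linux__ */


/*
 * Open and bind the raw EAPOL packet socket for drv->common.ifname, register
 * it with eloop, join the PAE group address and copy the interface MAC address
 * to own_addr (ETH_ALEN bytes).
 *
 * Returns 0 on success. On failure returns -1 with the socket unregistered and
 * closed and drv->common.sock set to -1, so the caller can free drv without
 * leaking the descriptor or leaving a read handler registered for it. Always
 * fails on non-Linux builds.
 */
static int macsec_qca_init_sockets(struct macsec_qca_data *drv, u8 *own_addr)
{
#ifdef __linux__
	struct ifreq ifr;
	struct sockaddr_ll addr;

	drv->common.sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_PAE));
	if (drv->common.sock < 0) {
		wpa_printf(MSG_ERROR, "socket[PF_PACKET,SOCK_RAW]: %s",
			   strerror(errno));
		return -1;
	}

	if (eloop_register_read_sock(drv->common.sock, macsec_qca_handle_read,
				     drv->common.ctx, NULL)) {
		wpa_printf(MSG_INFO, "Could not register read socket");
		goto fail_close;
	}

	os_memset(&ifr, 0, sizeof(ifr));
	os_strlcpy(ifr.ifr_name, drv->common.ifname, sizeof(ifr.ifr_name));
	if (ioctl(drv->common.sock, SIOCGIFINDEX, &ifr) != 0) {
		wpa_printf(MSG_ERROR, "ioctl(SIOCGIFINDEX): %s",
			   strerror(errno));
		goto fail_unregister;
	}

	os_memset(&addr, 0, sizeof(addr));
	addr.sll_family = AF_PACKET;
	addr.sll_ifindex = ifr.ifr_ifindex;
	wpa_printf(MSG_DEBUG, "Opening raw packet socket for ifindex %d",
		   addr.sll_ifindex);

	if (bind(drv->common.sock, (struct sockaddr *) &addr,
		 sizeof(addr)) < 0) {
		wpa_printf(MSG_ERROR, "macsec_qca: bind: %s", strerror(errno));
		goto fail_unregister;
	}

	/* filter multicast address */
	if (wired_multicast_membership(drv->common.sock, ifr.ifr_ifindex,
				       pae_group_addr, 1) < 0) {
		wpa_printf(MSG_ERROR, "macsec_qca_init_sockets: Failed to add multicast group membership");
		goto fail_unregister;
	}

	os_memset(&ifr, 0, sizeof(ifr));
	os_strlcpy(ifr.ifr_name, drv->common.ifname, sizeof(ifr.ifr_name));
	if (ioctl(drv->common.sock, SIOCGIFHWADDR, &ifr) != 0) {
		wpa_printf(MSG_ERROR, "ioctl(SIOCGIFHWADDR): %s",
			   strerror(errno));
		goto fail_unregister;
	}

	if (ifr.ifr_hwaddr.sa_family != ARPHRD_ETHER) {
		wpa_printf(MSG_INFO, "Invalid HW-addr family 0x%04x",
			   ifr.ifr_hwaddr.sa_family);
		goto fail_unregister;
	}
	os_memcpy(own_addr, ifr.ifr_hwaddr.sa_data, ETH_ALEN);

	return 0;

fail_unregister:
	eloop_unregister_read_sock(drv->common.sock);
fail_close:
	close(drv->common.sock);
	drv->common.sock = -1;
	return -1;
#else /* __linux__ */
	return -1;
#endif /* __linux__ */
}


/*
 * Map an interface name to its SecY id, either through the NSS MACsec driver
 * (when NSS_MACSEC_SECY_ID_GET_FUNC is defined) or through the built-in
 * board-specific table. Returns 0 on success; the table variant returns -1 and
 * stores (u32) -1 in *secy_id for an unknown interface name.
 */
static int macsec_qca_secy_id_get(const char *ifname, u32 *secy_id)
{
#ifdef NSS_MACSEC_SECY_ID_GET_FUNC
	/* Get secy id from nss macsec driver */
	return nss_macsec_secy_id_get((u8 *) ifname, secy_id);
#else /* NSS_MACSEC_SECY_ID_GET_FUNC */
	/* Board specific settings */
	if (os_strcmp(ifname, "eth2") == 0) {
		*secy_id = 1;
	} else if (os_strcmp(ifname, "eth3") == 0) {
		*secy_id = 2;
	} else if (os_strcmp(ifname, "eth4") == 0 ||
		   os_strcmp(ifname, "eth0") == 0) {
		*secy_id = 0;
	} else if (os_strcmp(ifname, "eth5") == 0 ||
		   os_strcmp(ifname, "eth1") == 0) {
		*secy_id = 1;
	} else {
		*secy_id = -1;
		return -1;
	}

	return 0;
#endif /* NSS_MACSEC_SECY_ID_GET_FUNC */
}


/*
 * Driver init: allocate zeroed driver data, resolve the SecY id for ifname and
 * run the common wired-driver initialization. Returns the driver data or NULL
 * on failure.
 */
static void * macsec_qca_init(void *ctx, const char *ifname)
{
	struct macsec_qca_data *drv;

	drv = os_zalloc(sizeof(*drv));
	if (drv == NULL)
		return NULL;

	if (macsec_qca_secy_id_get(ifname, &drv->secy_id)) {
		wpa_printf(MSG_ERROR,
			   "macsec_qca: Failed to get secy_id for %s", ifname);
		os_free(drv);
		return NULL;
	}

	if (driver_wired_init_common(&drv->common, ifname, ctx) < 0) {
		os_free(drv);
		return NULL;
	}

	return drv;
}


/* Counterpart of macsec_qca_init(): common wired deinit, then free drv. */
static void macsec_qca_deinit(void *priv)
{
	struct macsec_qca_data *drv = priv;

	driver_wired_deinit_common(&drv->common);
	os_free(drv);
}


/*
 * hostapd-side init: allocate zeroed driver data, resolve the SecY id and open
 * the raw EAPOL socket. Returns the driver data or NULL on failure.
 */
static void * macsec_qca_hapd_init(struct hostapd_data *hapd,
				   struct wpa_init_params *params)
{
	struct macsec_qca_data *drv;

	drv = os_zalloc(sizeof(struct macsec_qca_data));
	if (!drv) {
		wpa_printf(MSG_INFO,
			   "Could not allocate memory for macsec_qca driver data");
		return NULL;
	}

	if (macsec_qca_secy_id_get(params->ifname, &drv->secy_id)) {
		wpa_printf(MSG_ERROR,
			   "macsec_qca: Failed to get secy_id for %s",
			   params->ifname);
		os_free(drv);
		return NULL;
	}

	drv->common.ctx = hapd;
	os_strlcpy(drv->common.ifname, params->ifname,
		   sizeof(drv->common.ifname));
	drv->use_pae_group_addr = params->use_pae_group_addr;

	/* On failure the socket has already been released by the callee. */
	if (macsec_qca_init_sockets(drv, params->own_addr)) {
		os_free(drv);
		return NULL;
	}

	return drv;
}


/* hostapd-side deinit: unregister and close the socket, then free drv. */
static void macsec_qca_hapd_deinit(void *priv)
{
	struct macsec_qca_data *drv = priv;

	if (drv->common.sock >= 0) {
		eloop_unregister_read_sock(drv->common.sock);
		close(drv->common.sock);
	}

	os_free(drv);
}


/*
 * Send one EAPOL payload in an Ethernet frame with EtherType ETH_P_PAE. The
 * destination is the PAE group address when use_pae_group_addr is set,
 * otherwise addr. encrypt, flags and link_id are not used here.
 *
 * Returns the send() result (negative on failure) or -1 if the frame buffer
 * could not be allocated.
 */
static int macsec_qca_send_eapol(void *priv, const u8 *addr,
				 const u8 *data, size_t data_len, int encrypt,
				 const u8 *own_addr, u32 flags, int link_id)
{
	struct macsec_qca_data *drv = priv;
	struct ieee8023_hdr *hdr;
	size_t len;
	u8 *pos;
	int res;

	len = sizeof(*hdr) + data_len;
	hdr = os_zalloc(len);
	if (!hdr) {
		wpa_printf(MSG_INFO,
			   "malloc() failed for macsec_qca_send_eapol(len=%lu)",
			   (unsigned long) len);
		return -1;
	}

	os_memcpy(hdr->dest, drv->use_pae_group_addr ? pae_group_addr : addr,
		  ETH_ALEN);
	os_memcpy(hdr->src, own_addr, ETH_ALEN);
	hdr->ethertype = htons(ETH_P_PAE);

	pos = (u8 *) (hdr + 1);
	os_memcpy(pos, data, data_len);

	res = send(drv->common.sock, (u8 *) hdr, len, 0);
	os_free(hdr);

	if (res < 0) {
		wpa_printf(MSG_ERROR,
			   "macsec_qca_send_eapol - packet len: %lu - failed: send: %s",
			   (unsigned long) len, strerror(errno));
	}

	return res;
}


/*
 * Record the SCI/ES/SCB settings and initialize the hardware SecY. Always
 * returns 0 (see the note on __macsec_drv_init()).
 */
static int macsec_qca_macsec_init(void *priv, struct macsec_init_params *params)
{
	struct macsec_qca_data *drv = priv;

	drv->always_include_sci = params->always_include_sci;
	drv->use_es = params->use_es;
	drv->use_scb = params->use_scb;

	wpa_printf(MSG_DEBUG, "%s: es=%d, scb=%d, sci=%d",
		   __func__, drv->use_es, drv->use_scb,
		   drv->always_include_sci);

	__macsec_drv_init(drv);

	return 0;
}


/* Disable the SecY and delete all secure channels. Always returns 0. */
static int macsec_qca_macsec_deinit(void *priv)
{
	struct macsec_qca_data *drv = priv;

	wpa_printf(MSG_DEBUG, "%s", __func__);

	__macsec_drv_deinit(drv);

	return 0;
}


/* Report the fixed capability MACSEC_CAP_INTEG_AND_CONF_0_30_50. */
static int macsec_qca_get_capability(void *priv, enum macsec_cap *cap)
{
	wpa_printf(MSG_DEBUG, "%s", __func__);

	*cap = MACSEC_CAP_INTEG_AND_CONF_0_30_50;

	return 0;
}


/*
 * Record the protect_frames setting. Nothing is written to hardware here; the
 * stored value is applied when a transmit SC is created.
 */
static int macsec_qca_enable_protect_frames(void *priv, bool enabled)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;

	wpa_printf(MSG_DEBUG, "%s: enabled=%d", __func__, enabled);

	drv->protect_frames = enabled;

	return ret;
}


/*
 * Record the replay protection setting and window. Nothing is written to
 * hardware here; the stored values are applied when a receive SC is created.
 */
static int macsec_qca_set_replay_protect(void *priv, bool enabled,
					 unsigned int window)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;

	wpa_printf(MSG_DEBUG, "%s: enabled=%d, win=%u",
		   __func__, enabled, window);

	drv->replay_protect = enabled;
	drv->replay_window = window;

	return ret;
}


/*
 * Translate a cipher suite id to the FAL cipher suite enum;
 * FAL_CIPHER_SUITE_MAX is returned for an unsupported id.
 */
static fal_cipher_suite_e macsec_qca_cs_type_get(u64 cs)
{
	if (cs == CS_ID_GCM_AES_128)
		return FAL_CIPHER_SUITE_AES_GCM_128;
	if (cs == CS_ID_GCM_AES_256)
		return FAL_CIPHER_SUITE_AES_GCM_256;
	return FAL_CIPHER_SUITE_MAX;
}


/*
 * Select the cipher suite in hardware. Only GCM-AES-128 and GCM-AES-256 are
 * accepted; any other id is rejected with -1 before hardware is touched.
 */
static int macsec_qca_set_current_cipher_suite(void *priv, u64 cs)
{
	struct macsec_qca_data *drv = priv;
	fal_cipher_suite_e cs_type;

	if (cs != CS_ID_GCM_AES_128 && cs != CS_ID_GCM_AES_256) {
		wpa_printf(MSG_ERROR,
			   "%s: NOT supported CipherSuite: %016" PRIx64,
			   __func__, cs);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "%s: CipherSuite: %016" PRIx64, __func__, cs);

	cs_type = macsec_qca_cs_type_get(cs);
	return nss_macsec_secy_cipher_suite_set(drv->secy_id, cs_type);
}


/* Enable or disable the controlled port in hardware. */
static int macsec_qca_enable_controlled_port(void *priv, bool enabled)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;

	wpa_printf(MSG_DEBUG, "%s: enable=%d", __func__, enabled);

	ret += nss_macsec_secy_controlled_port_en_set(drv->secy_id, enabled);

	return ret;
}


/*
 * Find the channel whose recorded SCI equals *sci (byte-wise compare).
 * Returns 0 and stores the index in *channel, or -1 if no slot matches.
 *
 * NOTE(review): the tables start zeroed (drv comes from os_zalloc()) and the
 * SC delete functions do not clear their slot, so an all-zero SCI matches an
 * unused slot and the SCI of a deleted SC keeps matching until the slot is
 * reused.
 */
static int macsec_qca_lookup_channel(struct channel_map *map,
				     struct ieee802_1x_mka_sci *sci,
				     u32 *channel)
{
	u32 i;

	for (i = 0; i < MAXSC; i++) {
		if (os_memcmp(&map[i].sci, sci,
			      sizeof(struct ieee802_1x_mka_sci)) == 0) {
			*channel = i;
			return 0;
		}
	}

	return -1;
}


/*
 * Record *sci in slot 'channel' of the table. The caller must pass
 * channel < MAXSC; the index is not checked here.
 */
static void macsec_qca_register_channel(struct channel_map *map,
					struct ieee802_1x_mka_sci *sci,
					u32 channel)
{
	os_memcpy(&map[channel].sci, sci, sizeof(struct ieee802_1x_mka_sci));
}


/* Look up the receive channel recorded for sc->sci. */
static int macsec_qca_lookup_receive_channel(struct macsec_qca_data *drv,
					     struct receive_sc *sc,
					     u32 *channel)
{
	return macsec_qca_lookup_channel(drv->receive_channel_map, &sc->sci,
					 channel);
}


/* Record sc->sci as the owner of the given receive channel. */
static void macsec_qca_register_receive_channel(struct macsec_qca_data *drv,
						struct receive_sc *sc,
						u32 channel)
{
	macsec_qca_register_channel(drv->receive_channel_map, &sc->sci,
				    channel);
}


/* Look up the transmit channel recorded for sc->sci. */
static int macsec_qca_lookup_transmit_channel(struct macsec_qca_data *drv,
					      struct transmit_sc *sc,
					      u32 *channel)
{
	return macsec_qca_lookup_channel(drv->transmit_channel_map, &sc->sci,
					 channel);
}


/* Record sc->sci as the owner of the given transmit channel. */
static void macsec_qca_register_transmit_channel(struct macsec_qca_data *drv,
						 struct transmit_sc *sc,
						 u32 channel)
{
	macsec_qca_register_channel(drv->transmit_channel_map, &sc->sci,
				    channel);
}


/*
 * Compute sa->lowest_pn from the hardware next PN. With replay protection
 * enabled on the channel this is next_pn - window, floored at 1; otherwise it
 * is next_pn itself. Returns the sum of the hardware call results, or the
 * lookup error if the SC has no channel.
 */
static int macsec_qca_get_receive_lowest_pn(void *priv, struct receive_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;
	u32 next_pn = 0;
	bool enabled = false;
	/* Initialized so a failed window query cannot leave it indeterminate */
	u32 win = 0;
	u32 channel;

	ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	ret += nss_macsec_secy_rx_sa_next_pn_get(drv->secy_id, channel, sa->an,
						 &next_pn);
	ret += nss_macsec_secy_rx_sc_replay_protect_get(drv->secy_id, channel,
							&enabled);
	ret += nss_macsec_secy_rx_sc_anti_replay_window_get(drv->secy_id,
							    channel, &win);

	if (enabled)
		sa->lowest_pn = (next_pn > win) ? (next_pn - win) : 1;
	else
		sa->lowest_pn = next_pn;

	wpa_printf(MSG_DEBUG, "%s: lpn=0x%x", __func__, sa->lowest_pn);

	return ret;
}


/* Read the hardware next PN of a transmit SA into sa->next_pn. */
static int macsec_qca_get_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;
	u32 channel;

	ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	ret += nss_macsec_secy_tx_sa_next_pn_get(drv->secy_id, channel, sa->an,
						 &sa->next_pn);

	wpa_printf(MSG_DEBUG, "%s: npn=0x%x", __func__, sa->next_pn);

	return ret;
}


/* Write sa->next_pn to hardware as the next PN of a transmit SA. */
static int macsec_qca_set_transmit_next_pn(void *priv, struct transmit_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;
	u32 channel;

	ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
						 sa->next_pn);

	wpa_printf(MSG_INFO, "%s: npn=0x%x", __func__, sa->next_pn);

	return ret;
}


/*
 * Find the first receive channel the hardware reports as not in use. Channels
 * whose query fails are skipped. Returns 0 with *channel set, or -1 if none is
 * free.
 */
static int macsec_qca_get_available_receive_sc(void *priv, u32 *channel)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;
	u32 sc_ch = 0;
	bool in_use = false;

	for (sc_ch = 0; sc_ch < MAXSC; sc_ch++) {
		ret = nss_macsec_secy_rx_sc_in_used_get(drv->secy_id, sc_ch,
							&in_use);
		if (ret)
			continue;

		if (!in_use) {
			*channel = sc_ch;
			wpa_printf(MSG_DEBUG, "%s: channel=%d",
				   __func__, *channel);
			return 0;
		}
	}

	wpa_printf(MSG_DEBUG, "%s: no available channel", __func__);

	return -1;
}


/*
 * Create a receive SC on a free channel: program the RX lookup entry with the
 * 8-byte SCI (MAC address plus port), create the SC, and apply the frame
 * validation mode and the recorded replay protection settings. A validation
 * value other than Strict or Checked disables frame validation.
 *
 * The SCI is recorded in the channel table even if a hardware call failed;
 * the return value is the sum of the hardware call results.
 */
static int macsec_qca_create_receive_sc(void *priv, struct receive_sc *sc,
					unsigned int conf_offset,
					int validation)
{
	struct macsec_qca_data *drv = priv;
	int ret = 0;
	fal_rx_prc_lut_t entry;
	fal_rx_sc_validate_frame_e vf;
	enum validate_frames validate_frames = validation;
	u32 channel;
	const u8 *sci_addr = sc->sci.addr;
	u16 sci_port = be_to_host16(sc->sci.port);

	ret = macsec_qca_get_available_receive_sc(priv, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);

	/* rx prc lut */
	os_memset(&entry, 0, sizeof(entry));

	os_memcpy(entry.sci, sci_addr, ETH_ALEN);
	entry.sci[6] = (sci_port >> 8) & 0xff;
	entry.sci[7] = sci_port & 0xff;
	entry.sci_mask = 0xf;

	entry.valid = 1;
	entry.channel = channel;
	entry.action = FAL_RX_PRC_ACTION_PROCESS;
	entry.offset = conf_offset;

	/* rx validate frame  */
	if (validate_frames == Strict)
		vf = FAL_RX_SC_VALIDATE_FRAME_STRICT;
	else if (validate_frames == Checked)
		vf = FAL_RX_SC_VALIDATE_FRAME_CHECK;
	else
		vf = FAL_RX_SC_VALIDATE_FRAME_DISABLED;

	ret += nss_macsec_secy_rx_prc_lut_set(drv->secy_id, channel, &entry);
	ret += nss_macsec_secy_rx_sc_create(drv->secy_id, channel);
	ret += nss_macsec_secy_rx_sc_validate_frame_set(drv->secy_id, channel,
							vf);
	ret += nss_macsec_secy_rx_sc_replay_protect_set(drv->secy_id, channel,
							drv->replay_protect);
	ret += nss_macsec_secy_rx_sc_anti_replay_window_set(drv->secy_id,
							    channel,
							    drv->replay_window);

	macsec_qca_register_receive_channel(drv, sc, channel);

	return ret;
}


/*
 * Delete a receive SC and overwrite its RX lookup entry with an all-zero
 * entry. The slot in the channel table is left as is.
 */
static int macsec_qca_delete_receive_sc(void *priv, struct receive_sc *sc)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	fal_rx_prc_lut_t entry;
	u32 channel;

	ret = macsec_qca_lookup_receive_channel(priv, sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);

	/* rx prc lut */
	os_memset(&entry, 0, sizeof(entry));

	ret += nss_macsec_secy_rx_sc_del(drv->secy_id, channel);
	ret += nss_macsec_secy_rx_prc_lut_set(drv->secy_id, channel, &entry);

	return ret;
}


/*
 * Create a receive SA and install its SAK. The key bytes are written in
 * reversed order; a 256-bit key is split across the sak1 and sak fields. The
 * confidentiality offset of the key is written into the channel's RX lookup
 * entry.
 *
 * Returns -1 for an unsupported key length or confidentiality offset,
 * otherwise the sum of the hardware call results. The local copy of the SAK is
 * wiped on every path that leaves the function after the key was copied.
 */
static int macsec_qca_create_receive_sa(void *priv, struct receive_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	int lut_ret;
	fal_rx_sak_t rx_sak;
	int i = 0;
	u32 channel;
	fal_rx_prc_lut_t entry;
	u32 offset;

	ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s, channel=%d, an=%d, lpn=0x%x",
		   __func__, channel, sa->an, sa->lowest_pn);

	os_memset(&rx_sak, 0, sizeof(rx_sak));

	rx_sak.sak_len = sa->pkey->key_len;
	if (sa->pkey->key_len == SAK_128_LEN) {
		for (i = 0; i < 16; i++)
			rx_sak.sak[i] = sa->pkey->key[15 - i];
	} else if (sa->pkey->key_len == SAK_256_LEN) {
		for (i = 0; i < 16; i++) {
			rx_sak.sak1[i] = sa->pkey->key[15 - i];
			rx_sak.sak[i] = sa->pkey->key[31 - i];
		}
	} else {
		ret = -1;
		goto out;
	}

	if (sa->pkey->confidentiality_offset == CONFIDENTIALITY_OFFSET_0) {
		offset = 0;
	} else if (sa->pkey->confidentiality_offset ==
		   CONFIDENTIALITY_OFFSET_30) {
		offset = 30;
	} else if (sa->pkey->confidentiality_offset ==
		   CONFIDENTIALITY_OFFSET_50) {
		offset = 50;
	} else {
		ret = -1;
		goto out;
	}

	/*
	 * Only write the lookup entry back when it was actually read;
	 * otherwise 'entry' would carry whatever the failed call left in it
	 * into the hardware table.
	 */
	os_memset(&entry, 0, sizeof(entry));
	lut_ret = nss_macsec_secy_rx_prc_lut_get(drv->secy_id, channel,
						 &entry);
	ret += lut_ret;
	if (lut_ret == 0) {
		entry.offset = offset;
		ret += nss_macsec_secy_rx_prc_lut_set(drv->secy_id, channel,
						      &entry);
	}
	ret += nss_macsec_secy_rx_sa_create(drv->secy_id, channel, sa->an);
	ret += nss_macsec_secy_rx_sak_set(drv->secy_id, channel, sa->an,
					  &rx_sak);

out:
	/* Do not leave a copy of the SAK on the stack */
	forced_memzero(&rx_sak, sizeof(rx_sak));
	return ret;
}


/* Enable a receive SA in hardware. */
static int macsec_qca_enable_receive_sa(void *priv, struct receive_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	u32 channel;

	ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
		   sa->an);

	ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, sa->an,
					    true);

	return ret;
}


/* Disable a receive SA in hardware. */
static int macsec_qca_disable_receive_sa(void *priv, struct receive_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	u32 channel;

	ret = macsec_qca_lookup_receive_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
		   sa->an);

	ret += nss_macsec_secy_rx_sa_en_set(drv->secy_id, channel, sa->an,
					    false);

	return ret;
}


/*
 * Find the first transmit channel the hardware reports as not in use. Channels
 * whose query fails are skipped. Returns 0 with *channel set, or -1 if none is
 * free.
 */
static int macsec_qca_get_available_transmit_sc(void *priv, u32 *channel)
{
	struct macsec_qca_data *drv = priv;
	u32 sc_ch = 0;
	bool in_use = false;

	for (sc_ch = 0; sc_ch < MAXSC; sc_ch++) {
		if (nss_macsec_secy_tx_sc_in_used_get(drv->secy_id, sc_ch,
						      &in_use))
			continue;

		if (!in_use) {
			*channel = sc_ch;
			wpa_printf(MSG_DEBUG, "%s: channel=%d",
				   __func__, *channel);
			return 0;
		}
	}

	wpa_printf(MSG_DEBUG, "%s: no available channel", __func__);

	return -1;
}


/*
 * Create a transmit SC on a free channel: program the TX class entry, create
 * the SC with the 8-byte SCI (MAC address plus port), and apply the recorded
 * protect_frames setting and the confidentiality offset.
 *
 * The SCI is recorded in the channel table even if a hardware call failed;
 * the return value is the sum of the hardware call results.
 */
static int macsec_qca_create_transmit_sc(void *priv, struct transmit_sc *sc,
					 unsigned int conf_offset)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	fal_tx_class_lut_t entry;
	u8 psci[ETH_ALEN + 2];
	u32 channel;
	u16 sci_port = be_to_host16(sc->sci.port);

	ret = macsec_qca_get_available_transmit_sc(priv, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);

	/* class lut */
	os_memset(&entry, 0, sizeof(entry));

	entry.valid = 1;
	entry.action = FAL_TX_CLASS_ACTION_FORWARD;
	entry.channel = channel;

	os_memcpy(psci, sc->sci.addr, ETH_ALEN);
	psci[6] = (sci_port >> 8) & 0xff;
	psci[7] = sci_port & 0xff;

	ret += nss_macsec_secy_tx_class_lut_set(drv->secy_id, channel, &entry);
	ret += nss_macsec_secy_tx_sc_create(drv->secy_id, channel, psci, 8);
	ret += nss_macsec_secy_tx_sc_protect_set(drv->secy_id, channel,
						 drv->protect_frames);
	ret += nss_macsec_secy_tx_sc_confidentiality_offset_set(drv->secy_id,
								channel,
								conf_offset);

	macsec_qca_register_transmit_channel(drv, sc, channel);

	return ret;
}


/*
 * Overwrite the TX class entry of a transmit SC with an all-zero entry and
 * delete the SC. The slot in the channel table is left as is.
 */
static int macsec_qca_delete_transmit_sc(void *priv, struct transmit_sc *sc)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	fal_tx_class_lut_t entry;
	u32 channel;

	ret = macsec_qca_lookup_transmit_channel(priv, sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d", __func__, channel);

	/* class lut */
	os_memset(&entry, 0, sizeof(entry));

	ret += nss_macsec_secy_tx_class_lut_set(drv->secy_id, channel, &entry);
	ret += nss_macsec_secy_tx_sc_del(drv->secy_id, channel);

	return ret;
}


/*
 * Create a transmit SA: build the TCI bits from the recorded SCI/ES/SCB
 * settings and sa->confidentiality, then program the confidentiality offset,
 * next PN, SAK, TCI and AN. The key bytes are written in reversed order; a
 * 256-bit key is split across the sak1 and sak fields.
 *
 * Returns -1 for an unsupported key length or confidentiality offset,
 * otherwise the sum of the hardware call results. The local copy of the SAK is
 * wiped on every path that leaves the function after the key was copied.
 */
static int macsec_qca_create_transmit_sa(void *priv, struct transmit_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	u8 tci = 0;
	fal_tx_sak_t tx_sak;
	int i;
	u32 channel;
	u32 offset;

	ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG,
		   "%s: channel=%d, an=%d, next_pn=0x%x, confidentiality=%d",
		   __func__, channel, sa->an, sa->next_pn, sa->confidentiality);

	/* At most one of SC, ES and SCB is set, in this order of preference */
	if (drv->always_include_sci)
		tci |= TCI_SC;
	else if (drv->use_es)
		tci |= TCI_ES;
	else if (drv->use_scb)
		tci |= TCI_SCB;

	if (sa->confidentiality)
		tci |= TCI_E | TCI_C;

	os_memset(&tx_sak, 0, sizeof(tx_sak));

	tx_sak.sak_len = sa->pkey->key_len;
	if (sa->pkey->key_len == SAK_128_LEN) {
		for (i = 0; i < 16; i++)
			tx_sak.sak[i] = sa->pkey->key[15 - i];
	} else if (sa->pkey->key_len == SAK_256_LEN) {
		for (i = 0; i < 16; i++) {
			tx_sak.sak1[i] = sa->pkey->key[15 - i];
			tx_sak.sak[i] = sa->pkey->key[31 - i];
		}
	} else {
		ret = -1;
		goto out;
	}

	if (sa->pkey->confidentiality_offset == CONFIDENTIALITY_OFFSET_0) {
		offset = 0;
	} else if (sa->pkey->confidentiality_offset ==
		   CONFIDENTIALITY_OFFSET_30) {
		offset = 30;
	} else if (sa->pkey->confidentiality_offset ==
		   CONFIDENTIALITY_OFFSET_50) {
		offset = 50;
	} else {
		ret = -1;
		goto out;
	}

	ret += nss_macsec_secy_tx_sc_confidentiality_offset_set(drv->secy_id,
								channel,
								offset);
	ret += nss_macsec_secy_tx_sa_next_pn_set(drv->secy_id, channel, sa->an,
						 sa->next_pn);
	ret += nss_macsec_secy_tx_sak_set(drv->secy_id, channel, sa->an,
					  &tx_sak);
	ret += nss_macsec_secy_tx_sc_tci_7_2_set(drv->secy_id, channel,
						 (tci >> 2));
	ret += nss_macsec_secy_tx_sc_an_set(drv->secy_id, channel, sa->an);

out:
	/* Do not leave a copy of the SAK on the stack */
	forced_memzero(&tx_sak, sizeof(tx_sak));
	return ret;
}


/* Enable a transmit SA in hardware. */
static int macsec_qca_enable_transmit_sa(void *priv, struct transmit_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	u32 channel;

	ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
		   sa->an);

	ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, sa->an,
					    true);

	return ret;
}


/* Disable a transmit SA in hardware. */
static int macsec_qca_disable_transmit_sa(void *priv, struct transmit_sa *sa)
{
	struct macsec_qca_data *drv = priv;
	int ret;
	u32 channel;

	ret = macsec_qca_lookup_transmit_channel(priv, sa->sc, &channel);
	if (ret != 0)
		return ret;

	wpa_printf(MSG_DEBUG, "%s: channel=%d, an=%d", __func__, channel,
		   sa->an);

	ret += nss_macsec_secy_tx_sa_en_set(drv->secy_id, channel, sa->an,
					    false);

	return ret;
}


/* Driver operations table exported for the "macsec_qca" driver */
const struct wpa_driver_ops wpa_driver_macsec_qca_ops = {
	.name = "macsec_qca",
	.desc = "QCA MACsec Ethernet driver",
	.get_ssid = driver_wired_get_ssid,
	.get_bssid = driver_wired_get_bssid,
	.get_capa = driver_wired_get_capa,
	.init = macsec_qca_init,
	.deinit = macsec_qca_deinit,
	.hapd_init = macsec_qca_hapd_init,
	.hapd_deinit = macsec_qca_hapd_deinit,
	.hapd_send_eapol = macsec_qca_send_eapol,

	.macsec_init = macsec_qca_macsec_init,
	.macsec_deinit = macsec_qca_macsec_deinit,
	.macsec_get_capability = macsec_qca_get_capability,
	.enable_protect_frames = macsec_qca_enable_protect_frames,
	.set_replay_protect = macsec_qca_set_replay_protect,
	.set_current_cipher_suite = macsec_qca_set_current_cipher_suite,
	.enable_controlled_port = macsec_qca_enable_controlled_port,
	.get_receive_lowest_pn = macsec_qca_get_receive_lowest_pn,
	.get_transmit_next_pn = macsec_qca_get_transmit_next_pn,
	.set_transmit_next_pn = macsec_qca_set_transmit_next_pn,
	.create_receive_sc = macsec_qca_create_receive_sc,
	.delete_receive_sc = macsec_qca_delete_receive_sc,
	.create_receive_sa = macsec_qca_create_receive_sa,
	.enable_receive_sa = macsec_qca_enable_receive_sa,
	.disable_receive_sa = macsec_qca_disable_receive_sa,
	.create_transmit_sc = macsec_qca_create_transmit_sc,
	.delete_transmit_sc = macsec_qca_delete_transmit_sc,
	.create_transmit_sa = macsec_qca_create_transmit_sa,
	.enable_transmit_sa = macsec_qca_enable_transmit_sa,
	.disable_transmit_sa = macsec_qca_disable_transmit_sa,
};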