1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3  * MACsec netdev header, used for h/w accelerated implementations.
4  *
5  * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
6  */
7 #ifndef _NET_MACSEC_H_
8 #define _NET_MACSEC_H_
9 
10 #include <linux/u64_stats_sync.h>
11 #include <uapi/linux/if_link.h>
12 #include <uapi/linux/if_macsec.h>
13 
/*
 * Secure Channel Identifier. __bitwise is a sparse annotation: it keeps sci_t
 * values from being silently mixed with plain integers.
 */
typedef u64 __bitwise sci_t;

/*
 * The association number is 2 bits wide, so a secure channel holds at most
 * MACSEC_NUM_AN associations. Any index into the sa[] arrays declared below
 * (for instance an assoc_num taken from configuration input) must be checked
 * against this bound before it is used.
 */
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
17 
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier, MACSEC_KEYID_LEN bytes; this names the
 *	key, it is not the secret itself
 * @tfm: crypto struct, key storage; the AEAD transform that holds the actual
 *	key material
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
};
27 
/**
 * struct macsec_rx_sc_stats - receive secure channel counters
 * @InOctetsValidated: octets of frames that passed integrity validation
 * @InOctetsDecrypted: octets of frames that were decrypted
 * @InPktsUnchecked: frames accepted without being validated
 * @InPktsDelayed: frames whose packet number fell behind the replay window
 *	but were accepted because replay protection is off
 * @InPktsOK: frames validated successfully
 * @InPktsInvalid: frames that failed validation but were still delivered
 * @InPktsLate: frames dropped because their packet number fell behind the
 *	replay window while replay protection is on
 * @InPktsNotValid: frames dropped because validation failed
 * @InPktsNotUsingSA: frames dropped because no SA matched their
 *	association number
 * @InPktsUnusedSA: frames delivered although no SA matched their
 *	association number
 *
 * NOTE(review): the descriptions above follow the IEEE 802.1AE receive
 * counters of the same name; confirm against the code that increments them.
 * These are 64-bit fields; they are wrapped together with a u64_stats_sync
 * in struct pcpu_rx_sc_stats.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
40 
/**
 * struct macsec_rx_sa_stats - per receive SA counters
 * @InPktsOK: frames validated successfully on this SA
 * @InPktsInvalid: frames that failed validation but were still delivered
 * @InPktsNotValid: frames dropped because validation failed
 * @InPktsNotUsingSA: frames dropped because this SA could not be used
 * @InPktsUnusedSA: frames delivered although this SA could not be used
 *
 * 32-bit counters, unlike the per-SC ones, and referenced directly as a
 * __percpu pointer from struct macsec_rx_sa rather than through a wrapper
 * with a u64_stats_sync. Semantics mirror the per-SC counters of the same
 * name (see struct macsec_rx_sc_stats) - confirm against the receive path.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
48 
/**
 * struct macsec_tx_sa_stats - per transmit SA counters
 * @OutPktsProtected: frames integrity-protected (authenticated only) with
 *	this SA
 * @OutPktsEncrypted: frames encrypted with this SA
 *
 * Which of the two a frame lands in presumably follows the @encrypt flag of
 * struct macsec_tx_sc. 32-bit, like the other per-SA counters.
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
53 
/**
 * struct macsec_tx_sc_stats - transmit secure channel counters
 * @OutPktsProtected: frames integrity-protected (authenticated only)
 * @OutPktsEncrypted: frames encrypted
 * @OutOctetsProtected: octets of integrity-protected frames
 * @OutOctetsEncrypted: octets of encrypted frames
 *
 * 64-bit fields, wrapped together with a u64_stats_sync in
 * struct pcpu_tx_sc_stats. Which pair a frame counts toward presumably
 * follows the @encrypt flag of struct macsec_tx_sc.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
60 
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @lock: protects next_pn manipulations
 * @next_pn: packet number expected for the next packet; the replay checks
 *	governed by @replay_protect / @replay_window in struct macsec_secy are
 *	presumably evaluated against it - confirm in the receive path
 * @refcnt: reference count on this SA
 * @active: association is active, i.e. usable for receive
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head for deferred freeing once all readers are done
 */
struct macsec_rx_sa {
	struct macsec_key key;
	spinlock_t lock;
	u32 next_pn;
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
79 
/**
 * struct pcpu_rx_sc_stats - per-cpu receive SC counters
 * @stats: the 64-bit counters
 * @syncp: u64_stats_sync guarding @stats, so readers obtain consistent
 *	64-bit values where such reads are not atomic
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
84 
/**
 * struct pcpu_tx_sc_stats - per-cpu transmit SC counters
 * @stats: the 64-bit counters
 * @syncp: u64_stats_sync guarding @stats, so readers obtain consistent
 *	64-bit values where such reads are not atomic
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
89 
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next channel in the SecY's RCU-protected list (head is
 *	struct macsec_secy @rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 *	(0 .. MACSEC_NUM_AN - 1); RCU pointers. NOTE(review): slots that are
 *	not configured are presumably NULL - check before dereferencing
 * @stats: per-SC stats
 * @refcnt: reference count on this channel
 * @rcu_head: RCU head for deferred freeing once all readers are done
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
106 
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @lock: protects next_pn manipulations
 * @next_pn: packet number to use for the next packet. NOTE(review): a 32-bit
 *	packet number must never repeat under the same key (it feeds the AEAD
 *	nonce), so once it wraps the SA has to be retired; macsec_pn_wrapped()
 *	below is presumably the hook for that - confirm against its
 *	implementation
 * @refcnt: reference count on this SA
 * @active: association is active, i.e. usable for transmit
 * @stats: per-SA stats
 * @rcu: RCU head for deferred freeing once all readers are done
 */
struct macsec_tx_sa {
	struct macsec_key key;
	spinlock_t lock;
	u32 next_pn;
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
124 
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use; an index
 *	into @sa, so it must stay below MACSEC_NUM_AN
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station (ES) flag carried in the SecTAG, alongside
 *	@scb - confirm against the TCI encoding
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 *	(0 .. MACSEC_NUM_AN - 1); RCU pointers
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};
146 
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type from the
 *	uapi header)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive. NOTE(review):
 *	with this off, frames behind the window are presumably still delivered
 *	and only counted (see InPktsDelayed in struct macsec_rx_sc_stats)
 * @replay_window: size of the replay window, in packet numbers; only
 *	meaningful when @replay_protect is set
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels, RCU-protected and chained
 *	through struct macsec_rx_sc @next
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
176 
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @phydev: PHY device the offload is directed to
 * @offload: where the offload takes place (enum macsec_offload from the uapi
 *	header)
 * @secy: SecY the operation applies to
 * @rx_sc: receive secure channel the operation applies to; presumably only
 *	meaningful for the rxsc / rxsa operations of struct macsec_ops
 * @sa: secure association the operation applies to; presumably only
 *	meaningful for the rxsa / txsa operations
 * @sa.assoc_num: association number of the SA. NOTE(review): this is an
 *	index into the sa[] arrays, so a consumer must check it against
 *	MACSEC_NUM_AN before using it as one
 * @sa.key: NOTE(review): sized MACSEC_KEYID_LEN, so this appears to carry
 *	the key identifier rather than key bytes - confirm with callers
 * @sa.rx_sa: receive SA, for the rxsa operations
 * @sa.tx_sa: transmit SA, for the txsa operations; shares storage with
 *	@sa.rx_sa, so only the one matching the operation is valid
 * @prepare: single-bit flag. NOTE(review): presumably set for a preparation
 *	pass ahead of the actual operation - confirm with callers
 */
struct macsec_context {
	struct phy_device *phydev;
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_KEYID_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;

	u8 prepare:1;
};
197 
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide: the offloading device is being opened
 * @mdo_dev_stop: device-wide: the offloading device is being stopped
 * @mdo_add_secy: add the SecY in ctx->secy
 * @mdo_upd_secy: update the SecY in ctx->secy
 * @mdo_del_secy: delete the SecY in ctx->secy
 * @mdo_add_rxsc: add the receive SC in ctx->rx_sc
 * @mdo_upd_rxsc: update the receive SC in ctx->rx_sc
 * @mdo_del_rxsc: delete the receive SC in ctx->rx_sc
 * @mdo_add_rxsa: add the receive SA described by ctx->sa
 * @mdo_upd_rxsa: update the receive SA described by ctx->sa
 * @mdo_del_rxsa: delete the receive SA described by ctx->sa
 * @mdo_add_txsa: add the transmit SA described by ctx->sa
 * @mdo_upd_txsa: update the transmit SA described by ctx->sa
 * @mdo_del_txsa: delete the transmit SA described by ctx->sa
 *
 * Every callback takes a struct macsec_context naming the object it acts on.
 * The int return convention (0 on success, negative errno on failure) is not
 * stated in this header and should be confirmed against the callers.
 * NOTE(review): an implementation must validate ctx->sa.assoc_num against
 * MACSEC_NUM_AN before indexing any per-AN table with it.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
};
221 
/**
 * macsec_pn_wrapped - report that a transmit SA's packet number wrapped
 * @secy: SecY owning the SA
 * @tx_sa: transmit SA whose next_pn wrapped around
 *
 * NOTE(review): the name suggests this is the hook an offloading driver
 * calls when the hardware packet number overflows; confirm against the
 * implementation. Transmitting further frames under the same key after a
 * wrap would reuse packet numbers, so the caller should presumably expect
 * the SA to be retired rather than continue using it.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
223 
224 #endif /* _NET_MACSEC_H_ */