/* SPDX-License-Identifier: GPL-2.0+ */
/*
 * MACsec netdev header, used for h/w accelerated implementations.
 *
 * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
 */
#ifndef _NET_MACSEC_H_
#define _NET_MACSEC_H_

#include <linux/u64_stats_sync.h>
#include <uapi/linux/if_link.h>
#include <uapi/linux/if_macsec.h>

/*
 * Packet number (PN) length: a 32-bit PN by default, a 64-bit PN when
 * extended packet numbering (XPN) is in use. The two sizes correspond to
 * the u32 halves and the u64 full64 view of pn_t below.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/* XPN salt length; equals the packed (u32 ssci + u64 pn) layout of salt_t */
#define MACSEC_SALT_LEN 12
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */

/*
 * Secure Channel Identifier (SCI) and Short SCI (SSCI). __bitwise lets
 * sparse flag accidental mixing of these identifiers with plain integers.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;

/*
 * XPN salt: the SSCI followed by the packet number, viewable either as the
 * two packed fields or as a flat MACSEC_SALT_LEN-byte array. __packed keeps
 * the two views the same size (4 + 8 == 12 bytes, no padding after @ssci).
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;

/*
 * Packet number, accessible as a 64-bit value (@full64) or as its two 32-bit
 * halves. The member order is chosen per host byte order so that @lower and
 * @upper always alias the low and high 32 bits of @full64.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;

/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes); this is an
 *	identifier only, the key material itself lives in @tfm
 * @tfm: crypto struct, key storage
 * @salt: salt used to generate IV in XPN cipher suites
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};

/*
 * Receive SC counters (64-bit). Field names mirror the MACsec MIB entries.
 * Note the per-SA variants below are only 32-bit wide.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};

/* Receive SA counters (32-bit) */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};

/* Transmit SA counters (32-bit) */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};

/* Transmit SC counters (64-bit) */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};

/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage)
 * @next_pn: packet number expected for the next packet
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @sc: receive SC this SA is attached to
 * @rcu: RCU head for deferred release
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};

/**
 * struct pcpu_rx_sc_stats - per-CPU receive SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync protecting consistent reads of @stats
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct pcpu_tx_sc_stats - per-CPU transmit SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync protecting consistent reads of @stats
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};

/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next SC in the SecY's RCU-protected @rx_sc list
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number
 * @stats: per-SC stats
 * @refcnt: reference count
 * @rcu_head: RCU head for deferred release
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};

/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage)
 * @next_pn: packet number to use for the next packet
 * @refcnt: reference count
 * @active: SA is active
 * @stats: per-SA stats
 * @rcu: RCU head for deferred release
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};

/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (presumably the ES bit of the SecTAG,
 *	alongside @scb -- confirm against the SecTAG encoding)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};

/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};

/**
 * struct macsec_context - MACsec context for hardware offloading
 * @phydev: PHY device the operation is offloaded to (presumably only
 *	meaningful when @offload selects PHY offload -- confirm in the caller)
 * @offload: offload type for this context
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC the operation applies to, when relevant
 * @sa: SA the operation applies to, when relevant
 * @sa.assoc_num: association number of the SA
 * @sa.key: key identifier (MACSEC_KEYID_LEN bytes, same size as
 *	&macsec_key.id); an identifier, not key material
 * @sa.rx_sa: the receive SA
 * @sa.tx_sa: the transmit SA (shares storage with @sa.rx_sa)
 * @prepare: single-bit prepare flag; presumably distinguishes a prepare pass
 *	from the actual operation when the macsec_ops are invoked -- confirm
 *	against the MACsec core
 */
struct macsec_context {
	struct phy_device *phydev;
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		u8 key[MACSEC_KEYID_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;

	u8 prepare:1;
};

/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: device-wide open
 * @mdo_dev_stop: device-wide stop
 * @mdo_add_secy: add a SecY
 * @mdo_upd_secy: update a SecY
 * @mdo_del_secy: delete a SecY
 * @mdo_add_rxsc: add a receive SC
 * @mdo_upd_rxsc: update a receive SC
 * @mdo_del_rxsc: delete a receive SC
 * @mdo_add_rxsa: add a receive SA
 * @mdo_upd_rxsa: update a receive SA
 * @mdo_del_rxsa: delete a receive SA
 * @mdo_add_txsa: add a transmit SA
 * @mdo_upd_txsa: update a transmit SA
 * @mdo_del_txsa: delete a transmit SA
 *
 * Every operation receives the &struct macsec_context describing the object
 * to act on and returns an int (0 on success; presumably a negative errno
 * otherwise -- confirm against the drivers).
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
};

/*
 * Prototype only; the implementation is not in this header. Presumably
 * called by an offloading driver when @tx_sa's packet number has wrapped,
 * so the SecY can react -- confirm against the implementation.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);

#endif /* _NET_MACSEC_H_ */