1 /* SPDX-License-Identifier: GPL-2.0+ */
2 /*
3  * MACsec netdev header, used for h/w accelerated implementations.
4  *
5  * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
6  */
7 #ifndef _NET_MACSEC_H_
8 #define _NET_MACSEC_H_
9 
10 #include <linux/u64_stats_sync.h>
11 #include <uapi/linux/if_link.h>
12 #include <uapi/linux/if_macsec.h>
13 
14 #define MACSEC_DEFAULT_PN_LEN 4	/* packet number length in bytes for non-XPN cipher suites */
15 #define MACSEC_XPN_PN_LEN 8	/* packet number length in bytes for XPN cipher suites (64-bit PN) */
16 
17 #define MACSEC_SALT_LEN 12	/* XPN salt length in bytes, must match sizeof(salt_t) below */
18 #define MACSEC_NUM_AN 4 /* 2 bits for the association number */
19 
20 typedef u64 __bitwise sci_t;	/* secure channel identifier (SCI); __bitwise so sparse flags mixing with plain u64 */
21 typedef u32 __bitwise ssci_t;	/* short SCI (SSCI); carried in the XPN salt, see salt_t */
22 
23 typedef union salt {	/* XPN salt: 12 bytes, viewed as (ssci, pn) or as raw bytes */
24 	struct {
25 		u32 ssci;	/* short SCI */
26 		u64 pn;		/* packet number */
27 	} __packed;	/* __packed: 4 + 8 bytes must overlay bytes[] with no padding */
28 	u8 bytes[MACSEC_SALT_LEN];
29 } __packed salt_t;
30 
31 typedef union pn {	/* 64-bit packet number, also addressable as two 32-bit halves */
32 	struct {
33 #if defined(__LITTLE_ENDIAN_BITFIELD)
34 		u32 lower;	/* low 32 bits of full64 (the non-XPN PN) */
35 		u32 upper;	/* high 32 bits of full64 */
36 #elif defined(__BIG_ENDIAN_BITFIELD)
37 		u32 upper;
38 		u32 lower;
39 #else
40 #error	"Please fix <asm/byteorder.h>"
41 #endif
42 	};	/* member order follows host byte order so lower/upper overlay full64 correctly */
43 	u64 full64;
44 } pn_t;
45 
46 /**
47  * struct macsec_key - SA key
48  * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes); identifies the key, it is not the key itself
49  * @tfm: crypto struct, key storage (the AEAD transform that holds the key material)
50  * @salt: salt used to generate IV in XPN cipher suites
51  */
52 struct macsec_key {
53 	u8 id[MACSEC_KEYID_LEN];
54 	struct crypto_aead *tfm;
55 	salt_t salt;
56 };
57 
/*
 * Per-RXSC counters. Names follow the MACsec MIB (IEEE 802.1AE); the
 * In*Late/In*Delayed counters relate to the replay-window checks enabled by
 * struct macsec_secy.replay_protect.
 */
58 struct macsec_rx_sc_stats {
59 	__u64 InOctetsValidated;
60 	__u64 InOctetsDecrypted;
61 	__u64 InPktsUnchecked;
62 	__u64 InPktsDelayed;
63 	__u64 InPktsOK;
64 	__u64 InPktsInvalid;
65 	__u64 InPktsLate;
66 	__u64 InPktsNotValid;
67 	__u64 InPktsNotUsingSA;
68 	__u64 InPktsUnusedSA;
69 };
70 
/* Per-RXSA counters. Note these are 32-bit, unlike the per-SC __u64 counters above. */
71 struct macsec_rx_sa_stats {
72 	__u32 InPktsOK;
73 	__u32 InPktsInvalid;
74 	__u32 InPktsNotValid;
75 	__u32 InPktsNotUsingSA;
76 	__u32 InPktsUnusedSA;
77 };
78 
/* Per-TXSA counters (32-bit, like macsec_rx_sa_stats). */
79 struct macsec_tx_sa_stats {
80 	__u32 OutPktsProtected;	/* frames sent authenticate-only */
81 	__u32 OutPktsEncrypted;	/* frames sent encrypted */
82 };
83 
/* Per-TXSC counters; "Protected" is authenticate-only, "Encrypted" is with confidentiality. */
84 struct macsec_tx_sc_stats {
85 	__u64 OutPktsProtected;
86 	__u64 OutPktsEncrypted;
87 	__u64 OutOctetsProtected;
88 	__u64 OutOctetsEncrypted;
89 };
90 
/*
 * Per-device (SecY) counters for frames that never reached an SC/SA: untagged,
 * badly tagged, unknown SCI, oversize, etc. MIB names as above.
 */
91 struct macsec_dev_stats {
92 	__u64 OutPktsUntagged;
93 	__u64 InPktsUntagged;
94 	__u64 OutPktsTooLong;
95 	__u64 InPktsNoTag;
96 	__u64 InPktsBadTag;
97 	__u64 InPktsUnknownSCI;
98 	__u64 InPktsNoSCI;
99 	__u64 InPktsOverrun;
100 };
101 
102 /**
103  * struct macsec_rx_sa - receive secure association
104  * @key: key structure
105  * @ssci: short secure channel identifier
106  * @lock: protects next_pn manipulations
107  * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
108  * @next_pn: packet number expected for the next packet (replay-check state,
109  *	read and updated under @lock)
110  * @refcnt: reference count on this SA
111  * @active: SA is enabled
112  * @stats: per-SA stats
113  * @sc: receive secure channel this SA belongs to
114  * @rcu: RCU head for deferred release of the SA
115  */
111 struct macsec_rx_sa {
112 	struct macsec_key key;
113 	ssci_t ssci;
114 	spinlock_t lock;
115 	union {
116 		pn_t next_pn_halves;
117 		u64 next_pn;
118 	};
119 	refcount_t refcnt;
120 	bool active;
121 	struct macsec_rx_sa_stats __percpu *stats;
122 	struct macsec_rx_sc *sc;
123 	struct rcu_head rcu;
124 };
125 
/* Per-cpu RXSC counters; @syncp is the u64_stats_sync guarding @stats (see linux/u64_stats_sync.h). */
126 struct pcpu_rx_sc_stats {
127 	struct macsec_rx_sc_stats stats;
128 	struct u64_stats_sync syncp;
129 };
130 
/* Per-cpu TXSC counters; @syncp is the u64_stats_sync guarding @stats (see linux/u64_stats_sync.h). */
131 struct pcpu_tx_sc_stats {
132 	struct macsec_tx_sc_stats stats;
133 	struct u64_stats_sync syncp;
134 };
135 
136 /**
137  * struct macsec_rx_sc - receive secure channel
138  * @next: next RXSC in the SecY's list (RCU-protected, see macsec_secy.rx_sc)
139  * @sci: secure channel identifier for this SC
140  * @active: channel is active
141  * @sa: array of secure associations, indexed by association number
142  * @stats: per-SC stats
143  * @refcnt: reference count on this SC
144  * @rcu_head: RCU head for deferred release of the SC
145  */
143 struct macsec_rx_sc {
144 	struct macsec_rx_sc __rcu *next;
145 	sci_t sci;
146 	bool active;
147 	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
148 	struct pcpu_rx_sc_stats __percpu *stats;
149 	refcount_t refcnt;
150 	struct rcu_head rcu_head;
151 };
152 
153 /**
154  * struct macsec_tx_sa - transmit secure association
155  * @key: key structure
156  * @ssci: short secure channel identifier
157  * @lock: protects next_pn manipulations
158  * @next_pn_halves: @next_pn viewed as 32-bit halves (same storage, see pn_t)
159  * @next_pn: packet number to use for the next packet (read and updated under
160  *	@lock; see macsec_pn_wrapped() for the wrap case)
161  * @refcnt: reference count on this SA
162  * @active: SA is enabled
163  * @stats: per-SA stats
164  * @rcu: RCU head for deferred release of the SA
165  */
162 struct macsec_tx_sa {
163 	struct macsec_key key;
164 	ssci_t ssci;
165 	spinlock_t lock;
166 	union {
167 		pn_t next_pn_halves;
168 		u64 next_pn;
169 	};
170 	refcount_t refcnt;
171 	bool active;
172 	struct macsec_tx_sa_stats __percpu *stats;
173 	struct rcu_head rcu;
174 };
175 
176 /**
177  * struct macsec_tx_sc - transmit secure channel
178  * @active: channel is active
179  * @encoding_sa: association number of the SA currently in use (index into @sa)
180  * @encrypt: encrypt packets on transmit, or authenticate only
181  * @send_sci: always include the SCI in the SecTAG
182  * @end_station: End Station (ES) flag carried in the SecTAG
183  * @scb: single copy broadcast flag
184  * @sa: array of secure associations, indexed by association number
185  * @stats: stats for this TXSC
186  */
187 struct macsec_tx_sc {
188 	bool active;
189 	u8 encoding_sa;
190 	bool encrypt;
191 	bool send_sci;
192 	bool end_station;
193 	bool scb;
194 	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
195 	struct pcpu_tx_sc_stats __percpu *stats;
196 };
197 
198 /**
199  * struct macsec_secy - MACsec Security Entity
200  * @netdev: netdevice for this SecY
201  * @n_rx_sc: number of receive secure channels configured on this SecY
202  * @sci: secure channel identifier used for tx
203  * @key_len: length of keys used by the cipher suite
204  * @icv_len: length of ICV used by the cipher suite
205  * @validate_frames: validation mode (enum macsec_validation_type)
206  * @xpn: enable XPN (64-bit packet numbers, MACSEC_XPN_PN_LEN) for this SecY
207  * @operational: MAC_Operational flag
208  * @protect_frames: enable protection for this SecY
209  * @replay_protect: enable packet number checks on receive
210  * @replay_window: size of the replay window; presumably only consulted when
211  *	@replay_protect is set
212  * @tx_sc: transmit secure channel
213  * @rx_sc: linked list of receive secure channels (RCU-protected, chained
214  *	through macsec_rx_sc.next)
215  */
214 struct macsec_secy {
215 	struct net_device *netdev;
216 	unsigned int n_rx_sc;
217 	sci_t sci;
218 	u16 key_len;
219 	u16 icv_len;
220 	enum macsec_validation_type validate_frames;
221 	bool xpn;
222 	bool operational;
223 	bool protect_frames;
224 	bool replay_protect;
225 	u32 replay_window;
226 	struct macsec_tx_sc tx_sc;
227 	struct macsec_rx_sc __rcu *rx_sc;
228 };
229 
230 /**
231  * struct macsec_context - MACsec context for hardware offloading
232  * @netdev: device the operation applies to (shares storage with @phydev)
233  * @phydev: PHY device the operation applies to (shares storage with @netdev)
234  * @offload: offload type (enum macsec_offload); presumably selects which of
235  *	@netdev / @phydev is valid
236  * @secy: SecY the operation refers to
237  * @rx_sc: receive secure channel the operation refers to, if any
238  * @sa: secure association being operated on (see inline comments)
239  * @stats: output for the mdo_get_*_stats callbacks; the driver fills in the
240  *	member matching the callback
241  * @prepare: set on the prepare pass of a two-step operation — presumably,
242  *	confirm against the callers in the core
243  */
233 struct macsec_context {
234 	union {
235 		struct net_device *netdev;
236 		struct phy_device *phydev;
237 	};
238 	enum macsec_offload offload;
239 
240 	struct macsec_secy *secy;
241 	struct macsec_rx_sc *rx_sc;
242 	struct {
243 		unsigned char assoc_num;	/* association number of the SA */
244 		u8 key[MACSEC_MAX_KEY_LEN];	/* plaintext key bytes for the driver; valid length is presumably @secy->key_len */
245 		union {
246 			struct macsec_rx_sa *rx_sa;	/* the core's SA object for rx operations */
247 			struct macsec_tx_sa *tx_sa;	/* the core's SA object for tx operations */
248 		};
249 	} sa;
250 	union {
251 		struct macsec_tx_sc_stats *tx_sc_stats;
252 		struct macsec_tx_sa_stats *tx_sa_stats;
253 		struct macsec_rx_sc_stats *rx_sc_stats;
254 		struct macsec_rx_sa_stats *rx_sa_stats;
255 		struct macsec_dev_stats  *dev_stats;
256 	} stats;
257 
258 	u8 prepare:1;
259 };
260 
261 /**
262  * struct macsec_ops - MACsec offloading operations
263  * @mdo_dev_open: offload device brought up
264  * @mdo_dev_stop: offload device brought down
265  * @mdo_add_secy: add the SecY in @ctx->secy to the device
266  * @mdo_upd_secy: update the SecY in @ctx->secy
267  * @mdo_del_secy: remove the SecY in @ctx->secy
268  * @mdo_add_rxsc: add the receive SC in @ctx->rx_sc
269  * @mdo_upd_rxsc: update the receive SC in @ctx->rx_sc
270  * @mdo_del_rxsc: remove the receive SC in @ctx->rx_sc
271  * @mdo_add_rxsa: add the receive SA described by @ctx->sa
272  * @mdo_upd_rxsa: update the receive SA described by @ctx->sa
273  * @mdo_del_rxsa: remove the receive SA described by @ctx->sa
274  * @mdo_add_txsa: add the transmit SA described by @ctx->sa
275  * @mdo_upd_txsa: update the transmit SA described by @ctx->sa
276  * @mdo_del_txsa: remove the transmit SA described by @ctx->sa
277  * @mdo_get_dev_stats: fill @ctx->stats.dev_stats
278  * @mdo_get_tx_sc_stats: fill @ctx->stats.tx_sc_stats
279  * @mdo_get_tx_sa_stats: fill @ctx->stats.tx_sa_stats
280  * @mdo_get_rx_sc_stats: fill @ctx->stats.rx_sc_stats
281  * @mdo_get_rx_sa_stats: fill @ctx->stats.rx_sa_stats
282  *
283  * Every callback receives the object it acts on through a struct
284  * macsec_context. The int return is presumably 0 on success or a negative
285  * error code, as is usual for these ops; confirm against the callers.
286  */
264 struct macsec_ops {
265 	/* Device wide */
266 	int (*mdo_dev_open)(struct macsec_context *ctx);
267 	int (*mdo_dev_stop)(struct macsec_context *ctx);
268 	/* SecY */
269 	int (*mdo_add_secy)(struct macsec_context *ctx);
270 	int (*mdo_upd_secy)(struct macsec_context *ctx);
271 	int (*mdo_del_secy)(struct macsec_context *ctx);
272 	/* Security channels */
273 	int (*mdo_add_rxsc)(struct macsec_context *ctx);
274 	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
275 	int (*mdo_del_rxsc)(struct macsec_context *ctx);
276 	/* Security associations */
277 	int (*mdo_add_rxsa)(struct macsec_context *ctx);
278 	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
279 	int (*mdo_del_rxsa)(struct macsec_context *ctx);
280 	int (*mdo_add_txsa)(struct macsec_context *ctx);
281 	int (*mdo_upd_txsa)(struct macsec_context *ctx);
282 	int (*mdo_del_txsa)(struct macsec_context *ctx);
283 	/* Statistics */
284 	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
285 	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
286 	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
287 	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
288 	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
289 };
290 
/**
 * macsec_pn_wrapped - report that a transmit SA's packet number has wrapped
 * @secy: SecY owning @tx_sa
 * @tx_sa: transmit SA whose packet number wrapped
 *
 * Presumably called by offload drivers so the core can react to the wrap; see
 * the definition for what it does with @tx_sa.
 */
291 void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
292 
293 #endif /* _NET_MACSEC_H_ */