1 | /* SPDX-License-Identifier: GPL-2.0+ */ |
2 | /* | |
3 | * MACsec netdev header, used for h/w accelerated implementations. | |
4 | * | |
5 | * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net> | |
6 | */ | |
7 | #ifndef _NET_MACSEC_H_ | |
8 | #define _NET_MACSEC_H_ | |
9 | ||
10 | #include <linux/u64_stats_sync.h> | |
11 | #include <uapi/linux/if_link.h> | |
12 | #include <uapi/linux/if_macsec.h> | |
13 | ||
/*
 * Packet number (PN) length in bytes: 4 for the default 32-bit PN, 8 when
 * XPN (extended packet numbering, struct macsec_secy.xpn) is enabled and
 * the full 64-bit PN (pn_t.full64) is in use.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8

/* Length of the XPN salt; see salt_t for its layout. */
#define MACSEC_SALT_LEN 12
/*
 * Number of secure associations per secure channel. The association
 * number is a 2-bit field, so at most 4; this also bounds the sa[]
 * arrays of struct macsec_rx_sc / struct macsec_tx_sc, and any AN used
 * to index them must be < MACSEC_NUM_AN.
 */
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
19 | ||
/*
 * Secure channel identifier (SCI, 8 bytes) and short SCI (SSCI, 4 bytes,
 * the first component of the XPN salt — see salt_t). Both are __bitwise,
 * so sparse flags arithmetic on them or mixing them with plain integers:
 * they are opaque values to be copied and compared whole.
 * NOTE(review): presumably they carry the on-wire (big-endian) value
 * unchanged — confirm against the core before converting either.
 */
typedef u64 __bitwise sci_t;
typedef u32 __bitwise ssci_t;
c0e4eadf | 22 | |
/*
 * XPN salt, MACSEC_SALT_LEN (12) bytes. The struct view overlays the byte
 * view as a 32-bit SSCI immediately followed by a 64-bit PN. Both levels
 * are __packed on purpose: without it the u64 would be aligned to offset 8
 * and the union would grow to 16 bytes, no longer matching @bytes.
 * This lives in struct macsec_key and (per its doc) feeds IV generation
 * for the XPN cipher suites, so handle it with the same care as the key.
 */
typedef union salt {
	struct {
		u32 ssci;
		u64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
30 | ||
/*
 * Packet number, readable either as the full 64-bit value (XPN) or as two
 * 32-bit halves. The halves are declared in host byte order so that
 * "lower" always aliases the least significant 32 bits of @full64 — the
 * 32-bit PN of the non-XPN cipher suites — on both little- and big-endian
 * hosts. The #error fires if <asm/byteorder.h> defines neither macro.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
45 | |
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes). This is a
 *	label for the key, not the key material: the struct holds no key
 *	bytes in the clear
 * @tfm: crypto struct, key storage — the AEAD transform the key was
 *	programmed into
 * @salt: salt used to generate IV in XPN cipher suites; only meaningful
 *	when the SecY has xpn set. Treat it as secret material alongside
 *	@tfm
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
57 | ||
/**
 * struct macsec_rx_sc_stats - per receive-SC counters (64-bit)
 *
 * Counter names follow the IEEE 802.1AE MIB entries of the same name.
 * NOTE(review): what exactly each one counts — in particular the
 * Invalid/NotValid and Delayed/Late splits, which depend on the SecY's
 * validate_frames and replay_protect settings — is decided by the core's
 * accounting, not here. Confirm there before using e.g. InPktsLate or
 * InPktsNotValid as a replay/tampering alert signal.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
70 | ||
/**
 * struct macsec_rx_sa_stats - per receive-SA counters
 *
 * Same names as the SA-level subset of struct macsec_rx_sc_stats, but
 * these are 32-bit and therefore wrap; monitoring should use the 64-bit
 * SC-level counters for long-running totals.
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
78 | ||
/**
 * struct macsec_tx_sa_stats - per transmit-SA counters (32-bit, wrapping)
 *
 * Presumably which of the two increments follows struct macsec_tx_sc.encrypt
 * (integrity-only vs. encrypted frames); confirm in the core's tx path.
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
83 | ||
/**
 * struct macsec_tx_sc_stats - per transmit-SC counters (64-bit)
 *
 * Packet and octet totals for integrity-only ("Protected") and encrypted
 * ("Encrypted") output; see struct macsec_tx_sc.encrypt for the mode.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
90 | ||
/**
 * struct macsec_dev_stats - device-wide (SecY-level) counters (64-bit)
 *
 * These cover frames that never reached an SC/SA: untagged traffic in
 * either direction, frames rejected at SecTAG parsing (NoTag/BadTag) or
 * because the SCI matched no configured receive SC (UnknownSCI/NoSCI).
 * NOTE(review): exact accounting conditions, and what InPktsOverrun
 * covers, are defined by the core / offloading driver, not here.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
101 | ||
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier (presumably only used with XPN,
 *	where it is the first component of the salt — see salt_t)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (pn_t); .lower is
 *	the 32-bit PN of the non-XPN cipher suites
 * @next_pn: packet number expected for the next packet. This is the
 *	replay-check state of the SA: read and update it only under @lock
 * @refcnt: reference count; the object is released through @rcu
 * @active: SA is enabled for receive
 * @stats: per-SA stats
 * @sc: receive secure channel this SA belongs to
 * @rcu: RCU head used to defer freeing until readers are done
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
125 | ||
/**
 * struct pcpu_rx_sc_stats - per-CPU instance of the receive-SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync so readers get consistent 64-bit values on
 *	32-bit hosts
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
130 | ||
/**
 * struct pcpu_tx_sc_stats - per-CPU instance of the transmit-SC counters
 * @stats: the counters
 * @syncp: u64_stats_sync so readers get consistent 64-bit values on
 *	32-bit hosts
 */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
135 | ||
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next receive SC in the SecY's RCU-protected list (macsec_secy.rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by association number; the
 *	AN is 2 bits wide so MACSEC_NUM_AN entries cover every value
 * @stats: per-SC stats
 * @refcnt: reference count; the object is released through @rcu_head
 * @rcu_head: RCU head used to defer freeing until readers are done
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
152 | ||
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier (presumably only used with XPN,
 *	where it is the first component of the salt — see salt_t)
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as 32-bit halves (pn_t); .lower is
 *	the 32-bit PN of the non-XPN cipher suites
 * @next_pn: packet number to use for the next packet; read and update it
 *	only under @lock. A PN must not be reused under the same key, so
 *	wrap-around is an event, not an overflow to ignore — see
 *	macsec_pn_wrapped() at the end of this header
 * @refcnt: reference count; the object is released through @rcu
 * @active: SA is enabled for transmit
 * @stats: per-SA stats
 * @rcu: RCU head used to defer freeing until readers are done
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
175 | ||
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: transmit channel is active
 * @encoding_sa: association number of the SA currently in use; it indexes
 *	@sa, so it must stay < MACSEC_NUM_AN
 * @encrypt: encrypt packets on transmit, or authenticate only (integrity
 *	without confidentiality when false)
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end-station flag (presumably the ES bit of the SecTAG
 *	TCI — confirm in the core's SecTAG builder)
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 * @stats: stats for this TXSC
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
};
197 | ||
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 *	(entries of the @rx_sc list)
 * @sci: secure channel identifier used for tx
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode (enum macsec_validation_type from the
 *	uAPI). NOTE(review): presumably only the strict mode drops frames
 *	that fail validation, making this a security setting rather than a
 *	tuning knob — confirm in the core's rx path
 * @xpn: enable XPN for this SecY: 64-bit packet numbers (MACSEC_XPN_PN_LEN)
 *	with per-SA SSCI/salt instead of the 32-bit default
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window, presumably only consulted
 *	when @replay_protect is set
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels (RCU-protected)
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
229 | ||
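/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: the MAC driver's net_device, when the MAC implements the offload
 * @phydev: the PHY device, when the PHY implements the offload
 * @offload: which kind of offload is in use. @netdev and @phydev share a
 *	union, so this is what says which of the two is valid; a driver must
 *	not dereference either without checking it (type confusion otherwise)
 * @secy: SecY the operation applies to
 * @rx_sc: receive SC for the *_rxsc / *_rxsa operations
 * @sa: secure association details for the *_rxsa / *_txsa operations
 * @sa.assoc_num: association number of the SA (must be < MACSEC_NUM_AN)
 * @sa.key: the key (SAK) to program into hardware; the number of valid
 *	bytes is secy->key_len, the buffer is sized for the largest key the
 *	uAPI accepts
 * @sa.rx_sa: the receive SA (rx operations)
 * @sa.tx_sa: the transmit SA (tx operations)
 * @stats: where the mdo_get_*_stats callbacks write their result; the
 *	valid member matches the callback being invoked
 * @prepare: presumably set on the first (prepare) pass of a two-phase
 *	operation and clear on the commit pass — confirm against the core
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;

	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		unsigned char assoc_num;
		/*
		 * Sized by MACSEC_MAX_KEY_LEN, not MACSEC_KEYID_LEN: the latter
		 * is the length of the key *identifier* (struct macsec_key.id),
		 * which is smaller than the key itself for the 256-bit cipher
		 * suites. If the core copies secy->key_len bytes in here, as
		 * the field's purpose implies, a buffer sized by the key-id
		 * length would be overrun.
		 */
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats *dev_stats;
	} stats;

	u8 prepare:1;
};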
260 | ||
/**
 * struct macsec_ops - MACsec offloading operations
 *
 * Callbacks implemented by a MAC or PHY driver that offloads MACsec.
 * Every callback receives a &struct macsec_context naming the object the
 * operation applies to (secy, rx_sc, sa or stats members, depending on
 * the callback). Presumably they return 0 on success or a negative errno,
 * per kernel convention — confirm against the core.
 * NOTE(review): with ctx->prepare set, a callback should validate the
 * request (cipher suite, key_len, icv_len, xpn, assoc_num) and reject
 * anything the hardware cannot do, rather than half-apply it; the commit
 * pass is where hardware state changes. Confirm the exact prepare/commit
 * contract in the core before relying on it.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics: fill the matching member of ctx->stats */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
};
290 | ||
/**
 * macsec_pn_wrapped - report that a transmit SA's packet number has wrapped
 * @secy: SecY owning @tx_sa
 * @tx_sa: the transmit SA whose next_pn wrapped
 *
 * For offloading drivers that track the PN in hardware. The PN feeds the
 * AEAD IV (see struct macsec_key.salt for XPN), so a PN reused under the
 * same key is nonce reuse: a driver should call this as soon as the wrap
 * is detected and not keep transmitting on @tx_sa. NOTE(review): what the
 * core does in response (presumably retires the SA / notifies userspace
 * so the KaY installs a fresh key) is not visible in this header.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
292 | ||
c0e4eadf | 293 | #endif /* _NET_MACSEC_H_ */ |