macsec_struct.h 29 KB

  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /* Atlantic Network Driver
  3. * Copyright (C) 2020 Marvell International Ltd.
  4. */
  5. #ifndef _MACSEC_STRUCT_H_
  6. #define _MACSEC_STRUCT_H_
  7. /*! Represents the bitfields of a single row in the Egress CTL Filter
  8. * table.
  * NOTE(review): per the action field below, a matching row with action 0
  * bypasses the remaining modules, so match_type/match_mask are best kept
  * as narrow as the deployment allows; which modules are skipped is not
  * visible in this header - confirm against the hardware documentation.
  9. */
  10. struct aq_mss_egress_ctlf_record {
  11. /*! The 48 bit value compared against SA, DA or the half DA + half SA
  12. * value (selected by match_type). Stored in two 32 bit words.
  13. */
  14. u32 sa_da[2];
  15. /*! This is used to store the 16 bit ethertype value used for
  16. * comparison.
  17. */
  18. u32 eth_type;
  19. /*! The match mask is per-nibble. 0 means don't care, i.e. every value
  20. * will match successfully. The total data is 64 bits, i.e. 16 nibble
  21. * masks.
  22. */
  23. u32 match_mask;
  24. /*! 0: No compare, i.e. this entry is not used
  25. * 1: compare DA only
  26. * 2: compare SA only
  27. * 3: compare half DA + half SA
  28. * 4: compare ether type only
  29. * 5: compare DA + ethertype
  30. * 6: compare SA + ethertype
  31. * 7: compare DA + range.
  32. */
  33. u32 match_type;
  34. /*! 0: Bypass the remaining modules if matched.
  35. * 1: Forward to next module for more classifications.
  36. */
  37. u32 action;
  38. };
  39. /*! Represents the bitfields of a single row in the Egress Packet
  40. * Classifier table.
  41. */
  42. struct aq_mss_egress_class_record {
  43. /*! VLAN ID field. */
  44. u32 vlan_id;
  45. /*! VLAN UP field. */
  46. u32 vlan_up;
  47. /*! VLAN Present in the Packet. */
  48. u32 vlan_valid;
  49. /*! The 8 bit value used to compare with extracted value for byte 3. */
  50. u32 byte3;
  51. /*! The 8 bit value used to compare with extracted value for byte 2. */
  52. u32 byte2;
  53. /*! The 8 bit value used to compare with extracted value for byte 1. */
  54. u32 byte1;
  55. /*! The 8 bit value used to compare with extracted value for byte 0. */
  56. u32 byte0;
  57. /*! The 8 bit TCI field used to compare with extracted value. */
  58. u32 tci;
  59. /*! The 64 bit SCI field in the SecTAG. */
  60. u32 sci[2];
  61. /*! The 16 bit Ethertype (in the clear) field used to compare with
  62. * extracted value.
  63. */
  64. u32 eth_type;
  65. /*! This is to specify the 40 bit SNAP header if the SNAP header's mask
  66. * is enabled.
  67. */
  68. u32 snap[2];
  69. /*! This is to specify the 24 bit LLC header if the LLC header's mask is
  70. * enabled.
  71. */
  72. u32 llc;
  73. /*! The 48 bit MAC_SA field used to compare with extracted value. */
  74. u32 mac_sa[2];
  75. /*! The 48 bit MAC_DA field used to compare with extracted value. */
  76. u32 mac_da[2];
  77. /*! The 32 bit Packet number used to compare with extracted value. */
  78. u32 pn;
  79. /*! 0~63: location of the byte extracted by the packet comparator,
  80. * which can be any of the first 64 bytes of the MAC packet.
  81. * The location is counted from the MAC DA address, i.e. 0 points
  82. * to byte 0 of the DA address.
  83. */
  84. u32 byte3_location;
  85. /*! 0: don't care
  86. * 1: enable comparison of the byte extracted at the byte 3 location.
  87. */
  88. u32 byte3_mask;
  89. /*! 0~63: location of the byte extracted by the packet comparator,
  90. * which can be any of the first 64 bytes of the MAC packet.
  91. * The location is counted from the MAC DA address, i.e. 0 points
  92. * to byte 0 of the DA address.
  93. */
  94. u32 byte2_location;
  95. /*! 0: don't care
  96. * 1: enable comparison of the byte extracted at the byte 2 location.
  97. */
  98. u32 byte2_mask;
  99. /*! 0~63: location of the byte extracted by the packet comparator,
  100. * which can be any of the first 64 bytes of the MAC packet.
  101. * The location is counted from the MAC DA address, i.e. 0 points
  102. * to byte 0 of the DA address.
  103. */
  104. u32 byte1_location;
  105. /*! 0: don't care
  106. * 1: enable comparison of the byte extracted at the byte 1 location.
  107. */
  108. u32 byte1_mask;
  109. /*! 0~63: location of the byte extracted by the packet comparator,
  110. * which can be any of the first 64 bytes of the MAC packet.
  111. * The location is counted from the MAC DA address, i.e. 0 points
  112. * to byte 0 of the DA address.
  113. */
  114. u32 byte0_location;
  115. /*! 0: don't care
  116. * 1: enable comparison of the byte extracted at the byte 0 location.
  117. */
  118. u32 byte0_mask;
  119. /*! Mask is per-byte.
  120. * 0: don't care
  121. * 1: enable comparison of extracted VLAN ID field.
  122. */
  123. u32 vlan_id_mask;
  124. /*! 0: don't care
  125. * 1: enable comparison of extracted VLAN UP field.
  126. */
  127. u32 vlan_up_mask;
  128. /*! 0: don't care
  129. * 1: enable comparison of extracted VLAN Valid field.
  130. */
  131. u32 vlan_valid_mask;
  132. /*! This is the bit mask to enable comparison of the 8 bit TCI field,
  133. * including the AN field.
  134. * For explicit SECTAG, AN is hardware controlled. When sending a
  135. * packet with explicit SECTAG, the rest of the TCI fields are taken
  136. * directly from the SECTAG.
  137. */
  138. u32 tci_mask;
  139. /*! Mask is per-byte.
  140. * 0: don't care
  141. * 1: enable comparison of SCI
  142. * Note: If this field is not 0, this means the input packet's
  143. * SECTAG is explicitly tagged and MACSEC module will only update
  144. * the MSDU.
  145. * PN number is hardware controlled.
  146. */
  147. u32 sci_mask;
  148. /*! Mask is per-byte.
  149. * 0: don't care
  150. * 1: enable comparison of Ethertype.
  151. */
  152. u32 eth_type_mask;
  153. /*! Mask is per-byte.
  154. * 0: don't care and no SNAP header exists.
  155. * 1: compare the SNAP header.
  156. * If this bit is set to 1, the extracted field will assume the
  157. * SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
  158. * next 5 bytes after the LLC header are the SNAP header.
  159. */
  160. u32 snap_mask;
  161. /*! 0: don't care and no LLC header exists.
  162. * 1: compare the LLC header.
  163. * If this bit is set to 1, the extracted field will assume the
  164. * LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
  165. * next three bytes after the 802.3 MAC header are the LLC header.
  166. */
  167. u32 llc_mask;
  168. /*! Mask is per-byte.
  169. * 0: don't care
  170. * 1: enable comparison of MAC_SA.
  171. */
  172. u32 sa_mask;
  173. /*! Mask is per-byte.
  174. * 0: don't care
  175. * 1: enable comparison of MAC_DA.
  176. */
  177. u32 da_mask;
  178. /*! Mask is per-byte. */
  179. u32 pn_mask;
  180. /*! Reserved. This bit should be always 0. */
  181. u32 eight02dot2;
  182. /*! 1: For explicit sectag case use TCI_SC from table
  183. * 0: use TCI_SC from explicit sectag.
  184. */
  185. u32 tci_sc;
  186. /*! 1: For explicit sectag case, use TCI_V,ES,SCB,E,C from table
  187. * 0: use TCI_V,ES,SCB,E,C from explicit sectag.
  188. */
  189. u32 tci_87543;
  190. /*! 1: indicates that incoming packet has explicit sectag. */
  191. u32 exp_sectag_en;
  192. /*! If the packet matches and is tagged as a controlled packet, this
  193. * SC/SA index is used for the later SC and SA table lookup.
  194. */
  195. u32 sc_idx;
  196. /*! This field is used to specify how many SA entries are
  197. * associated with 1 SC entry.
  198. * 2'b00: 1 SC has 4 SA.
  199. * SC index is equivalent to {SC_Index[4:2], 1'b0}.
  200. * SA index is equivalent to {SC_Index[4:2], SC entry's current AN[1:0]}
  201. * 2'b10: 1 SC has 2 SA.
  202. * SC index is equivalent to SC_Index[4:1]
  203. * SA index is equivalent to {SC_Index[4:1], SC entry's current AN[0]}
  204. * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
  205. * SA index is equivalent to SC_Index[4:0]
  206. * Note: if specified as 2'b11, hardware AN roll over is not
  207. * supported.
  208. */
  209. u32 sc_sa;
  210. /*! 0: the packets will be sent to MAC FIFO
  211. * 1: The packets will be sent to Debug/Loopback FIFO.
  212. * If the action is drop, this bit has no meaning.
  213. */
  214. u32 debug;
  215. /*! 0: forward to remaining modules
  216. * 1: bypass the next encryption modules. This packet is considered
  217. * an uncontrolled packet.
  218. * 2: drop
  219. * 3: Reserved.
  * NOTE(review): with action 1 a matching packet skips the encryption
  * modules, i.e. it presumably leaves the port unprotected - confirm
  * which traffic is meant to match such rows.
  220. */
  221. u32 action;
  222. /*! 0: Not valid entry. This entry is not used
  223. * 1: valid entry.
  224. */
  225. u32 valid;
  226. };
  227. /*! Represents the bitfields of a single row in the Egress SC Lookup table. */
  228. struct aq_mss_egress_sc_record {
  229. /*! This is to specify when the SC was first used. Set by HW. */
  230. u32 start_time;
  231. /*! This is to specify when the SC was last used. Set by HW. */
  232. u32 stop_time;
  233. /*! This is to specify which of the SA entries is used by current HW.
  234. * Note: This value needs to be set by SW after reset. It will be
  235. * automatically updated by HW, if AN roll over is enabled.
  236. */
  237. u32 curr_an;
  238. /*! 0: Clear the SA Valid Bit after PN expiry.
  239. * 1: Do not Clear the SA Valid bit after PN expiry of the current SA.
  240. * When the Enable AN roll over is set, S/W does not need to
  241. * program the new SA's and the H/W will automatically roll over
  242. * between the SA's without session expiry.
  243. * For normal operation, Enable AN Roll over will be set to '0'
  244. * and in which case, the SW needs to program the new SA values
  245. * after the current PN expires.
  * NOTE(review): with roll over enabled the SAs are reused without SW
  * reprogramming them; whether their keys are refreshed in between is
  * not visible in this header - confirm, since AES-GCM must not see
  * the same PN twice under one key.
  246. */
  247. u32 an_roll;
  248. /*! This is the TCI field used if packet is not explicitly tagged. */
  249. u32 tci;
  250. /*! This value indicates the offset where the decryption will start.
  251. * [Values of 0, 4, 8-50].
  * NOTE(review): this is the egress table, so "encryption" is
  * presumably meant - confirm.
  252. */
  253. u32 enc_off;
  254. /*! 0: Do not protect frames, all the packets will be forwarded
  255. * unchanged. MIB counter (OutPktsUntagged) will be updated.
  256. * 1: Protect.
  257. */
  258. u32 protect;
  259. /*! 0: when none of the SA related to SC has inUse set.
  260. * 1: when either of the SA related to the SC has inUse set.
  261. * This bit is set by HW.
  262. */
  263. u32 recv;
  264. /*! 0: H/W Clears this bit on the first use.
  265. * 1: SW updates this entry, when programming the SC Table.
  266. */
  267. u32 fresh;
  268. /*! AES Key size
  269. * 00 - 128bits
  270. * 01 - 192bits
  271. * 10 - 256bits
  272. * 11 - Reserved.
  273. */
  274. u32 sak_len;
  275. /*! 0: Invalid SC
  276. * 1: Valid SC.
  277. */
  278. u32 valid;
  279. };
  280. /*! Represents the bitfields of a single row in the Egress SA Lookup table.
  * NOTE(review): the two time fields below are documented in terms of
  * "the SC" although this is the SA table; presumably "SA" is meant -
  * confirm.
  */
  281. struct aq_mss_egress_sa_record {
  282. /*! This is to specify when the SC was first used. Set by HW. */
  283. u32 start_time;
  284. /*! This is to specify when the SC was last used. Set by HW. */
  285. u32 stop_time;
  286. /*! This is set by SW and updated by HW to store the Next PN number
  287. * used for encryption.
  288. */
  289. u32 next_pn;
  290. /*! The Next_PN number is going to wrap around from 0xFFFF_FFFF
  291. * to 0. Set by HW.
  * NOTE(review): a PN that wraps under the same key would repeat an
  * AES-GCM nonce, so this flag presumably marks the point where the
  * SA has to be replaced - confirm how the driver reacts to it.
  292. */
  293. u32 sat_pn;
  294. /*! 0: This SA is in use.
  295. * 1: This SA is Fresh and set by SW.
  296. */
  297. u32 fresh;
  298. /*! 0: Invalid SA
  299. * 1: Valid SA.
  300. */
  301. u32 valid;
  302. };
  303. /*! Represents the bitfields of a single row in the Egress SA Key
  304. * Lookup table.
  305. */
  306. struct aq_mss_egress_sakey_record {
  307. /*! Key for AES-GCM processing, held as eight 32 bit words (256 bits
  * of storage). How shorter keys are laid out in the words is not
  * shown in this header.
  * NOTE(review): this is raw key material; copies of this record
  * should presumably be wiped (e.g. memzero_explicit()) once the row
  * has been written to hardware - confirm in the callers.
  */
  308. u32 key[8];
  309. };
  310. /*! Represents the bitfields of a single row in the Ingress Pre-MACSec
  311. * CTL Filter table.
  * NOTE(review): per the action field below, a matching row with action 0
  * bypasses the remaining modules, so match_type/match_mask are best kept
  * as narrow as the deployment allows; which modules are skipped is not
  * visible in this header - confirm against the hardware documentation.
  312. */
  313. struct aq_mss_ingress_prectlf_record {
  314. /*! The 48 bit value compared against SA, DA or the half DA + half SA
  315. * value (selected by match_type). Stored in two 32 bit words.
  316. */
  317. u32 sa_da[2];
  318. /*! This is used to store the 16 bit ethertype value used for
  319. * comparison.
  320. */
  321. u32 eth_type;
  322. /*! The match mask is per-nibble. 0 means don't care, i.e. every
  323. * value will match successfully. The total data is 64 bits, i.e.
  324. * 16 nibble masks.
  325. */
  326. u32 match_mask;
  327. /*! 0: No compare, i.e. this entry is not used
  328. * 1: compare DA only
  329. * 2: compare SA only
  330. * 3: compare half DA + half SA
  331. * 4: compare ether type only
  332. * 5: compare DA + ethertype
  333. * 6: compare SA + ethertype
  334. * 7: compare DA + range.
  335. */
  336. u32 match_type;
  337. /*! 0: Bypass the remaining modules if matched.
  338. * 1: Forward to next module for more classifications.
  339. */
  340. u32 action;
  341. };
  342. /*! Represents the bitfields of a single row in the Ingress Pre-MACSec
  343. * Packet Classifier table.
  344. */
  345. struct aq_mss_ingress_preclass_record {
  346. /*! The 64 bit SCI field used to compare with extracted value.
  347. * Should have SCI value in case TCI[SCI_SEND] == 0. This will be
  348. * used for ICV calculation.
  349. */
  350. u32 sci[2];
  351. /*! The 8 bit TCI field used to compare with extracted value. */
  352. u32 tci;
  353. /*! 8 bit encryption offset. */
  354. u32 encr_offset;
  355. /*! The 16 bit Ethertype (in the clear) field used to compare with
  356. * extracted value.
  357. */
  358. u32 eth_type;
  359. /*! This is to specify the 40 bit SNAP header if the SNAP header's
  360. * mask is enabled.
  361. */
  362. u32 snap[2];
  363. /*! This is to specify the 24 bit LLC header if the LLC header's
  364. * mask is enabled.
  365. */
  366. u32 llc;
  367. /*! The 48 bit MAC_SA field used to compare with extracted value. */
  368. u32 mac_sa[2];
  369. /*! The 48 bit MAC_DA field used to compare with extracted value. */
  370. u32 mac_da[2];
  371. /*! 0: this is to compare with non-LPBK packet
  372. * 1: this is to compare with LPBK packet.
  373. * This value is used to compare with a controlled-tag which goes
  374. * with the packet when looped back from Egress port.
  375. */
  376. u32 lpbk_packet;
  377. /*! The value of this bit mask affects how the SC index and SA
  378. * index are created.
  379. * 2'b00: 1 SC has 4 SA.
  380. * SC index is equivalent to {SC_Index[4:2], 1'b0}.
  381. * SA index is equivalent to {SC_Index[4:2], SECTAG's AN[1:0]}
  382. * Here AN bits are not compared.
  383. * 2'b10: 1 SC has 2 SA.
  384. * SC index is equivalent to SC_Index[4:1]
  385. * SA index is equivalent to {SC_Index[4:1], SECTAG's AN[0]}
  386. * Compare AN[1] field only
  387. * 2'b11: 1 SC has 1 SA. No SC entry exists for the specific SA.
  388. * SA index is equivalent to SC_Index[4:0]
  389. * AN[1:0] bits are compared.
  390. * NOTE: This design is to support different usages of AN. The user
  391. * can either ping-pong between 2 SA by using only the AN[0] bit,
  392. * or use 4 SA per SC by using the AN[1:0] bits, or even treat each
  393. * SA as independent, i.e. AN[1:0] is just another matching pointer
  394. * to select the SA.
  395. */
  396. u32 an_mask;
  397. /*! This is the bit mask to enable comparison of the upper 6 bits of
  398. * the TCI field, which does not include the AN field.
  399. * 0: don't compare
  400. * 1: enable comparison of the bits.
  401. */
  402. u32 tci_mask;
  403. /*! 0: don't care
  404. * 1: enable comparison of SCI.
  405. */
  406. u32 sci_mask;
  407. /*! Mask is per-byte.
  408. * 0: don't care
  409. * 1: enable comparison of Ethertype.
  410. */
  411. u32 eth_type_mask;
  412. /*! Mask is per-byte.
  413. * 0: don't care and no SNAP header exists.
  414. * 1: compare the SNAP header.
  415. * If this bit is set to 1, the extracted field will assume the
  416. * SNAP header exists as encapsulated in 802.3 (RFC 1042), i.e. the
  417. * next 5 bytes after the LLC header are the SNAP header.
  418. */
  419. u32 snap_mask;
  420. /*! Mask is per-byte.
  421. * 0: don't care and no LLC header exists.
  422. * 1: compare the LLC header.
  423. * If this bit is set to 1, the extracted field will assume the
  424. * LLC header exists as encapsulated in 802.3 (RFC 1042), i.e. the
  425. * next three bytes after the 802.3 MAC header are the LLC header.
  426. */
  427. u32 llc_mask;
  428. /*! Reserved. This bit should be always 0. */
  429. u32 _802_2_encapsulate;
  430. /*! Mask is per-byte.
  431. * 0: don't care
  432. * 1: enable comparison of MAC_SA.
  433. */
  434. u32 sa_mask;
  435. /*! Mask is per-byte.
  436. * 0: don't care
  437. * 1: enable comparison of MAC_DA.
  438. */
  439. u32 da_mask;
  440. /*! 0: don't care
  441. * 1: enable checking if this is loopback packet or not.
  442. */
  443. u32 lpbk_mask;
  444. /*! If the packet matches and is tagged as a controlled packet, this
  445. * SC/SA index is used for the later SC and SA table lookup.
  446. */
  447. u32 sc_idx;
  448. /*! 0: the packets will be sent to MAC FIFO
  449. * 1: The packets will be sent to Debug/Loopback FIFO.
  450. * If the action is drop, this bit has no meaning.
  451. */
  452. u32 proc_dest;
  453. /*! 0: Process: Forward to next two modules for 802.1AE decryption.
  454. * 1: Process but keep SECTAG: Forward to next two modules for
  455. * 802.1AE decryption but keep the MACSEC header with added error
  456. * code information. ICV will be stripped for all control packets.
  457. * 2: Bypass: Bypass the next two decryption modules but processed
  458. * by post-classification.
  459. * 3: Drop: drop this packet and update counts accordingly.
  * NOTE(review): with action 2 a matching packet skips the decryption
  * modules, so such rows decide which received traffic is accepted
  * without 802.1AE processing - confirm which traffic they are meant
  * to match.
  460. */
  461. u32 action;
  462. /*! 0: This is a controlled-port packet if matched.
  463. * 1: This is an uncontrolled-port packet if matched.
  464. */
  465. u32 ctrl_unctrl;
  466. /*! Use the SCI value from the Table if 'SC' bit of the input
  467. * packet is not present.
  468. */
  469. u32 sci_from_table;
  470. /*! Reserved. */
  471. u32 reserved;
  472. /*! 0: Not valid entry. This entry is not used
  473. * 1: valid entry.
  474. */
  475. u32 valid;
  476. };
  477. /*! Represents the bitfields of a single row in the Ingress SC Lookup table. */
  478. struct aq_mss_ingress_sc_record {
  479. /*! This is to specify when the SC was first used. Set by HW.
  * NOTE(review): same wording as start_time below; the Egress SC
  * Lookup table in this file documents stop_time as "last used",
  * which is presumably meant here too - confirm.
  */
  480. u32 stop_time;
  481. /*! This is to specify when the SC was first used. Set by HW. */
  482. u32 start_time;
  483. /*! 0: Strict
  484. * 1: Check
  485. * 2: Disabled.
  * NOTE(review): going by the not_valid_pkts / invalid_pkts counter
  * descriptions in this file, only Strict appears to discard
  * unencrypted packets that fail validation - confirm before relying
  * on Check or Disabled.
  486. */
  487. u32 validate_frames;
  488. /*! 1: Replay control enabled.
  489. * 0: replay control disabled.
  490. */
  491. u32 replay_protect;
  492. /*! This is to specify the window range for anti-replay. Default is 0.
  493. * 0: strict order enforcement.
  494. */
  495. u32 anti_replay_window;
  496. /*! 0: when none of the SA related to SC has inUse set.
  497. * 1: when either of the SA related to the SC has inUse set.
  498. * This bit is set by HW.
  499. */
  500. u32 receiving;
  501. /*! 0: when hardware processed the SC for the first time, it clears
  502. * this bit
  503. * 1: This bit is set by SW, when it sets up the SC.
  504. */
  505. u32 fresh;
  506. /*! 0: The AN number will not automatically roll over if Next_PN is
  507. * saturated.
  508. * 1: The AN number will automatically roll over if Next_PN is
  509. * saturated.
  510. * Rollover is valid only after expiry. Normal roll over between
  511. * SA's should be normal process.
  512. */
  513. u32 an_rol;
  514. /*! Reserved. */
  515. u32 reserved;
  516. /*! 0: Invalid SC
  517. * 1: Valid SC.
  518. */
  519. u32 valid;
  520. };
  521. /*! Represents the bitfields of a single row in the Ingress SA Lookup table.
  * NOTE(review): the two time fields below carry the same "SC was first
  * used" description although this is the SA table; presumably stop_time
  * is "last used" and "SA" is meant - confirm.
  */
  522. struct aq_mss_ingress_sa_record {
  523. /*! This is to specify when the SC was first used. Set by HW. */
  524. u32 stop_time;
  525. /*! This is to specify when the SC was first used. Set by HW. */
  526. u32 start_time;
  527. /*! This is updated by HW to store the expected NextPN number for
  528. * anti-replay.
  529. */
  530. u32 next_pn;
  531. /*! The Next_PN number is going to wrap around from 0xFFFF_FFFF
  532. * to 0. Set by HW.
  533. */
  534. u32 sat_nextpn;
  535. /*! 0: This SA is not yet used.
  536. * 1: This SA is inUse.
  537. */
  538. u32 in_use;
  539. /*! 0: when hardware processed the SC for the first time, it clears
  540. * this bit
  541. * 1: This bit is set by SW, when it sets up the SC.
  542. */
  543. u32 fresh;
  544. /*! Reserved. */
  545. u32 reserved;
  546. /*! 0: Invalid SA.
  547. * 1: Valid SA.
  548. */
  549. u32 valid;
  550. };
  551. /*! Represents the bitfields of a single row in the Ingress SA Key
  552. * Lookup table.
  553. */
  554. struct aq_mss_ingress_sakey_record {
  555. /*! Key for AES-GCM processing, held as eight 32 bit words (256 bits
  * of storage); key_len below selects the size actually used. How
  * shorter keys are laid out in the words is not shown in this header.
  * NOTE(review): this is raw key material; copies of this record
  * should presumably be wiped (e.g. memzero_explicit()) once the row
  * has been written to hardware - confirm in the callers.
  */
  556. u32 key[8];
  557. /*! AES key size
  558. * 00 - 128bits
  559. * 01 - 192bits
  560. * 10 - 256bits
  561. * 11 - reserved.
  562. */
  563. u32 key_len;
  564. };
  565. /*! Represents the bitfields of a single row in the Ingress Post-
  566. * MACSec Packet Classifier table.
  567. */
  568. struct aq_mss_ingress_postclass_record {
  569. /*! The 8 bit value used to compare with extracted value for byte 0. */
  570. u32 byte0;
  571. /*! The 8 bit value used to compare with extracted value for byte 1. */
  572. u32 byte1;
  573. /*! The 8 bit value used to compare with extracted value for byte 2. */
  574. u32 byte2;
  575. /*! The 8 bit value used to compare with extracted value for byte 3. */
  576. u32 byte3;
  577. /*! Ethertype in the packet. */
  578. u32 eth_type;
  579. /*! Ether Type value > 1500 (0x5dc). */
  580. u32 eth_type_valid;
  581. /*! VLAN ID after parsing. */
  582. u32 vlan_id;
  583. /*! VLAN priority after parsing. */
  584. u32 vlan_up;
  585. /*! Valid VLAN coding. */
  586. u32 vlan_valid;
  587. /*! SA index. */
  588. u32 sai;
  589. /*! SAI hit, i.e. controlled packet. */
  590. u32 sai_hit;
  591. /*! Mask for payload ethertype field. */
  592. u32 eth_type_mask;
  593. /*! 0~63: location of the byte extracted by the packet comparator,
  594. * which can be any of the first 64 bytes of the MAC packet.
  595. * The location is counted from the MAC DA address, i.e. 0 points
  596. * to byte 0 of the DA address.
  597. */
  598. u32 byte3_location;
  599. /*! Mask for Byte Offset 3. */
  600. u32 byte3_mask;
  601. /*! 0~63: location of the byte extracted by the packet comparator,
  602. * which can be any of the first 64 bytes of the MAC packet.
  603. * The location is counted from the MAC DA address, i.e. 0 points
  604. * to byte 0 of the DA address.
  605. */
  606. u32 byte2_location;
  607. /*! Mask for Byte Offset 2. */
  608. u32 byte2_mask;
  609. /*! 0~63: location of the byte extracted by the packet comparator,
  610. * which can be any of the first 64 bytes of the MAC packet.
  611. * The location is counted from the MAC DA address, i.e. 0 points
  612. * to byte 0 of the DA address.
  613. */
  614. u32 byte1_location;
  615. /*! Mask for Byte Offset 1. */
  616. u32 byte1_mask;
  617. /*! 0~63: location of the byte extracted by the packet comparator,
  618. * which can be any of the first 64 bytes of the MAC packet.
  619. * The location is counted from the MAC DA address, i.e. 0 points
  620. * to byte 0 of the DA address.
  621. */
  622. u32 byte0_location;
  623. /*! Mask for Byte Offset 0. */
  624. u32 byte0_mask;
  625. /*! Mask for Ethertype valid field. Indicates 802.3 vs. Other. */
  626. u32 eth_type_valid_mask;
  627. /*! Mask for VLAN ID field. */
  628. u32 vlan_id_mask;
  629. /*! Mask for VLAN UP field. */
  630. u32 vlan_up_mask;
  631. /*! Mask for VLAN valid field. */
  632. u32 vlan_valid_mask;
  633. /*! Mask for SAI. */
  634. u32 sai_mask;
  635. /*! Mask for SAI_HIT. */
  636. u32 sai_hit_mask;
  637. /*! Action if only first level matches and second level does not.
  638. * 0: pass
  639. * 1: drop (fail).
  640. */
  641. u32 firstlevel_actions;
  642. /*! Action if both first and second level matched.
  643. * 0: pass
  644. * 1: drop (fail).
  645. */
  646. u32 secondlevel_actions;
  647. /*! Reserved. */
  648. u32 reserved;
  649. /*! 0: Not valid entry. This entry is not used
  650. * 1: valid entry.
  651. */
  652. u32 valid;
  653. };
  654. /*! Represents the bitfields of a single row in the Ingress Post-
  655. * MACSec CTL Filter table.
  * NOTE(review): per the action field below, a matching row with action 0
  * bypasses the remaining modules, so match_type/match_mask are best kept
  * as narrow as the deployment allows; which modules are skipped is not
  * visible in this header - confirm against the hardware documentation.
  656. */
  657. struct aq_mss_ingress_postctlf_record {
  658. /*! The 48 bit value compared against SA, DA or the half DA + half SA
  659. * value (selected by match_type). Stored in two 32 bit words.
  660. */
  661. u32 sa_da[2];
  662. /*! This is used to store the 16 bit ethertype value used for
  663. * comparison.
  664. */
  665. u32 eth_type;
  666. /*! The match mask is per-nibble. 0 means don't care, i.e. every
  667. * value will match successfully. The total data is 64 bits, i.e.
  668. * 16 nibble masks.
  669. */
  670. u32 match_mask;
  671. /*! 0: No compare, i.e. this entry is not used
  672. * 1: compare DA only
  673. * 2: compare SA only
  674. * 3: compare half DA + half SA
  675. * 4: compare ether type only
  676. * 5: compare DA + ethertype
  677. * 6: compare SA + ethertype
  678. * 7: compare DA + range.
  679. */
  680. u32 match_type;
  681. /*! 0: Bypass the remaining modules if matched.
  682. * 1: Forward to next module for more classifications.
  683. */
  684. u32 action;
  685. };
  686. /*! Represents the Egress MIB counters for a single SC. Counters are
  687. * 64 bits, lower 32 bits in field[0] (so field[1] holds the upper
  * 32 bits).
  688. */
  689. struct aq_mss_egress_sc_counters {
  690. /*! The number of integrity protected but not encrypted packets
  691. * for this transmitting SC.
  692. */
  693. u32 sc_protected_pkts[2];
  694. /*! The number of integrity protected and encrypted packets for
  695. * this transmitting SC.
  696. */
  697. u32 sc_encrypted_pkts[2];
  698. /*! The number of plain text octets that are integrity protected
  699. * but not encrypted on the transmitting SC.
  700. */
  701. u32 sc_protected_octets[2];
  702. /*! The number of plain text octets that are integrity protected
  703. * and encrypted on the transmitting SC.
  704. */
  705. u32 sc_encrypted_octets[2];
  706. };
  707. /*! Represents the Egress MIB counters for a single SA. Counters are
  708. * 64 bits, lower 32 bits in field[0] (so field[1] holds the upper
  * 32 bits).
  709. */
  710. struct aq_mss_egress_sa_counters {
  711. /*! The number of dropped packets for this transmitting SA. */
  712. u32 sa_hit_drop_redirect[2];
  713. /*! TODO: the meaning of this counter is not documented in this
  * header.
  */
  714. u32 sa_protected2_pkts[2];
  715. /*! The number of integrity protected but not encrypted packets
  716. * for this transmitting SA.
  717. */
  718. u32 sa_protected_pkts[2];
  719. /*! The number of integrity protected and encrypted packets for
  720. * this transmitting SA.
  721. */
  722. u32 sa_encrypted_pkts[2];
  723. };
  724. /*! Represents the common Egress MIB counters, i.e. the counters not
  725. * associated with a particular SC/SA. Counters are 64 bits, lower 32
  726. * bits in field[0].
  727. */
  728. struct aq_mss_egress_common_counters {
  729. /*! The number of transmitted packets classified as MAC_CTL packets. */
  730. u32 ctl_pkt[2];
  731. /*! The number of transmitted packets that did not match any rows
  732. * in the Egress Packet Classifier table.
  733. */
  734. u32 unknown_sa_pkts[2];
  735. /*! The number of transmitted packets where the SC table entry has
  736. * protect=0 (so packets are forwarded unchanged).
  737. */
  738. u32 untagged_pkts[2];
  739. /*! The number of transmitted packets discarded because the packet
  740. * length is greater than the ifMtu of the Common Port interface.
  741. */
  742. u32 too_long[2];
  743. /*! The number of transmitted packets for which table memory was
  744. * affected by an ECC error during processing.
  745. */
  746. u32 ecc_error_pkts[2];
  747. /*! The number of transmitted packets for which the matched row in
  748. * the Egress Packet Classifier table has action=drop.
  749. */
  750. u32 unctrl_hit_drop_redir[2];
  751. };
  752. /*! Represents the Ingress MIB counters for a single SA. Counters are
  753. * 64 bits, lower 32 bits in field[0] (so field[1] holds the upper
  * 32 bits).
  754. */
  755. struct aq_mss_ingress_sa_counters {
  756. /*! For this SA, the number of received packets without a SecTAG. */
  757. u32 untagged_hit_pkts[2];
  758. /*! For this SA, the number of received packets that were dropped. */
  759. u32 ctrl_hit_drop_redir_pkts[2];
  760. /*! For this SA which is not currently in use, the number of
  761. * received packets that have been discarded, and have either the
  762. * packets encrypted or the matched row in the Ingress SC Lookup
  763. * table has validate_frames=Strict.
  764. */
  765. u32 not_using_sa[2];
  766. /*! For this SA which is not currently in use, the number of
  767. * received, unencrypted packets where the matched row in the
  768. * Ingress SC Lookup table has validate_frames!=Strict.
  769. */
  770. u32 unused_sa[2];
  771. /*! For this SA, the number of discarded packets with the condition
  772. * that the packets are not valid and one of the following
  773. * conditions is true: either the matched row in the Ingress SC
  774. * Lookup table has validate_frames=Strict or the packets are
  775. * encrypted.
  776. */
  777. u32 not_valid_pkts[2];
  778. /*! For this SA, the number of packets with the condition that the
  779. * packets are not valid and the matched row in the Ingress SC
  780. * Lookup table has validate_frames=Check.
  781. */
  782. u32 invalid_pkts[2];
  783. /*! For this SA, the number of validated packets. */
  784. u32 ok_pkts[2];
  785. /*! For this SC, the number of received packets that have been
  786. * discarded with the condition: the matched row in the Ingress
  787. * SC Lookup table has replay_protect=1 and the PN of the packet
  788. * is lower than the lower bound replay check PN.
  789. */
  790. u32 late_pkts[2];
  791. /*! For this SA, the number of packets with the condition that the
  792. * PN of the packets is lower than the lower bound replay
  793. * protection PN.
  794. */
  795. u32 delayed_pkts[2];
  796. /*! For this SC, the number of packets with the following condition:
  797. * - the matched row in the Ingress SC Lookup table has
  798. * replay_protect=0 or
  799. * - the matched row in the Ingress SC Lookup table has
  800. * replay_protect=1 and the packet is not encrypted and the
  801. * integrity check has failed or
  802. * - the matched row in the Ingress SC Lookup table has
  803. * replay_protect=1 and the packet is encrypted and integrity
  804. * check has failed.
  805. */
  806. u32 unchecked_pkts[2];
  807. /*! The number of octets of plaintext recovered from received
  808. * packets that were integrity protected but not encrypted.
  809. */
  810. u32 validated_octets[2];
  811. /*! The number of octets of plaintext recovered from received
  812. * packets that were integrity protected and encrypted.
  813. */
  814. u32 decrypted_octets[2];
  815. };
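/*! Represents the common Ingress MIB counters, i.e. the counters that
 * are not associated with a particular SA.
 *
 * Each counter is 64 bits wide and is stored as two u32 words with the
 * lower 32 bits in field[0], so the upper 32 bits are in field[1]. A
 * reader rebuilds the value as ((u64)field[1] << 32) | field[0].
 *
 * notag_pkts, bad_tag_pkts, no_sci_pkts and too_long_pkts count frames
 * that were discarded on receive; bad_tag_pkts in particular includes
 * frames with an invalid ICV.
 *
 * NOTE(review): nothing visible here says whether the two words of a
 * counter are sampled together; a reader that fetches them separately
 * could see a torn value across a carry - confirm how the driver reads
 * them.
 * NOTE(review): the field order presumably mirrors the hardware counter
 * layout - confirm before reordering or inserting fields.
 */
struct aq_mss_ingress_common_counters {
	/*! The number of received packets classified as MAC_CTL packets. */
	u32 ctl_pkts[2];
	/*! The number of received packets with the MAC security tag
	 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 * Packet Classifier table.
	 */
	u32 tagged_miss_pkts[2];
	/*! The number of received packets without the MAC security tag
	 * (SecTAG), not matching any rows in the Ingress Pre-MACSec
	 * Packet Classifier table.
	 */
	u32 untagged_miss_pkts[2];
	/*! The number of received packets discarded without the MAC
	 * security tag (SecTAG) and with the matched row in the Ingress
	 * SC Lookup table having validate_frames=Strict.
	 */
	u32 notag_pkts[2];
	/*! The number of received packets without the MAC security tag
	 * (SecTAG) and with the matched row in the Ingress SC Lookup
	 * table having validate_frames!=Strict.
	 */
	u32 untagged_pkts[2];
	/*! The number of received packets discarded with an invalid
	 * SecTAG or a zero value PN or an invalid ICV.
	 */
	u32 bad_tag_pkts[2];
	/*! The number of received packets discarded with unknown SCI
	 * information, where the matched row in the Ingress SC Lookup
	 * table has validate_frames=Strict or the C bit in the SecTAG is
	 * set.
	 */
	u32 no_sci_pkts[2];
	/*! The number of received packets with unknown SCI, where the
	 * matched row in the Ingress SC Lookup table has
	 * validate_frames!=Strict and the C bit in the SecTAG is not set.
	 */
	u32 unknown_sci_pkts[2];
	/*! The number of packets received by the controlled port service
	 * that passed the Ingress Post-MACSec Packet Classifier table
	 * check.
	 */
	u32 ctrl_prt_pass_pkts[2];
	/*! The number of packets received by the uncontrolled port
	 * service that passed the Ingress Post-MACSec Packet Classifier
	 * table check.
	 */
	u32 unctrl_prt_pass_pkts[2];
	/*! The number of packets received by the controlled port service
	 * that failed the Ingress Post-MACSec Packet Classifier table
	 * check.
	 */
	u32 ctrl_prt_fail_pkts[2];
	/*! The number of packets received by the uncontrolled port
	 * service that failed the Ingress Post-MACSec Packet Classifier
	 * table check.
	 */
	u32 unctrl_prt_fail_pkts[2];
	/*! The number of received packets discarded because the packet
	 * length is greater than the ifMtu of the Common Port interface.
	 */
	u32 too_long_pkts[2];
	/*! The number of received packets classified as MAC_CTL by the
	 * Ingress Post-MACSec CTL Filter table.
	 */
	u32 igpoc_ctl_pkts[2];
	/*! The number of received packets for which table memory was
	 * affected by an ECC error during processing.
	 */
	u32 ecc_error_pkts[2];
	/*! The number of packets received by the uncontrolled port
	 * service that were dropped.
	 */
	u32 unctrl_hit_drop_redir[2];
};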
  895. #endif