
  1. /* SPDX-License-Identifier: GPL-2.0+ */
  2. /*
  3. * MACsec netdev header, used for h/w accelerated implementations.
  4. *
  5. * Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
  6. */
  7. #ifndef _NET_MACSEC_H_
  8. #define _NET_MACSEC_H_
  9. #include <linux/u64_stats_sync.h>
  10. #include <linux/if_vlan.h>
  11. #include <uapi/linux/if_link.h>
  12. #include <uapi/linux/if_macsec.h>
/* Size of the packet number (PN) carried in the SecTAG: 32 bits for the
 * default cipher suites, 64 bits for the extended packet numbering (XPN)
 * cipher suites.
 */
#define MACSEC_DEFAULT_PN_LEN 4
#define MACSEC_XPN_PN_LEN 8
#define MACSEC_NUM_AN 4 /* 2 bits for the association number */
#define MACSEC_SCI_LEN 8
/* Port component (value 1, network byte order) of an end station's SCI;
 * NOTE(review): how it is combined with the MAC address is in macsec.c.
 */
#define MACSEC_PORT_ES (htons(0x0001))
/* Bit layout of the TCI (TAG Control Information) byte of the SecTAG. */
#define MACSEC_TCI_VERSION 0x80
#define MACSEC_TCI_ES 0x40 /* end station */
#define MACSEC_TCI_SC 0x20 /* SCI present */
#define MACSEC_TCI_SCB 0x10 /* epon */
#define MACSEC_TCI_E 0x08 /* encryption */
#define MACSEC_TCI_C 0x04 /* changed text */
#define MACSEC_AN_MASK 0x03 /* association number */
/* E and C both set: the frame is confidentiality-protected, not only
 * integrity-protected.
 */
#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
/* Length of the Integrity Check Value appended to a protected frame. */
#define MACSEC_DEFAULT_ICV_LEN 16
/* Secure Channel Identifier. Kept in wire (big-endian) byte order, which is
 * why it is __bitwise: sparse flags plain arithmetic on it, and sci_to_cpu()
 * is the sanctioned conversion before comparing against host-order values.
 */
typedef u64 __bitwise sci_t;
/* Short SCI used by the XPN cipher suites; __bitwise for the same reason
 * (it is laid over the wire-order salt, see union salt).
 */
typedef u32 __bitwise ssci_t;
struct metadata_dst;
/* Salt used by the XPN cipher suites to derive the per-packet IV.
 * Both members overlay the same MACSEC_SALT_LEN bytes: @bytes is the raw
 * salt as configured from userspace, while the ssci/pn view addresses it as
 * an SSCI followed by a big-endian 64-bit PN. The struct view is __packed so
 * that it covers exactly those bytes with no padding between the members.
 * NOTE(review): the actual IV derivation (how the salt is combined with the
 * SA's SSCI and PN) lives in macsec.c, not here.
 */
typedef union salt {
	struct {
		ssci_t ssci;
		__be64 pn;
	} __packed;
	u8 bytes[MACSEC_SALT_LEN];
} __packed salt_t;
/* Packet number, addressable either as one 64-bit value (@full64) or as two
 * 32-bit halves. The halves are ordered per the host's endianness so that
 * @lower always overlays the least-significant 32 bits of @full64 and @upper
 * the most-significant ones, regardless of the byte order of the CPU.
 * NOTE(review): presumably the non-XPN (32-bit PN) code paths work on
 * @lower only — confirm in macsec.c.
 */
typedef union pn {
	struct {
#if defined(__LITTLE_ENDIAN_BITFIELD)
		u32 lower;
		u32 upper;
#elif defined(__BIG_ENDIAN_BITFIELD)
		u32 upper;
		u32 lower;
#else
#error "Please fix <asm/byteorder.h>"
#endif
	};
	u64 full64;
} pn_t;
/**
 * struct macsec_key - SA key
 * @id: user-provided key identifier (MACSEC_KEYID_LEN bytes); this names the
 *      key, it is not the key material itself
 * @tfm: crypto struct, key storage: the AEAD transform that holds the actual
 *       key bytes, so the raw key is not kept in this struct
 * @salt: salt used to generate IV in XPN cipher suites
 */
struct macsec_key {
	u8 id[MACSEC_KEYID_LEN];
	struct crypto_aead *tfm;
	salt_t salt;
};
/*
 * Per-RX-SC counters. Field names follow the IEEE 802.1AE receive counters
 * of the same name. They are 64-bit and are paired with a u64_stats_sync in
 * struct pcpu_rx_sc_stats so that readers get consistent values on 32-bit
 * hosts.
 */
struct macsec_rx_sc_stats {
	__u64 InOctetsValidated;
	__u64 InOctetsDecrypted;
	__u64 InPktsUnchecked;
	__u64 InPktsDelayed;
	__u64 InPktsOK;
	__u64 InPktsInvalid;
	__u64 InPktsLate;
	__u64 InPktsNotValid;
	__u64 InPktsNotUsingSA;
	__u64 InPktsUnusedSA;
};
/*
 * Per-RX-SA counters (IEEE 802.1AE names). Unlike the per-SC counters these
 * are 32-bit and are used per-CPU without a u64_stats_sync wrapper (see
 * struct macsec_rx_sa).
 */
struct macsec_rx_sa_stats {
	__u32 InPktsOK;
	__u32 InPktsInvalid;
	__u32 InPktsNotValid;
	__u32 InPktsNotUsingSA;
	__u32 InPktsUnusedSA;
};
/*
 * Per-TX-SA counters (IEEE 802.1AE names), 32-bit and per-CPU without a
 * u64_stats_sync wrapper (see struct macsec_tx_sa).
 */
struct macsec_tx_sa_stats {
	__u32 OutPktsProtected;
	__u32 OutPktsEncrypted;
};
/*
 * Per-TX-SC counters (IEEE 802.1AE names). 64-bit, paired with a
 * u64_stats_sync in struct pcpu_tx_sc_stats.
 */
struct macsec_tx_sc_stats {
	__u64 OutPktsProtected;
	__u64 OutPktsEncrypted;
	__u64 OutOctetsProtected;
	__u64 OutOctetsEncrypted;
};
/*
 * Device-wide counters (IEEE 802.1AE names) for frames that never reached
 * an SC/SA: untagged, badly tagged, or tagged with an SCI that did not match
 * any configured RX SC.
 */
struct macsec_dev_stats {
	__u64 OutPktsUntagged;
	__u64 InPktsUntagged;
	__u64 OutPktsTooLong;
	__u64 InPktsNoTag;
	__u64 InPktsBadTag;
	__u64 InPktsUnknownSCI;
	__u64 InPktsNoSCI;
	__u64 InPktsOverrun;
};
/**
 * struct macsec_rx_sa - receive secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as two 32-bit halves (see union pn)
 * @next_pn: packet number expected for the next packet; together with
 *           macsec_secy.replay_window this is the state the replay check
 *           works from (the check itself is in macsec.c)
 * @refcnt: reference count on this SA
 * @active: SA is enabled for receive
 * @stats: per-SA stats (per-CPU, 32-bit counters)
 * @sc: the RX SC this SA belongs to
 * @rcu: RCU head for deferred freeing, since readers look up @sa entries of
 *       the SC under RCU
 */
struct macsec_rx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_rx_sa_stats __percpu *stats;
	struct macsec_rx_sc *sc;
	struct rcu_head rcu;
};
/* Per-CPU RX SC counters with the u64_stats_sync needed to read them
 * consistently on hosts where 64-bit stores are not atomic.
 */
struct pcpu_rx_sc_stats {
	struct macsec_rx_sc_stats stats;
	struct u64_stats_sync syncp;
};
/* Per-CPU TX SC counters with their u64_stats_sync (see pcpu_rx_sc_stats). */
struct pcpu_tx_sc_stats {
	struct macsec_tx_sc_stats stats;
	struct u64_stats_sync syncp;
};
/**
 * struct macsec_rx_sc - receive secure channel
 * @next: next RX SC in the SecY's RCU-protected list (macsec_secy.rx_sc)
 * @sci: secure channel identifier for this SC
 * @active: channel is active
 * @sa: array of secure associations, indexed by the 2-bit association
 *      number (MACSEC_NUM_AN entries); entries are RCU pointers and may be
 *      NULL
 * @stats: per-SC stats
 * @refcnt: reference count on this SC
 * @rcu_head: RCU head for deferred freeing
 */
struct macsec_rx_sc {
	struct macsec_rx_sc __rcu *next;
	sci_t sci;
	bool active;
	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_rx_sc_stats __percpu *stats;
	refcount_t refcnt;
	struct rcu_head rcu_head;
};
/**
 * struct macsec_tx_sa - transmit secure association
 * @key: key structure
 * @ssci: short secure channel identifier
 * @lock: protects next_pn manipulations
 * @next_pn_halves: @next_pn viewed as two 32-bit halves (see union pn)
 * @next_pn: packet number to use for the next packet. A PN must never be
 *           reused under the same key; macsec_pn_wrapped() is the hook for
 *           the wrap-around case
 * @refcnt: reference count on this SA
 * @active: SA is enabled for transmit
 * @stats: per-SA stats (per-CPU, 32-bit counters)
 * @rcu: RCU head for deferred freeing
 */
struct macsec_tx_sa {
	struct macsec_key key;
	ssci_t ssci;
	spinlock_t lock;
	union {
		pn_t next_pn_halves;
		u64 next_pn;
	};
	refcount_t refcnt;
	bool active;
	struct macsec_tx_sa_stats __percpu *stats;
	struct rcu_head rcu;
};
/**
 * struct macsec_tx_sc - transmit secure channel
 * @active: channel is active
 * @encoding_sa: association number of the SA currently in use
 * @encrypt: encrypt packets on transmit, or authenticate only
 * @send_sci: always include the SCI in the SecTAG
 * @end_station: end station flag (ES bit of the TCI); see macsec_send_sci()
 *               for how it affects whether the SCI is sent
 * @scb: single copy broadcast flag
 * @sa: array of secure associations, indexed by association number
 *      (MACSEC_NUM_AN RCU pointers, may be NULL)
 * @stats: stats for this TXSC
 * @md_dst: MACsec offload metadata dst
 */
struct macsec_tx_sc {
	bool active;
	u8 encoding_sa;
	bool encrypt;
	bool send_sci;
	bool end_station;
	bool scb;
	struct macsec_tx_sa __rcu *sa[MACSEC_NUM_AN];
	struct pcpu_tx_sc_stats __percpu *stats;
	struct metadata_dst *md_dst;
};
/**
 * struct macsec_secy - MACsec Security Entity
 * @netdev: netdevice for this SecY
 * @n_rx_sc: number of receive secure channels configured on this SecY
 * @sci: secure channel identifier used for tx (wire byte order, see sci_t)
 * @key_len: length of keys used by the cipher suite
 * @icv_len: length of ICV used by the cipher suite
 * @validate_frames: validation mode
 * @xpn: enable XPN for this SecY (64-bit packet numbers)
 * @operational: MAC_Operational flag
 * @protect_frames: enable protection for this SecY
 * @replay_protect: enable packet number checks on receive
 * @replay_window: size of the replay window; only meaningful when
 *                 @replay_protect is set
 * @tx_sc: transmit secure channel
 * @rx_sc: linked list of receive secure channels (RCU-protected)
 */
struct macsec_secy {
	struct net_device *netdev;
	unsigned int n_rx_sc;
	sci_t sci;
	u16 key_len;
	u16 icv_len;
	enum macsec_validation_type validate_frames;
	bool xpn;
	bool operational;
	bool protect_frames;
	bool replay_protect;
	u32 replay_window;
	struct macsec_tx_sc tx_sc;
	struct macsec_rx_sc __rcu *rx_sc;
};
/**
 * struct macsec_context - MACsec context for hardware offloading
 * @netdev: a valid pointer to a struct net_device if @offload ==
 *	MACSEC_OFFLOAD_MAC
 * @phydev: a valid pointer to a struct phy_device if @offload ==
 *	MACSEC_OFFLOAD_PHY
 * @offload: MACsec offload status; selects which member of the
 *	netdev/phydev union is valid
 * @secy: pointer to a MACsec SecY
 * @rx_sc: pointer to a RX SC
 * @update_pn: when updating the SA, update the next PN
 * @assoc_num: association number of the target SA
 * @key: key of the target SA, as raw key material (MACSEC_MAX_KEY_LEN bytes).
 *	NOTE(review): this is a plaintext copy of the key handed to the
 *	driver for the duration of the callback; whether the core clears it
 *	afterwards, and whether drivers are expected not to retain it, is
 *	not stated here — confirm in drivers/net/macsec.c
 * @rx_sa: pointer to an RX SA if a RX SA is added/updated/removed
 * @tx_sa: pointer to an TX SA if a TX SA is added/updated/removed
 * @tx_sc_stats: pointer to TX SC stats structure
 * @tx_sa_stats: pointer to TX SA stats structure
 * @rx_sc_stats: pointer to RX SC stats structure
 * @rx_sa_stats: pointer to RX SA stats structure
 * @dev_stats: pointer to dev stats structure
 *
 * The sa and stats members are unions: only the member matching the
 * operation being performed (see struct macsec_ops) is valid.
 */
struct macsec_context {
	union {
		struct net_device *netdev;
		struct phy_device *phydev;
	};
	enum macsec_offload offload;
	struct macsec_secy *secy;
	struct macsec_rx_sc *rx_sc;
	struct {
		bool update_pn;
		unsigned char assoc_num;
		u8 key[MACSEC_MAX_KEY_LEN];
		union {
			struct macsec_rx_sa *rx_sa;
			struct macsec_tx_sa *tx_sa;
		};
	} sa;
	union {
		struct macsec_tx_sc_stats *tx_sc_stats;
		struct macsec_tx_sa_stats *tx_sa_stats;
		struct macsec_rx_sc_stats *rx_sc_stats;
		struct macsec_rx_sa_stats *rx_sa_stats;
		struct macsec_dev_stats *dev_stats;
	} stats;
};
/**
 * struct macsec_ops - MACsec offloading operations
 * @mdo_dev_open: called when the MACsec interface transitions to the up state
 * @mdo_dev_stop: called when the MACsec interface transitions to the down
 *	state
 * @mdo_add_secy: called when a new SecY is added
 * @mdo_upd_secy: called when the SecY flags are changed or the MAC address of
 *	the MACsec interface is changed
 * @mdo_del_secy: called when the hw offload is disabled or the MACsec
 *	interface is removed
 * @mdo_add_rxsc: called when a new RX SC is added
 * @mdo_upd_rxsc: called when a certain RX SC is updated
 * @mdo_del_rxsc: called when a certain RX SC is removed
 * @mdo_add_rxsa: called when a new RX SA is added
 * @mdo_upd_rxsa: called when a certain RX SA is updated
 * @mdo_del_rxsa: called when a certain RX SA is removed
 * @mdo_add_txsa: called when a new TX SA is added
 * @mdo_upd_txsa: called when a certain TX SA is updated
 * @mdo_del_txsa: called when a certain TX SA is removed
 * @mdo_get_dev_stats: called when dev stats are read
 * @mdo_get_tx_sc_stats: called when TX SC stats are read
 * @mdo_get_tx_sa_stats: called when TX SA stats are read
 * @mdo_get_rx_sc_stats: called when RX SC stats are read
 * @mdo_get_rx_sa_stats: called when RX SA stats are read
 * @mdo_insert_tx_tag: called to insert the TX tag
 * @needed_headroom: number of bytes reserved at the beginning of the sk_buff
 *	for the TX tag
 * @needed_tailroom: number of bytes reserved at the end of the sk_buff for the
 *	TX tag
 * @rx_uses_md_dst: whether MACsec device offload supports sk_buff md_dst
 *
 * Every mdo_* callback receives a struct macsec_context describing the
 * object the operation applies to (see that struct for which members are
 * valid for which operation). NOTE(review): the return convention
 * (0 on success, negative errno on failure) and whether a callback may be
 * left NULL are not stated in this header — confirm in drivers/net/macsec.c.
 */
struct macsec_ops {
	/* Device wide */
	int (*mdo_dev_open)(struct macsec_context *ctx);
	int (*mdo_dev_stop)(struct macsec_context *ctx);
	/* SecY */
	int (*mdo_add_secy)(struct macsec_context *ctx);
	int (*mdo_upd_secy)(struct macsec_context *ctx);
	int (*mdo_del_secy)(struct macsec_context *ctx);
	/* Security channels */
	int (*mdo_add_rxsc)(struct macsec_context *ctx);
	int (*mdo_upd_rxsc)(struct macsec_context *ctx);
	int (*mdo_del_rxsc)(struct macsec_context *ctx);
	/* Security associations */
	int (*mdo_add_rxsa)(struct macsec_context *ctx);
	int (*mdo_upd_rxsa)(struct macsec_context *ctx);
	int (*mdo_del_rxsa)(struct macsec_context *ctx);
	int (*mdo_add_txsa)(struct macsec_context *ctx);
	int (*mdo_upd_txsa)(struct macsec_context *ctx);
	int (*mdo_del_txsa)(struct macsec_context *ctx);
	/* Statistics */
	int (*mdo_get_dev_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_tx_sa_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sc_stats)(struct macsec_context *ctx);
	int (*mdo_get_rx_sa_stats)(struct macsec_context *ctx);
	/* Offload tag: the room it needs is declared by needed_headroom and
	 * needed_tailroom below, so the core can reserve it before calling.
	 */
	int (*mdo_insert_tx_tag)(struct phy_device *phydev,
				 struct sk_buff *skb);
	unsigned int needed_headroom;
	unsigned int needed_tailroom;
	bool rx_uses_md_dst;
};
/* Notify the core that the packet number of @tx_sa on @secy has wrapped
 * around. NOTE(review): defined in drivers/net/macsec.c; presumably offload
 * drivers call this so the core can stop using the SA, since continuing to
 * transmit with a reused PN under the same key would repeat an AEAD nonce —
 * confirm the exact contract there.
 */
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa);
/**
 * macsec_send_sci - decide whether the SecTAG must carry the SCI
 * @secy: SecY whose TX SC is being used
 *
 * Returns true when the SecY is configured to always send the SCI, or when
 * more than one RX SC exists and neither the end-station nor the
 * single-copy-broadcast shortcut is set on the TX SC.
 */
static inline bool macsec_send_sci(const struct macsec_secy *secy)
{
	const struct macsec_tx_sc *txsc = &secy->tx_sc;

	if (txsc->send_sci)
		return true;

	/* With at most one RX SC the SCI is never forced by this rule. */
	if (secy->n_rx_sc <= 1)
		return false;

	return !txsc->end_station && !txsc->scb;
}
/* Return the device underneath the MACsec device @dev (defined in
 * drivers/net/macsec.c).
 */
struct net_device *macsec_get_real_dev(const struct net_device *dev);
/* True if @dev is a MACsec device whose processing is offloaded to hardware
 * (defined in drivers/net/macsec.c).
 */
bool macsec_netdev_is_offloaded(struct net_device *dev);
/**
 * macsec_netdev_priv - private data of a MACsec device, seen through a VLAN
 * @dev: a MACsec device, or a VLAN device stacked on top of one
 *
 * When 802.1Q support is built in and @dev is a VLAN device, the private
 * area of its real (lower) device is returned instead of @dev's own.
 * NOTE(review): nothing here checks that the resolved device actually is a
 * MACsec device; the caller is expected to have established that.
 */
static inline void *macsec_netdev_priv(const struct net_device *dev)
{
	const struct net_device *target = dev;

#if IS_ENABLED(CONFIG_VLAN_8021Q)
	if (is_vlan_dev(dev))
		target = vlan_dev_priv(dev)->real_dev;
#endif
	return netdev_priv(target);
}
/**
 * sci_to_cpu - convert an SCI from wire (big-endian) to host byte order
 * @sci: the SCI as stored in the SC / carried in the SecTAG
 *
 * sci_t is __bitwise so sparse rejects arithmetic on it directly; the
 * __force cast is the single sanctioned reinterpretation as __be64.
 */
static inline u64 sci_to_cpu(sci_t sci)
{
	__be64 wire_sci = (__force __be64)sci;

	return be64_to_cpu(wire_sci);
}
  353. #endif /* _NET_MACSEC_H_ */